Speakers

June 22-27, 2008
Hyatt Regency Vancouver
British Columbia, Canada

20th Annual FIRST Conference

Speakers

  • UKAdam Laurie (RFIDIOt, UK)

    Practical RFID hacking without soldering irons (or Patent Attorneys)  [schedule]

    RFID is being embedded in everything... From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even!

    For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them....

    Adam Laurie is a UK based freelance security consultant. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he and his brother, Ben, became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

    More recently he has become interested in mobile device security, and was responsible for discovering many major Bluetooth security issues, and has also spoken on other wireless topics such as InfraRed and Magnetic Stripes. His current interest, RFID, has spawned another Open Source project, RFIDIOt, which is also bringing several security issues to the fore. More detail can be found here: http://rfidiot.org.

  • CAAndre Cormier (CCIRC, CA)

    Building a no frills malware lab: How to construct a relatively inexpensive, yet effective, malware analysis lab for CIRTs  [schedule]

    Summary: CCIRC would like to host a 3 hour session that involves the creation of a relatively cheap malware analysis lab. The session will focus on open source tools, procedures, hardware and software that can be combined to create a highly effective malware analysis station that can rival modern commercial versions. The session will cover the requirements, setup demonstration, and employment of the tools in the analysis of an archived CCIRC malware related incident.

    Background: Incident handlers often need to perform a quick behavior analysis of malware when handling infected computers. There are many online and commercial services offering this capability ranging from free, to extremely expensive. However, in many instances the information to be analyzed may be sensitive, and the need arises for a CIRT team to perform its own analysis. The question then arises as to how do you process malware, which is sensitive and/or not typically detected by modern vendors, in a timely manner? The answer is that each CIRT team needs the ability to analyze any malware it receives. CCIRC will present a setup that will equal no more than the cost of two PCs, configured to match the organization standards of each organization. CCIRC will base the development of this presentation on an actual proven setup currently in use by our office, and demonstrate its effectiveness through the processing of an archived CCIRC malware event.

    (Note: We have decided to pursue a three hour session as it will provide ample time to show the setup, configuration, and application of the lab in a real world example. This presentation can be reduced to a single session in which only the requirements would be covered if space is limited. However, for the full effect, a three hour session is preferred.)

  • UKAndrea Rigoni (Symantec, UK)

    Models and Experiences for National and International Information Sharing  [schedule]

    Today almost any organization relies on ICT infrastructures to deliver core and critical services. Risk scenario is changing so quickly that a new Dynamic Risk Management approach is required.

    One of the major challenges is to keep a shared situational awareness of the Digital Battlefield, which is fragmented under the responsibility and visibility of many private and public organizations.

    Information Sharing can help both the single organizations and national bodies to keep an updated situational awareness and to define proactively the correct countermeasures. Despite a common acknowledgment on the importance of Information Sharing, many initiatives have failed and many organizations still look at it with suspect.

    During his speech, Andrea will illustrate the different approaches adopted by private companies, service providers and national authorities for Information Sharing and Early Warning. In particular, Andrea will show how the positive developments of the Military doctrine (Network Centric Operations) can be used to define new information sharing approaches. He we also provide an overview of the different initiatives in US and Europe and will discusses the issues that have prevented Information Sharing to be widely adopted at a National and International level.

    WHAT WILL BE COVERED:

    • Status of Information Sharing in US and Europe
    • New Information Sharing paradigms based on Network Centric Operations
    • Analysis of successful projects
    • Issues and future developments

    HOW THE AUDIENCE WILL BENEFIT FROM THE INFORMATION:

    • Understanding the role of Information Sharing in modern Risk Analysis and Management
    • Understanding key success factors and constraints
    • Get practical suggestions on how to implement information sharing in their own organizations
    Andrea Rigoni Andrea Rigoni is in charge of Symantec’s EU and European Critical Infrastructure Protection Consulting. Based in Brussels, Rigoni has over 16 years experience in the security sector having concentrated on the government ICT security sector for the past decade, both in European Member States and Middle East. Rigoni regularly participates in international initiatives calling for Symantec’s expertise in information security. As such he recently joined the European Commission’s critical infrastructure expert group. Rigoni has also participated in the Interpol IT crime working group, Italian association of critical infrastructures experts, Union for the Coordination of Transmission of Energy (UCTE), Council for Large Power Companies (CIGRE), Italian Police, and Information Security Forum. Before joining Symantec in 2003, Rigoni worked 4 years in Getronics as director of the mission critical BU, working on security and business continuity projects. Rigoni is an expert in critical infrastructure protection (CIP), computer incidents and emergency response (CERT) and security operation centres. He is fluent in Italian and English speaker.
  • USAnton Chuvakin (LogLogic, Inc., US)

    System, Network and Security Log Analysis for Incident Response  [schedule]

    The presentation will cover the use of various system, network and security logs and audit trails in the incident response process, from concepts and methodology to practical case studies and tools. It will touch upon incident response practices and the role of logs in them, using logs for forensics and e-discovery as well as for pre-incident threat detection. The presentation will include many detailed case studies from the real world, some complete with logs and tools used in them.

    Here is the brief summary:

    • Brief incident response process overview
    • Relationship between incident response and forensics
    • Logs: what are they and what are they for?
    • Log use at various stages of the response process: from incident detection to lessons learned
    • Use of logs from various sources (firewall, IDS, system, application, etc) during incident response
    • Open source tools to use
    • Which tools to get and which to build!
    • Log review and monitoring processes
    • Routine log review
    • In-depth log analysis and log mining for incident recognition
    • Log evidence integrity and DoJ criteria challenges
    • Raw vs parsed/tokenized logs as evidence
    • Practical scenarios
    • Conclusions
    Anton Chuvakin

    Dr Anton Chuvakin, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic’s product vision and strategy to the outside world, conducting logging research, as well as influencing company vision and roadmap.

    A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3", "PCI Compliance" and the upcoming book on logs. Anton also published numerous papers on a broad range of security and logging subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs such as one at http://chuvakin.blogspot.com

  • DEAntonio Liu (PRESECURE, DE)

    GridCERT Services - Modification of traditional and additional new CERT Services for Grids  [schedule]

    A CERT that services a Grid community faces certain specific challenges due to the technical nature of Grids. The traditional CERT services have to be modified to meet the needs of a Grid community and to offer added value to the community.

    The presentation will briefly outline the necessary modifications of traditional CERT services. In addition to that it will introduce new CERT services developed for a Grid community.

    These new services cannot be categorized to the traditional three CERT services - reactive, proactive and security quality management services. But rather these new services form a new category of CERT services. The new CERT Services will improve the operational security level by improving reliability and integrity in the Grid and therefore will benefit and offer added value to a Grid community.

  • BRAtanai Sousa Ticianelli (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Phishing without URL, when miscreants go malware  [schedule]

    This presentation will focus on Phishing that don't rely on fake url and fake web-pages. Three examples of phishing that don't need a fake page will be shown during this live presentation. This new vector used by phishers need to be known by the security community in order to identify such type of attack.

    Atanaí Sousa Ticianelli

    Atanaí Sousa Ticianelli holds an Engineer degree in Computer Engineering at Universidade Federal de Săo Carlos - UFSCar along with one post-graduate degree, obtained from the Computer Science Institute of Universidade de Campinas - Unicamp. He holds GSIP (GIAC Secure Internet Presence) and SSP-CNSA (Computer and Network Security Awareness). Working as security analyst at the Brazilian Research and Academic Network CSIRT (CAIS), he has 5 years of experience in the security field. He is currently focused on the incident response process at CAIS.


  • CABobby Singh (Smart Systems for Health Agency, CA)

    Managing Security & Privacy Incidents in the Health Care Environment  [schedule]

    The purpose of the presentation is to provide an overview on how to build a comprehensive and integrated security & privacy incident mgt program in the health care sector. Privacy incidents are becoming common but there is not available in the market place such as use cases and documented examples to assist health care organizations with incident mgt.

    Where ever we look privacy incidents are grabbing the headlines. As Canada moves towards eHealth protecting personal health information is going to be front and centre. However, the cost to maintain a ‘perfectly secure’ system will be too high so organizations such as hospitals, IT organizations such as Smart Systems for Health Agency (SSHA) will have to be prepared to handle security & privacy breaches.

    SSHA has developed a comprehensive Enterprise Security & Privacy Incident management program (ESPIM) to manage security & privacy breaches to ensure high security posture for the organization and to continue to retain clients trust in its infrastructure.

    ESPIM identifies, analyses, resolves and reports on security and privacy incidents and breaches to minimize risk to individuals, clients and SSHA.

    • Security Incident: A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
    • Privacy Incident: Unauthorized or illegal use, collection, disclosure, or disposal of personal or personal health information.

    ESPIM is built on International Standards and meets the reporting requirements set out in the PHIPA Legislation (Ontario).

    Mr. Singh has 13+ years experience in IT Security with extensive experience in Risk Management, Business Operations, Public Relations, Consulting and Auditing. As the Director of Information Security for the Smart Systems for Health Agency, Mr. Singh’s role involves ensuring that security is built-in both at the enterprise-level and to SSHA product and service offerings. He provides leadership in the development and promotion of security standards and practices within the Agency; and the establishment and maintenance of security standards and practices that enhance credibility and engender trust. He has extensive experience developing and implementing security programs for public and private sector organizations. He is a frequent speaker at conferences and round tables. Prior to joining SSHA, Mr. Singh has held positions at Bank of America and Deloitte were he focused on delivering security services to clients and developing the Security practice. Mr. Singh received his MBA from University of Pittsburgh and holds CISSP, CISM, CISA and CPA designations.

  • USBruce Monroe (Intel, US)

    Vendor SIG  [schedule]

  • NLCarol Overes (GOVCERT.NL, NL)

    The HoneySpider Network: Fighting client-side threats  [schedule]

    The Honeyclient Project is a joint venture between NASK/CERT Polska, GOVCERT.NL and SURFnet. The goal is to develop a complete open source honeyclient system, based on existing state-of- the-art client honeypot solutions and an advanced crawler. The system is focused primarily on attacks against, or involving the use of Web browsers. These include detection of drive-by downloads, malicious binaries and phishing attempts. Apart from identifying browser exploits (including 0day attacks), the system is expected to automatically obtain and analyze the attacking malware and ultimately generate its signature. The major incentive to start this project is the rapidly growing number of browser exploits involving varying degrees of user interaction. These types of attacks lie outside the scope of current monitoring systems in use by the three parties. Therefore we view this new system as an expansion of our current monitoring and early warning abilities. Interfaces with existing systems - the CERT Polska ARAKIS system and SURFnet IDS - will be designed. The system will improve situational awareness of what is happening on the Internet and improve security services offered by the parties to their constituents. The project itself is the result of very close cooperation of three different organizations from two different countries – such cooperation involving research into new areas and software development has been rare so far in the CERT community. The proposed article and presentation will include a short introduction of client honeypots and the state-of-the-art. It will then describe how attacks that involve malicious web servers are being carried out and what techniques attackers use to make analysis of such activity more difficult. The functional requirements and architecture of the solution will be presented. It will also briefly touch upon the lesson learned regarding international cooperation. Novel detection heuristics for low interaction client honeypots will be introduced. Finally, preliminary results of the functioning of the system will be published.

    Network Monitoring SIG - Large-scale Monitoring of Fast-Flux Service Networks  [schedule]

    • Detection and Mitigation of Fast-Flux Service Networks
      Christian Gorecki (University of Mannheim Germany)
    • Bring your demo
      NM-SIG attendees, Exploratory

    Network Monitoring SIG - Monitoring and Detection of Fast-Flux Service Networks  [schedule]

    • Introduction
      Carol Overes (GOVCERT.NL)
    • Know Your Enemy: Fast-Flux Service Networks
      David Watson (The Honeynet Project)
    • Peering into Botnets via Fastflux Enumeration: The ATLAS Experience
      Jose Nazario (Arbor Networks)

    Carol Overes started to work for CERT-RO (former name of GOVCERT.NL) in 2003. In these four years, he has been involved with the operational side of GOVCERT.NL; mostly writing advisories and handling incidents.

    His personal security interest is monitoring in general. Two years ago, Carol started with an experiment to set up a monitoring network for GOVCERT.NL, based on honeypot technology. This experiment was the starting point for an official monitoring project. One of the first results of that project is the establishment of a distributed intrusion detection system, based on the tool SURFids.

    At the moment, Carol is involved with the second phase of the monitoring project, namely the development of a complete honeyclient solution.

    His background comes from the ISP environment. Carol have worked for quite some years for the Dutch Telco-provider KPN, where he has worked as a network engineer for their IP-network. He loved to work with routing protocols, such as BGP (Border Gateway Protocol). He also worked on projects like expanding the European peering network of KPN and the MPLS-migration of the IP-backbone. During his period at KPN, Carol was also kernel member of KPN’s CERT, called Uni-CERT.

  • TWChia-Mei Chen (TWCERT/CC – National Sun Yat-Sen University, TW)

    A Collaborative Approach to Anti-Spam  [schedule]

    Growing volume of spam mails has generated a need for a reliable anti-spam filter detecting unsolicited e-mails. Most works focus on spam detection on a standalone mail server. This paper presents a collaborative approach on classification, discovery, and exchange of spam information. The spam filter can be built based on the mixture of rough set theory, genetic algorithm, and reinforcement learning.

    In this paper, we integrate our spam filter with Open Web Mail to validate the performance of proposed approach. The results of collaborative spam filter draw the following conclusion: (1) The rules exchanged among mail servers indeed help the spam filter block more spam messages than standalone one. (2) A combination of filtering algorithms improves accuracy and reduces false positives of spam detection.

    Chia-Mei Chen is a Professor in the Department of Information Management at National Sun Yat-Sen University, Kaohsiung, Taiwan
  • USChris Gormley (Tiversa, Inc., US)

    The Easiest Score on the Internet - PII and corporate secrets for the taking on P2P file sharing networks.  [schedule]

    Forget hacking and phishing – criminals, competitors, and the media are using the same P2P file sharing programs that teenagers use to obtain thousands of your sensitive, confidential, and classified documents each day putting your organization, customers, and partners at significant risk.

    • See live P2P file sharing demonstration of consumers sharing their tax returns, user ID’s, and passwords and corporations sharing confidential intellectual property.
    • See in real-time how an active underground of criminals searches for these very documents.
    • Explore real-life case examples of highly sensitive file disclosures – their causes and the incident response efforts used to address these disclosures.
    • See actual examples illustrating how quickly and from where malicious individuals upload files from PC running P2P file sharing software.
    • Learn how 40-60% of confidential files about a corporation originate outside their corporate networks from suppliers, contractors, attorneys, accountants, partners, and others.
    • Learn how consumers unknowingly expose information about themselves that results in fraud and ID theft that banks end-up covering.
    • Learn about the attitudes and approaches to this issue from a recent survey of almost 800 IT professionals.
    • Learn what actions other companies are taking to mitigate these risks.

    Real-life and highly concrete examples will be used for each part of the presentation.

    Christopher Gormley - Chief Operating Officer, Tiversa, Inc.

    Christopher Gormley is Chief Operating Officer of Tiversa. In this role, he is responsible for Client Services, P2P Information Recovery and Analysis, Marketing, and Public Relations. Mr.Gormley joined Tiversa in 2005.

    Prior to Tiversa, Mr. Gormley was VP of Marketing and Business Development for Haley Systems, a leading business process and middleware software provider. Before Haley Systems, Mr. Gormley was VP of Product Management at FreeMarkets, a world leader in purchasing and supply management technology and services. Prior to his tenure at FreeMarkets, Mr. Gormley was a management consultant with McKinsey & Company and held several marketing and engineering positions with the General Electric.

    He holds an MBA in Finance & Strategy from the Wharton School and earned an undergraduate degree in Chemical Engineering from Worcester Polytechnic Institute.

  • CAChris van Breda (Cyberklix, CA)

    Computer Forensics for Managers and IT Administrators What you need to know  [schedule]

    As a manager or IT administrator, why is it important to understand computer forensics? Simply stated electronic data can be fleeting and easily changed or overwritten. If computer forensics isn’t part of your incident response plan, you are substantially increasing the chances that someone may get away with malicious activity on your network. This could include illegal activity or policy violations such as harassment, unacceptable use of computer resources or deliberate destruction of files and data.

    Digital forensics has evolved to address these issues but many IT security officers, managers and IT administrators are not aware of the processes involved and have not incorporated proper forensic procedures into their incident response plans. The application of computer forensics requires specific knowledge and skills that are not common within the IT security industry.

    This presentation provides a quick overview of what computer forensics is and the various incident response points where it must be considered. It includes some real life examples of how simple things done wrong can impede incident response.

    This presentation is a condensed version of a free half-day workshop on Computer Forensics conducted on a regular basis for IT security officers, all managers (not just IT) and IT administrators.

    The author can tailor the presentation to a suitable time slot from one hour to two hours.

    Mr. Chris van Breda has over 30 years experience in the fields of communications, information management and IT security, with emphasis computer incident response team set-up, development and management. Mr. van Breda has experience in computer forensics, conducting Threat and Risk Assessments, IT security, HR, leadership, training development and production management. Mr. van Breda has been a member of of the Forum of Incident Response and Security Teams (FIRST) for the past eight years and a founding board member of the Ottawa Chapter of the High Technology Crime Investigation Association (HTCIA) in 2001. Mr. van Breda has also presented tutorials on security team essentials and the need for computer forensics at international security forums and teaches computer forensics.

    Mr. van Breda spent over 28 years in the Canadian Armed Forces working in signals intelligence, electronic warfare, IT security and finished his military career as the DND CIRT Team Manager.

  • USChristopher Abad (20 GOTO 10, US)

    Trends in the Internet Underground / Cyber Kadogos  [schedule]

    For better or worse, the ideas and technology of WEB 2.0 has changed the way the younger internet generation interacts with each other and carries out ideas. These effects are seen in the internet underground. Security is completely consumed by academia and corporate R&D, and the internet is not the wild west it once was still only a decade ago. Internet youth are working together in larger groups than ever before, with an amazing ability to naturally organize, communicate and task but opt to use very low tech attacks when conducting internet warfare and have very few ties to the previous generation of (blackhat) hackers.

    I am Christopher Abad, an internet native, a hacker, a scientist and an artist….a jack of many trades but master of none. With such diverse experience and network of peers, I've been about to observe and participate in many aspects of internet and normal society without moral bias. I've worked for numerous security companies including Foudstone, Qualys, nCircle and Cloudmark as a security researcher and now I currently work for a performance advertising company. I attended UCLA for Mathematics. I own an art gallery in San Francisco, 20 GOTO 10, dedicated to the folk art of the internet as well as emerging urban artists.

  • USChristopher Burgess (Cisco, US)

    Intellectual Property Loss in the Global Marketplace  [schedule]

    The speaker will address the global realities with respect to the threat to a corporation's Intellectual Property. Via the case study vehicle, the attendee will learn of the experiences of firms from around the world and the impact loss of Intellectual Property caused or could have caused to otherwise healthy firms as seen from the optic of the insider, the competitor, the state entity and the organized criminal element. The session should be of interest to any individual who has an interest or responsibility for safeguarding their own or their employer's Intellectual Property, as they draft policy, and engage the government's of the world to enforce intellectual property protection strategies.

    • The scope as seen by Cisco
    • The insider, competitor, state and organized criminal element and their motivations
    • The methodologies as shared via case study exemplars
    • Cisco's top-down solution, based on trust, awareness, empowerment, audit, and realistic expectations
    Christopher Burgess

    Christopher Burgess is a senior security advisor to the chief security officer of Cisco®, where he focuses on intellectual property strategies. Additionally, Christopher leads the Global Investigative Support team, providing forensic support to the enterprise, as well as the Government Security Office, addressing global national industrial security support and administration, from within the Corporate Security Programs Office. Prior to joining Cisco, Christopher served as a senior national security executive for more than 30 years. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America where he acquired a deep understanding of the people, cultures, and business practices of these respective areas.

    Christopher is the co-author of the book, Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008). In March 2008, CSO magazine published his study on “Nation States’ Espionage and Counterespionage, Overview of the 2007 Global Economic Espionage Landscape.” He also co-authored the four-part study of the global threat to intellectual property, which was published by CSO Magazine in June 2006, also titled Secrets Stolen, Fortunes Lost and excerpted in CIO Magazine in July 2006; and How to Stop Industrial Espionage, published in CSO Magazine in August 2006. As an invited speaker, he has addressed various corporate intellectual property strategy teams and industry organizations on the many threats to intellectual property. His breadth of knowledge and expertise allows him to focus his substantive efforts on education, awareness and prevention of industrial espionage.

    Christopher, serves on the advisory board of a number of technology firms, and holds membership in a number of security professional organizations and is an advisor to Secure Computing Magazine.

    Mr. Burgess’s recent and future speaking engagements include:

    • Building & Enforcing Intellectual Property Value in China, 2007, San Francisco, CA
    • High Tech Criminal Investigative Association, 2007, San Francisco, CA
    • American Council for Technology and Industry Advisory Council, 2007, Washington DC
    • Purdue University, 2007, West Lafayette, IN
    • North Atlantic Treaty Organization (NATO), 2007, Mons, Belgium
    • Massachusetts E-Government Summit, 2007, Boston, MA
    • ISSA/ISACA Conference, 2007, Pittsburgh, PA
    • FIRST - June 2008, Vancouver, BC
    • ISSA Conference, October 2008, Raleigh, NC
    • North Atlantic Treaty Organization (NATO), October 2008, Mons, Belgium

  • UKDamir (Gaus) Rajnovic (Cisco PSIRT – Cisco Systems Co., UK)

    Vendor SIG  [schedule]

  • UKDavid Pybus (Diageo, UK)

    Techies Can Communicate Too !   [schedule]

    The importance of good communication in incident management today cannot be overestimated. The incident manager's interests spread all the way from the users and ICT staff to the management and board levels, and include also contacts with PR, accountancy and risk management people. At all levels effective communication is in need to make clear that proper incident management is one of the boundary conditions for continued success. Different levels talk different languages and the incident manager needs to understand and honour those. This workshop aims to raise awareness for this exciting challenge, enable a better understanding of the wonder of communication and provide a few basic techniques to build on in everyday work.

    Objective

    Foster awareness of the powers of language, both verbal and non-verbal, and show and practice together useful techniques to build constructively on that awareness, and become more effective in communicating. Group size:
    8-12. Will break up in groups of 2-3 regularly to do practical work.

    Content

    In a relaxed and joyful manner, the trainers will explain and demo the following basic concepts of NLP and adjacent fields:

    • Respect (towards self and others)
    • Representational Systems (the significance of your 5 senses for you and others)
    • Rapport (getting “in sync”)
    • Meta Model (an effective questioning technique, that by its objectivity can lead the questioned person to renewed insights)
    • Milton Model (the power of positive suggestion)
    • Outcome Frame (focusing on the outcome, not the process)
    • Self Confidence (everything can be learnt and unlearnt)

    NLP – Neuro Linguistic Programming – is a model that is best used to foster effective and constructive communication.

    Format

    For most topics covered we seek a format as follows:

    • 1. Demo / Anecdote (wake up!)
    • 2. Set Expectation / Scene (what is this about?)
    • 3. Examples (raise interest)
    • 4. Topical (content)
    • 5. Hands-on (trainees do)
    • 6. Lessons Learned (experiences, re-cap)

    Outcome Frame

    We will achieve the following with the trainees:

    • Basic knowledge of techniques
    • Appropriate level of confidence to start adopting techniques and learn by doing
    • Understanding of general applicability of NLP
    • Interest to learn more

    All details - see full submission pdf.

    David Pybus graduated from Royal Holloway with an MSc in Information Security in 1999. His first position was performing security research and producing security documentation at Internet Security Systems (ISS). David subsequently moved to COLT where he was instrumental in the setup of their CSIRT and forensics capability. At present David is working at Diageo managing their CSIRT, having in 2006 successfully led the team through accreditation to FIRST.

    Recognising the importance of the human component in successful information security and incident response David has sought to broaden his skill set beyond the technical and to this end sought and obtained a qualification as Certified Practitioner in the Art of Neuro-Linguistic Programming (NLP). In his every day work David is continually looking at how these techniques can be applied in the CSIRT environment to make his work, and the work of those around him, more effective – and enjoyable.

  • USDerrick Scholl (FIRST Chair, US)

    Special: Closing Remarks  [schedule]

    Special: Opening Remarks  [schedule]

  • NLDon Stikvoort (S-CURE, NL)

    Techies Can Communicate Too !   [schedule]

    The importance of good communication in incident management today cannot be overestimated. The incident manager's interests spread all the way from the users and ICT staff to the management and board levels, and include also contacts with PR, accountancy and risk management people. At all levels effective communication is in need to make clear that proper incident management is one of the boundary conditions for continued success. Different levels talk different languages and the incident manager needs to understand and honour those. This workshop aims to raise awareness for this exciting challenge, enable a better understanding of the wonder of communication and provide a few basic techniques to build on in everyday work.

    Objective

    Foster awareness of the powers of language, both verbal and non-verbal, and show and practice together useful techniques to build constructively on that awareness, and become more effective in communicating. Group size:
    8-12. Will break up in groups of 2-3 regularly to do practical work.

    Content

    In a relaxed and joyful manner, the trainers will explain and demo the following basic concepts of NLP and adjacent fields:

    • Respect (towards self and others)
    • Representational Systems (the significance of your 5 senses for you and others)
    • Rapport (getting “in sync”)
    • Meta Model (an effective questioning technique, that by its objectivity can lead the questioned person to renewed insights)
    • Milton Model (the power of positive suggestion)
    • Outcome Frame (focusing on the outcome, not the process)
    • Self Confidence (everything can be learnt and unlearnt)

    NLP – Neuro Linguistic Programming – is a model that is best used to foster effective and constructive communication.

    Format

    For most topics covered we seek a format as follows:

    • 1. Demo / Anecdote (wake up!)
    • 2. Set Expectation / Scene (what is this about?)
    • 3. Examples (raise interest)
    • 4. Topical (content)
    • 5. Hands-on (trainees do)
    • 6. Lessons Learned (experiences, re-cap)

    Outcome Frame

    We will achieve the following with the trainees:

    • Basic knowledge of techniques
    • Appropriate level of confidence to start adopting techniques and learn by doing
    • Understanding of general applicability of NLP
    • Interest to learn more

    All details - see full submission pdf.

    CERTification: Assessing CSIRT Maturity  [schedule]

    The CSIRT scene is maturing slowly. If it was in its infancy in the early 90s, then it is in its teens now – still developing, but the signs of maturity are visible. CSIRTs need to be measurable in their maturity for at least two reasons:

    • (1) all ICT services and structures are experiencing a growing demand for quality and measurement of that quality – CSIRTs are no exception;
    • (2) the growing importance of the Internet in all aspects of business and society in general means that the worldwide cooperation of CSIRTs needs to be judged against increasing standards – therefore CSIRTs need the capability to objectively and verifiably assess each other’s operating and policy standards.

    This paper proposes a model which evolves from the already existing CSIRT accreditations (e.g. Trusted Introducer) to better and more objective measures of CSIRT maturity and quality through verification and certification. This model focuses on team maturity rather than the personal development of CSIRT members. Certification of team members remains a potential parameter in assessing CSIRT maturity however. Further the authors will demonstrate the benefits of increasing maturity this way – benefits for management/board level, for the team itself and for interoperation with other CSIRTs (and other stakeholders). The boundary conditions for accreditation and certification will be discussed, including the need for a self-funded, independent, community oriented verification mechanism.

    Don Stikvoort obtained an MSc (Hons) degree in physics in 1987. After an effective management training as Infantry platoon commander in the Dutch Army, he joined SURFnet, the Dutch national research and educational network. Starting out with consultancy he soon found himself lucky to be among the pioneers who built the European Internet, started RIPE, etcetera. Don was involved in the formation of CERTNL in 1991 (today SURFcert) and was its chairman from 1992-1998. Together with Klaus-Peter Kossakowski he started the cooperation of CERTs in Europe which eventually led to both TF-CSIRT and the Trusted Introducer. In 1998 he finished the first version of the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC – Don’s collaboration with CERT/CC has remained till today.

    Don’s short FIRST history:

    CERT-NL became the second European member of FIRST in 1992 – in total Don has been the rep of three FIRST member teams, and mentored several more towards membership. From 1996-8 Don was member of the Future of FIRST Task Force I (FoFI) and secretary to FoF II. Don was chairman of the Program Committee for the 1999 FIRST conference in Brisbane, Australia. In the same year he set up the FIRST Secretariat (FSS), which he managed till mid 2007. Currently Don is a liaison member of FIRST and member of the FoF III task force.

    In 1998 Don co-founded STELVIO, a Dutch company specialising in Internet related consultancy. Within STELVIO he helped build Kennisnet, the Dutch schools' network connecting over 10,000 schools. Several CERTs were created with his help and guidance, among which GovCERT.NL (the Dutch Government team), and the teams for Philips and several academic institutions. Second opinions and maturity assessments in this area are among his specialties. In 2000 Don set up the Trusted Introducer accreditation for CERTs in Europe (TI). In 2002/2003 Don was co-ordinator of eCSIRT.net, an EU funded research project that aimed at developing pragmatical standards for the interoperation of CSIRTs.

    Don left STELVIO in 2004 to continue with S-CURE. He was among the first two Europeans accredited by CERT/CC as "Certified Incident Handler" in 2004. At this moment, apart from engaging on consultancy and coaching projects for SURFnet and others, Don leads the TI CERT accreditation service. As subcontractor to TERENA, Don supports the development and operation of the TRANSITS courses for CSIRT professionals – a not for profit project meant to educate CSIRT professionals in Europen – and is also one of the tutors there.

    Since 2004 Don acquired the C.M.H., C.Hyp. and CPNLP accreditations in psycho/hypnotherapy and NLP. Don has started taking up work in those areas and the adjacent coaching as well, and is also using this to enrich his portfolio in security and explore new grounds – like the “Techies Can Communicate Too!” workshop he is developing with David Pybus. In March 2008 he will acquire the MPNLP – master practitioner NLP - level.

  • DEDr. Martin Wimmer (Siemens AG, Corporate Technology, CT IC CERT, DE)

    About the Security Pros and Cons of Server Virtualization  [schedule]

    Recently, the discussion about security of virtualized IT infrastructures has intensified. Several research papers have been published discussing both, the pros and cons of virtualization for security. Additionally, new business ideas and products have been developed for enhancing security for virtualized IT. With this paper we provide a survey of the recent advances in computer security for server virtualization.

    Dr. Martin Wimmer is Consultant with Siemens CERT. After studying computer science at the University of Passau, where he received his Diploma degree in 2003, he worked as research assistant at the University of Passau and, from April 2004 on, at the Munich University of Technology where he received his PhD in 2007. His research activities mainly focused on security requirements of upcoming service oriented IT infrastructures. In April 2007 he joined the research group of Siemens CERT, where he is currently working on techniques to detect system compromise.

  • USEarl Zmijewski (Renesys, US)

    Has Pakistan stolen your traffic lately? – Threats to Internet Routing and Global Connectivity  [schedule]

    We will review recent disruptions to global connectivity, including cable systems breaks in the Middle East and Taiwan, network hijacks (Pakistan vs. YouTube) and partitions of the Internet brought about by soured business relationships (Cogent vs. Telia). While most Internet-savvy users are very familiar with typical electronic threats to desktop machines and their corresponding countermeasures (firewalls, virus scanners, etc.), threats to Internet routing are not nearly as well understood. In both arenas, it’s the Internet’s outmoded model of implicit trust and cooperation that underlies many of the problems. Unfortunately, there are fewer means for risk mitigation when it comes to threats to the core infrastructure. After reviewing specific incidents and looking at the problem from a holistic standpoint, we’ll consider some of the available remedies.

    VP and General Manager, Internet Data Services Earl Zmijewski is responsible for all of Renesys's Internet Data software, services and operations. He has nearly 20 years of experience encompassing scientific computing and most areas of IT, with particular emphasis on networking and security. Before Renesys, Earl was IT Director at Fluent Inc., a computational fluid dynamics software company, where he was instrumental in establishing new offices throughout the US, Europe and Asia and in the promotion and implementation of Linux clustering technologies. He was also principal architect in the design of Fluent’s networks and Internet security posture. Before that, Earl held various academic positions at Cornell University, University of California, and James Madison University. Earl has a PhD and MS in Computer Science from Cornell University and an MS and BA in Mathematical Sciences from The Johns Hopkins University.

  • PLEmin Akhundov (NASK/CERT Polska, PL)

    Barriers to CSIRTS cooperation with other CSIRTS and The CLOSER Project  [schedule]

    Barriers to CSIRTS cooperation with other CSIRTS

    The growing number of network security incidents and computer crime statistics indicate that the current condition of ICT security is unfavorable and the future is ambiguous. This can have a significant negative impact on the world economy which is increasingly dependant on electronic communication.

    It is not clear who is responsible for such a situation and why there is no breakthrough in  security despite many initiatives over the years. Home users, vendors, ISPs, governments have often different points of view and interests looking at their roles in the process of improving Internet security.

    Nevertheless a success in combating harmful and illegal activates on the Internet is very much related to the intensity and quality of a cooperation between all stakeholders. A cooperation within a particular stakeholder community is important as well.

    Undoubtedly the  CSIRT community is an important player in this area and it has potentially all the assets required to build models of effective cooperation both inside a community and with external parties. To achieve this goal, barriers to cooperation should be analyzed and proposals to overcome them should be created - including proper incentives.

    In the article the authors will present existing barriers, such as:

    • Necessity of information confidentiality (vs. information sharing)
    • Lack of service level agreement between CSIRTs
    • Differences in Legal Systems
    • Lack of standards
    • Incident handling
    • Data exchange formats
    • Threat assessment
    • Insufficient organizational, political and financial support

    In a correspondence to these barriers preliminary proposals of solutions and incentives will be presented. Ideally this could involve a discussion which start some initiatives (e.g. SIGs) and projects to that could foster better CSIRT cooperation.


    The CLOSER Project

    The CERT concept, after almost 20 years of the existence, is recognized as the one of the most effective way of combating illegal activities in the Internet. This effectiveness is in part a result of a good communication between incident response teams. However, communication sometimes becomes a problem because of a lack of sufficient coverage by CSIRTs in a particular region. To improve this situation, the CERT Polska team, with the NATO support, started the CLOSER project, which is mainly about establishing the new teams in the regions where there are white spots on the map of the CSIRT world (project duration 2007-2009). Participants of the project are countries associated in CEENet http://www.ceenet.org (see attachment).

    The project is aimed at building a network of operational CSIRT teams through:

    • Coaching and mentoring activities of emerging CSIRTs by existing and mature teams. At the first stage of the project, teams will be assisted in reaching basic operational capability. After achieving that stage, support will be provided to resolve possible issues related to everyday CSIRT work.
    • Establishing organisational standards and procedures for incident handling in coached CSIRT teams based on mentors’ experience. This includes common classification schemes for incidents, allowing for comparison of incident characteristics across teams.
    • Introduction of new teams to international forums (like FIRST, TF-CSIRT, Trusted Introducer), allowing for exchange of knowledge and experience as well as setting a platform for operational exchange of information and common incident handling world-wide.

    For successful integration of new established teams with existing international cooperation forums emphasis will be put on helping new teams in formal and informal joining of international forums (e.g. FIRST). We believe that experiences from the CLOSER project could be valuable in the discussion on how to reach out to new areas with the CERT concept.

  • USEric Fleischman (Boeing, US)

    Safety and Security of Networked LANs in Aircraft  [schedule]

    Civil aviation aircraft certification, including existing procedures, policies, and Federal and International Law, centers upon aircraft safety. A new generation of digital aircraft (e.g., B787, A350, A380) are being fielded in which electrical components and software perform avionics functions that traditionally were accomplished by hydraulics and other analog systems. These digital systems are connected via internal local area networks (LANs). Simultaneously, economic forces are encouraging aircraft to internally deploy Internet protocols and support digital communications with ground entities. These vectors have created the need to address security issues within the current safety milieu.

    This presentation summarizes some of the findings of the Federal Aviation Authority’s (FAA) Airborne Networked Local Area Network (LAN) study that took place during 2005 and 2006. This study investigated the methodologies for identifying and mitigating potential security risks of onboard networks that could impact safety. It also investigated techniques for mitigating security risks in the certification environment.

    Networks are inherently hostile environments because every network user, which includes both devices (and their software) and humans, are potential threats to that environment. Networked entities form a fate-sharing relationship with each other because any compromised networked entity can theoretically be used to attack other networked entities or their shared network environment. Safety and security have therefore become intertwined concepts within networked airborne environments. Security engineering addresses the potential for failure of security controls caused by malicious actions or other means. Safety analysis focuses on the affects of failure modes. The two concepts (safety and security) are therefore directly related through failure effects.

    This study concluded that the primary issue impacting network airborne system safety is how to extend existing safety assurance processes into networked systems and environments in a mathematically viable manner. This study recommends that the existing safety processes can be extended into arbitrarily vast network environments in a mathematically viable manner by using the Biba integrity model framework. This study maps current airborne software processes into the Biba integrity model framework using well established system security engineering processes to define airborne safety requirements. It applies best current information assurance techniques upon those airborne safety requirements to create a generic exemplar airborne network architecture that simultaneously addresses the safety and security requirements of airborne infrastructures.

    Eric Fleischman is a certified information system security professional (CISSP), who has worked for The Boeing Company for over 16 years. He was the principal investigator on the Federal Aviation Authority’s (FAA) Airborne Networked Local Area Network (LAN) study. He was formerly Boeing's chief data communications architect, who led the migration of Boeing's previously disjoint internal network systems into a unified enterprise network infrastructure built upon Internet technologies in the early to mid-1990s. He has been active within the Internet Engineering Task Force (IETF) since 1992. He has worked for Boeing on multiple US Department of Defense (DoD) programs, helping to develop tactical military communications products and DoD network designs. He formerly was the electronic commerce architect for the Microsoft Corporation, designing and helping to deploy their electronic commerce infrastructure. He also previously worked for AT&T Bell Laboratories, Digital Research, and Victor Technologies.

  • USFoy Shiver (The Anti Phishing Working Group, US)

    The State of Internet Phishing and Fraud and Useful Means to Combat It  [schedule]

    The fight against Internet Fraud and Phishing is continually evolving as the miscreants change tactics in response to successful countermeasures by brand owners and fraud fighters. This presentation will discuss by example the current tactics employed by the fraudsters as seen by the APWG crime fighters such as fast-flux name servers and variants of the Rock phish and the future expectations. Additionally, current APWG and ICANN activities in making the DNS system less useful to phishers will be examined, along with the latest news from the DNS Whois Privacy discussions will be covered. The talk will close with recent APWG work on strategies to converse with customers with compromised web servers, how too recover useful forensic data from those servers; and how to report and remove fraudulent sites from the Internet.

    Foy Shiver is President and CEO of Woodstock Clinical Data Systems and Deputy Secretary-General for the Anti-Phishing Working Group (APWG). Mr. Shiver took over operations of the new non-profit Anti-Phishing Working Group in 2003. He has helped develop this organization into a global industry, law enforcement and research group dedicated to countering the growing threat of electronic crime. In 2005 Mr. Shiver accepted an appointment as Deputy Secretary-General of the APWG for which he is charged with cultivating the membership base around research to fight internet crimeware and fraud. This role includes cultivation of the APWG’s eCrime Researchers Summit. This annual event works with academia and industry partners to focus projects in the electronic crime area through publication and scholarship monies.

    Mr. Shiver left a successful career in Lotus/IBM in 2000 to pursue development of new applications in the clinical software field. He was recruited to join KafkaAdaptive, Ltd., a venture-funded UK start-up, as a member of the board of directors and Director of Development. After partial development of some clinical data logistics systems, the UK venture fund dissolved KafkaAdaptive and agreed to the appointment of Mr. Shiver as President and CEO of the successor company, Woodstock Data. In this role he continues to develop web-driven study enrollment platforms dedicated to automate study cohort formation. Meanwhile, Mr. Shiver retains a seat on the technical advisory board of Facultech, a developer of cognitive reasoning skills tests for schoolchildren based on handheld microcomputers.

  • FRFranck Veysset (France Télécom R&D, FR)

    FMC (Fixed Mobile Convergence) - What About Security  [schedule]

    Since 2007, new FMC (Fixed Mobile Convergence) solutions are emerging. Three main technologies seem to rule the market: WiFi SIP, UMA (Unlicensed Mobile Access) and Cell (Femto/pico cell). Those solutions look very attractive to customers, as they open new possibilities in term of telecommunication. After introducing those technologies, we will focus on the security aspects of those solutions. They might have strong impacts on customers / companies security, but things are also quite complicate from the telco point of view, as new threats are emerging (Operators will have to “open” some part of their core network, which is not an easy issue…).

    The goal of this presentation is to give an overview of FMC solutions, including the security aspects.

    
Franck Veysset

    Franck Veysset is a network security expert working for France Telecom R&D / Orange labs. His activities are focused on Wi-Fi security, honeypot, cybersecurity and more generally IP security.

    He has presented at numerous technical and security conferences (BlackHat, ToorCon, Shmoocon, Eurosec, First, Hack.lu...). He is also a program chair member of different conferences (SSTIC, JSSI...). Aside from these activities, he is member of the board of the French Information Systems and Network Security Observatory (OSSIR), and he lectures in different university and engineering schools.


  • UKFrank Wintle (PanMedia Ltd, UK)

    Security and Education – Bringing it all Together  [schedule]

    In his address to the 19th FIRST conference inSeville, Frank Wintle argued that the exclusive “private languages” spoken by Internet Technology specialists were a major cause of “ordinary” users falling victim to viruses, sabotage and criminal attacks, and urged delegates to find a lingua franca which would enable lay people to comprehend security practices and apply or comply with them competently and confidently.

    At the Vancouver 2008 conference, Wintle, who is FIRST’s communications consultant, takes his argument to the next stage, sharing a programme which will enable delegates to return to their organisations and take the first steps towards the conversion of “lay” colleagues into security evangelists. Wintle will argue that the experts’ constant refrain against the non-specialist mass of colleagues – “They just don’t get it!” – betrays a first and fatal flaw in the conventional approach: the division of the problem between the us-savants and the them-idiots.

    Only holistic mentoring techniques will begin the process of transforming each organisation’s culture towards an inclusively security-conscious universe. Sharing the building-block principles of his communications techniques, Wintle demonstrates how to bring colleagues onside and build up a momentum for change in which word-of-mouth (everywhere recognised as the most potent persuasive force) gradually begins to augment and reinforce more formal dialogues as part of the tutorial matrix.

    What are the major obstacles along the way? How will you know when the message is getting through? How will you stop momentum from flagging after the change-programme has ended? These are just a few of the questions which will be answered in a session which will excite delegates to rise to the challenges of a new model of security education.

    Frank Wintle runs the London-based communications consultancy PanMedia, offering courses in internal and external communications, individual coaching in communications skills, and agenda, production and presentation services for business seminars. His clients include Cisco Systems, HSBC Actuaries and Consultants, Virgin Money, E-ON Ruhrgas, Deloitte, and FIRST (the international Forum of Incident Response and Security Teams). He also trains Peace Observers in reporting and diary-keeping before their tours of duty in the Middle East.

    In his writing and producing career for factual television Frank Wintle won gold and silver medals from the New York Film and TV Festival, the Golden Gate Award from the San Francisco Film and TV Festival, best programme award from the Royal Television Society and an Emmy nomination.

    He has written two books and continues to contribute to the national Press.

  • USGavin Reid (Cisco Systems, US)

    CVSS SIG  [schedule]

    • CVSS version v2 score research
      Jeff Jones
    • Update on SCAP
      Tim Grance (NIST)
    • MSP vendor PCI compliance feedback
      Ron Gula (Tenable)
    • Practical vendor implementation of PCI demo and experiences
      Morey Harber (Eeye)
    • Overview of CVSS v2 scoring guide
      Chris Johnson (NIST)
    • Karen Scarfone
      NIST v2 scoring research

    With the time remaining we will have a roundtable discussion on CVSS futures lead by Seth Hanford and Sasha Romanosky.

    Gavin manages the Computer Security Incident Response Team for Cisco Systems. His team has global responsibility for investigation on all security monitoring, events and incidents.

  • USGeorgia Killcrece (CERT/CC – Carnegie Mellon University, US)

    Creating and Managing Computer Security Incident Response Teams(CSIRTs)  [schedule]

    This one-day course is designed to provide a high-level overview of the issues involved in creating and managing an effective computer security incident response team (CSIRT).

    For anyone who is new to the field or who is interested in the type of activities a CSIRT performs, this course will provide valuable insight and suggestions for developing such a capability.

    A high-level discussion of key issues and topics is covered in this one-day tutorial, focusing on the purpose and structure of CSIRTs, incident management processes, key design and implementation elements, CSIRT operational issues, and other CSIRT functions.

    Incident Management Mission Diagnostic(IMMD) Method  [schedule]

    The Incident Management Mission Diagnostic (IMMD) is a risk-based approach for determining the potential for success of an organization's incident management capability (IMC).

    An organization's IMC potential for success is based on a finite set of current conditions – a limited set of key indicators used to estimate the current IMC health relative to a defined benchmark. Decision-makers can determine if the current state of their IMC is acceptable, or if actions are required to improve the situation. The IMMD can be viewed as an efficient, first-pass screening of an IMC to provide a quick evaluation and diagnose any unusual circumstances that might affect its potential for success.

    This presentation will provide an overview of the IMMD method.

    Incident Management Mission Diagnostic Method, Version 1.0
    http://www.cert.org/archive/pdf/08tr007.pdf

    CSIRT Metrics SIG  [schedule]

    Georgia Killcrece

    Georgia Killcrece is a Member of the Technical Staff and joined the CERT® Coordination Center (CERT/CC) in 1989. The CERT/CC, established in 1988, is part of the CERT® Program based at the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, Pennsylvania. Since 1999 Killcrece has led the CERT® CSIRT Development Team and takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide. She has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. She is internationally recognized as a leader in CSIRT development and has been invited to present at a number of international conferences. Killcrece also chaired the 2006 FIRST conference. Killcrece participates in the creation and delivery of public and onsite training courses, as well as facilitate workshops focused on CSIRT development. As part of broader outreach efforts in the CSIRT community, her team licenses the suite of CSIRT training materials to external transition partners. In 2003, to meet the need for trained incident handling staff, the CERT Program created and launched a certification program. From 1994 to 1999 Killcrece was a technical coordinator and incident response coordinator in the CERT/CC. In those roles, she gained firsthand knowledge of the processes involved in forming, operating, and managing incident response teams, including the dynamics of working in a fast-paced team environment. Killcrece is author or contributor to a suite of CSIRT documents and reports, available on the CERT web site at http://www.cert.org/csirts/. Killcrece can be reached directly by email at georgia@cert.org.


  • USGib Sorebo (SAIC, US)

    Security Breaches: To Disclose or not to Disclose  [schedule]

    Laws are increasingly requiring more breach reporting. Just when should you disclose and to whom This is a question frequently asked as breaches now include not only verified data compromises but also security vulnerabilities where there is only a mere possibility of compromise. This session will discuss recent disclosures, analyze hypothetical scenarios, and offer guidance.

    The presentation will begin by discussing the notion of the security breach and how that term has evolved from a clear cut case of data compromise to a more speculative scenario where a vulnerability has been discovered or data was sent over the Internet in the clear. Examples of recent disclosures will be presented to show how these concepts have changed over time. We will then examine the relevant laws, such as SB-1386 in the US and laws of other countries, and look at how they define security breaches and potential implications of not disclosing. The presentation will then walk through the steps of investigating of potential breach from the initial discovery of a security event to the notification of affected parties. The session will describe the roles for attorneys, IT professionals, and managers. The talk will then consider the pros and cons of disclosing. Such considerations will include the organization’s reputation, customer obligations, and the potential for over-reporting. We will then summarize a recommended approach to security breaches that takes into account the technical aspects of the potential breach, the type of information involved, and the legal obligations of the organization.

    By the end of the session, the participants will have a good understanding of the pros and cons of disclosing security breaches and will be able to provide their organizations with additional information to help make this difficult decision and help it mitigate harms to customers and the organizations reputation.

    Gib Sorebo is a Senior Information Security Analyst and Program Manager for SAIC where he assists government and private sector organizations in complying with legal and regulatory requirements related to information security and privacy. He has been working in the information technology industry for more than fifteen years in both the public and private sector. He is recognized for his expertise in information security compliance where has helped government and commercial customers comply with FISMA, GLBA, HIPAA, and other legal obligations. Additionally, Gib leads an incident response and computer forensics team that investigates computer-based intrusions and employee misconduct. Prior to joining the private sector, he held a variety of positions with the U.S. Senate and U.S. House of Representatives in support of their information technology infrastructures.

    Gib is also an attorney, specializing in information security and privacy issues. He has been active with the American Bar Association’s Information Security Committee for several years and has contributed to publications relating to PKI, information security liability, and electronic evidence. He has spoken at national conferences on the subjects of information security liability and Sarbanes-Oxley. Gib holds a Bachelor of Arts from the University of Chicago, a Master of Arts from George Washington University, and Juris Doctor from Catholic University. He is also an active member of the Virginia State Bar.

  • USGreg Bassett (Intel Corporation, US)

    Incident Handling around the world in 80 ms. (Well not really that fast)  [schedule]

    Having a global presence looks great on paper and is perhaps even doing wonders for your bottom line. The downside to being spread across the global is the ability to properly staff certain emergency job roles, such as incident response. Not everyone is trained to do incident response; not everyone possesses the mindset for this work. The question is how to do then operate a successful incident response program across a company where you may have a computer presence but not trained staff to address incidents?

    With the release of 3.2 of RAPIER, we have created a client / server architecture for our information gathering tool suite. Now a disperse company can establish repositories for information gathering during incident handling - your IR specialists no longer have to muddle through getting accurate information off a remote system or worse, walk someone through gathering the data over the phone. RAPIER 3.2 includes several new modules and can be configured to execute against a remote target.

    Greg Bassett joined Intel and the Ocotillo Site Automation in August 1995 to support the Production UNIX infrastructure for manufacturing operations. As a Senior UNIX Engineer, he provided creative solutions to address availability, performance, security and capacity issues on a variety of Mission Critical UNIX systems and configurations. He led a variety of cross-site teams, including an effort to reduce patching timelines across manufacturing sites. Late 2004, he joined the Security Operations Center as a security specialist to drive identification and analysis operational efforts of new malware and other external threats found, research and testing of mitigation to protect internal networks. He developed the Automated Worm Detection Tool (AWDT), an automated system to load firewall blocks based on infected system traffic seen through NIDS and other sources. Prior to joining Intel, Greg worked for Digital Equipment Corporation Manufacturing testing and troubleshooting Alpha/VAX systems.

    Contact Email: greg.l.bassett@intel.com

  • TNHaythem EL MIR (Technical Department / NACS, TN)

    Tunisia’s experience in building an information sharing and analysis center  [schedule]

    Tunisia as an outstanding example for the developing country, have built its CERT and launched many projects to improve computer security in the national area. we are trying through this document, to present the used approach in order to set an ISAC in a specific environment and context, while taking in account several constraints as the socioeconomic factors.

    Indeed, we will present the different components of the project as well as the deployed mechanisms, to achieve a collection, analysis and risk assessment system to inform about potential threat incurred by the national cyberspace.

    Haythem EL MIR is an information security professional; he acted as a member in the starting team which founded the National Agency for Computer Security and the Tunisian CERT. He is now the NACS Technical Manager, responsible on the national IT security projects, critical infrastructure protection, cyberspace monitoring, etc.

    He is also currently the head of the incident response team at cert-Tcc which deal with incident handling at the national scale and computer forensics. With 6 years of experience in the IT security field, Haythem is a security trainer and he is working as a consultant for many companies.

  • DEDr. Heiko Patzlaff (Siemens AG, Corporate Technology, CT IC CERT, DE)

    Push-Email in the Enterprise. Is it BlackBerry, WindowsMobile or Symbian?  [schedule]

    Over the last few years push-email on mobile devices has become a major trend and is taken up by companies to mobilize their workforce. Various risks are associated with the use of mobile devices outside the company perimeter - in particular with respect to the transmission and storage of confidential information.

    This paper compares the different approaches the three operating system platforms Symbian, Windows Mobile and Blackberry take in offering this functionality. It explores the security architectures and features and evaluates the suitability for a deployment in the enterprise.

    The paper develops a set of criterias for the comparison of the security features of mobile devices. It covers the areas infrastructure security, device security, services, protection of static data, protection of data in transit, administration and mobile malware.

    Heiko Patzlaff

    Born in 1966, Mr. Heiko Patzlaff received a PhD in statistical theoretical physics from Leipzig University. For several years he worked in the anti-virus industry as a researcher and systems developer for Sophos Antivirus in Oxford, United Kingdom. He is currently employed by Siemens Germany where he is responsible for forensic and malware topics and is involved in various research activities. He lives with his wife and three children in Munich and enjoys outdoor activities in the nearby mountains and the local bavarian cuisine.


  • HRIvan Krstić

    The Dark Future of Desktop Security and How to Stop It  [schedule]

    It's 2008. About 75% of all corporate machines are infected with at least one piece of malicious code. We're seeing the emergence of weapons-grade botnets, designer trojans, smart mobile malware, and the graduation of the black hat community from what was once a ragtag army of rebels without a cause to a group of well-paid professionals engaging in research-quality work to rake in profits and evade detection. The entrenched players in the security industry have been predictably slow to respond. Now, seemingly bewildered by the new security landscape, they are increasingly finding salvation in restrictive new systems that threaten to transform your computer into little more than a glorified abacus. There must be a better way. This session will turn to history and explain how we dug ourselves into the present predicament, and then look at Bitfrost, the One Laptop per Child security system, for lessons on how we might dig ourselves out.

    Ivan Krstić is a software architect and researcher currently on leave from Harvard University. Until recently, he worked as director of security architecture at One Laptop per Child, an education non-profit that aimed to produce a $100 laptop for children in the developing world. Prior to that, Ivan served as director of research at the medical informatics laboratory of a European children's hospital, tackling infrastructure and security problems in wide-scale digital healthcare. Ivan is deeply involved in open-source and free software, co-authored the best-selling Official Ubuntu Linux Book, and specializes in architecture and security of large distributed systems.

    He has consulted on both matters for some of the largest websites on the Internet. Described by Wired magazine as a "security guru", in 2007 the MIT Technology Review named him one of the world's top innovators under the age of 35 for his work on the OLPC security platform, Bitfrost. Recently, eWEEK declared him one of the top three most influential people in modern computer security.

  • BRIvo Carvalho Peixinho (CAIS/RNP – Brazilian Federal Police, BR)

    Tales from the dark. Diary of a compromised Windows Vista  [schedule]

    This presentation is a working in progress study. A Windows Vista system was configured with a ssh server and weak passwords. The diary to be presented will show all the activity done by miscreants over 9 months period. This honeypot is on-line for 3 months now and will be kept on until the conference; where all information collect will be shared. For the first three months this experiment shown very interesting findings, since attackers were not expecting to find a Windows system when they ssh brute-force a system.

    Ivo Peixinho

    Ivo de Carvalho Peixinho has a BS degree on Computer Science at Universidade Federal da Bahia, with two post-graduations, one in Distributed Systems and another on Mechatronics. He is also a BS7799 certified auditor.

    Ivo has more than 10 years of experience on network security, and worked the last two years on security research and incident handling. Actually works as a Forensics Expert at the Brazilian Federal Police Department.


  • CAJ. D. Frazer (UserFriendly.org, CA)

    Insecurity  [schedule]

    Human beings by their very nature are insecure. They spend all of their lives seeking ways to make themselves feel more secure, and usually fail despite superhuman efforts, huge spending and support from the rest of their tribe. Professionals in Information Technology face exactly the same situation, except for the huge spending and tribal support parts.

    This talk will cleverly point out the absurdities we face as we each search for a safe corner against which we can place our backs.

    JD "Illiad" Frazer is a Canadian 40-something cartoonist, writer and occasional thinker. He started down the hallowed path of technology at a tender age, immersing himself in punch cards, acoustic couplers, and eventually, boat anchors. His greatest epiphany came when he beheld modem-transferred text that appeared faster than he could read it. His much-too-indulgent cartoon strip UserFriendly.Org has been published once a day, every day, since November of 1997, and has appeared in such august publications as The National Post, Linux Journal, and the Spuzzum Weekly Courier. He's won a few awards but his neighbour's dog has eaten them all. Despite his generally facetious approach to life, he is a vocal advocate of freedom of expression, corporate ethics and rational discourse. He has spoken at over fifty events in North America, Europe and Australia.

  • BRJacomo Piccolini (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Phishing without URL, when miscreants go malware  [schedule]

    This presentation will focus on Phishing that don't rely on fake url and fake web-pages. Three examples of phishing that don't need a fake page will be shown during this live presentation. This new vector used by phishers need to be known by the security community in order to identify such type of attack.

    Tales from the dark. Diary of a compromised Windows Vista  [schedule]

    This presentation is a working in progress study. A Windows Vista system was configured with a ssh server and weak passwords. The diary to be presented will show all the activity done by miscreants over 9 months period. This honeypot is on-line for 3 months now and will be kept on until the conference; where all information collect will be shared. For the first three months this experiment shown very interesting findings, since attackers were not expecting to find a Windows system when they ssh brute-force a system.

    Jacomo Dimmit Boca Piccolini

    Jacomo Dimmit Boca Piccolini has an Engineer degree in Industrial Engineering at Universidade Federal de Sao Carlos - UFSCar, with two post-graduation one obtained on the Computer Science Institute and other on the Economics Institute of Universidade de Campinas - Unicamp. Hi is GCIA, GIAC Certified Intrusion Analyst and GCFA, GIAC Certified Forensics Analyst, working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field his is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of RNP backbone infrastructure by hackers.


  • USJeff Boerio (Intel Corporation, US)

    Automating Vulnerability Management in a Heterogeneous Enterprise  [schedule]

    Managing the response to vulnerabilities in a heterogeneous enterprise is no simple task. A significant growth in applicable vulnerabilities, a complex network of devices, and constraining budgets create a problem for managers when it comes to resources. In this paper, we will propose some measures to address handling the growing number of alerts while decreasing the staff needed to do so. We begin with a review of the vulnerability management process, offering suggestions to improve consistency in processing vulnerability reports and risk ratings. Then we examine possible solutions for automating and streamlining several key steps of the process, such as processing alerts, assigning risk, and disposition them for patching.

    Jeff Boerio is an Information Security Specialist for Intel Corporation. He has two main focuses there. One is managing the IT Emergency Response Process for intelligence gathering, meaning that in a cyber incident he and his team are responsible for gathering and reporting as much information as possible. The second is managing the operational security of UNIX platforms across the company, including driving enforcement of minimum security specifications for operating systems and applications as well as the hardening of the same. Jeff was hired by Intel in October, 1993 after obtaining a Bachelor of Science in Computer Science from Purdue University, and has held positions from UNIX Systems Administrator to Software Project/Program Manager. He also has a GIAC Security Essentials Certification (GSEC Silver) from SANS. When not at work, Jeff and his wife live in the heart of Oregon’s wine country on a small farm, raising his three-year old son and caring for five horses. He enjoys wine, photography, rock n’roll, sports and Corvettes. Not necessarily in that order.

  • USJeff Williams (Microsoft, US)

    Malware Without Borders - Multi-Party Response  [schedule]

    As malware and potentially unwanted software are becoming motivated more and more by financial gain, their nature is also changing. The attackers often use social engineering techniques to lure the user to run their code and usually will show some messages or bogus warnings using some language. The effectiveness of the attack in any specific region will then rely on the popularity of that language in that region. Other factors may impact too such as the level of user education in that region and the usage of security products there. The result is that we see more and more threats that affect specific countries or regions more than they affect others. This paper will overview some major differences in the types of malware and spyware that exist in different regions around the world and will provide specific examples. The information for this paper is collected from hundreds of millions of computers around the world.

    Given the locality of many of the threats, the model of national response teams and organizational response teams can be extremely helpful. The paper is going to call for even higher level of interaction between these response teams and the security software industry as well as several working examples which illustrate success.

    As the principal group manager for the Microsoft Malware Protection Center (MMPC), Jeff Williams is responsible for the coordination of response activities both within the MMPC and in the broader research community. He is also involved in the release of protection technologies such as the Malicious Software Removal Tool (MSRT).

    Williams is responsible for a number of critical functions for Microsoft Corp.’s anti-malware research and response efforts, including the monthly release of the MSRT, internal and external outreach to security researchers and partner organizations, competitive analysis, and the incubation and business development of new response technologies and methods. His team is responsible for handling vendor inquiries and disputes relating to inclusion in Windows Defender and Windows Live OneCare anti-malware definitions, and provides subject matter expertise and analysis for Microsoft’s semiannual Security Intelligence Report. In addition, Williams helps represent Microsoft to industry organizations such as the Anti-Spyware Coalition, a consortium of anti-malware companies and nonprofit organizations, and manages the Microsoft Virus Initiative, a program to share critical security information with other anti-malware independent software vendors.

    Williams has worked in security at Microsoft since October 2001, when the company launched its Strategic Technology Protection Program, the precursor to today’s Trustworthy Computing. Before his current position, Williams served as divisional privacy officer for Microsoft’s support and consulting businesses, where he was responsible for protecting data relating to Microsoft’s customers, employees and partners on thousands of systems and educating thousands of employees worldwide on privacy and data protection. Williams also ensured that the methods the company uses to collect, store, use and transport such data were conducted in a manner that complied with all laws and the higher bar of Microsoft’s corporate policies relating to data handling.

    Before joining Microsoft in 2000, he was senior network architect for an international provider of financial services in San Francisco, and an adjunct professor of risk management and telecommunications for the University of Phoenix’s Bay Area campuses.

    Williams holds a master’s degree in business administration in technology management from the University of Phoenix. He received his bachelor’s degree from Bennington College.

  • KRJinWook Choi (Financial Security Agency, KR)

    Efforts to Secure Electronic Financial Transactions  [schedule]

    Securing electronic financial transactions have been an important issue all over the world.

    In Korea, internet banking customer has increased dramatically reaching 42,450,000(Sep. 2007) for 19 Banks. And the government led high attention to set up a policy and technology to make the online transaction safe.

    Accordingly, every financial institution that has online service should provide security programs such as anti-virus and anti-keylog to their customers in Korea. However, cyber threats to the financial institutions and to their customers are increased day by day, the techniques for the attack are evolving everyday, so a dedicated organization is needed to follow-up and fight for such risks. Finally, Financial Security Agency (“FSA”) was established in Dec 2006.

    In this presentation, incident cases, new threats, and the efforts of Korean financial institutions and government will be introduced.

    KFCERT in FSA is a FIRST full member since Dec. 2007.

    William Yurcik

    JinWook Choi joined the FSA as a founding member in December 2006 and works as a security coordinator. JinWook was a KrCERT/CC member in 2003 and 2004 and has experience in online game security (NCSOFT, 2004-2006) and military (retired, Navy Lieutenant Junior Grade). He has a Bachelor’s degree in Computer Science from SoongSil University and has also studied at the University of Victoria, Canada as an exchange student.


  • USJohn Stewart (Cisco Systems, US)

    The Enterprise’s Role in Protecting Critical Infrastructures  [schedule]

    In today’s networked world, private industry plays an increasingly vital role in the physical and cyber protection of critical infrastructures. Companies in the U.S. and across the globe are evolving close partnerships with government counterparts to address growing infrastructure complexity as well as local and worldwide threats. Cisco’s commitment and leadership in cyber-security, global incident response collaboration, public-private partnerships and information sharing demonstrates the positive effect that enterprises can have on helping to secure public critical infrastructure. Join Cisco chief security officer John N. Stewart as he shares his perspective on the opportunities associated with delivering, managing, and expanding the reach of corporate security programs in a global environment relative to critical infrastructure assurance.

    John Stewart

    Mr. Stewart provides leadership and direction to multiple corporate security and government teams throughout Cisco, strategically aligning with business units and the IT organization to generate leading corporate security practices, policies, and processes. His organization focuses on global information security consulting and services, security evaluation, critical infrastructure assurance, eDiscovery, source code security, identification management, as well as special programs that promote Cisco, Internet, and national security. Additionally, he is responsible for overseeing the security for Cisco.com—the infrastructure supporting Cisco’s more than $35 billion business.

    Mr. Stewart’s longstanding career in information security encompasses numerous roles. He was the Chief Security Officer responsible for operational and strategic direction for corporate and customer security at Digital Island. Mr. Stewart has served as a research scientist responsible for investigating emerging technologies in the Office of the CTO at Cable & Wireless America. He has professional experience in software development, systems and network administration, and is a software specialist, author, and instructor.

    Throughout his career, Mr. Stewart has been an active member of the security industry community. He served on advisory boards for Akonix, Cloudshield, Finjan, Ingrian Networks, Riverhead, and TripWire, Inc. Currently, Mr. Stewart sits on technical advisory boards for Panorama Venture Capital (formerly JPMorganPartners Venture), RedSeal Networks, and Signacert, Inc. He is on the board of directors for KoolSpan, Inc., and a member of the CSIS commission on cyber security for the 44th Presidency.

    Mr. Stewart’s publications and recent speaking engagements include:

    • Author, Securing Cisco Routers Step by Step
    • Co-author, Internet WWW Security FAQ, found online at the W3C
    • FIRST 20th Annual Conference, 2008 Vancouver, British Columbia
    • AusCERT2008 Asia Pacific Information Security Conference, 2008, Gold Coast, Australia
    • RSA Conference, 2008, San Francisco, CA
    • CSO Perspectives, 2008, Atlanta, GA
    • DHS Kauffman Foundation IT Security Entrepreneurs' Forum, 2008, Stanford University, CA
    • Federal Aviation Administration’s IT/ISS Partnership/Training Conference, 2008, Atlanta, GA
    • Canadian Privacy & Security Conference, 2008, Victoria, British Columbia

    Mr. Stewart holds a Master of Science Degree in Computer and Information Science from Syracuse University, Syracuse, New York.


  • CAJohnathan Nightingale (Mozilla, CA)

    The Most Important Thing: How Mozilla Does Security and What You Can Steal  [schedule]

    In this presentation, Johnathan Nightingale will share best practices for building secure applications when implementing an open source model. He will highlight the benefits of remaining open and transparent throughout the security process.

    Developers generally agree on the importance of security, but there are options for incorporating security into the development environment. With threats emerging daily, the importance of building more secure applications is rising. A solid security process throughout the development lifecycle will provide a road map to guide the team in making and measuring security improvements during every step of application development.

    Mozilla’s open source security model describes how to build security into a software project. Johnathan will share the 5 primary aspects of applying this model to the development environment:

    Security Design

    • Evaluating the impact of new features on the security architecture

    Security Implementation

    • How to establish best security programming practices
    • Balancing the compromise between security and functionality

    Security Testing – How To

    • Engaging security vendors
    • Tools – building your own and leveraging existing

    Security Response

    • Creating processes to address the inevitable external security report
    • Shipping security updates – making security updates less painful for users
    • Engaging and building trust within the security community
    • Transparency – external visibility for the process

    Security Metrics

    • How to measure security progress
    • How to evaluate security strength and improvement

    Johnathan Nightingale is the Mozilla Corporation's Human Shield. Educated in cognitive science and artificial intelligence, now working on security, usability & coding for Firefox, he can usually be found occupying the centre of a Venn diagram. He has written for Dr. Dobb's Journal about software integration, and for O'Reilly's Make: magazine about making tea. He lives just outside Toronto, Canada, in a house that needs more room for books.

  • ESJuan Díez González (INTECO, ES)

    National spam monitoring network  [schedule]

    Spam, as unsolicited e-mail, has become a serious problem not only for final users, but also for companies that use e-mail on a daily basis at work, due to the economic damage that it causes. Nowadays, it seems that this issue has no direct solution, although more and more efficient antispam solutions are constantly developed.

    In this context, it is extremely important to have mechanisms that allow us to measure in some way the most significant information about the current spam situation.

    For this reason, due to its status of national public institution, INTECO-CERT has promoted the establishment of collaboration agreements with a group of different and varied organizations. As a result of these agreements, programs acting as sensors or meters have been installed in these organizations to collect information about spam. The information is centralized and properly analyzed, which makes easier its future exploitation.

    The most useful information that results from this process is shown in form of statistics in a web site accessible to the general public, thanks to the advantages that the widespread use of Internet offers.

    In this sense, users can interact in a friendly way with the application, which will offer them results that can be easily interpreted and a general view of the spam situation in Spain and in the rest of the world

    Juan Díez González holds a degree in Computer Science from the University of León and a MCSE certification by Microsoft.

    He has more than seven years of experience in the IT sector, basically in IT Consulting projects for clients, such as Cap Gemini, Oracle EMEA, T-Systems, the Regional Government of Catalonia and BBVA.

    In 2006, he joined ISDEFE, becoming a member of the Centre of Early Alert on Viruses and Computer Security.

    Currently, he is the Head of the Development Team of INTECO-CERT, actively involved, among other projects, in the deployment of a sensor network of spam detection.

  • USKenneth R. van Wyk (KRvW Associates, LLC, US)

    Identifying network scanning tools  [schedule]

    We propose that proper identification of automated network scanning tools has value to network monitoring teams. Currently it is simply misunderstood, improperly handled, or over looked. Furthermore, there is value in the identification and cataloguing of the identification features and options used in those tools. Using a few open source tools (TCPDump, Silk toolset - rwscan with Threshold Random Walk, and MySQL) we will show that valuable information can be catalogued from a simple process of detecting, identifying, and transforming captured network packets (pcap) into a much smaller database record with identification characteristics. This process can also be seamlessly implemented in existing open source NSM products like Sguil, ACID, or BASE.

    The following are valuable analysis results gained from identifying and storing scan metadata:

    • Eliminate known scans from unknown traffic to focus on what is left
    • Identification of a pattern of pre-attack reconnaissance to interrupt an attack cycle
    • If the pre-attack is missed but a pattern is still discernable, the effort to size and scope the incident is quickly reduced by identifying all possible external systems used in the reconnaissance phase. Note, this is not limited to the attacking IP or only systems still in the raw pcap data.
    • Truly identify a scan, not just detect it, to pare down IDS false positives.
    • Free up IDS/IPS resources associated with scan detection and storage.
    • Identify what information could have been gained from the scan.
    • Determining the motivation behind a scan or series of scans that form a pattern, assisting in triage and situational awareness.

    Security Testing: Moving Beyond the Penetration Test  [schedule]

    Penetration testing is the most common form of security testing software, yet it fails the most basic measurement of testing efficacy -- code coverage. To thoroughly and rigorously test the security of software, we must go beyond the penetration test. This session describes many of the testing methods available today including fuzz testing, dynamic validation, as well as how to improve penetration testing practices to drive up measurements such as code coverage.

    Kenneth R. van Wyk

    Kenneth R. van Wyk is an internationally recognized information security expert and author of the O’Reilly and Associates books, Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, (http://www.KRvW.com), he currently holds numerous positions: Founder and moderator of the “Secure Coding” mailing list, SC-L@SecureCoding.org, Member of the Board of Directors and Steering Committee for non-profit organization, FIRST.org, Inc. (http://www.first.org), monthly columnist for on-line security portal, eSecurityPlanet (http://www.eSecurityPlanet.com), and a Visiting Scientist at Carnegie Mellon University's Software Engineering Institute (http://www.sei.cmu.edu). Ken has 20+ years experience as an IT Security practitioner in the academic, military, and commercial sectors. He has held senior and executive technologist positions at Tekmark, Para-Protect, Science Applications international Corporation (SAIC), in addition to the U.S. Department of Defense and Carnegie Mellon and Lehigh Universities.

    Ken also served a two-year elected position as a member of the Steering Committee, and a one-year elected position as the Chairman of the Steering Committee, for the Forum of Incident Response and Security Teams (FIRST) organization. At Carnegie Mellon University’s Software Engineering Institute, Ken was one of the founders of the Computer Emergency Response Team (CERT®). He holds an engineering degree from Lehigh University and is a frequent speaker at technical conferences, and has presented tutorials and technical sessions CSI, ISF, USENIX, FIRST, AusCERT, and others. Kenis also a CERT® Certified Computer Security Incident Handler.

  • DEKlaus-Peter Kossakowski (PRE-CERT – PRESECURE Consulting GmbH, DE)

    CERTification: Assessing CSIRT Maturity  [schedule]

    The CSIRT scene is maturing slowly. If it was in its infancy in the early 90s, then it is in its teens now – still developing, but the signs of maturity are visible. CSIRTs need to be measurable in their maturity for at least two reasons:

    • (1) all ICT services and structures are experiencing a growing demand for quality and measurement of that quality – CSIRTs are no exception;
    • (2) the growing importance of the Internet in all aspects of business and society in general means that the worldwide cooperation of CSIRTs needs to be judged against increasing standards – therefore CSIRTs need the capability to objectively and verifiably assess each other’s operating and policy standards.

    This paper proposes a model which evolves from the already existing CSIRT accreditations (e.g. Trusted Introducer) to better and more objective measures of CSIRT maturity and quality through verification and certification. This model focuses on team maturity rather than the personal development of CSIRT members. Certification of team members remains a potential parameter in assessing CSIRT maturity however. Further the authors will demonstrate the benefits of increasing maturity this way – benefits for management/board level, for the team itself and for interoperation with other CSIRTs (and other stakeholders). The boundary conditions for accreditation and certification will be discussed, including the need for a self-funded, independent, community oriented verification mechanism.

    As the co-chair of the IETF working group “Guidelines and Recommendations for Incident Processing” (GRIP), he was instrumental for the development of the RFC-2350 providing a format for descriptions of CSIRT services. He is also the author of many papers about CSIRTs and international cooperation. Together with Don Stikvoort he initiated a closer cooperation among European CSIRTs and organised several annual meetings to support these. He was elected as a member of the FIRST Steering Committee in 1997, 1999, 2001 and 2003. From June 2003 to June 2005 he was representing FIRST, the worldwide forum of CSIRTs, product security and abuse teams as Chair. Most recently he became chair of the ENISA ad-hoc working group on CSIRT cooperation.

  • USKowsik Guruswamy (Mu Dynamics, US)

    Who’s watching the watch dogs? Security Audits for network infrastructure security enforcement devices  [schedule]

    Many products simulate attacks on end-systems and validate whether or not the systems are up-to-date with their patches. However, there are very few, if any, analysis tools to verify that network infrastructure security enforcement devices such as Intrusion Prevention Systems, Firewalls, UTMs, or any deep-inspection device are vulnerable to 0-day attacks. In other words, nobody is watching the watchdogs.

    There is an ongoing need to audit network infrastructure security enforcement devices to ensure that they have the ability to block attack and protect end-systems and networks as advertised.

    This presentation will discuss the new security analyzer market and solutions, and why security analyzers are instrumental in providing systematic, comprehensive negative testing and auditing. The speaker will also discuss why it is essential that customers continuously audit and conduct negative testing on their network infrastructure in order to minimize the risk to their network, its users, and the corporation’s data.

    Kowsik Guruswamy is the founder and CTO of Mu Security. Prior to founding Mu, he was a Distinguished engineer at Juniper Networks and the Chief Architect for the Intrusion Prevention product line. Kowsik came to Juniper Networks through the acquisition of NetScreen/OneSecure where he designed and architected the first inline Intrusion Prevention device. He holds 8 patents in various networking and security technologies and has a MS in Computer Science from University of Louisiana.

  • PLKrzysztof Silicki (NASK/CERT Polska, PL)

    Barriers to CSIRTS cooperation with other CSIRTS and The CLOSER Project  [schedule]

    Barriers to CSIRTS cooperation with other CSIRTS

    The growing number of network security incidents and computer crime statistics indicate that the current condition of ICT security is unfavorable and the future is ambiguous. This can have a significant negative impact on the world economy which is increasingly dependant on electronic communication.

    It is not clear who is responsible for such a situation and why there is no breakthrough in  security despite many initiatives over the years. Home users, vendors, ISPs, governments have often different points of view and interests looking at their roles in the process of improving Internet security.

    Nevertheless a success in combating harmful and illegal activates on the Internet is very much related to the intensity and quality of a cooperation between all stakeholders. A cooperation within a particular stakeholder community is important as well.

    Undoubtedly the  CSIRT community is an important player in this area and it has potentially all the assets required to build models of effective cooperation both inside a community and with external parties. To achieve this goal, barriers to cooperation should be analyzed and proposals to overcome them should be created - including proper incentives.

    In the article the authors will present existing barriers, such as:

    • Necessity of information confidentiality (vs. information sharing)
    • Lack of service level agreement between CSIRTs
    • Differences in Legal Systems
    • Lack of standards
    • Incident handling
    • Data exchange formats
    • Threat assessment
    • Insufficient organizational, political and financial support

    In a correspondence to these barriers preliminary proposals of solutions and incentives will be presented. Ideally this could involve a discussion which start some initiatives (e.g. SIGs) and projects to that could foster better CSIRT cooperation.


    The CLOSER Project

    The CERT concept, after almost 20 years of the existence, is recognized as the one of the most effective way of combating illegal activities in the Internet. This effectiveness is in part a result of a good communication between incident response teams. However, communication sometimes becomes a problem because of a lack of sufficient coverage by CSIRTs in a particular region. To improve this situation, the CERT Polska team, with the NATO support, started the CLOSER project, which is mainly about establishing the new teams in the regions where there are white spots on the map of the CSIRT world (project duration 2007-2009). Participants of the project are countries associated in CEENet http://www.ceenet.org (see attachment).

    The project is aimed at building a network of operational CSIRT teams through:

    • Coaching and mentoring activities of emerging CSIRTs by existing and mature teams. At the first stage of the project, teams will be assisted in reaching basic operational capability. After achieving that stage, support will be provided to resolve possible issues related to everyday CSIRT work.
    • Establishing organisational standards and procedures for incident handling in coached CSIRT teams based on mentors’ experience. This includes common classification schemes for incidents, allowing for comparison of incident characteristics across teams.
    • Introduction of new teams to international forums (like FIRST, TF-CSIRT, Trusted Introducer), allowing for exchange of knowledge and experience as well as setting a platform for operational exchange of information and common incident handling world-wide.

    For successful integration of new established teams with existing international cooperation forums emphasis will be put on helping new teams in formal and informal joining of international forums (e.g. FIRST). We believe that experiences from the CLOSER project could be valuable in the discussion on how to reach out to new areas with the CERT concept.

    Krzysztof Silicki

    Krzysztof Silicki graduated from Warsaw University of Technology, Department of Fine Mechanics. After graduation, he worked in the Institute of Electron Technology. He joined NASK at the very beginning of the company's establishment (in 1993). Since February 2000 he has held the post of Technical Director.

    He established and actively manages the CERT NASK team ("CERT Polska" since December 2000) - the first such team in Poland. He also created and was the main co-ordinator of the "SECURE" conference, which is held by NASK since 1997. Silicki is a well-known creator in the IT environment and the chief editor (since 1999) of the monthly IT magazine NETforum. He is the author of many publications devoted to the problem of securing networks and has issued many expert opinions on network security and confidentiality mechanisms, authorisation technologies and principles for proceeding in the event of a breach of network security. Since 2004 Krzysztof Silicki has held a position of Polish representative in the ENISA Management Board.

  • ESLuis Fernández (INTECO, ES)

    National spam monitoring network  [schedule]

    Spam, as unsolicited e-mail, has become a serious problem not only for final users, but also for companies that use e-mail on a daily basis at work, due to the economic damage that it causes. Nowadays, it seems that this issue has no direct solution, although more and more efficient antispam solutions are constantly developed.

    In this context, it is extremely important to have mechanisms that allow us to measure in some way the most significant information about the current spam situation.

    For this reason, due to its status of national public institution, INTECO-CERT has promoted the establishment of collaboration agreements with a group of different and varied organizations. As a result of these agreements, programs acting as sensors or meters have been installed in these organizations to collect information about spam. The information is centralized and properly analyzed, which makes easier its future exploitation.

    The most useful information that results from this process is shown in form of statistics in a web site accessible to the general public, thanks to the advantages that the widespread use of Internet offers.

    In this sense, users can interact in a friendly way with the application, which will offer them results that can be easily interpreted and a general view of the spam situation in Spain and in the rest of the world

    Luis Fernández holds a degree in Computer Science from the University of León and has continued his training with several specialisation courses:

    • TRANSITS course on CSIRT Security Technicians offered by INTECO and the University of León.
    • Course on Accessibility and Web Usability offered by the Centre of Reference in Accessibility and Web Standards of INTECO.
    • Course on Computer Expertise offered by the Professional Association of Engineers of Castilla y Leon.
    • Various courses of the postgraduate programme “Intelligent Systems in Engineering” offered by the University of León.

    He has more than 4 years of experience in the IT sector and has participated in several projects of IT consulting, development and implementation of software applications for different public administrations.

    Since 2006, he develops his professional career in the development team of INTECO-CERT, where he currently participates, among other projects, in the deployment of the Sensor Network of Spam Detection.

  • USMark Zajicek (CERT/CC – Carnegie Mellon University, US)

    Creating and Managing Computer Security Incident Response Teams(CSIRTs)  [schedule]

    This one-day course is designed to provide a high-level overview of the issues involved in creating and managing an effective computer security incident response team (CSIRT).

    For anyone who is new to the field or who is interested in the type of activities a CSIRT performs, this course will provide valuable insight and suggestions for developing such a capability.

    A high-level discussion of key issues and topics is covered in this one-day tutorial, focusing on the purpose and structure of CSIRTs, incident management processes, key design and implementation elements, CSIRT operational issues, and other CSIRT functions.

    Incident Management Mission Diagnostic(IMMD) Method  [schedule]

    The Incident Management Mission Diagnostic (IMMD) is a risk-based approach for determining the potential for success of an organization's incident management capability (IMC).

    An organization's IMC potential for success is based on a finite set of current conditions – a limited set of key indicators used to estimate the current IMC health relative to a defined benchmark. Decision-makers can determine if the current state of their IMC is acceptable, or if actions are required to improve the situation. The IMMD can be viewed as an efficient, first-pass screening of an IMC to provide a quick evaluation and diagnose any unusual circumstances that might affect its potential for success.

    This presentation will provide an overview of the IMMD method.

    Incident Management Mission Diagnostic Method, Version 1.0
    http://www.cert.org/archive/pdf/08tr007.pdf

    Mark Zajicek

    Mark Zajicek is a member of the technical staff at the Software Engineering Institute (SEI) at Carnegie Mellon University. Zajicek's current work is focused on helping other organizations to build their own computer security incident response team (CSIRT) or incident management capability (IMC). As a member of the CERT® CSIRT Development Team , part of the Practices, Development, and Training group within the CERT Program at the SEI, he is responsible for providing guidance to new and existing CSIRTs, worldwide. He has codeveloped a variety of documents and training materials, and is an instructor for a suite of several courses that provide training for CSIRT managers and technical staff. Previously, Zajicek was the Daily Operations team leader for the CERT Coordination Center (CERT/CC), after having joined the CERT/CC's incident handling staff in 1992. Prior to joining the CERT/CC, he was a user consultant for the Computing Facilities group at the SEI. Zajicek also helped support the CERT/CC during its initial start-up in 1988. Zajicek has co-authored publications including Handbook for Computer Security Incident Response Teams (CSIRTs), 2nd Edition; State of the Practice of Computer Security Incident Response Teams (CSIRTs); Organizational Models for Computer Security Incident Response Teams (CSIRTs); Defining Incident Management Processes for CSIRTs: A Work in Progress; Incident Management Capability Metrics, Version 0.1; and Incident Management Mission Diagnostic Method, Version 1.0. Zajicek holds a Bachelor of Science in Electrical engineering and Biomedical Engineering from Carnegie Mellon University. Zajicek can be reached directly by email at mtz@cert.org or via the CERT CSIRT Development Team alias at csirt-info@cert.org


  • NLMartijn van der Heide (KPN-CERT – Chairman KPN-CERT, NL)

    Abuse Handling SIG  [schedule]

  • USMichael La Pilla (VeriSign – iDefense, US)

    Inside a BBB Malware Scheme - Mapping and Dissecting Attacker Infrastructure  [schedule]

    Between February 2007 and November 2007 one group was responsible for at least 13 targeted email campaigns using various government agencies to trick victims into installing malicious code. Using a combination of investigative tactics, custom written tools and perseverance it is possible to follow the attackers footprints and infrastructure through the attacks. During the investigation the attacker is seen modifying attack codes, improving targeting and altering his/her cash out scheme to adapt to shutdowns, law enforcement and investigations.

    The goal of the presentation is to provide a case study in tracking long term malicious code campaigns using this series of incidents. The data collected includes preventative information used to mitigate some attacks before they were released and protect victims from fraudulent transactions.

    Michael La Pilla, Manager, iDefense Malicious Code Operations Team

    Mr. La Pilla leads the iDefense Malicious Code Operations Group (Malcode), responsible for the active collection of open-source intelligence, and for the reporting and analysis of new and prevalent malicious code. Mr. La Pilla also develops and maintains projects for the iDefense malicious code lab. Mr. La Pilla's expertise lies in the area of malicious code that targets financial institutions and their customers. Prior to joining iDefense, Mr. La Pilla worked as a contractor in the Web hosting sector while pursuing a BS in Computer Engineering from Virginia Tech.

  • USMichael H. Warfield (IBM Internet Security Systems, US)

    Virtualization Technology A Manifold Arms Race  [schedule]

    Lately, the term "virtualization" has been all the rage in the news and in technology forums. For many, the term virtualization brings to mind products like VMware and Xen and virual machines. But virtualization has been around much longer than VMware or Xen and is much broader than either of these two specific examples. Virtualization is also well known in the security underground, where it is also a popular topic from both an offensive perspective and a defensive perspective.

    Michael Warfield is a Senior Researcher and Analyst for the X-Force Threat Analysis Team of IBM Internet Security Systems, Inc. (IBM-ISS).

    With computer security experience dating back to the early 1970s and Unix experience dating back to the early 1980s, Mike is responsible for doing research into security vulnerabilities and intrusion protection techniques for IBM-ISS X-Force, the research division of IBM-ISS.

    Prior to joining Internet Security Systems, Mike has held positions such as, a Unix systems engineer, Unix consultant, security consultant and network administrator on the Internet. He is one of the resident Unix gurus at the Atlanta UNIX Users Group and is one of the founding members of the Atlanta Linux Enthusiasts. He is also an active member of the Samba development team and is a contributor to the Linux Kernel and numerous Open Source Software projects. Mike has published articles on both Samba and on Security and is a respected cryptographer in the Open Source community.

  • CNDr Minghua Wang (CNCERT/CC – National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)

    Malicious Websites on the Chinese Web: Overview and Case Study  [schedule]

    The World Wide Web and online Games have become very popular within China, driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, quite a large number of blackhats construct malicious websites and infect the victims with stealer Trojans, steal the virtual assets from the exploited computers and sell them for money. In this paper, we give the overview of the malicious websites phenomenon in China, including its background, history and the driven underground economy chain. Furthermore, we present the detailed behinding scene of this specific threat, as well as our analysis procedure. From the case study, we can find it as a representative large web-based Trojan network constructed by the organized and experienced blackhats, and is completely for economic profits. To deal with these threats, we need to build a monitoring system and improve the efficiency of co-operations between CISRTs.

    Minghua Wang, Engineer of National Computer Emergency Response Team/Coordination Center, China. he got his Ph.D. degree of Beijing University of Posts and Telecommunications in June 2006. His research interests include security measurement, incident response and cryptology.

  • PLMiroslaw Maj (NASK/CERT Polska, PL)

    Barriers to CSIRTS cooperation with other CSIRTS and The CLOSER Project  [schedule]

    Barriers to CSIRTS cooperation with other CSIRTS

    The growing number of network security incidents and computer crime statistics indicate that the current condition of ICT security is unfavorable and the future is ambiguous. This can have a significant negative impact on the world economy which is increasingly dependant on electronic communication.

    It is not clear who is responsible for such a situation and why there is no breakthrough in  security despite many initiatives over the years. Home users, vendors, ISPs, governments have often different points of view and interests looking at their roles in the process of improving Internet security.

    Nevertheless a success in combating harmful and illegal activates on the Internet is very much related to the intensity and quality of a cooperation between all stakeholders. A cooperation within a particular stakeholder community is important as well.

    Undoubtedly the  CSIRT community is an important player in this area and it has potentially all the assets required to build models of effective cooperation both inside a community and with external parties. To achieve this goal, barriers to cooperation should be analyzed and proposals to overcome them should be created - including proper incentives.

    In the article the authors will present existing barriers, such as:

    • Necessity of information confidentiality (vs. information sharing)
    • Lack of service level agreement between CSIRTs
    • Differences in Legal Systems
    • Lack of standards
    • Incident handling
    • Data exchange formats
    • Threat assessment
    • Insufficient organizational, political and financial support

    In a correspondence to these barriers preliminary proposals of solutions and incentives will be presented. Ideally this could involve a discussion which start some initiatives (e.g. SIGs) and projects to that could foster better CSIRT cooperation.


    The CLOSER Project

    The CERT concept, after almost 20 years of the existence, is recognized as the one of the most effective way of combating illegal activities in the Internet. This effectiveness is in part a result of a good communication between incident response teams. However, communication sometimes becomes a problem because of a lack of sufficient coverage by CSIRTs in a particular region. To improve this situation, the CERT Polska team, with the NATO support, started the CLOSER project, which is mainly about establishing the new teams in the regions where there are white spots on the map of the CSIRT world (project duration 2007-2009). Participants of the project are countries associated in CEENet http://www.ceenet.org (see attachment).

    The project is aimed at building a network of operational CSIRT teams through:

    • Coaching and mentoring activities of emerging CSIRTs by existing and mature teams. At the first stage of the project, teams will be assisted in reaching basic operational capability. After achieving that stage, support will be provided to resolve possible issues related to everyday CSIRT work.
    • Establishing organisational standards and procedures for incident handling in coached CSIRT teams based on mentors’ experience. This includes common classification schemes for incidents, allowing for comparison of incident characteristics across teams.
    • Introduction of new teams to international forums (like FIRST, TF-CSIRT, Trusted Introducer), allowing for exchange of knowledge and experience as well as setting a platform for operational exchange of information and common incident handling world-wide.

    For successful integration of new established teams with existing international cooperation forums emphasis will be put on helping new teams in formal and informal joining of international forums (e.g. FIRST). We believe that experiences from the CLOSER project could be valuable in the discussion on how to reach out to new areas with the CERT concept.

    Miroslaw Maj

    Miroslaw Maj is employed in the Research and Academic Computer Network since 1995. From 1996 to 1999 he was member of the NASK Security Team. From 1996 he is member of CERT Polska Team and from 2001 he is the head of this team. Mirosław Maj is the organizer and lecturer of security conferences in Poland. He is the author of the papers on security statistics and others subjects from the security area. He is involved in international cooperation between CSIRT teams as well as in formal European projects related to security issues (standards, statistics, fighting with an illegal content, building security awareness and establishing new CSIRT teams). He participates in the activities on the national level with the goal of protecting critical ICT infrastructure.

    Mirosław Maj has successfully completed the training in Carnegie Mellon University – Managing Computer Security Incident Response Teams. He also completed PRINCE2 methodology training.

    Since 2004 Mirosław Maj has held a position of Polish Liaison Officer for ENISA. For the last two years he is a member of ENISA Working Group on CERT Cooperation and Support. He is also a co-author of documents prepared for ENISA about CERT Cooperation and CERT exercises.

  • UKPeter Wood (First Base Technologies, UK)

    The future of hacking: Blended attacks using social engineering  [schedule]

    What is a hacker: Someone who breaks into computer systems in order to steal or change or destroy information? Someone for whom computing is its own reward? Hacking is a way of thinking. A hacker is someone who thinks outside the box. It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them. Hacking applies to all aspects of life and not just computers. The new blended attack is social engineering plus technology. Over the past fifteen years, Peter Wood has conducted numerous penetration tests for some of the largest organisations in the world. His experience in simulating attacks for these organisations has led to a unique approach combining real-world criminal methods and tools in both the social engineering and technical spheres. This workshop will describe how criminals are succeeding in stealing information, often without the victims even being aware it. He will call on case histories and "war stories" to illustrate each type of blended attack, and demonstrate some techniques and tools in real time on the day.

    Peter’s innovative and entertaining style has led him to present to the boards of the largest international companies as well as at international conferences on many IT security-related topics.He was recently rated the British Computer Society’s number one speaker.

    Peter has worked in the electronics and computer industries since 1969. He has extensive experience of international communications and networking, with hands-on experience of many large-scale systems. Peter’s board-level responsibilities have included sales, marketing and technical roles, giving him a broad industry view.

    Founded in May 1989, First Base Technologies provides security testing and audit services to international companies and UKL government. Peter has hands-on technical involvement in the firm on a daily basis, working in areas as diverse as penetration testing, social engineering and skills transfer.

    Peter is a Fellow of the British Computer Society and a Chartered IT Professional. He is a member of the BCS Register of Security Specialists and a CISSP. He is also a member of ACM, HTCIA, IEEE, IISP, IMIS, ISACA, ISSA and Mensa.

  • USPeter G. Allor (IBM Internet Security Systems, US)

    Industry Briefing – An Exercise in Vendor Coordination  [schedule]

    Public and Private Collaboration for Improved National Cyber Security  [schedule]

    As part of a concerted effort to secure the nation’s IT infrastructure, including service provider networks, the Federal government is working to create a comprehensive, central repository of raw security data that can be shared by the private and public sectors. This data is key to pinpointing critical cyber security trends for early warning and situational awareness. The problem is that raw data is usually highly specific, lacking in context, and clearly identifies the author – creating a potentially devastating impact if it were to be illegally accessed or used for unauthorized purposes. This session will outline a plan towards creating mutually beneficial “data centers of excellence” that employ best practices in cyber security and information assurance, enabling the public and private sectors to share raw security data without the political and technical hurdles of ownership. Key Learning Objectives: How to create bridges of trust for sharing information instead of data Best practices in cyber security for data protection How Federal, State and Local government can work effectively through and with the private sector, including service providers

    SCADA Security – Who Is Really In Control of Our Control Systems?  [schedule]

    Peter Allor is the director of intelligence and special assistant to the General Manager for IBM Internet Security Systems where he is responsible for guiding the company’s overall security intelligence initiatives and participation in enterprise and government implementation strategies. He assists X-Force Research and Development Team with the collection, analysis and dissemination of information regarding cyber vulnerabilities, exploits, incidents, threats and early warning. This information is used to provide customers with information and resources to employ best practices to defend their networks from potential attacks.

    Allor is also the director of operations for the Information Technology - Information Sharing and Analysis Center (IT-ISAC) as part of the X-Force Internet threat intelligence services-- a task force that provides global information protection solutions analysis for securing IT infrastructure and defending key online assets and critical infrastructures from attack and misuse. He is responsible for managing ISAC operations where members report vulnerabilities, solutions, best security practices and track hackers globally. The ISAC operations center provides threat analysis and anonymous reporting of security vulnerabilities and shares solutions with all of its members.

    Allor participates on the ISAC Council, a private industry forum for sharing information, and is a member of the Georgia Business Force. He also participated in the formation of the Information Technology Sector Coordination Council (IT SCC). As a member of the ISS FIRST team, Allor has spoken at numerous events on security, information sharing and cyber intelligence, including Homeland Security for Networked Industries, GFirst National Conference, FIRST, Infragard National Conference, Forbes Corporate Security Forum, iSecuTech Taiwan and Secret Service San Francisco. In 2005, Allor was presented with IT* Security Magazine’s Individual Innovation Award.

    Prior to joining IBM Internet Security Systems, Allor served in the United States Army where he worked in a variety of security related positions reporting from Panama to Korea, as well as the Middle East.

    Allor holds a bachelor’s degree in business administration degree from Rollins College and a master’s degree in organizational management from the University of Phoenix. He is a graduate of the U.S. Army Command and General Staff College. In addition, he is a member of the Information Systems Security Association (ISSA) and the Atlanta InfraGard Chapter.

    Peter Allor is the director of intelligence and special assistant to the General Manager for IBM Internet Security Systems where he is responsible for guiding the company’s overall security intelligence initiatives and participation in enterprise and government implementation strategies. He assists X-Force Research and Development Team with the collection, analysis and dissemination of information regarding cyber vulnerabilities, exploits, incidents, threats and early warning. This information is used to provide customers with information and resources to employ best practices to defend their networks from potential attacks.

    Allor is also the director of operations for the Information Technology - Information Sharing and Analysis Center (IT-ISAC) as part of the X-Force Internet threat intelligence services-- a task force that provides global information protection solutions analysis for securing IT infrastructure and defending key online assets and critical infrastructures from attack and misuse. He is responsible for managing ISAC operations where members report vulnerabilities, solutions, best security practices and track hackers globally. The ISAC operations center provides threat analysis and anonymous reporting of security vulnerabilities and shares solutions with all of its members. Allor participates on the ISAC Council, a private industry forum for sharing information, and is a member of the Georgia Business Force. He also participated in the formation of the Information Technology Sector Coordination Council (IT SCC). As a member of the ISS FIRST team, Allor has spoken at numerous events on security, information sharing and cyber intelligence, including Homeland Security for Networked Industries, GFirst National Conference, FIRST, Infragard National Conference, Forbes Corporate Security Forum, iSecuTech Taiwan and Secret Service San Francisco. In 2005, Allor was presented with IT* Security Magazine’s Individual Innovation Award.

    Prior to joining IBM Internet Security Systems, Allor served in the United States Army where he worked in a variety of security related positions reporting from Panama to Korea, as well as the Middle East.

    Allor holds a bachelor’s degree in business administration degree from Rollins College and a master’s degree in organizational management from the University of Phoenix. He is a graduate of the U.S. Army Command and General Staff College. In addition, he is a member of the Information Systems Security Association (ISSA) and the Atlanta InfraGard Chapter.

  • PLPiotr Kijewski (CERT POLSKA – NASK/CERT Polska, PL)

    The HoneySpider Network: Fighting client-side threats  [schedule]

    The Honeyclient Project is a joint venture between NASK/CERT Polska, GOVCERT.NL and SURFnet. The goal is to develop a complete open source honeyclient system, based on existing state-of- the-art client honeypot solutions and an advanced crawler. The system is focused primarily on attacks against, or involving the use of Web browsers. These include detection of drive-by downloads, malicious binaries and phishing attempts. Apart from identifying browser exploits (including 0day attacks), the system is expected to automatically obtain and analyze the attacking malware and ultimately generate its signature. The major incentive to start this project is the rapidly growing number of browser exploits involving varying degrees of user interaction. These types of attacks lie outside the scope of current monitoring systems in use by the three parties. Therefore we view this new system as an expansion of our current monitoring and early warning abilities. Interfaces with existing systems - the CERT Polska ARAKIS system and SURFnet IDS - will be designed. The system will improve situational awareness of what is happening on the Internet and improve security services offered by the parties to their constituents. The project itself is the result of very close cooperation of three different organizations from two different countries – such cooperation involving research into new areas and software development has been rare so far in the CERT community. The proposed article and presentation will include a short introduction of client honeypots and the state-of-the-art. It will then describe how attacks that involve malicious web servers are being carried out and what techniques attackers use to make analysis of such activity more difficult. The functional requirements and architecture of the solution will be presented. It will also briefly touch upon the lesson learned regarding international cooperation. Novel detection heuristics for low interaction client honeypots will be introduced. Finally, preliminary results of the functioning of the system will be published.

    Piotr Kijewski Piotr Kijewski works for NASK since 2002, as an IT Security Specialist in the CERT Polska team. His main interests in the computer and network security field include intrusion detection, honeynets and network forensics. He has also worked for nearly 10 years as a network administrator at the Warsaw University of Technology and as a network security consultant for many companies in Poland. He holds an MSc degree in Telecommunications from the Warsaw University of Technology.
  • PLPrzemyslaw Jaroszewski (CERT POLSKA, PL)

    Spotspam - Tackling Spam at New Frontiers  [schedule]

    Whereas sending spam is illegal in many countries, there are only a small number of convictions of spammers both in the area of penal law as well as when it comes to claiming damages. In many cases this is due to technical means taken by spammers to hide their identity. Sometimes the reason is sheer lack of enough reported and confirmed cases from individuals willing to go through all the procedures required by various legal systems. The fact that spamming is a cross-border phenomenon only makes things worse.

    Within SPOTSPAM, a project realized in two years between 2005 and 2007 by eco (German Association of Internet Providers) and NASK, legal research was conducted and technical solutions built to make it possible to legally gather, process and share reports from individual users in ways that would make them usable in the court of law. While the system developed for the project automatically collects a lot of investigative information (such as whois data of IP addresses and e-mails), it also tries to find points of most value for parties potentially interested in pressing charges against spammers in the following ways:

    • Individual reports are clustered into spam campaigns, i.e. mass waves of emails with similar characteristics indicating that they likely came from asingle source.
    • Content of messages is analyzed to identify types of spam that are penalized under laws that allow for fast and effective legal handling, e.g. illegal distribution of drugs and medicaments or pornography presented to minors.
    • Reports can be scanned against keywords such as domains of email addresses (which might be of interest to email providers when their domains areused or faked as sending) or trademarks (when owner’s rights are breached). The paper will discuss methods and algorithms used by the system, their effectiveness, weaknesses and areas for improvement.

    Przemyslaw Jaroszewski is a security specialist in CERT Polska. For the past seven years he has been involved in incident response, advocating and coaching in computer security, as well as taking part in various security-related projects. One of his main areas of interest is e-mail security and spam. He was managing processes of development and implementation of a prototype database in the SPOTSPAM project.

  • SEPär Österberg Medina (Swedish IT Incident Centre, Sitic, SE)

    Detecting Intrusions - The latest forensics tools and techniques to identify Windows malware infections  [schedule]

    Responding to IT incidents and investigating computers for signs of a compromise can be a challenging and time consuming task, which becomes all the more complicated with the proliferation of malware and rootkit technology. This full day tutorial will teach forensic acquisition and analysis techniques with a focus on investigating and identifying potential intrusions involving the Windows OS. The course is aimed at a technical audience, preferably incident responders and forensic examiners, who are interested in learning the latest in volatile data analysis and live forensics techniques.

    The course is split into two sessions, the first focusing on acquisition, and the second on analysis.

    After a outlining a methodology for conducting forensic incident response, we will, in the morning session, walk through the construction of a 'First Responders Toolkit', the purpose of which is the live collection of volatile data from a potentially compromised windows OS. Participants will be walked through the process of first assembling the toolkit from a number of open source and freely available tools, and then hardening this trusted toolset.

    Volatile memory acquisition will then be introduced, identifying specific pro's and con's of the currently available approaches, providing participants with the knowledge of how to choose the right tool for their circumstances.

    The culmination of the morning session is to employ the constructed toolkit to collect various pieces of evidence from a live system in the order of volatility: main memory, the swap file, NTFS meta data files, the Registry and lots more.

    The second session is organized into two components: analysis of storage related data, and analysis of volatile memory. In this session, participants will be shown how to analyze the data collected in the morning session.

    In the storage analysis section, we will analyze the $Mft, the heart of NTFS, looking for Alternate Data Streams and commonly used File System Anti-Forensic techniques. We then introduce analysis techniques which identify malware behavior by identifying discrepancies between the user mode view of the filesystem, and the raw filesystem.  Additional practical topics covered include analysis of the raw Windows Registry files, fast analysis of binary files collected from running system and how to effectively use databases of hashes to distinguish unknown files and modified binaries from known operating system files.

    The volatile memory analysis component of the second session will begin with an introduction into the basics of Windows memory management. Then we will start to explore memory dumps, employing freely available forensic memory analysis tools, so participants can take them home and start working with them immediately. We will cover some of the leading-edge commercial tools in the field, and identify their merits relative to the freely available tools. Participants will be instructed in the use of the Windows debugging infrastructure for exploring memory dumps, and verifying the semantic integrity of these dumps. The afternoon session will culminate in participants trying out the tools on a number of sample images to uncover exploits and actual rootkit infections on their own.

    Participants are expected to bring their own laptop with a DVD player and Microsoft Windows will be required to run most of the programs provided. Sample files for analysis will be available during class so save at least 10GB of free hard drive space.

    This course is based on the course "The latest in forensic tools and techniques to examine Microsoft Windows", which was presented at the 2007 FIRST conference in Seville. Developed and presented by Andreas Schuster and Pär Österberg Medina, the course received high ratings from participants.

    Pär Österberg-Medina (CISSP) started his career doing Unix and Windows network administration, but quickly migrated into doing only security related work, like administrating firewall and intrusion detection systems. After working several years doing penetration testing for various consulting firms, he started working for the Swedish Gvt CERT (Sitic), where he among other things has been handling IT incidents for the last five years.

  • USRaffael Marty (Splunk, US)

    Applied Security Visualization  [schedule]

    Visualization of data has proven to be the approach generating the best return on investment when it comes to complex data analysis problems. This workshop takes a step-by step approach to visually analyzing data.

    I will use a few open source tools to process the information and generate visual representations. Among them is a tool called AfterGlow (afterglow.sourceforge.net), which was written by the submitter. It is a very simple tool to visualize preprocessed information. The analysis I will go over in the workshop will show how to find insider abuse, help with compliance reporting, and use visualization for perimeter threat (e.g., IDS and firewall log analysis).

    The goal of the workshop is to leave the audience with the knowledge and tools to do visual log analysis on their own data. I will be discussing log sources, how to get from the data to graphs, what open source tools are available for visualization, and how to address the above use-cases in detail.

    As chief security strategist and senior product manager, Raffy is customer advocate and guardian - expert on all things security and log analysis at Splunk. With customers, he uses his skills in data visualization, log management, intrusion detection, and compliance to solve problems and create solutions. Inside Splunk, he is the conduit for customer issues, new ideas and market requirements to the development team. Fully immersed in industry initiatives, standards efforts and activities, Raffy lives and breathes security and visualization. His passion for visualization is evident in the many presentations he gives at conferences around the world and the upcoming "Applied Security Visualization" book. In addition, Raffy is the author of AfterGlow, founder of the security visualization portal http://secviz.org, and contributing author to a number of books on security and visualization.

  • USRalph Thomas (VERISIGN iDefense, US)

    Cyber Fraud Trends  [schedule]

    Financial institutions worldwide face an ever-increasing number of malicious code and phishing attacks that adapt and mature constantly. Regulators and industry promote authentication as panacea while the crooks are developing and deploying highly specialized Trojans designed to target and circumvent multifactor authentication schemes. Hijacking transactions that a user has initiated and authorized is the newest of these targeted threats. This technique has been discussed theoretically for some time but has now left the malware labs and is actively being used in real world attacks, not only against financial institutions. Technology and implementation are important factors for the effectiveness of multifactor authentication schemes and even strong technologies with correct implementations that thwart transaction-hijacking attempts have weaknesses that might constitute a surface for future attack scenarios.

    This presentation discusses state of attack and mitigation techniques surrounding transaction-hijacking and lessons learned from real world incidents. The audience will be given an overview on implementation details that can make or break a successful authentication scheme in light of these new threats.

  • USRichard Perlotto (Shadowserver Foundation, US)

    The life cycle of infections and a botnet  [schedule]

    This would be a half-day demonstration of the infection of systems, the capture, and analysis of the malware, and the live interaction of a botnet.

    Requirements

    To participate in this class, each member will be required to have a computer system that they bring that is capable of running a VMWare image. Each system will need to have a USB port, as well as a hard wired ethernet connection. The host system should have some form of Anti-Virus and firewall software loaded. This class will be working with and utilizing live infecting malware and there is always a chance of a local infection if your system is not up to date and protected.

    Bot Herder Case Studies  [schedule]

    We will present two to three different case studies on botnet herders and showing examples of behavior and activity.

    Richard Perlotto is one of two directors running the Shadowserver Foundation, an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud.

    Mr. Perlotto runs the technology and operational side of the organization with a focus on streamlining the processes and information gathering techniques.

    Richard Perlotto is an Information Security Adviser for Cisco Systems providing assistance and guidance on Information, Internet Risks and Threats to Cisco and their Customers. Previously he ran Security Operations worldwide for all of Cisco for almost four years. He is a ten-year Cisco veteran.

  • USRobert Floodeen (Spectrum, US)

    Identifying network scanning tools  [schedule]

    We propose that proper identification of automated network scanning tools has value to network monitoring teams. Currently it is simply misunderstood, improperly handled, or over looked. Furthermore, there is value in the identification and cataloguing of the identification features and options used in those tools. Using a few open source tools (TCPDump, Silk toolset - rwscan with Threshold Random Walk, and MySQL) we will show that valuable information can be catalogued from a simple process of detecting, identifying, and transforming captured network packets (pcap) into a much smaller database record with identification characteristics. This process can also be seamlessly implemented in existing open source NSM products like Sguil, ACID, or BASE.

    The following are valuable analysis results gained from identifying and storing scan metadata:

    • Eliminate known scans from unknown traffic to focus on what is left
    • Identification of a pattern of pre-attack reconnaissance to interrupt an attack cycle
    • If the pre-attack is missed but a pattern is still discernable, the effort to size and scope the incident is quickly reduced by identifying all possible external systems used in the reconnaissance phase. Note, this is not limited to the attacking IP or only systems still in the raw pcap data.
    • Truly identify a scan, not just detect it, to pare down IDS false positives.
    • Free up IDS/IPS resources associated with scan detection and storage.
    • Identify what information could have been gained from the scan.
    • Determining the motivation behind a scan or series of scans that form a pattern, assisting in triage and situational awareness.

    Robert Floodeen is cofounder of Outbreak Security, LLC, an Information Security Architect for the Envision Labs division of Spectrum Comm Inc., and a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor for the CERT/CC. Robert has led teams in Intrusion Detection for various U.S. DoD Agencies, to include the Pentagon and as an Operations Manager for the Defense Threat Reduction Agency CERT. Robert holds an undergraduate degree in computer science, with honors and is finishing his Masters degree, also in computer science. He has been formerly trained by the U.S. Army in network administration and computer network defense.

  • CARobert Pitcher (CCIRC, CA)

    Building a no frills malware lab: How to construct a relatively inexpensive, yet effective, malware analysis lab for CIRTs  [schedule]

    Summary: CCIRC would like to host a 3 hour session that involves the creation of a relatively cheap malware analysis lab. The session will focus on open source tools, procedures, hardware and software that can be combined to create a highly effective malware analysis station that can rival modern commercial versions. The session will cover the requirements, setup demonstration, and employment of the tools in the analysis of an archived CCIRC malware related incident.

    Background: Incident handlers often need to perform a quick behavior analysis of malware when handling infected computers. There are many online and commercial services offering this capability ranging from free, to extremely expensive. However, in many instances the information to be analyzed may be sensitive, and the need arises for a CIRT team to perform its own analysis. The question then arises as to how do you process malware, which is sensitive and/or not typically detected by modern vendors, in a timely manner? The answer is that each CIRT team needs the ability to analyze any malware it receives. CCIRC will present a setup that will equal no more than the cost of two PCs, configured to match the organization standards of each organization. CCIRC will base the development of this presentation on an actual proven setup currently in use by our office, and demonstrate its effectiveness through the processing of an archived CCIRC malware event.

    (Note: We have decided to pursue a three hour session as it will provide ample time to show the setup, configuration, and application of the lab in a real world example. This presentation can be reduced to a single session in which only the requirements would be covered if space is limited. However, for the full effect, a three hour session is preferred.)

  • USRobin Ruefle (CERT/CC – Carnegie Mellon University, US)

    Creating and Managing Computer Security Incident Response Teams(CSIRTs)  [schedule]

    This one-day course is designed to provide a high-level overview of the issues involved in creating and managing an effective computer security incident response team (CSIRT).

    For anyone who is new to the field or who is interested in the type of activities a CSIRT performs, this course will provide valuable insight and suggestions for developing such a capability.

    A high-level discussion of key issues and topics is covered in this one-day tutorial, focusing on the purpose and structure of CSIRTs, incident management processes, key design and implementation elements, CSIRT operational issues, and other CSIRT functions.

    Incident Management Mission Diagnostic(IMMD) Method  [schedule]

    The Incident Management Mission Diagnostic (IMMD) is a risk-based approach for determining the potential for success of an organization's incident management capability (IMC).

    An organization's IMC potential for success is based on a finite set of current conditions – a limited set of key indicators used to estimate the current IMC health relative to a defined benchmark. Decision-makers can determine if the current state of their IMC is acceptable, or if actions are required to improve the situation. The IMMD can be viewed as an efficient, first-pass screening of an IMC to provide a quick evaluation and diagnose any unusual circumstances that might affect its potential for success.

    This presentation will provide an overview of the IMMD method.

    Incident Management Mission Diagnostic Method, Version 1.0
    http://www.cert.org/archive/pdf/08tr007.pdf

    Robin Ruefle

    Robin Ruefle is a member of the technical staff of the CERT Program at the Software Engineering Institute at Carnegie Mellon University. She works as a member of the CERT® CSIRT Development team (CDT). Ruefle’s focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs) worldwide. As a member of the CDT, Ruefle develops and delivers sessions in the suite of courses offered to CSIRT managers and incident handling staff, including Creating a CSIRT, Managing CSIRTs, Fundamentals of Incident Handling, and Advanced Incident Handling for Technical Staff. She also participates in the Train-the-Trainer program that licenses these products to existing CSIRTs. The CSIRT Development Team also provides guidance in the development of implementation strategies, policies, standard operating procedures, response plans, and training programs for new and existing CSIRTs. As part of that work, Ruefle has authored or co-authored publications including: Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, The Role of Computer Security Incident Response Teams in the Software Development Life Cycle, as well as numerous other articles and best practice guides. These documents can be found on the CSIRT Development webpages at [http://www.cert.org/csirts/]. Ruefle has presented at numerous incident response and security conferences, including The Forum for Incident Response and Security Teams (FIRST), The US Government Forum for Incident Response and Security Teams (GFIRST), EDUCAUSE, SECURE IT, and other similar venues. Ruefle received a BS in political science and an MPIA (Master of Public and International Affairs) from the University of Pittsburgh. She has also taught courses in information technology, management information systems, and information retrieval and analysis as an adjunct faculty member in the Continuing Education and MBA programs at Chatham College and in the Graduate School of Public and International Affairs (GSPIA) at the University of Pittsburgh


  • CARodrigo Werlinger (University of British Columbia, CA)

    Responding to Security Incidents: Are Security Tools Everything You Need?  [schedule]

    It is important to consider not just the technological factors impacting IT security, but also the human and organizational factors. One key aspect of security that requires attention from these perspectives is security incident response, a field that has not yet reached maturity in terms of best practices. The empirical study we report in this paper was conducted to investigate the challenges that security practitioners face as they implement security controls as well as how the security practitioners respond to security incidents within their organizations. This understanding is important in order to identify opportunities for improvement of tools and processes. In this paper, we present our findings based on qualitative analysis of 29 in-situ semi-structured interviews along with questionnaires and participatory observation. The challenges our participants discuss provide context for the tasks, strategies, skills, and tools that they used when engaged in security incident response. We contrasted our findings with industry recommendations and case studies of security incidents. This comparison provided insight as to the potential sources of breakdown between recommended best practices and actual practices as impacted by human, organizational, and technological factors. We found several opportunities to improve the security processes and tools used by security professionals when performing their tasks and responding to security incidents in order to better support the best practices.

    Rodrigo Werlinger (CISSP) received a degree in Electrical Engineering from the University of Chile. He has work experience in IT security in the telecommunications sector, having designed and implemented IT security for telecommunication services from 2002 to 2006. Currently, he is doing his MASc in the Electrical & Computer Engineering Department at the University of British Columbia. He is also a research assistant in the Laboratory for Education and Research in Secure Systems Engineering (LERSSE), working on the HOT Admin project.

    Kirstie Hawkey is a Postdoctoral Research Fellow in the Departments of Computer Science and Electrical & Computer Engineering at the University of British Columbia. She is working on the HOT Admin project in the Laboratory for Education and Research in Secure Systems Engineering. She received her PhD in Computer Science from Dalhousie University in 2007. Her research interests include personal information management and usable privacy and security, particularly within the context of group work.

    Konstantin (Kosta) Beznosov is an assistant professor at the University of British Columbia’s Department of Electrical and Computer Engineering. He founded and leads the university’s Laboratory for Education and Research in Secure Systems Engineering. He previously was a security architect with Hitachi Computer Products, where he designed and developed products for security integration of enterprise applications. He has also been a consultant for large telecommunication and banking companies on the architecture of security solutions for distributed enterprise applications. He’s a coauthor of Enterprise Security with EJB and CORBA (John Wiley & Sons, 2001) and Mastering Web Services Security (John Wiley & Sons, 2003). He received his PhD in computer science from Florida International University.

  • NLRogier J.L. Spoor (SURFnet, NL)

    The HoneySpider Network: Fighting client-side threats  [schedule]

    The Honeyclient Project is a joint venture between NASK/CERT Polska, GOVCERT.NL and SURFnet. The goal is to develop a complete open source honeyclient system, based on existing state-of- the-art client honeypot solutions and an advanced crawler. The system is focused primarily on attacks against, or involving the use of Web browsers. These include detection of drive-by downloads, malicious binaries and phishing attempts. Apart from identifying browser exploits (including 0day attacks), the system is expected to automatically obtain and analyze the attacking malware and ultimately generate its signature. The major incentive to start this project is the rapidly growing number of browser exploits involving varying degrees of user interaction. These types of attacks lie outside the scope of current monitoring systems in use by the three parties. Therefore we view this new system as an expansion of our current monitoring and early warning abilities. Interfaces with existing systems - the CERT Polska ARAKIS system and SURFnet IDS - will be designed. The system will improve situational awareness of what is happening on the Internet and improve security services offered by the parties to their constituents. The project itself is the result of very close cooperation of three different organizations from two different countries – such cooperation involving research into new areas and software development has been rare so far in the CERT community. The proposed article and presentation will include a short introduction of client honeypots and the state-of-the-art. It will then describe how attacks that involve malicious web servers are being carried out and what techniques attackers use to make analysis of such activity more difficult. The functional requirements and architecture of the solution will be presented. It will also briefly touch upon the lesson learned regarding international cooperation. Novel detection heuristics for low interaction client honeypots will be introduced. Finally, preliminary results of the functioning of the system will be published.

    Rogier Spoor graduated in Bioprocess Engineering at the Wageningen University and Research Centre.

    His first job was working as a Technical Linux and Network Engineer.

    Currently, Rogier works as a Manager Middleware Services at SURFnet, the National Research and Educational Network of the Netherlands, and is in charge of the SURFids project.

  • USRuss McRee (holisticinfosec.org, US)

    Malcode Analysis Techniques for Incident Handlers  [schedule]

    The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover tools and methodology useful to handlers, analysts, and administrators. From detection and discovery, capture and containment, count on a useful discussion meant to further your understanding of the information security practitioner's greatest bane.

    Russ McRee, GCIH, GCFA, CISSP is a security analyst working for the Windows Live Security Incident Management team. Prior speaking engagements include SecureWorld Expo, ISSA Northwest Regional, WSA SIG, RAID 2005, and Linuxfest Northwest.

    He's the author of ISSA Journal's monthly column Toolsmith, and has written for Information Security, Linux Pro, SysAdmin and others, including an OWASP whitepaper. Russ is a board member of ISSA Puget Sound, and a member of PACCISO, InfraGard and CCSA. Russ maintains holisticinfosec.org.

  • USRyan Olson (VeriSign – Verisign/iDefense, US)

    Tracking and Detecting Trojan Command and Control Servers  [schedule]

    Modern Trojan horses frequently report their activities to a central command and control (C&C) server. Specifically, information stealing Trojans typically use a C&C server as the storage location for the data they steal. These servers are very numerous, reside on a variety of networks, and in many countries around the world, but exist much more frequently in certain locations. Attackers often use so called “bullet proof” hosting providers which are unresponsive to take-down notices to host these servers and ensure that they remain active. Tracking which networks new Trojans report their data allows security administrators to proactively monitor for traffic generated by clients infected with these Trojans and take appropriate action.

    This presentation discusses how to detect traffic generated by toolkit-based information stealing Trojans using network based intrusion detection systems like Snort. The audience will receive an overview of popular toolkit-based Trojans and common locations used to host C&C servers based on their network and country of origin.

    Ryan Olson has worked for iDefense as a member of their Malicious Code Operations team since 2006. His primary security interests include automated malicious code analysis and Trojan's specifically targeting financial institutions. He holds a BS from Iowa State University in Management Information Systems and a MS in Security Informatics from The Johns Hopkins University.

  • USScott Charney (Corporate Vice President, Trustworthy Computing, Microsoft, US)

    Enabling End-to-End Trust  [schedule]

    Imagine a more trusted, privacy enhanced Internet experience where devices and software enable people to make more effective choices and take control over who, and what, to trust online.  Scott Charney, VP Trustworthy Computing, describes a new approach that focuses on stronger authentication and accountability in the appropriate environments as a means of making the Internet a safer place to work, play, communicate, and conduct business. Join Scott as he summarizes his ideas around End to End Trust and seeks the community’s feedback.

    Scott Charney serves as corporate vice president of Microsoft’s Trustworthy Computing (TwC) Group within the Core Operating System Division. The group’s mission is to drive Trustworthy Computing principles and processes within Microsoft and throughout the IT ecosystem. This includes working with business groups throughout the company to ensure their products and services uphold Microsoft’s security and privacy policies, controls and best practices. The TwC group also collaborates with the rest of the computer industry and the government to increase public awareness, education and other safeguards.

    In addition, Charney oversees Microsoft’s efforts to address critical infrastructure protection, Engineering Excellence, network security, and industry outreach about privacy and security.

    Charney possesses a wealth of computer privacy and security experience in both the government and the private sector. Before joining Microsoft in 2002, he was a principal for the professional services organization PricewaterhouseCoopers (PwC), where he led the firm’s Cybercrime Prevention and Response Practice. He provided computer security services to Fortune 500 companies and smaller enterprises. These services included designing and building computer security systems, testing existing systems and conducting cybercrime investigations.

    Before PwC, Charney served as chief of the Computer Crime and Intellectual Property Section (CCIPS) in the Criminal Division of the U.S. Department of Justice. As the leading federal prosecutor for computer crimes, he helped prosecute nearly every major hacker case in the United States from 1991 to 1999. He co-authored the original Federal Guidelines for Searching and Seizing Computers, the federal Computer Fraud and Abuse Act, federal computer crime sentencing guidelines and the Criminal Division’s policy on appropriate computer use and workplace monitoring. He also chaired the Group of Eight nations (G8) Subgroup on High-Tech Crime, served as vice chair and head of the U.S. delegation to an ad hoc group of experts on global cryptography policy for the Organization for Economic Cooperation and Development (OECD). In addition, he was a member of the U.S. delegation to OECD’s Group of Experts on Security, Privacy and Intellectual Property Rights in the Global Information Infrastructure.

    Charney also served as an assistant district attorney in Bronx County, N.Y., where he later was named deputy chief of the Investigations Bureau. In addition to supervising 23 prosecutors, he developed a computer-tracking system that was later used throughout the city for tracking criminal cases.

    Charney has received numerous professional awards, including the prestigious John Marshall Award for Outstanding Legal Achievement in 1995 and the Attorney General’s Award for Distinguished Service in 1998. He was nominated to the Information System Security Association’s Hall of Fame in 2000. That same year, the Washington Chapter of the Armed Forces Communications and Electronics Association presented him with its award for excellence in critical electronic infrastructure protection. Among his other affiliations, he served on the American Bar Association Task Force on Electronic Surveillance, the American Health Lawyers Association Task Force on Security and Electronic Signature Regulations, the Software Engineering Institute Advisory Board at Carnegie-Mellon University, and the Privacy Working Group of the Clinton administration’s Information Infrastructure Task Force.

    He holds a law degree with honors from Syracuse University in Syracuse, N.Y., and bachelor’s degrees in history and English from the State University of New York in Binghamton.

  • ATStefan Fenz (Secure Business Austria, AT)

    Semantic Potential of Existing Security Advisory Standards  [schedule]

    New discoveries made on a nearly daily basis and the constantly growing amount of vulnerabilities in software products have led to the distribution of great numbers of vendor dependent vulnerability information over various channels such as mailing lists and RSS (Really Simple Syndication) feeds. However, the format of these messages presents a major problem as it lacks standardized, semantic information, resulting in very time-intensive, expensive, and error-prone processing due to the necessary human involvement. Recent developments in the field of IT security have increased the need for a sound semantic security advisory standard that would allow for automatic processing of relevant security advisories in a more precise and timely manner. This would reduce pressure on organizations trying to keep their complex infrastructures secure and up-to-date by complying to standards, such as Basel II and local legislations. This paper conducts an evaluation of existing advisory standards and extends the most semantic usable to fulfill the requirements of a semantic security advisory standard. A proof of concept shows how non-semantic vendor-dependent vulnerability information can be automatically converted to the proposed semantic security advisory format. The automated processing of security advisories allows faster reaction times and precise response to new threats and vulnerabilities. In this way IT management can concentrate on solutions rather than on filtering messages.

  • CHStephen Frei (ETH Zurich, CH)

    Putting private and government CERT’s to the test  [schedule]

    There is some ongoing debate about the value that CERTs provide - especially when compared with commercial services of the private sector. In an independent research project at ETH Zurich, we monitored for more than 18 months the worlds top security advisory providers. Due to a short 30-minute monitoring interval, we discovered significant differences in quality, quantity, and timeliness.

  • USSteve Mancini (Intel Corporation, US)

    Incident Handling around the world in 80 ms. (Well not really that fast)  [schedule]

    Having a global presence looks great on paper and is perhaps even doing wonders for your bottom line. The downside to being spread across the global is the ability to properly staff certain emergency job roles, such as incident response. Not everyone is trained to do incident response; not everyone possesses the mindset for this work. The question is how to do then operate a successful incident response program across a company where you may have a computer presence but not trained staff to address incidents?

    With the release of 3.2 of RAPIER, we have created a client / server architecture for our information gathering tool suite. Now a disperse company can establish repositories for information gathering during incident handling - your IR specialists no longer have to muddle through getting accurate information off a remote system or worse, walk someone through gathering the data over the phone. RAPIER 3.2 includes several new modules and can be configured to execute against a remote target.

    Steve Mancini

    Steve Mancini has been with Intel since 1997 when he graduated from the Purdue University computer science program. After surviving a year in a technical support role he moved on to UNIX applications where he was a member of the team responsible for building an extensive UNIX application tool suite critical to chip design. In early 2000 he seized the opportunity to pursue his college interest as a security program manager and has since worked as a senior information security specialist and now security strategist. During his time he been involved with several Intel security initiatives including the formation of the Security Operations Center, co-authored of Intel’s risk assessment process with his interest in incident handling which resulted in his creation of the first generations of RAPIER. Steve has received 3 SANS certifications with honors in Incident Handling and Auditing. In his spare time Steve volunteers as a digital forensics examiner for the city and county police department.

  • USSteven Michalove (Microsoft, US)

    Securing Wiki-Style Technology in the Global Enterprise: The Competing Tensions of Privacy Law and Distributed Collaboration  [schedule]

    The new generation of wiki-style collaboration tools is a boon to workers everywhere. By empowering users to easily post, distribute and retain information, these systems foster the type of virtual collaboration that is vital for success in our modern, globally-interconnected world. The very features that make these systems popular also raise troubling security and legal concerns.

    Privacy and data security laws are now in effect around the world. Some of these regimes only provide high-level guidance, others proscribe detailed security requirements. Such differences notwithstanding, privacy mandates generally call for (1) full disclosure, (2) user consent, (3) data security, and (4) reasonable data retention/destruction. Notably, these legal goals are in direct conflict with the technical goals of distributed collaboration systems. Simply put, encouraging users to collect data outside of a centralized IT system significantly complicates the compliance challenge.

    The good news is that numerous steps can be taken to help mitigate these concerns. Deploying sophisticated detective controls to identify data scattered throughout these collaboration environments is a vital first step. Without new technologies and procedures to detect, notify, and remediate, the enterprise will not know where data resides, much less how they are best secured. Although this paper identifies the leading distributed security techniques – most notably the process of securing data containers and/or utilizing document-level rights management – there are a wide range of tools that can help in this process.

    In a classic case of “no good deed goes unpunished,” however, these solutions raise their own legal challenges. Many countries have privacy laws that expressly prohibit the employee system scans that are vital for the detective controls. In other cases, corporate agreements with labor nions/works councils may restrict such practices. Companies must take the time to fully research and understand their legal exposure before deploying these exciting new technologies.

    Steven Michalove is a Senior Security Strategist in Microsoft’s Information Security Compliance organization. He relocated from Copenhagen to Seattle two years ago to join Microsoft after a 20 year career with Hewlett-Packard. He has held a variety of positions ranging from Worldwide Security Services manager for Hewlett-Packard’s outsourcing division to Lead Technical Contract Negotiator. He has consulted with a wide range of large multinational companies in Europe as well as in North and South America on security in the outsourcing arena. Steven has an honors degree in Management of Information Systems from the Terry College of Business at the University of Ga. He currently holds both CISSP and CISM certifications.

  • USSteven Ringelberg (Vanguard Integrity Professionals, US)

    International Privacy & Security Compliance — Navigating the Maze  [schedule]

    As more U.S.-based businesses branch out to overseas markets, it’s become clear that many have no idea how to comply with international data privacy and security laws. And who can blame them? Unless you’re a Global 500 company with the financial and physical means to stay on top of the confusing mass of regulations, the likelihood exists that you are currently breaking one, if not more, policies.

    For the most part, U.S. businesses don’t even know they are breaking these cross-border data flow laws. For example, you wouldn’t assume that sending payroll information from a UK subsidiary to the New York headquarters for processing would be a violation of European Union (EU) regulations. But it is. Or what about a CEO that wants to look up the address or phone number of his biggest European customer so he can schedule a dinner while overseas? Yes, that’s a breach, too. While these seem like innocent mistakes, different governments consider them significant violations that carry with them high-dollar fines.

    Nearly 50 countries have their own data security and protection laws, many of which overlap and most of which can be inconsistent. Three main privacy frameworks are currently in place: the EU regulatory model is the most structured, the U.S. requires self regulation, and the Asia-Pacific Economic Cooperation (APEC) is a mash up of the previous two. To fully understand or keep up with this layered web of compliance doctrine, one would have to be both a legal expert and a technical expert.

    This presentation will discuss the various types of international privacy and security policies and will address the risks, benefits and possible ways to efficiently comply with them. Recommendations will be made on how to combine technology and compliance expertise to create a rules-based access application that integrates with compliance tools.

    Steven is responsible for directing all business operations at Vanguard. Vanguard provides security and compliance software solutions to Fortune 1000 corporations and to governments around the world. Steven has previously served Vanguard as Vice President of Business Development, Director of International Operations and General Counsel. Steven joined Vanguard from Exstream Software, an enterprise document automation software vendor, where he was Chief Administrative Officer and General Counsel. While at Exstream Steven also served Exstream as Acting Chief Financial Officer and VP Business Development. Prior to Exstream, Steven was Director and General Counsel of Honkworm International, an on-line media company based in Seattle, Washington, Director and General Counsel of Agile Equity, a technology focused boutique investment bank, based in Paris, France and New York, and in-house counsel for Microsoft EMEA, based in Paris, France. Prior to going in-house with Microsoft, Steven practiced law in Washington, DC with Curtis, Mallet-Prevost, Colt & Mosle, and in New York with Webster & Sheffield. Steven is a graduate of Oberlin College and New York University School of Law.

  • USTerri Forslof (TippingPoint, a division of 3Com, US)

    Emerging Economies: The Vulnerability Market  [schedule]

    Security vulnerabilities: once mysterious and elusive to IT professionals and developers alike, they have now grown to become the stock and trade of the security research industry. Government, business and criminals seek out new and exciting “Zero Day” vulnerabilities like forbidden fruit, and guard them as if precious jewels. The business of security research has officially migrated from the hacker spending long nights in the basement seeking momentary glory to professionals building and offering portfolios of fresh, cutting-edge security research for hire.

    We must consider today’s vulnerability research as a commodity, such as orange juice, wheat, oil, or other commodities that you might find on Wall Street and similar traditional marketplaces. While many people have heard the term “black market” used to describe non-traditional buyers and sellers, it’s just one of several global markets where a security researcher can receive compensation for their work.

    In this presentation we will explore the history and evolution of these different markets, how they interact with each other and how they impact the rest of the global information security economy.

    Terri Forslof is the Manager of Security Response for TippingPoint. Her team is responsible for managing and resolving all security issues relating to TippingPoint products. Additionally, her team oversees the vendor disclosure of vulnerabilities purchased through the Zero Day Initiative.

    Prior to joining TippingPoint, Terri was a Security Program Manager for the Microsoft Security Response Center, focused on driving the resolution of security vulnerabilities within Microsoft products. She has 12+ years of experience in the information technology industry, including Systems Engineering and Administration, with a focus on Information Security for the past 6 1/2 years. Terri holds a Certified Information Systems Security Professional designation.

  • BEThomas Daemen (Microsoft, BE)

    Securing Wiki-Style Technology in the Global Enterprise: The Competing Tensions of Privacy Law and Distributed Collaboration  [schedule]

    The new generation of wiki-style collaboration tools is a boon to workers everywhere. By empowering users to easily post, distribute and retain information, these systems foster the type of virtual collaboration that is vital for success in our modern, globally-interconnected world. The very features that make these systems popular also raise troubling security and legal concerns.

    Privacy and data security laws are now in effect around the world. Some of these regimes only provide high-level guidance, others proscribe detailed security requirements. Such differences notwithstanding, privacy mandates generally call for (1) full disclosure, (2) user consent, (3) data security, and (4) reasonable data retention/destruction. Notably, these legal goals are in direct conflict with the technical goals of distributed collaboration systems. Simply put, encouraging users to collect data outside of a centralized IT system significantly complicates the compliance challenge.

    The good news is that numerous steps can be taken to help mitigate these concerns. Deploying sophisticated detective controls to identify data scattered throughout these collaboration environments is a vital first step. Without new technologies and procedures to detect, notify, and remediate, the enterprise will not know where data resides, much less how they are best secured. Although this paper identifies the leading distributed security techniques – most notably the process of securing data containers and/or utilizing document-level rights management – there are a wide range of tools that can help in this process.

    In a classic case of “no good deed goes unpunished,” however, these solutions raise their own legal challenges. Many countries have privacy laws that expressly prohibit the employee system scans that are vital for the detective controls. In other cases, corporate agreements with labor nions/works councils may restrict such practices. Companies must take the time to fully research and understand their legal exposure before deploying these exciting new technologies.

    Thomas Daemen is a Senior Attorney in Microsoft’s Legal and Corporate Affairs group. He recently moved to Seattle from Brussels, Belgium, where he helped a wide range of companies navigate the European Union’s legal and political maze and launch products and services across the region. Mr. Daemen has law degrees in both Europe and the United states, receiving his LL.M. in European Union law from the Katholieke Universiteit Leuven, Belgium, and his Juris Doctor from Northwestern University School of Law. He is also an adjunct professor at the University of Washington School of Law, where he teaches EU/US comparative law. A frequent author, Mr. Daemen regularly speaks around the world on cross-border business strategies and compliance challenges.

  • DETill Dörges (PRE-CERT – PRESECURE Consulting GmbH, DE)

    Event Correlation for Early Warning Systems  [schedule]

    Early Warning is a very helpful concept when it comes to getting the “big picture” of larger computer networks, e. g. corporate networks or the Internet, and providing others with information about harmful events that are spreading through the network. Situational Awareness as the basis for Early Warning usually involves gathering as much data as possible from the network. An analyst, however, certainly cannot deal with all this data but it has to be condensed into something more abstract and manageable. While this condensation is part of an analyst’s job, he or she needs help in processing the amounts of data any non-trivial network will generate. The problem itself is pretty well known from other domains, e. g. intrusion detection systems (IDS), which tend to generate so many false positives that the real alerts pass unnoticed by any human.

    This paper presents existing aggregation approaches. It then discusses one implementation based on the Early Warning system CarmentiS. The resulting findings are generally positive but plenty of future work remains.

    Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he's currently working on are a network of distributed IDS-sensors (evolved from the EC-funded project "eCSIRT.net") and the also EC-funded research project about pro-active security monitoring in a policy-based framework ("POSITIF"). Both projects strongly relate to Intrusion Detection, Honeynets and (Security-) Policies.

    Last, but not least, he is the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as for FIRST. Till Dörges studied Computer Sciences in Hamburg, Toulouse and Leipzig. He holds a French "Maîtrise d'Informatique" and a German "Informatik-Diplom".

  • USWilliam Cook (Wildman, Harrold, Allen and Dixon LLP, US)

    Internet Law Update 2008  [schedule]

    Mr. Cook has been involved with the practical, legal implications of IT security for 25 years first as a prosecutor and currently as a counselor and litigator at a major Chicago law firm.His speech will deal with the specific realities of legal issues facing security professionals in the commercial, educational and government sectors. He will address the real costs of data breaches and privacy compromises, the practical implications of the Advanced Persistent Threat, the actual implications of federal and EU regulatory actions and discuss at the current status of employee espionage and data theft.He will also address the implications of electronic discovery and records retention. As in the past, Mr. Cook will rely heavily on current case laws and IT security issues facing his clients.

    William J. Cook is partner at Wildman, Harrold, Allen & Dixon LLP, a 200-attorney national law firm with an established reputation in high-stakes legal matters, successfully defending novel theories from the plaintiffs’ bar and emphasizing complex litigation. Mr. Cook’s practice areas include intellectual property, data security, intellectual property litigation and investigations. Mr. Cook has authored over 500 presentations on online law and liability.

  • USWilliam Yurcik (University of Texas at Dallas, US)

    Safely Sharing Data Between CSIRTs for Collaborative Security: The SCRUB* Anonymization Tool Infrastructure  [schedule]

    Since attackers typically cross network boundaries and frequently change targets to attack within different security domains, effective protection now requires CSIRTS to look beyond their own organizational perimeter toward collaborative security analysis with other organizations. For collaborative security analysis to occur, data needs to be shared. However, to date data sharing between CSIRTS has been minimal due to valid practical concerns for the protection of private and secret information. Unfortunately, this is not also true for attackers who are quite efficient at sharing vulnerability and exploit information amongst themselves! In keeping with the theme of FIRST’08 “Crossing Borders: Towards the Globalization of Security”, we present an infrastructure that CSIRTS can use to share data globally with other organizations. The SCRUB* infrastructure is based on an integrated suite of anonymization tools with common algorithms and command options.In this paper we focus on anonymizers for the two most desirable data sets for security sharing, packet traces (SCRUB-tcpdump) and NetFlows (SCRUB-NetFlows). While anonymizing data for global sharing will protect private information if configured correctly, it also sets up fundamental tradeoffs between privacy protection versus security analysis capability – the more obscured the shared data, the less collaborative security analysis may be possible. This privacy/analysis tradeoff has been acknowledged by many security researchers but we are the first to report quantitative measurements to characterize this privacy/analysis tradeoff for practical guidance when sharing data.

    William Yurcik is Visiting Scientist at the University of Texas at Dallas. He has over 20 years of professional experience as a Network Engineer for large worldwide networks (U.S. Department of Defense, NASA, Verizon, NCSA) and has both theoretical and practical experience in computer network security. He is a graduate of Johns Hopkins University (MS Electrical Engineering 1990, MS Computer Science 1987), the University of Maryland (BS Electrical Engineering, 1984), and is Ph.D. ABD from the University of Pittsburgh (1994-99).

  • NLWim Biemolt (SURFnet, NL)

    Beyond a sensor: Towards the Globalization of SURFids  [schedule]

    SURFnet is a high-speed network which connects the networks of Dutch universities, colleges, research centers, academic hospitals and scientific libraries to the Internet. During the 18th annual FIRST conference we presented our plans to roll-out a Distributed Intrusion Detection System within SURFnet. [1] Some of the design principles for our IDS included: * Runs out-of-the-box * Completely passive * No false positive alerts * Runs in a standard LAN environment * Comparison of statistics At this moment we have actually widely deployed our IDS, called SURFids. Roughly at 30 institutions and at almost 100 different network locations. SURFids is actively being developed and the latest versions contain additional features such as: * Argos integration * Layer 2 detection o ARP poisoning attack o Rogue DHCP server * RSS reports * Improved email reporting * CWSandbox support This contribution will focus on the various experiences of running SURFids and what can and needs to be done to work with other CSIRT Teams around the globe, to interact with ISPs and to improve security. Some features to achieve this are: * IDMEF export * netflow analysis [1] http://www.first.org/conference/2006/program/a_distributed_intrusion_detection_system_based_on_passive_sensors.html

  • CNYonglin Zhou (CNCERT/CC – National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)

    Matrix, a Distributed Honeynet and its Applications  [schedule]

    Distributed Honeynets play an important role in cyber-space threat discovery and measurement, we have developed and deployed Chinese Matrix Distributed Honeynet by integrating low-interaction and high-interaction honeypot technologies, and use it for daily measurement of the specific threats on the Chinese Internet. The system has collected nearly 100,000 unique autonomous spreading malware binaries, and discovered 3,290 IRC-based botnets during a period of almost twelve months. Based on this information, this paper presents several statistical results of botnet activities. These include botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions, and other patterns that describe the IRC-based botnet phenomenon.

    Yonglin Zhou

    Yonglin Zhou, Senior Engineer of National Computer Emergency Response Team/Coordination Center, China(i.e. CNCERT/CC), Ph.D. candidate, his research interests include security measurement and incident response.


  • JPYurie Ito (JPCERT/CC, JP)

    FIRST Law Enforcement/CSIRT Cooperation SIG (LECC-SIG) – Related G8: HI-Tech Crimes Workshop  [schedule]

    • Observations: Past law enforcement and present crime fighter
      Levi Gundert (Director Fraud Cyber Intelligence, Team Cymru)
    • CSIRT - LE Collaboration success story in US
      Chris Painter (Deputy Chief, Computer Crime and Intellectual Property Section at US Department of Justice)
    • Title TBA
      John Pignataro (Director of SIRT Investigations, Citigroup)
    • Targeting the Cyber Criminal, the Canadian Way
      Robert Pitcher (Canadian Cyber Incident Response Centre - CCIRC) & S/Sgt. Dan Howard (Integrated Technological Crime Unit - RCMP)
    • Title TBA
      Tom Mullen (Head of BT e-Crime Team and BTCERT at BT)
    • How CERTs could cooperate with each other that would enhance information that can be supplied to LE partners
      Christopher Geary (FBI)

    There will also be LEs and prosecutors from Japan, Taipei, and Germany.

  • USZiv Mador (Microsoft, US)

    Malware Without Borders - Multi-Party Response  [schedule]

    As malware and potentially unwanted software are becoming motivated more and more by financial gain, their nature is also changing. The attackers often use social engineering techniques to lure the user to run their code and usually will show some messages or bogus warnings using some language. The effectiveness of the attack in any specific region will then rely on the popularity of that language in that region. Other factors may impact too such as the level of user education in that region and the usage of security products there. The result is that we see more and more threats that affect specific countries or regions more than they affect others. This paper will overview some major differences in the types of malware and spyware that exist in different regions around the world and will provide specific examples. The information for this paper is collected from hundreds of millions of computers around the world.

    Given the locality of many of the threats, the model of national response teams and organizational response teams can be extremely helpful. The paper is going to call for even higher level of interaction between these response teams and the security software industry as well as several working examples which illustrate success.

    As Senior Program Manager and Response Coordinator for the Microsoft Malware Protection Center (MMPC), Ziv Mador manages cross-team coordination with the Microsoft Security Response Center (MSRC), the Online Crash Analysis Team, Product Support Service Team and other security focused teams throughout Microsoft to respond to and rectify significant malware incidents.

    As a senior member of the MMPC, he has also been tasked with coordinating his teams’ “Zero-Day” response efforts, which are meant to identify and resolve program vulnerabilities that are exposed when there is not a readily available security update. Ultimately, his goal is to optimize the protection that the Microsoft security solutions provide the user against such attacks.

    A key author of the Microsoft Security Intelligence Report, Mador has established himself as an expert in his field. His work has placed him at the forefront of Microsoft’s efforts to develop relationships with organizations and governments from around the world to collaborate on the fight against malware and spyware threats. Additionally, he participates in and presents at various conferences and events that focus on security and antimalware issues. Mador believes strongly in Microsoft’s antispyware and antimalware programs and has dedicated himself to their success.

    Prior to joining the MMPC, Mador worked in software development as part of the Proxy server team, which later became the Internet Security and Acceleration Server (ISA) team. He spent seven years on the ISA Server Team in various roles, including a period as Sustained Engineering manager. Before coming to Microsoft, he spent time as a research and development intern for IBM in Israel.

    Mador has a BSc and MSc in Computer Science from the Technion Institute – Israel’s leading technology institution; and has contributed to several published works, including the Microsoft Security Intelligence Report. In his free time, Mador enjoys traveling, camping and hiking with his wife, two sons and their family dog.


20th Annual Conference Sponsorship Team