Program Overview
The FIRST Technical Colloquium (TC) event is restricted to FIRST members only and will be held in Oct 5-7, 2005.
Nevertheless, since this will be a joint event with other CSIRT initiatives in the region, there will be two additional events adjacent to the TC in order to achieve non-FIRST-members as well. These two events are the FIRST/TRANSITS Course (Oct 1-2) and the Latin American Security Workshop (Oct 3-4).
Saturday, October 1st
| FIRST/TRANSITS course |
|---|
| 08:30 – 09:00 | Introduction FIRST.Org Inc |
Thursday, October 6th
| Technical Colloquium – Hands-On Class |
|---|
| 09:20 – 10:40 | Botnet Malware Analysis Francisco Jesus Monserrat Coll (IRIS-CERT) DE Common Vulnerabilities Score Systems Marco Thorbrügge (ENISA, DE) AR Cryptography in forensics & reverse engineering Ariel Futoransky, Gerardo Richarte (CORE Security Technologies, AR); Ariel Waissbein (CORE Security Technology, AR) US Hands-on analysis of a compromised Linux machine Dr. Wietse Z. Venema (IBM, US) |
| 11:00 – 12:30 | Botnet Malware Analysis Francisco Jesus Monserrat Coll (IRIS-CERT) DE Common Vulnerabilities Score Systems Marco Thorbrügge (ENISA, DE) AR Cryptography in forensics & reverse engineering Ariel Futoransky, Gerardo Richarte (CORE Security Technologies, AR); Ariel Waissbein (CORE Security Technology, AR) US Hands-on analysis of a compromised Linux machine Dr. Wietse Z. Venema (IBM, US) |
| 14:20 – 15:40 | Botnet Malware Analysis Francisco Jesus Monserrat Coll (IRIS-CERT) DE Common Vulnerabilities Score Systems Marco Thorbrügge (ENISA, DE) AR Cryptography in forensics & reverse engineering Ariel Futoransky, Gerardo Richarte (CORE Security Technologies, AR); Ariel Waissbein (CORE Security Technology, AR) US Hands-on analysis of a compromised Linux machine Dr. Wietse Z. Venema (IBM, US) |
| 16:00 – 17:30 | Botnet Malware Analysis Francisco Jesus Monserrat Coll (IRIS-CERT) DE Common Vulnerabilities Score Systems Marco Thorbrügge (ENISA, DE) AR Cryptography in forensics & reverse engineering Ariel Futoransky, Gerardo Richarte (CORE Security Technologies, AR); Ariel Waissbein (CORE Security Technology, AR) US Hands-on analysis of a compromised Linux machine Dr. Wietse Z. Venema (IBM, US) |
Friday, October 7th
| Technical Colloquium – Laboratory |
|---|
| 09:00 – 10:40 | US Botnets Lab: From Soup to Nuts Guilherme Vênere (CAIS/RNP – Brazilian Academic and Research Network); Stephen Gill (Cymru Team, US) |
| 11:00 – 13:00 | US Botnets Lab: From Soup to Nuts Guilherme Vênere (CAIS/RNP – Brazilian Academic and Research Network); Stephen Gill (Cymru Team, US) |
Wednesday, November 14th
| 18:00 – 20:00 | Social Event |
Wednesday, September 7th
| 17:15 – 18:00 | Fortinet Security Fabric Stefan Moise, Major Accounts Manager, Fortinet |
Ivo Carvalho Peixinho, CAIS/RNP
This paper describes a tool that emulates the capabilities of a SSH server and is capable of monitoring the behavior of brute force ssh attacks. The tool was developed for using as a stand-alone tool or integrated on a honeypot. It was designed to obtain information about connections, users, passwords, SSH protocol version and commands entered by a successful attack attempt. An experiment using the same tool is also described. The experiment aimed to obtain information, statistics and a profile about this kind of attack. Some of the experiment results are presented at the end of the presentation.
October 5, 2005 09:50-10:20
An evening with Kha0s
Sebastián García, CITEFA
On March 10th, 2005, a Romenian intruder got access to an Army Force´s server of Argentinian Government. We allowed him to do that.
Later, others would add. For a six-month time period we studied, tested, provoked, analyzed them and of course we learned a lot from them.
We learned how to classify and identify as a result of their interaction with our systems. This presentation they will be shown investigative techniques, cases, motivations, the tools they had used and the ones we had to develop, the frustrations, the methodology, results and the actions these miscreants use to perform in real life.
October 4, 2005 09:00-09:50
Botnet Malware Analysis
Francisco Jesus Monserrat Coll
How to find malware associated to a botnet and perform a behavior analysis of the binaries and how to investigate and find the bot password.
Format: students use their own laptops to make malware analysis on a Unix enviroment.
October 6, 2005 09:20-10:40, October 6, 2005 11:00-12:30, October 6, 2005 14:20-15:40, October 6, 2005 16:00-17:30
- US
Botnets Lab: From Soup to Nuts
Guilherme Vênere (Brazilian Academic and Research Network), Stephen Gill (Cymru Team, US)
The basics of botnet operations will be demonstrated in this lab from the initial moment of infection and miscreant abuse, to methods of spotting bot, and network cleanup. This lab will attempt to dispel some security myths
along the way such as the protection of NAT firewalls, safety of non-Windows operating systems, and miscreant motivations. It will also show how botnets can be used to perform illicit actions such as keylogging, scanning,
exploiting, and launching denial of service attacks.
October 7, 2005 09:00-10:40, October 7, 2005 11:00-13:00
Cisco PSIRT - Incident Management
Dario Ciccarone, Cisco PSIRT
This presentation talks about the internal and external groups the PSIRT team works with, relationship with external researchers, internal process to fix software, internal advisory process,factors driving timing of public disclosure.
October 3, 2005 15:10-16:10
ciccarone-dario-slides.pdf
MD5: db82df4581aed7a55325c2eb0c73a865
Format: application/pdf
Last Update: October 25th, 2005
Size: 239.9 Kb
- DE
Common Vulnerabilities Score Systems
Marco Thorbrügge (ENISA, DE)
This class will first go over CVSS basics. Then have the participants score some test vulnerabilities themselves. We will then go over the results and attempt to identify any discrepancies.
Format: students use their own laptops to run a .xls file
to score vulnerabilities.
October 6, 2005 09:20-10:40, October 6, 2005 11:00-12:30, October 6, 2005 14:20-15:40, October 6, 2005 16:00-17:30
art-manion-paper-1.pdf
MD5: 7df22aec593f49008375a5e7051236c4
Format: application/pdf
Last Update: June 9th, 2011
Size: 201.33 Kb
- AR
Cryptography in forensics & reverse engineering
Ariel Futoransky (CORE Security Technologies, AR), Ariel Waissbein (CORE Security Technology, AR), Gerardo Richarte (CORE Security Technologies, AR)
Cryptography can be effectively used to improve the strength of communication, authentication and logging systems, but can also help the attacker in several different ways. Cryptographic obfuscation tools, can be used by an attacker to effectively hide the intent of tools deployed on compromised systems, complicating the analysis and limiting the information that can be obtained in a forensic process. This also applies to the payload of exploits and massive worms. A family of cryptographic obfuscation methods based on one-way-hash-functions will be presented and available analysis tools discussed. Format: demo
October 6, 2005 09:20-10:40, October 6, 2005 11:00-12:30, October 6, 2005 14:20-15:40, October 6, 2005 16:00-17:30
Digital crimes under different perspectives
Various
Digital Crimes Under the perspective of a lawyer, a public prosecutor, the police, a CSIRT Representative.
October 3, 2005 16:30-18:00
ferreyro-lorena-slides.pdf
MD5: f2a51b5209c591c6c6a8569e326d81f3
Format: application/pdf
Last Update: October 25th, 2005
Size: 84.62 Kb
pizzoli-diego-slides.pdf
MD5: 2cc8b0b096a287fa07d3e39066a424c8
Format: application/pdf
Last Update: October 25th, 2005
Size: 327.41 Kb
savaro-slides.pdf
MD5: 1861dc7b909b1e894f488b8048ddf34e
Format: application/pdf
Last Update: October 25th, 2005
Size: 128.19 Kb
FIRST: Global Incident Handling
FIRST Board Member
FIRST (the Forum of Incident Response and Security Teams) was formed in response to one of the original incidents to affect the Internet in 1989 – a year after the original CERT was formed. FIRST was formed to enable response teams to liaise with each other, form trusted relationships, exchange tools and information and assist each other is responding to incidents.
Membership of FIRST allows teams to join a global group specifically setup to improve the state of the internet. Why should you join? What benefits would it bring you and your organization?
October 3, 2005 11:20-11:50
duncan-james-slides.pdf
MD5: 97089874de2c339611b30a79d8394793
Format: application/pdf
Last Update: October 25th, 2005
Size: 146.02 Kb
Forensics Discovery
Wietse Venema, FIRST Liason Member
Wietse presents lessons learned about persistence of information in file systems and in main memory of modern computers – how long information persists and why. The results are based on measurements of a variety of UNIX and Linux systems, with some results for Windows/XP, including how to recover encrypted files without knowing the key.
October 4, 2005 09:50-10:50
venema-wietse-slides.pdf
MD5: ff7e911451104a72caec18c5122de0f7
Format: application/pdf
Last Update: October 25th, 2005
Size: 426.22 Kb
Fraud and Phishing Scam Response Arrangements in Brazil
Marcelo H P C Chaves, CERT.br
Brazil has seen a huge increase in incidents related
with frauds and phishing scams, specially schemes based on the use of trojan horses. In this presentation CERT.br will discuss how we are responding to these issues in Brazil, including technical analysis and coordination with AV vendors and the financial sector.
October 5, 2005 16:30-17:00
- US
Hands-on analysis of a compromised Linux machine
Dr. Wietse Z. Venema (IBM, US)
Wietse presents lessons learned about persistence of information in file systems and in main memory of modern computers - how long information persists and why. The results are based on measurements of a variety of UNIX and Linux systems, with some results for Windows/XP, including how to recover encrypted files without knowing
the key.
- Format: students use their own laptops as telnet/ssh/ftp terminals, data is collected and analyzed on a dedicated server.
October 6, 2005 09:20-10:40, October 6, 2005 11:00-12:30, October 6, 2005 14:20-15:40, October 6, 2005 16:00-17:30
Honeypots for Security Operations
James J. Barlow, NCSA-IRST
This presentation covers some real live cases of using honeypots for investigating some security incidents.
October 5, 2005 09:20-09:50
barlow-james-slides.pdf
MD5: 6aa8c305deaac14db9886d9666625513
Format: application/pdf
Last Update: June 9th, 2011
Size: 36.54 Kb
ICMP Attacks Against TCP
Fernando Gont, UTN (Invited)
The ICMP protocol is a fundamental part of the TCP/IP protocol suite, and is used mainly for reporting network error conditions. However, the current IETF specifications do not recommend any kind of security checks on the received ICMP error messages, thus leaving the door open to a variety of attacks. ICMP can be used to perform a number of attacks against the TCP protocol, which include blind connection-reset, blind throughput-reduction, and blind performance degrading attacks.
Fernando will introduce the attacks that can be performed against TCP by means of ICMP, and will discuss the possible counter-measures against them. Of particular interest will be a discussion of a counter-measure for the blind performance-degrading attack, and a discussion of advanced packet filtering policies that could be used to mitigate the impact of these attacks. Furthermore, Fernando will also discuss why existing security mechanisms do not help to protect TCP from these ICMP-based attacks.
Last, but not least, Fernando will discuss the disclosure process of these security vulnerabilities, and the ongoing work at IETF on these issues.
October 5, 2005 15:30-16:10
gont-fernando-slides.pdf
MD5: d32246277ee991a5eec9e34f5f8b8a82
Format: application/pdf
Last Update: June 9th, 2011
Size: 880.37 Kb
Incident Response and Early Warning Initiatives in Brazil
Marcelo H P C Chaves, CERT.br
This presentation will show Incident Response Initiatives in Brazil, specially the The Early Warning Capabilty Based on a Network of Distributed Honeypots.
October 4, 2005 15:20-16:10
chaves-marcelo-slides.pdf
MD5: 59b8fd42651f8d629c70de98675c2356
Format: application/pdf
Last Update: October 25th, 2005
Size: 899.14 Kb
Incident Response in Latin America
Latin American CSIRTs
Incident Response Activities in Latin America. Experiences from Argentina, Brazil, Mexico and Spain.
October 3, 2005 09:20-11:00
franco-gaston-slides.pdf
MD5: 7add861066b345051de3edb908e35c22
Format: application/pdf
Last Update: October 25th, 2005
Size: 108.08 Kb
solha-liliana-slides.pdf
MD5: cc7c4b61a999423085dbc51c4129190f
Format: application/pdf
Last Update: June 9th, 2011
Size: 385 Kb
Iván Arce, Core Security Technologies
A review of current attack tools, methods, and trends as viewed by Ivan Arce, Core Security Technologies CTO and author of IEEE Security & Privacy Magazine Attack Trends column will be presented.
October 4, 2005 11:10-12:10
arce-ivan-slides.pdf
MD5: 72e1ed030afb99a7d49ff7d459f53072
Format: application/pdf
Last Update: October 25th, 2005
Size: 247.46 Kb
Latin-American Forensic challenge V.2: Conclusion
UNAM-CERT, IRIS-CERT
The two major academic computer security related organizations from Mexico and Spain, UNAM through UNAM-CERT and the public company Red.es
through RedIRIS security group organized the forensic challenge V2.0, motivating system forensics development in Latin-America. 960 incident handlers were dissecting an image of a compromised Linux system and their reports were evaluated by specialist from Mexico, Spain
and Brazil last spring.
For this presentation we will discuss our Experinces and lessons learned about this work and what tools are being used by the community in
Latinamerica for this Forensic Challenge.
October 4, 2005 16:30-16:50
Recent Activity in Phishing Malware
Jason Milletary
This presentation will provide an overview of the capabilities that CERT/CC has observed being implemented within malicious code designed to steal sensitive user information for online banking, commerce, and payment system sites.
October 5, 2005 15:00-15:30
Recycling IPv4 exploit for IPv6
Franciso Jesús Monserrat Coll , IRIS-CERT
There is the false though in some people that IPv6 will be more "secure" than IPv4, mainly for the inclusion of IPSec . This presentation show that some of this ideas are not real and that it would be very easy to convert the current exploits (that propagates using IPv4) to use IPv6.
October 4, 2005 12:10-13:00
Regional Initiatives in Incident Response
Various FIRST Members
Regional Initiatives in Asia-Pacific, Europe, and Latin American
Academic Networks.
October 3, 2005 11:50-13:00
ito-yurie-slides.pdf
MD5: 5976bb7e26603afd08a6485c961d8427
Format: application/pdf
Last Update: October 25th, 2005
Size: 159.97 Kb
solha-liliana-slides-1.pdf
MD5: 73955f03a271694d0e67d1a3df370edd
Format: application/pdf
Last Update: October 25th, 2005
Size: 258.96 Kb
Taxonomy of Mexican Online Banking 2005: Threats and Mitigation
Juan Carlos Guel, David Gimenez, UNAM-CERT
Last spring UNAM-CERT presented within the Computer Security Congress 2005 in Mexico an study about 25 financial organizations, assessing Internet Banking computer security threatens and incident handlers
based reports like phishing, scam, pharming, etc.
This study discusses the need to bring on communications and coordinations channels in order to reduce the threatens faced by Internet Banking and anticipating new kinds of cyber-crime. Finally we
will present a work in progrees between UNAM-CERT and Mexican financial institutions.
October 3, 2005 14:30-15:10
guel-juan-slides.pdf
MD5: 1f0c984ad3ce6bef44a6b3eea9fe74c3
Format: application/pdf
Last Update: October 25th, 2005
Size: 206.18 Kb
Johannes Ullrich, SANS Internet Storm Center
The talk will outline how the SANS Internet Storm Center works, and how it attempts to inform about and mitigate current threats. The basic principles will be illustrated using the example of a DNS poisoning attack from earlier this year. In conclusion, the talk will suggest future trends and threats as they are currently being observed by the ISC.
October 4, 2005 16:50-17:40
Trends in Internet Attack Technology and the Role of Artifact
Jason Milletary, Cert/CC
Observation of recent attack trends have demonstrated the shifting of Internet attack technology to support financial gains. Attacks are increasingly targeting the end-user in an attempt to gather valued information and resources. An overview of these trends and the
role of artifact analysis in understanding and countering these threats will be presented.
October 4, 2005 14:30-15:20
milletary-jason-slides.pdf
MD5: 8c6c4de20dea75cfa7ccfda5b0ffad23
Format: application/pdf
Last Update: October 25th, 2005
Size: 158.82 Kb
VoIP Security
Peter Quick, Deutsche Telekom, T-Com CERT
Although VoIP is a new revolutionary technology in the world of communications, it presents some drawbacks in aspects of information security. The fact that it is based mostly on standard Computer-Environment makes it vulnerable to all well known security threats such as computer fraud. This presentation will focus on some
fraud scenarios, such as subscriber fraud and PSTN fraud.
October 5, 2005 17:30-18:00
Work in Progress Session
Various FIRST Members
Short update presentations on ongoing FIRST members projects, initiatives, etc.
October 5, 2005 11:50-13:00, October 5, 2005 14:30-15:00
baader-rodolfo-slides.pdf
MD5: 06e3227bd703d09015ff0a6683099caa
Format: application/pdf
Last Update: June 9th, 2011
Size: 758.14 Kb
guel-juan-slides-1.pdf
MD5: 1c7c998bb7c34307b3bd17181d071416
Format: application/pdf
Last Update: June 9th, 2011
Size: 46.58 Kb
osterberg-par-slides.pdf
MD5: a40a0da3f211b24fa0becee82ff7f362
Format: application/pdf
Last Update: June 9th, 2011
Size: 474.19 Kb
terada-masato-slides.pdf
MD5: 8dc4e9db1740e4ca7af54c316dd32288
Format: application/pdf
Last Update: June 9th, 2011
Size: 9 Mb
watasi-jumpei-slides.pdf
MD5: 15c3b8980c058f8bada33e4a254198a5
Format: application/pdf
Last Update: June 9th, 2011
Size: 4.06 Mb
Juan Carlos Guel, David Gimenez, UNAM-CERT
Since every day we can get lots of logs in ours systems, debug them is a overwhelming task. We can identify events showing failed login attempts, privileges changes, and further intrusion attempts within the events in the system. But within a huge network architecture it could be an impossible task even when we were talking about the same operative system.
The tool described in this paper gathers all the events in remote host that are suspicious of being about a possible intrusion attempt. All the data is stored in a data base an the administrator is alerted in order
to reduce the time in response. It's a client-server architecture and could be used within a domain or not. All the information is encrypted before send it through the network. The administrators can get HTML or text reports from the computer they wish.
October 5, 2005 17:00-17:30
