Chia-Mei Chen (National Sun Yat-Sen University, TW)
The growing volume of spam mail has generated a need for a reliable anti-spam filter that detects unsolicited e-mails. Most works focus on spam detection on a standalone mail server. This paper presents a collaborative approach to the classification, discovery, and exchange of spam information. The spam filter can be built on a mixture of rough set theory, genetic algorithms, and reinforcement learning.
In this paper, we integrate our spam filter with Open Web Mail to validate the performance of the proposed approach. The results of the collaborative spam filter support the following conclusions: (1) The rules exchanged among mail servers indeed help the spam filter block more spam messages than a standalone one. (2) A combination of filtering algorithms improves accuracy and reduces false positives in spam detection.
MD5: f5b61d4dd71f7716be4e184fac5ac363
Format: application/pdf
Last Update: June 7th, 2024
Size: 401.06 Kb
Dr. Martin Wimmer (Siemens AG, Corporate Technology, CT IC CERT, DE)
Recently, the discussion about the security of virtualized IT infrastructures has intensified. Several research papers have been published discussing both the pros and cons of virtualization for security. Additionally, new business ideas and products have been developed for enhancing security for virtualized IT. With this paper we provide a survey of the recent advances in computer security for server virtualization.
MD5: 257b754bdeca181998a5edb2d6043a1d
Format: application/pdf
Last Update: June 7th, 2024
Size: 163.68 Kb
Adam Laurie (RFIDIOt, GB)
Not content with breaking (into) other people's hardware, Adam Laurie likes to get up on his own roof and tinker with his satellite dish, and has also been known to discharge projectile weapons at perfectly serviceable computer equipment... Following up on his "a day in the life of..." talk, Adam will present some of his works in progress, and will attempt to answer fundamental questions that bother him after a hard day's hacking, such as "What would happen if I fire this real gun at an online computer game?" and "Is that a satellite, or are you just pleased to see me?".
MD5: 12f0fe5310b585f702669b28e7bd3ada
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.2 Mb
Raffael Marty (Splunk, US)
Visualization of data has proven to be the approach generating the best return on investment when it comes to complex data analysis problems. This workshop takes a step-by-step approach to visually analyzing data.
I will use a few open source tools to process the information and generate visual representations. Among them is a tool called AfterGlow (afterglow.sourceforge.net), which was written by the submitter. It is a very simple tool to visualize preprocessed information. The analysis I will go over in the workshop will show how to find insider abuse, help with compliance reporting, and use visualization for perimeter threat (e.g., IDS and firewall log analysis).
The goal of the workshop is to leave the audience with the knowledge and tools to do visual log analysis on their own data. I will be discussing log sources, how to get from the data to graphs, what open source tools are available for visualization, and how to address the above use-cases in detail.
Vancouver, CA
June 25, 2008 09:50-10:20, June 25, 2008 11:10-11:40, June 25, 2008 11:40-12:10, June 25, 2008 12:10-12:50, June 25, 2008 10:20-10:50
Hosted by FIRST.org
MD5: 197a59cb91aca78c70eb05233adde0b6
Format: application/pdf
Last Update: June 7th, 2024
Size: 20.2 Kb
Jeff Boerio (Intel Corporation, US)
Managing the response to vulnerabilities in a heterogeneous enterprise is no simple task. A significant growth in applicable vulnerabilities, a complex network of devices, and constrained budgets create a resourcing problem for managers. In this paper, we will propose some measures for handling the growing number of alerts while decreasing the staff needed to do so. We begin with a review of the vulnerability management process, offering suggestions to improve consistency in processing vulnerability reports and risk ratings. Then we examine possible solutions for automating and streamlining several key steps of the process, such as processing alerts, assigning risk, and dispositioning them for patching.
Vancouver, CA
June 26, 2008 14:50-15:20, June 26, 2008 15:20-15:40
Hosted by FIRST.org
MD5: cabc4095b3a1dc35c490c63355c6f23b
Format: application/pdf
Last Update: June 7th, 2024
Size: 389.63 Kb
Emin Akhundov (NASK/CERT Polska, PL), Krzysztof Silicki (NASK/CERT Polska, PL), Miroslaw Maj (ComCERT S.A., PL)
The growing number of network security incidents and computer crime statistics indicate that the current condition of ICT security is unfavorable and the future is ambiguous. This can have a significant negative impact on the world economy, which is increasingly dependent on electronic communication.
It is not clear who is responsible for such a situation and why there is no breakthrough in security despite many initiatives over the years. Home users, vendors, ISPs and governments often have different points of view and interests when looking at their roles in the process of improving Internet security.
Nevertheless, success in combating harmful and illegal activities on the Internet is very much related to the intensity and quality of cooperation between all stakeholders. Cooperation within a particular stakeholder community is important as well.
Undoubtedly the CSIRT community is an important player in this area, and it potentially has all the assets required to build models of effective cooperation both inside the community and with external parties. To achieve this goal, barriers to cooperation should be analyzed and proposals to overcome them should be created, including proper incentives.
In the article the authors will present existing barriers, such as:
Corresponding to these barriers, preliminary proposals for solutions and incentives will be presented. Ideally this could start a discussion leading to initiatives (e.g. SIGs) and projects that could foster better CSIRT cooperation.
The CERT concept, after almost 20 years of existence, is recognized as one of the most effective ways of combating illegal activities on the Internet. This effectiveness is in part a result of good communication between incident response teams. However, communication sometimes becomes a problem because of a lack of sufficient coverage by CSIRTs in a particular region. To improve this situation, the CERT Polska team, with NATO support, started the CLOSER project, which is mainly about establishing new teams in regions that are white spots on the map of the CSIRT world (project duration 2007-2009). Participants of the project are countries associated in CEENet http://www.ceenet.org (see attachment).
The project is aimed at building a network of operational CSIRT teams through:
For successful integration of newly established teams with existing international cooperation forums, emphasis will be put on helping new teams in formally and informally joining international forums (e.g. FIRST). We believe that experiences from the CLOSER project could be valuable in the discussion on how to reach out to new areas with the CERT concept.
Vancouver, CA
June 26, 2008 14:50-15:20, June 26, 2008 15:20-15:40
Hosted by FIRST.org
silicki-krzysztof-maj-miroslaw-slides.pdf
MD5: 9583c460941a7c03c660bf473bb65f9b
Format: application/pdf
Last Update: June 7th, 2024
Size: 851.59 Kb
Wim Biemolt (SURFnet, NL)
SURFnet is a high-speed network which connects the networks of Dutch universities, colleges, research centers, academic hospitals and scientific libraries to the Internet. During the 18th annual FIRST conference we presented our plans to roll out a Distributed Intrusion Detection System within SURFnet. [1] Some of the design principles for our IDS included:
* Runs out-of-the-box
* Completely passive
* No false positive alerts
* Runs in a standard LAN environment
* Comparison of statistics
At this moment we have widely deployed our IDS, called SURFids, at roughly 30 institutions and at almost 100 different network locations. SURFids is actively being developed and the latest versions contain additional features such as:
* Argos integration
* Layer 2 detection
  o ARP poisoning attack
  o Rogue DHCP server
* RSS reports
* Improved email reporting
* CWSandbox support
This contribution will focus on the various experiences of running SURFids and on what can and needs to be done to work with other CSIRT teams around the globe, to interact with ISPs and to improve security. Some features to achieve this are:
* IDMEF export
* netflow analysis
[1] http://www.first.org/conference/2006/program/a_distributed_intrusion_detection_system_based_on_passive_sensors.html
MD5: 0361e6295500f60af11f12fc499f2caa
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.77 Mb
Andre Cormier (CA), Robert Pitcher (Public Safety Canada, CA)
Summary: CCIRC would like to host a 3 hour session that involves the creation of a relatively cheap malware analysis lab. The session will focus on open source tools, procedures, hardware and software that can be combined to create a highly effective malware analysis station that can rival modern commercial versions. The session will cover the requirements, setup demonstration, and employment of the tools in the analysis of an archived CCIRC malware related incident.
Background: Incident handlers often need to perform a quick behavior analysis of malware when handling infected computers. There are many online and commercial services offering this capability, ranging from free to extremely expensive. However, in many instances the information to be analyzed may be sensitive, and the need arises for a CIRT team to perform its own analysis. The question then arises of how to process malware which is sensitive and/or not typically detected by modern vendors in a timely manner. The answer is that each CIRT team needs the ability to analyze any malware it receives. CCIRC will present a setup that will cost no more than two PCs, configured to match each organization's standards. CCIRC will base the development of this presentation on an actual proven setup currently in use by our office, and demonstrate its effectiveness through the processing of an archived CCIRC malware event.
(Note: We have decided to pursue a three hour session as it will provide ample time to show the setup, configuration, and application of the lab in a real world example. This presentation can be reduced to a single session in which only the requirements would be covered if space is limited. However, for the full effect, a three hour session is preferred.)
Vancouver, CA
June 27, 2008 09:30-10:20, June 27, 2008 10:40-11:30, June 27, 2008 11:30-12:20, June 27, 2008 12:20-12:50
Hosted by FIRST.org
MD5: 415b35a5e1364963cb90c012d731f6e6
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.52 Mb
Scott McIntyre (NL)
Walled Garden or "quarantine" networks can protect your users/customers whilst still allowing them to perform necessary updates. This 30 minute talk will discuss the technologies used by one ISP in building their Walled Garden and how such technology can be useful for incident responders as well as security analysts within an organisation. The technology discussed is low cost & mostly open source based.
MD5: 671cc13bf5ac45285321d2fcfef4eba3
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.24 Mb
Georgia Killcrece (Carnegie Mellon University), Mark Zajicek (Carnegie Mellon University, US), Robin Ruefle (Carnegie Mellon University, US)
This one-day course is designed to provide a high-level overview of the issues involved in creating and managing an effective computer security incident response team (CSIRT).
For anyone who is new to the field or who is interested in the type of activities a CSIRT performs, this course will provide valuable insight and suggestions for developing such a capability.
A high-level discussion of key issues and topics is covered in this one-day tutorial, focusing on the purpose and structure of CSIRTs, incident management processes, key design and implementation elements, CSIRT operational issues, and other CSIRT functions.
Vancouver, CA
June 24, 2008 08:30-10:50, June 24, 2008 11:10-12:30, June 24, 2008 14:00-15:20, June 24, 2008 15:40-16:30
Hosted by FIRST.org
MD5: 16c03a35edf87301da7cdcfbc4d8a557
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.44 Mb
Ralph Thomas (VERISIGN iDefense, US)
Financial institutions worldwide face an ever-increasing number of malicious code and phishing attacks that adapt and mature constantly. Regulators and industry promote authentication as a panacea, while the crooks are developing and deploying highly specialized Trojans designed to target and circumvent multifactor authentication schemes. Hijacking transactions that a user has initiated and authorized is the newest of these targeted threats. This technique has been discussed theoretically for some time but has now left the malware labs and is actively being used in real-world attacks, not only against financial institutions. Technology and implementation are important factors for the effectiveness of multifactor authentication schemes, and even strong technologies with correct implementations that thwart transaction-hijacking attempts have weaknesses that might constitute a surface for future attack scenarios.
This presentation discusses the state of attack and mitigation techniques surrounding transaction-hijacking and lessons learned from real-world incidents. The audience will be given an overview of implementation details that can make or break a successful authentication scheme in light of these new threats.
MD5: 803663f86f763e2b2aa8e20202e40ff1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.15 Mb
Pär Österberg Medina (Swedish IT Incident Centre, Sitic, SE)
Responding to IT incidents and investigating computers for signs of a compromise can be a challenging and time consuming task, which becomes all the more complicated with the proliferation of malware and rootkit technology. This full day tutorial will teach forensic acquisition and analysis techniques with a focus on investigating and identifying potential intrusions involving the Windows OS. The course is aimed at a technical audience, preferably incident responders and forensic examiners, who are interested in learning the latest in volatile data analysis and live forensics techniques.
The course is split into two sessions, the first focusing on acquisition, and the second on analysis.
After outlining a methodology for conducting forensic incident response, we will, in the morning session, walk through the construction of a 'First Responders Toolkit', the purpose of which is the live collection of volatile data from a potentially compromised Windows OS. Participants will be walked through the process of first assembling the toolkit from a number of open source and freely available tools, and then hardening this trusted toolset.
Volatile memory acquisition will then be introduced, identifying specific pros and cons of the currently available approaches, providing participants with the knowledge of how to choose the right tool for their circumstances.
The culmination of the morning session is to employ the constructed toolkit to collect various pieces of evidence from a live system in the order of volatility: main memory, the swap file, NTFS meta data files, the Registry and lots more.
The second session is organized into two components: analysis of storage related data, and analysis of volatile memory. In this session, participants will be shown how to analyze the data collected in the morning session.
In the storage analysis section, we will analyze the $Mft, the heart of NTFS, looking for Alternate Data Streams and commonly used file system anti-forensic techniques. We then introduce analysis techniques which identify malware behavior by identifying discrepancies between the user-mode view of the filesystem and the raw filesystem. Additional practical topics covered include analysis of the raw Windows Registry files, fast analysis of binary files collected from a running system, and how to effectively use databases of hashes to distinguish unknown files and modified binaries from known operating system files.
The volatile memory analysis component of the second session will begin with an introduction to the basics of Windows memory management. Then we will start to explore memory dumps, employing freely available forensic memory analysis tools, so participants can take them home and start working with them immediately. We will cover some of the leading-edge commercial tools in the field, and identify their merits relative to the freely available tools. Participants will be instructed in the use of the Windows debugging infrastructure for exploring memory dumps and verifying the semantic integrity of these dumps. The afternoon session will culminate in participants trying out the tools on a number of sample images to uncover exploits and actual rootkit infections on their own.
Participants are expected to bring their own laptop with a DVD player; Microsoft Windows will be required to run most of the programs provided. Sample files for analysis will be available during class, so set aside at least 10GB of free hard drive space.
This course is based on the course "The latest in forensic tools and techniques to examine Microsoft Windows", which was presented at the 2007 FIRST conference in Seville. Developed and presented by Andreas Schuster and Pär Österberg Medina, the course received high ratings from participants.
Vancouver, CA
June 23, 2008 08:30-10:50, June 23, 2008 11:10-12:30, June 23, 2008 14:00-15:20, June 23, 2008 15:40-17:00
Hosted by FIRST.org
medina-osterberg-par-slides.pdf
MD5: 54e98ece12b4ddee973653880cd6d206
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.14 Mb
JinWook Choi (Financial Security Agency, KR)
Securing electronic financial transactions has been an important issue all over the world.
In Korea, the number of Internet banking customers has increased dramatically, reaching 42,450,000 (Sep. 2007) across 19 banks, and the government has paid close attention to setting up policy and technology to make online transactions safe.
Accordingly, every financial institution in Korea that has an online service should provide security programs such as anti-virus and anti-keylog software to its customers. However, cyber threats to financial institutions and their customers increase day by day and attack techniques evolve constantly, so a dedicated organization is needed to follow up on and fight such risks. Finally, the Financial Security Agency ("FSA") was established in Dec 2006.
In this presentation, incident cases, new threats, and the efforts of Korean financial institutions and government will be introduced.
KFCERT in FSA has been a full member of FIRST since Dec. 2007.
MD5: a4b7682ef51ca3ba72cc6a855cd6bc39
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.26 Mb
Terri Forslof (TippingPoint, a division of 3Com, US)
Security vulnerabilities: once mysterious and elusive to IT professionals and developers alike, they have now grown to become the stock-in-trade of the security research industry. Government, business and criminals seek out new and exciting "Zero Day" vulnerabilities like forbidden fruit, and guard them as if precious jewels. The business of security research has officially migrated from the hacker spending long nights in the basement seeking momentary glory to professionals building and offering portfolios of fresh, cutting-edge security research for hire.
We must consider today’s vulnerability research as a commodity, such as orange juice, wheat, oil, or other commodities that you might find on Wall Street and similar traditional marketplaces. While many people have heard the term “black market” used to describe non-traditional buyers and sellers, it’s just one of several global markets where a security researcher can receive compensation for their work.
In this presentation we will explore the history and evolution of these different markets, how they interact with each other and how they impact the rest of the global information security economy.
MD5: a589c31060cc1cbaf1e7b4e77100ef93
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.33 Mb
Scott Charney (Corporate Vice President, Trustworthy Computing, Microsoft, US)
Imagine a more trusted, privacy enhanced Internet experience where devices and software enable people to make more effective choices and take control over who, and what, to trust online. Scott Charney, VP Trustworthy Computing, describes a new approach that focuses on stronger authentication and accountability in the appropriate environments as a means of making the Internet a safer place to work, play, communicate, and conduct business. Join Scott as he summarizes his ideas around End to End Trust and seeks the community’s feedback.
MD5: 19b9b1f78df9fe5a07af2e0c1b065547
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.69 Mb
Vladimir Kotal (CZ)
Netcat is often called the "TCP/IP Swiss army knife" and is used by both system administrators and hackers. Until now Solaris lacked an implementation of Netcat. The talk will describe the process of integrating nc(1) into OpenSolaris. The talk will also cover processes specific to (Open)Solaris development such as code review, architectural review and testing. Also, future plans for extensions and enhancements will be laid out.
MD5: 9569d5de7112f289a946b96ca8a78c4a
Format: application/pdf
Last Update: June 7th, 2024
Size: 595.32 Kb
Till Dörges (PRESECURE Consulting GmbH, DE)
Early Warning is a very helpful concept when it comes to getting the "big picture" of larger computer networks, e.g. corporate networks or the Internet, and providing others with information about harmful events that are spreading through the network. Situational Awareness as the basis for Early Warning usually involves gathering as much data as possible from the network. An analyst, however, certainly cannot deal with all this data; it has to be condensed into something more abstract and manageable. While this condensation is part of an analyst's job, he or she needs help in processing the amounts of data any non-trivial network will generate. The problem itself is pretty well known from other domains, e.g. intrusion detection systems (IDS), which tend to generate so many false positives that the real alerts pass unnoticed by any human.
This paper presents existing aggregation approaches. It then discusses one implementation based on the Early Warning system CarmentiS. The resulting findings are generally positive but plenty of future work remains.
MD5: d2a2a52a5d4e52d6cad0bdb99cb146cd
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.34 Mb
Derrick Scholl (FIRST Chair, US)
A brief update on FIRST activities and the Steering Committee
MD5: 4cc6f7a8ee30fdf30afb1deff7e6dac9
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.67 Mb
Franck Veysset (France Télécom R&D, FR)
Since 2007, new FMC (Fixed Mobile Convergence) solutions have been emerging. Three main technologies seem to rule the market: WiFi SIP, UMA (Unlicensed Mobile Access) and Cell (femto/pico cell). Those solutions look very attractive to customers, as they open new possibilities in terms of telecommunication. After introducing those technologies, we will focus on the security aspects of those solutions. They might have strong impacts on customer and company security, but things are also quite complicated from the telco point of view, as new threats are emerging (operators will have to "open" some part of their core network, which is not an easy issue...).
The goal of this presentation is to give an overview of FMC solutions, including the security aspects.
MD5: 494f69bdb0a43a62bac5c84b27e288e2
Format: application/pdf
Last Update: June 7th, 2024
Size: 651.46 Kb
Antonio Liu (PRESECURE, DE)
A CERT that serves a Grid community faces certain specific challenges due to the technical nature of Grids. The traditional CERT services have to be modified to meet the needs of a Grid community and to offer added value to the community.
The presentation will briefly outline the necessary modifications of traditional CERT services. In addition, it will introduce new CERT services developed for a Grid community.
These new services cannot be categorized into the three traditional CERT service categories (reactive, proactive and security quality management services). Rather, these new services form a new category of CERT services. The new CERT services will improve the operational security level by improving reliability and integrity in the Grid, and therefore will benefit and offer added value to a Grid community.
MD5: ddf04948f9680f181449f2aa60c9d241
Format: application/pdf
Last Update: June 7th, 2024
Size: 436.7 Kb
Earl Zmijewski (Renesys, US)
We will review recent disruptions to global connectivity, including cable systems breaks in the Middle East and Taiwan, network hijacks (Pakistan vs. YouTube) and partitions of the Internet brought about by soured business relationships (Cogent vs. Telia). While most Internet-savvy users are very familiar with typical electronic threats to desktop machines and their corresponding countermeasures (firewalls, virus scanners, etc.), threats to Internet routing are not nearly as well understood. In both arenas, it’s the Internet’s outmoded model of implicit trust and cooperation that underlies many of the problems. Unfortunately, there are fewer means for risk mitigation when it comes to threats to the core infrastructure. After reviewing specific incidents and looking at the problem from a holistic standpoint, we’ll consider some of the available remedies.
MD5: dcc062c4dee8948dd534a65c08afed36
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.26 Mb
Kenneth R. van Wyk (KRvW Associates, LLC, US), Robert Floodeen (US)
We propose that proper identification of automated network scanning tools has value to network monitoring teams. Currently it is simply misunderstood, improperly handled, or overlooked. Furthermore, there is value in identifying and cataloguing the identification features and options used in those tools. Using a few open source tools (TCPDump, the SiLK toolset - rwscan with Threshold Random Walk - and MySQL) we will show that valuable information can be catalogued through a simple process of detecting, identifying, and transforming captured network packets (pcap) into a much smaller database record with identification characteristics. This process can also be seamlessly implemented in existing open source NSM products like Sguil, ACID, or BASE.
The following are valuable analysis results gained from identifying and storing scan metadata:
MD5: 39e8725e9b32d14aa78dd56040b61581
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.89 Mb
Greg Bassett (Intel Corporation, US), Steve Mancini (Intel Corporation, US)
Having a global presence looks great on paper and is perhaps even doing wonders for your bottom line. The downside to being spread across the globe is the difficulty of properly staffing certain emergency job roles, such as incident response. Not everyone is trained to do incident response; not everyone possesses the mindset for this work. The question then is how to operate a successful incident response program across a company where you may have a computer presence but no trained staff to address incidents.
With the release of RAPIER 3.2, we have created a client/server architecture for our information gathering tool suite. Now a dispersed company can establish repositories for information gathering during incident handling: your IR specialists no longer have to muddle through getting accurate information off a remote system or, worse, walk someone through gathering the data over the phone. RAPIER 3.2 includes several new modules and can be configured to execute against a remote target.
Vancouver, CA
June 25, 2008 14:50-15:40, June 25, 2008 16:00-17:00
Hosted by FIRST.org
MD5: 1c089cf96a7fcf79e7d940ecec8f48bc
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.95 Mb
Georgia Killcrece (Carnegie Mellon University), Mark Zajicek (Carnegie Mellon University, US), Robin Ruefle (Carnegie Mellon University, US)
The Incident Management Mission Diagnostic (IMMD) is a risk-based approach for determining the potential for success of an organization's incident management capability (IMC).
An organization's IMC potential for success is based on a finite set of current conditions: a limited set of key indicators used to estimate the current IMC health relative to a defined benchmark. Decision-makers can determine if the current state of their IMC is acceptable, or if actions are required to improve the situation. The IMMD can be viewed as an efficient, first-pass screening of an IMC to provide a quick evaluation and diagnose any unusual circumstances that might affect its potential for success.
This presentation will provide an overview of the IMMD method.
Incident Management Mission Diagnostic Method, Version 1.0
http://www.cert.org/archive/pdf/08tr007.pdf
MD5: 413f07f4c64a3c766fb955c0bbf67368
Format: application/pdf
Last Update: June 7th, 2024
Size: 145.06 Kb
Michael La Pilla (iDefense, US)
Between February 2007 and November 2007 one group was responsible for at least 13 targeted email campaigns impersonating various government agencies to trick victims into installing malicious code. Using a combination of investigative tactics, custom-written tools and perseverance, it is possible to follow the attackers' footprints and infrastructure through the attacks. During the investigation the attacker is seen modifying attack code, improving targeting and altering his/her cash-out scheme to adapt to shutdowns, law enforcement and investigations.
The goal of the presentation is to provide a case study in tracking long term malicious code campaigns using this series of incidents. The data collected includes preventative information used to mitigate some attacks before they were released and protect victims from fraudulent transactions.
MD5: 8c0f5b59fc9afbbb9fe1af1df074a088
Format: application/pdf
Last Update: June 7th, 2024
Size: 819.55 Kb
William Cook (Wildman, Harrold, Allen and Dixon LLP, US)
Mr. Cook has been involved with the practical, legal implications of IT security for 25 years, first as a prosecutor and currently as a counselor and litigator at a major Chicago law firm. His speech will deal with the specific realities of legal issues facing security professionals in the commercial, educational and government sectors. He will address the real costs of data breaches and privacy compromises, the practical implications of the Advanced Persistent Threat, the actual implications of federal and EU regulatory actions, and discuss the current status of employee espionage and data theft. He will also address the implications of electronic discovery and records retention. As in the past, Mr. Cook will rely heavily on current case law and IT security issues facing his clients.
MD5: 40de0d6fe6a5dc6c555c24bc5178f03b
Format: application/pdf
Last Update: June 7th, 2024
Size: 383.71 Kb
Wout De Natris (London Action Plan, NL)
Mr. De Natris will talk about the London Action Plan (LAP), a worldwide informal organisation for cooperation against cyber crime and spam. His presentation will touch on the mission statement of LAP, its goals, its results and who can participate. He will also tell us something about the work of OPTA (the Dutch Independent Post and Telecommunication Authority, and as such the Internet safety enforcer of the Netherlands) and its aims to cooperate nationally and internationally.
MD5: bf752f66ee1d65932e3bda4ebeb84d80
Format: application/pdf
Last Update: June 7th, 2024
Size: 107.64 Kb
Russ McRee (holisticinfosec.org, US)
The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover tools and methodology useful to handlers, analysts, and administrators. From detection and discovery to capture and containment, expect a useful discussion meant to further your understanding of the information security practitioner's greatest bane.
Vancouver, CA
June 25, 2008 09:50-10:20, June 25, 2008 10:20-10:50
Hosted by FIRST.org
MD5: 58064f5f558a155acb9d4fb2ae1ef71d
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.22 Mb
Dr Minghua Wang (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)
The World Wide Web and online games have become very popular in China, and, driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a large number of blackhats construct malicious websites, infect victims with stealer Trojans, steal the virtual assets from the exploited computers and sell them for money. In this paper we give an overview of the malicious website phenomenon in China, including its background, its history and the underground economy chain that drives it. Furthermore, we present the detailed behind-the-scenes picture of this specific threat, as well as our analysis procedure. From the case study we find it to be a representative large web-based Trojan network, constructed by organized and experienced blackhats purely for economic profit. To deal with these threats, we need to build a monitoring system and improve the efficiency of cooperation between CSIRTs.
MD5: 8c80d913fd9a4f03a69363b114978ca8
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.16 Mb
Jeff Williams (Microsoft, US), Ziv Mador (Microsoft, US)
As malware and potentially unwanted software become more and more financially motivated, their nature is also changing. Attackers often use social engineering techniques to lure the user into running their code and usually display messages or bogus warnings in a particular language. The effectiveness of the attack in a specific region then depends on how widely that language is used in that region. Other factors may matter too, such as the level of user education in that region and the use of security products there. The result is that we see more and more threats that affect specific countries or regions more than they affect others. This paper gives an overview of some major differences in the types of malware and spyware that exist in different regions around the world and provides specific examples. The information for this paper was collected from hundreds of millions of computers around the world.
Given the locality of many of the threats, the model of national response teams and organizational response teams can be extremely helpful. The paper calls for an even higher level of interaction between these response teams and the security software industry and gives several working examples that illustrate success.
williams-jeff-mador-ziv-slides.pdf
MD5: 7f30458acb10744f117c165f39c1c19b
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.11 Mb
Bobby Singh (Smart Systems for Health Agency, CA)
The purpose of the presentation is to provide an overview of how to build a comprehensive and integrated security and privacy incident management program in the health care sector. Privacy incidents are becoming common, but resources such as use cases and documented examples to assist health care organizations with incident management are not available in the marketplace.
Wherever we look, privacy incidents are grabbing the headlines. As Canada moves towards eHealth, protecting personal health information is going to be front and centre. However, the cost of maintaining a 'perfectly secure' system will be too high, so organizations such as hospitals, and IT organizations such as Smart Systems for Health Agency (SSHA), will have to be prepared to handle security and privacy breaches.
SSHA has developed a comprehensive Enterprise Security & Privacy Incident Management program (ESPIM) to manage security and privacy breaches, ensure a high security posture for the organization and retain clients' trust in its infrastructure.
ESPIM identifies, analyses, resolves and reports on security and privacy incidents and breaches to minimize risk to individuals, clients and SSHA.
ESPIM is built on international standards and meets the reporting requirements set out in Ontario's PHIPA legislation.
MD5: 2b49f488773890f978fffdd7ffdc692b
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.06 Mb
Yonglin Zhou (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)
Distributed honeynets play an important role in discovering and measuring threats in cyberspace. We have developed and deployed the Chinese Matrix Distributed Honeynet, which integrates low-interaction and high-interaction honeypot technologies, and use it for daily measurement of specific threats on the Chinese Internet. Over a period of almost twelve months the system collected nearly 100,000 unique autonomously spreading malware binaries and discovered 3,290 IRC-based botnets. Based on this information, this paper presents several statistical results on botnet activity, including botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions, and other patterns that characterize the IRC-based botnet phenomenon.
MD5: 9fb2d64a5cd5df763fa09dc1570fffe6
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.58 Mb
Andrea Rigoni (Symantec, IT)
Today almost every organization relies on ICT infrastructures to deliver core and critical services. The risk scenario is changing so quickly that a new Dynamic Risk Management approach is required.
One of the major challenges is to keep a shared situational awareness of the Digital Battlefield, which is fragmented under the responsibility and visibility of many private and public organizations.
Information Sharing can help both individual organizations and national bodies to keep an up-to-date situational awareness and to define the correct countermeasures proactively. Despite common acknowledgment of the importance of Information Sharing, many initiatives have failed and many organizations still look at it with suspicion.
During his speech, Andrea will illustrate the different approaches adopted by private companies, service providers and national authorities for Information Sharing and Early Warning. In particular, Andrea will show how the positive developments of military doctrine (Network Centric Operations) can be used to define new information sharing approaches. He will also provide an overview of the different initiatives in the US and Europe and will discuss the issues that have prevented Information Sharing from being widely adopted at a national and international level.
WHAT WILL BE COVERED:
HOW THE AUDIENCE WILL BENEFIT FROM THE INFORMATION:
MD5: aca170c4ac4070394142183d4b38c512
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.96 Mb
Juan Díez González (INTECO, ES), Luis Fernández (INTECO, ES)
Spam, as unsolicited e-mail, has become a serious problem not only for end users but also for companies that use e-mail on a daily basis at work, because of the economic damage it causes. Nowadays it seems that this issue has no direct solution, although more and more efficient antispam solutions are constantly being developed.
In this context, it is extremely important to have mechanisms that allow us to measure in some way the most significant information about the current spam situation.
For this reason, owing to its status as a national public institution, INTECO-CERT has promoted the establishment of collaboration agreements with a group of different and varied organizations. As a result of these agreements, programs acting as sensors or meters have been installed in these organizations to collect information about spam. The information is centralized and properly analyzed, which makes its later use easier.
The most useful information resulting from this process is shown in the form of statistics on a web site accessible to the general public, thanks to the advantages that the widespread use of the Internet offers.
In this way, users can interact in a friendly way with the application, which offers them results that can be easily interpreted and a general view of the spam situation in Spain and in the rest of the world.
MD5: 0f02fde97cca76291f99676f079709b0
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.8 Mb
Adam Laurie (RFIDIOt, GB)
RFID is being embedded in everything... From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even!
For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them....
Vancouver, CA
June 25, 2008 11:10-11:40, June 25, 2008 11:40-12:10
Hosted by FIRST.org
MD5: b9bbb2a1d1170b4f8406a21fe942a580
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.89 Mb
Dr. Heiko Patzlaff (Siemens AG, Corporate Technology, CT IC CERT, DE)
Over the last few years push-email on mobile devices has become a major trend and is taken up by companies to mobilize their workforce. Various risks are associated with the use of mobile devices outside the company perimeter - in particular with respect to the transmission and storage of confidential information.
This paper compares the different approaches that the three operating system platforms Symbian, Windows Mobile and BlackBerry take in offering this functionality. It explores their security architectures and features and evaluates their suitability for deployment in the enterprise.
The paper develops a set of criteria for comparing the security features of mobile devices. It covers the areas of infrastructure security, device security, services, protection of static data, protection of data in transit, administration and mobile malware.
MD5: ca69e6c9dee986cc64b428539d6ff8fd
Format: application/pdf
Last Update: June 7th, 2024
Size: 79.2 Kb
Stephen Frei (ETH Zurich, CH)
There is some ongoing debate about the value that CERTs provide, especially compared with commercial services from the private sector. In an independent research project at ETH Zurich, we monitored the world's top security advisory providers for more than 18 months. Thanks to a short monitoring interval of 30 minutes, we discovered significant differences in quality, quantity, and timeliness.
MD5: b6359d713a45e89540195927f4362906
Format: application/pdf
Last Update: June 7th, 2024
Size: 305.11 Kb
Roman Valls (ES)
The project aims to create a complete free *nix-like toolchain for working with binary files.
Its core is a command-line, block-based hexadecimal editor which handles everything as a file: a process, a file, a disk, memory. This flexibility offers nice scripting features which can be mixed with Perl, Python and Vala.
A data block can be visualized in the way you want, making it easier to recognize data structures. One of the print formats is a disassembler, which currently supports the Intel, ARM, PowerPC, m68k and Java architectures. Here's a pseudocode representation of an Intel program.
radare comes with some other utilities:
The abstraction layer is implemented by IO plugins which wrap all the open/read/.. calls.
Currently the debugging IO layer works on *BSD and Linux on x86 and ARM. A w32 port is planned.
Here is the list of current features:
MD5: 36261bc5955c06de9493c282302aa6b2
Format: application/pdf
Last Update: June 7th, 2024
Size: 432.17 Kb
Rodrigo Werlinger (University of British Columbia, CA)
It is important to consider not just the technological factors impacting IT security, but also the human and organizational factors. One key aspect of security that requires attention from these perspectives is security incident response, a field that has not yet reached maturity in terms of best practices. The empirical study we report in this paper was conducted to investigate the challenges that security practitioners face as they implement security controls as well as how the security practitioners respond to security incidents within their organizations. This understanding is important in order to identify opportunities for improvement of tools and processes. In this paper, we present our findings based on qualitative analysis of 29 in-situ semi-structured interviews along with questionnaires and participatory observation. The challenges our participants discuss provide context for the tasks, strategies, skills, and tools that they used when engaged in security incident response. We contrasted our findings with industry recommendations and case studies of security incidents. This comparison provided insight as to the potential sources of breakdown between recommended best practices and actual practices as impacted by human, organizational, and technological factors. We found several opportunities to improve the security processes and tools used by security professionals when performing their tasks and responding to security incidents in order to better support the best practices.
MD5: 7c56746124505ea6bb1484d160cbecb3
Format: application/pdf
Last Update: June 7th, 2024
Size: 461.81 Kb
William Yurcik (University of Texas at Dallas, US)
Since attackers typically cross network boundaries and frequently change targets to attack within different security domains, effective protection now requires CSIRTs to look beyond their own organizational perimeter toward collaborative security analysis with other organizations. For collaborative security analysis to occur, data needs to be shared. However, to date data sharing between CSIRTs has been minimal due to valid practical concerns for the protection of private and secret information. Unfortunately, this is not true for attackers, who are quite efficient at sharing vulnerability and exploit information amongst themselves! In keeping with the theme of FIRST'08, "Crossing Borders: Towards the Globalization of Security", we present an infrastructure that CSIRTs can use to share data globally with other organizations. The SCRUB* infrastructure is based on an integrated suite of anonymization tools with common algorithms and command options. In this paper we focus on anonymizers for the two most desirable data sets for security sharing, packet traces (SCRUB-tcpdump) and NetFlows (SCRUB-NetFlows). While anonymizing data for global sharing will protect private information if configured correctly, it also sets up a fundamental tradeoff between privacy protection and security analysis capability: the more obscured the shared data, the less collaborative security analysis may be possible. This privacy/analysis tradeoff has been acknowledged by many security researchers, but we are the first to report quantitative measurements characterizing it, for practical guidance when sharing data.
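The tradeoff the abstract describes can be seen on a handful of flow records. The following is an added illustration, not SCRUB-NetFlows code: the flows, the key and the scan heuristic are constructed for the example. It compares a prefix-preserving anonymizer (the Crypto-PAn construction, reimplemented here in simplified form with an HMAC as the per-prefix pseudo-random function) with plain /16 truncation, by running the same horizontal-scan detector on both outputs.

```python
"""Added illustration of the privacy/analysis tradeoff when NetFlow records
are anonymized for sharing between CSIRTs.  Not SCRUB-NetFlows code: the key,
the flows and the scan heuristic are constructed for this example."""
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed flows: (src, dst, dst_port).  10.1.2.5 sweeps 10.9.0.0/24 on 445.
FLOWS = [("10.1.2.5", f"10.9.0.{i}", 445) for i in range(1, 41)] + [
    ("10.1.2.7", "10.9.0.3", 80),
    ("10.1.2.7", "10.9.0.4", 443),
    ("192.0.2.10", "10.9.0.3", 22),
]

KEY = b"secret held by the anonymizing team"  # assumption, never shared


def _prf_bit(key: bytes, prefix: str) -> int:
    """One pseudo-random bit derived from the already-processed prefix bits."""
    return hmac.new(key, prefix.encode(), hashlib.sha256).digest()[0] & 1


def prefix_preserving(addr: str, key: bytes = KEY) -> str:
    """Output bit i = input bit i XOR PRF(input bits 0..i-1).  The map is a
    bijection, and two addresses sharing a k-bit prefix still share a k-bit
    prefix afterwards, so subnet structure survives while hosts are hidden."""
    bits = f"{int(ipaddress.IPv4Address(addr)):032b}"
    out = "".join(str(int(b) ^ _prf_bit(key, bits[:i])) for i, b in enumerate(bits))
    return str(ipaddress.IPv4Address(int(out, 2)))


def truncate16(addr: str) -> str:
    """Coarser alternative: keep the /16, zero the host half."""
    return str(ipaddress.IPv4Network(f"{addr}/16", strict=False).network_address)


def anonymize(flows, fn):
    """Apply an address anonymizer to both endpoints of every flow."""
    return [(fn(s), fn(d), p) for s, d, p in flows]


def scanners(flows, min_targets=20):
    """Crude horizontal-scan detector: sources touching many distinct hosts."""
    targets = defaultdict(set)
    for s, d, _ in flows:
        targets[s].add(d)
    return {s for s, ds in targets.items() if len(ds) >= min_targets}


def share_prefix(a: str, b: str, bits: int) -> bool:
    """True if the two addresses agree on their first `bits` bits."""
    ia, ib = int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))
    return ia >> (32 - bits) == ib >> (32 - bits)


if __name__ == "__main__":
    print("raw              :", scanners(FLOWS))
    print("prefix-preserving:", scanners(anonymize(FLOWS, prefix_preserving)))
    print("truncated /16    :", scanners(anonymize(FLOWS, truncate16)))
```

With prefix-preserving anonymization the scan is still visible (the scanner is a single, now pseudonymous, source hitting 40 distinct pseudonymous hosts in one pseudonymous /24), while after /16 truncation every destination collapses to one address and the detector finds nothing. The price is that the prefix-preserving output still leaks subnet structure and is reversible by anyone holding the key, which is the privacy side of the tradeoff the paper quantifies.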
MD5: c530ed772bfcae64f4c9c78f9a61c185
Format: application/pdf
Last Update: June 7th, 2024
Size: 385.95 Kb
Eric Fleischman (Boeing, US)
Civil aviation aircraft certification, including existing procedures, policies, and federal and international law, centers upon aircraft safety. A new generation of digital aircraft (e.g., B787, A350, A380) is being fielded in which electrical components and software perform avionics functions that were traditionally accomplished by hydraulics and other analog systems. These digital systems are connected via internal local area networks (LANs). Simultaneously, economic forces are encouraging aircraft to deploy Internet protocols internally and to support digital communications with ground entities. These vectors have created the need to address security issues within the current safety milieu.
This presentation summarizes some of the findings of the Federal Aviation Administration's (FAA) Airborne Networked Local Area Network (LAN) study that took place during 2005 and 2006. This study investigated methodologies for identifying and mitigating potential security risks of onboard networks that could impact safety. It also investigated techniques for mitigating security risks in the certification environment.
Networks are inherently hostile environments because every network user, which includes both devices (and their software) and humans, is a potential threat to that environment. Networked entities form a fate-sharing relationship with each other because any compromised networked entity can theoretically be used to attack other networked entities or their shared network environment. Safety and security have therefore become intertwined concepts within networked airborne environments. Security engineering addresses the potential for failure of security controls caused by malicious actions or other means. Safety analysis focuses on the effects of failure modes. The two concepts (safety and security) are therefore directly related through failure effects.
This study concluded that the primary issue impacting networked airborne system safety is how to extend existing safety assurance processes into networked systems and environments in a mathematically viable manner. The study recommends that the existing safety processes can be extended into arbitrarily vast network environments in a mathematically viable manner by using the Biba integrity model framework. It maps current airborne software processes into the Biba integrity model framework, using well-established system security engineering processes to define airborne safety requirements. It applies best current information assurance techniques to those airborne safety requirements to create a generic exemplar airborne network architecture that simultaneously addresses the safety and security requirements of airborne infrastructures.
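As an added illustration of what applying the Biba integrity model to a networked aircraft means in practice (this is not the study's exemplar architecture; the domain names, their integrity levels and the candidate links are assumptions made for the example), the following checks a proposed set of network links against Biba's two rules and reports the links the model forbids:

```python
"""Added illustration (not the study's own exemplar architecture) of checking
a proposed airborne network design against the Biba integrity model.  The
domain names, integrity levels and candidate links are assumptions made for
this example."""
from enum import IntEnum


class Integrity(IntEnum):
    """Higher value = more trusted.  Assumed three-domain split."""
    PASSENGER = 1        # passenger devices, in-flight entertainment
    AIRLINE_OPS = 2      # airline information services, maintenance
    FLIGHT_CONTROL = 3   # avionics whose failure affects safety of flight


LEVELS = {  # assumed placement of networked entities
    "flight-management-computer": Integrity.FLIGHT_CONTROL,
    "maintenance-laptop": Integrity.AIRLINE_OPS,
    "ops-gateway": Integrity.AIRLINE_OPS,
    "seat-back-display": Integrity.PASSENGER,
}


def can_read(subject: str, obj: str) -> bool:
    """Simple integrity property ("no read down"): a subject may take input
    only from objects at its own integrity level or higher."""
    return LEVELS[subject] <= LEVELS[obj]


def can_write(subject: str, obj: str) -> bool:
    """*-integrity property ("no write up"): a subject may send data only to
    objects at its own integrity level or lower."""
    return LEVELS[subject] >= LEVELS[obj]


def violations(links):
    """links: (sender, receiver) pairs of a proposed design.  A link is a
    violation when the sender would write up, which is the same condition
    as the receiver reading down."""
    return [(src, dst) for src, dst in links if not can_write(src, dst)]


def path_allowed(path):
    """Data may traverse a chain of hops only if every hop is allowed, so a
    low-integrity source cannot reach a high-integrity sink via a relay."""
    return all(can_write(a, b) for a, b in zip(path, path[1:]))


PROPOSED_LINKS = [  # assumed design under review
    ("flight-management-computer", "ops-gateway"),         # telemetry down: ok
    ("ops-gateway", "seat-back-display"),                  # flight info to cabin: ok
    ("maintenance-laptop", "flight-management-computer"),  # software upload: write up
    ("seat-back-display", "ops-gateway"),                  # passenger request: write up
]

if __name__ == "__main__":
    for src, dst in violations(PROPOSED_LINKS):
        print(f"Biba violation: {src} -> {dst}")
```

The two flagged links are exactly the ones a safety process has to treat specially: the model gives no way to carry them as ordinary network links, and `path_allowed` shows that routing low-integrity data through an intermediate domain does not help, because every hop is checked.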
Vancouver, CA
June 25, 2008 09:50-10:20, June 25, 2008 10:20-10:50
Hosted by FIRST.org
MD5: c7b496091318100f8982e1fb3db5eb5b
Format: application/pdf
Last Update: June 7th, 2024
Size: 750.62 Kb
Steven Michalove (Microsoft, US), Thomas Daemen (Microsoft, BE)
The new generation of wiki-style collaboration tools is a boon to workers everywhere. By empowering users to easily post, distribute and retain information, these systems foster the type of virtual collaboration that is vital for success in our modern, globally-interconnected world. The very features that make these systems popular also raise troubling security and legal concerns.
Privacy and data security laws are now in effect around the world. Some of these regimes only provide high-level guidance; others prescribe detailed security requirements. Such differences notwithstanding, privacy mandates generally call for (1) full disclosure, (2) user consent, (3) data security, and (4) reasonable data retention/destruction. Notably, these legal goals are in direct conflict with the technical goals of distributed collaboration systems. Simply put, encouraging users to collect data outside of a centralized IT system significantly complicates the compliance challenge.
The good news is that numerous steps can be taken to help mitigate these concerns. Deploying sophisticated detective controls to identify data scattered throughout these collaboration environments is a vital first step. Without new technologies and procedures to detect, notify, and remediate, the enterprise will not know where data resides, much less how they are best secured. Although this paper identifies the leading distributed security techniques – most notably the process of securing data containers and/or utilizing document-level rights management – there are a wide range of tools that can help in this process.
In a classic case of "no good deed goes unpunished," however, these solutions raise their own legal challenges. Many countries have privacy laws that expressly prohibit the employee system scans that are vital for the detective controls. In other cases, corporate agreements with labor unions/works councils may restrict such practices. Companies must take the time to fully research and understand their legal exposure before deploying these exciting new technologies.
MD5: 54b21b474b5e8cc60f1b25071796d9e0
Format: application/pdf
Last Update: June 7th, 2024
Size: 519.82 Kb
Frank Wintle (PanMedia Ltd, GB)
In his address to the 19th FIRST conference in Seville, Frank Wintle argued that the exclusive "private languages" spoken by Internet Technology specialists were a major cause of "ordinary" users falling victim to viruses, sabotage and criminal attacks, and urged delegates to find a lingua franca which would enable lay people to comprehend security practices and apply or comply with them competently and confidently.
At the Vancouver 2008 conference, Wintle, who is FIRST’s communications consultant, takes his argument to the next stage, sharing a programme which will enable delegates to return to their organisations and take the first steps towards the conversion of “lay” colleagues into security evangelists. Wintle will argue that the experts’ constant refrain against the non-specialist mass of colleagues – “They just don’t get it!” – betrays a first and fatal flaw in the conventional approach: the division of the problem between the us-savants and the them-idiots.
Only holistic mentoring techniques will begin the process of transforming each organisation’s culture towards an inclusively security-conscious universe. Sharing the building-block principles of his communications techniques, Wintle demonstrates how to bring colleagues onside and build up a momentum for change in which word-of-mouth (everywhere recognised as the most potent persuasive force) gradually begins to augment and reinforce more formal dialogues as part of the tutorial matrix.
What are the major obstacles along the way? How will you know when the message is getting through? How will you stop momentum from flagging after the change-programme has ended? These are just a few of the questions which will be answered in a session which will excite delegates to rise to the challenges of a new model of security education.
MD5: 978902fbff5d482ea2a2de02640cf3c1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.92 Mb
Gib Sorebo (SAIC, US)
Laws are increasingly requiring more breach reporting. Just when should you disclose, and to whom? This question is frequently asked, as breaches now include not only verified data compromises but also security vulnerabilities where there is only a mere possibility of compromise. This session will discuss recent disclosures, analyze hypothetical scenarios, and offer guidance.
The presentation will begin by discussing the notion of the security breach and how that term has evolved from a clear-cut case of data compromise to a more speculative scenario where a vulnerability has been discovered or data was sent over the Internet in the clear. Examples of recent disclosures will be presented to show how these concepts have changed over time. We will then examine the relevant laws, such as SB-1386 in the US and the laws of other countries, and look at how they define security breaches and the potential implications of not disclosing. The presentation will then walk through the steps of investigating a potential breach, from the initial discovery of a security event to the notification of affected parties. The session will describe the roles of attorneys, IT professionals, and managers. The talk will then consider the pros and cons of disclosing. Such considerations will include the organization's reputation, customer obligations, and the potential for over-reporting. We will then summarize a recommended approach to security breaches that takes into account the technical aspects of the potential breach, the type of information involved, and the legal obligations of the organization.
By the end of the session, participants will have a good understanding of the pros and cons of disclosing security breaches and will be able to provide their organizations with additional information to help make this difficult decision and mitigate harm to customers and to the organization's reputation.
MD5: 5819638a01aab9905efba9647ae86572
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.4 Mb
Kenneth R. van Wyk (KRvW Associates, LLC, US)
Penetration testing is the most common form of security testing for software, yet it fails the most basic measurement of testing efficacy: code coverage. To thoroughly and rigorously test the security of software, we must go beyond the penetration test. This session describes many of the testing methods available today, including fuzz testing and dynamic validation, as well as how to improve penetration testing practices to drive up measurements such as code coverage.
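The coverage argument is easy to see on a small target. Below is an added example, not code from the talk: a tiny TLV parser with a bug in an undocumented record type, a handful of well-formed inputs of the kind a tester writes by hand, and a coverage-guided mutation fuzzer seeded with those same inputs. The parser, its bug, the branch-label instrumentation and the inputs are all constructed for the illustration.

```python
"""Added example (not from the talk): hand-written test inputs versus a
coverage-guided mutation fuzzer on the same small parser.  The parser, its
bug and the branch-label instrumentation are constructed for the example."""
import random

TABLE = ["GET", "PUT", "DEL", "ACK"]  # constructed lookup table
COVERED = set()                        # branch labels reached so far


def cover(label):
    COVERED.add(label)


def parse(buf: bytes):
    """TLV records: 1 byte type, 1 byte length, value.
    Type 1 = 4-byte big-endian int, 2 = ASCII string, 3 = index into TABLE."""
    i, out = 0, []
    while i < len(buf):
        cover("record")
        if i + 2 > len(buf):
            cover("truncated-header")
            raise ValueError("short header")
        t, n = buf[i], buf[i + 1]
        i += 2
        if i + n > len(buf):
            cover("truncated-value")
            raise ValueError("short value")
        val = buf[i:i + n]
        i += n
        if t == 1:
            cover("int")
            if n != 4:
                cover("int-badlen")
                raise ValueError("int must be 4 bytes")
            out.append(int.from_bytes(val, "big"))
        elif t == 2:
            cover("str")
            out.append(val.decode("ascii", "replace"))
        elif t == 3:
            cover("index")
            out.append(TABLE[val[0]])  # BUG: no length or bounds check
        else:
            cover("unknown-type")
            raise ValueError("unknown type")
    return out


def probe(b: bytes):
    """Run one input; return (labels reached for the first time, crash)."""
    before, crash = set(COVERED), None
    try:
        parse(b)
    except ValueError:
        pass                  # rejected input: expected behaviour
    except Exception as e:    # anything else is a parser bug
        crash = e
    return COVERED - before, crash


def run(inputs):
    """Fixed input set, as in a manual test: union coverage and first crash."""
    COVERED.clear()
    crash = None
    for b in inputs:
        _, c = probe(b)
        crash = crash or c
    return set(COVERED), crash


def mutate(b: bytes, rng: random.Random) -> bytes:
    b, op = bytearray(b), rng.randrange(3)
    if op == 0 and b:      # flip one bit
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    elif op == 1 and b:    # drop one byte
        del b[rng.randrange(len(b))]
    else:                  # insert an "interesting" byte
        b.insert(rng.randrange(len(b) + 1), rng.choice([0, 1, 2, 3, 4, 0x7F, 0xFF]))
    return bytes(b)


def fuzz(seeds, iterations=20000, seed=1):
    """Coverage-guided fuzzing: a mutant joins the corpus only if it reaches
    a label no earlier input reached."""
    rng = random.Random(seed)
    COVERED.clear()
    corpus, crash = [], None
    for s in seeds:
        _, c = probe(s)
        corpus.append(s)
        crash = crash or c
    for _ in range(iterations):
        m = mutate(rng.choice(corpus), rng)
        new, c = probe(m)
        crash = crash or c
        if new:
            corpus.append(m)
    return set(COVERED), crash, corpus


# Hand-written "pentest" inputs: three well-formed messages, none of type 3.
PENTEST = [
    b"\x01\x04\x00\x00\x00\x2a",            # int 42
    b"\x02\x03abc",                         # string "abc"
    b"\x01\x04\x00\x00\x00\x01\x02\x02hi",  # int 1 then string "hi"
]

if __name__ == "__main__":
    cov, crash = run(PENTEST)
    print("manual inputs:", len(cov), "labels, crash:", crash)
    cov, crash, corpus = fuzz(PENTEST)
    print("fuzzer       :", len(cov), "labels, crash:", repr(crash))
```

The manual inputs exercise three of the parser's nine labelled branches and never raise anything unexpected. The fuzzer, starting from those same inputs, reaches the error-handling branches and the undocumented record type within a few thousand mutations and turns up the `IndexError`, which is the point of measuring coverage rather than counting test cases.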
MD5: a9d93690729c1a27875ae5bb8f8c57c6
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.12 Mb
Stefan Fenz (Secure Business Austria, AT)
New vulnerabilities discovered almost daily and the constantly growing number of vulnerabilities in software products have led to the distribution of large amounts of vendor-dependent vulnerability information over various channels such as mailing lists and RSS (Really Simple Syndication) feeds. However, the format of these messages presents a major problem: it lacks standardized, semantic information, so processing them is very time-intensive, expensive, and error-prone because of the human involvement required. Recent developments in the field of IT security have increased the need for a sound semantic security advisory standard that would allow relevant security advisories to be processed automatically, more precisely and in a more timely manner. This would reduce the pressure on organizations trying to keep their complex infrastructures secure and up to date while complying with standards such as Basel II and local legislation. This paper evaluates existing advisory standards and extends the most semantically usable one to fulfill the requirements of a semantic security advisory standard. A proof of concept shows how non-semantic, vendor-dependent vulnerability information can be converted automatically to the proposed semantic security advisory format. Automated processing of security advisories allows faster reaction times and a precise response to new threats and vulnerabilities, so that IT management can concentrate on solutions rather than on filtering messages.
MD5: 858238c2524b240ae93433b431abe00c
Format: application/pdf
Last Update: June 7th, 2024
Size: 375.57 Kb
Przemyslaw Jaroszewski (PL)
Whereas sending spam is illegal in many countries, there have been only a small number of convictions of spammers, both under penal law and in claims for damages. In many cases this is due to the technical means spammers take to hide their identity. Sometimes the reason is a sheer lack of enough reported and confirmed cases from individuals willing to go through all the procedures required by the various legal systems. The fact that spamming is a cross-border phenomenon only makes things worse.
Within SPOTSPAM, a two-year project carried out between 2005 and 2007 by eco (German Association of Internet Providers) and NASK, legal research was conducted and technical solutions were built to make it possible to legally gather, process and share reports from individual users in ways that make them usable in a court of law. While the system developed for the project automatically collects a lot of investigative information (such as whois data for IP addresses and e-mail addresses), it also tries to identify the points of most value to parties potentially interested in pressing charges against spammers, in the following ways:
jaroszewski-przemyslaw-slides.pdf
MD5: 724470738c04111acd482200a085b1cd
Format: application/pdf
Last Update: June 7th, 2024
Size: 589.18 Kb
Anton Chuvakin (LogLogic, Inc., US)
The presentation will cover the use of various system, network and security logs and audit trails in the incident response process, from concepts and methodology to practical case studies and tools. It will touch upon incident response practices and the role of logs in them, using logs for forensics and e-discovery as well as for pre-incident threat detection. The presentation will include many detailed case studies from the real world, some complete with logs and tools used in them.
Here is the brief summary:
Vancouver, CA
June 23, 2008 08:30-10:50, June 23, 2008 11:10-12:30, June 23, 2008 14:00-15:20, June 23, 2008 15:40-17:00
Hosted by FIRST.org
MD5: d4aa0128ad1f231697dec33c048907a6
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.54 Mb
Chris Bateman (QA), Cyril Gayet, Helmi Rais (TN), Kauto Huopio (CERT-FI, FI), Masato Terada (IPA, JP), Mirek Maj, Per Arne Enstad (NO), Stelios Maistros (GRNET CERT, GR), Udo Schweigert (FIRST Membership Committee Chair, DE), Vytautas Krakauskas (LT), Yoshiki Sugiura (JP)
Masato Terada received an M.E. in Information and Image Sciences from the University of Chiba, Japan, in 1986. From 1986 to 1995 he was a researcher at the Network Systems Research Dept., Systems Development Lab., Hitachi. Since 1996 he has been Senior Researcher at the Security Systems Research Dept., Systems Development Lab., Hitachi. From 2002 he studied at the Graduate School of Science and Technology, Keio University, and received his Ph.D. in 2005. Since 2004 he has been with the Hitachi Incident Response Team. He is also a visiting researcher at the Security Center of the Information-Technology Promotion Agency, Japan (ipa.go.jp), and JVN associate staff at JPCERT/CC (jpcert.or.jp).
After school and military service, Udo Schweigert finished university with a master's degree in Computer Science and served as an assistant professor at two German universities for three years. In 1989 he joined Siemens, where he worked as a software engineer on OS development for SINIX (an SVR4 derivative very similar to Sun Solaris). Later he developed security products for these OSes. In 1996 he moved internally to the central research and development department of Siemens, where in 1998 he founded Siemens CERT.
At the moment Mr. Schweigert is the team lead of Siemens CERT, leading a team of 15 people delivering CERT services internally to the whole Siemens group.
In his spare time he also contributes to the FreeBSD project as a port maintainer (nessus and mutt).
Mr. Schweigert is a member of the Steering Committee of FIRST (his term ends in 2008), serving as vice-chair; additionally he is the chair of the FIRST membership committee, which is in charge of reviewing every membership application submitted to FIRST.
Yoshiki Sugiura has 24 years of experience with CSIRTs. He was a member of JPCERT/CC from 1998. He now works for two CSIRTs, IL-CSIRT and NTT-CERT. He is also a board member of the Nippon CSIRT Association. He is a certified SIM3 trainer and auditor and a specialist in CSIRT management.
MD5: b9c7a257175aad0aeb52163e9c56579e
Format: application/pdf
Last Update: June 7th, 2024
Size: 428.3 Kb
MD5: 437b125f09bef6270c0bd41cccf49887
Format: application/pdf
Last Update: June 7th, 2024
Size: 658.45 Kb
krakauskas-vytautas-slides.pdf
MD5: ecb23d19cd2fc86f636568fd1e48ff63
Format: application/pdf
Last Update: June 7th, 2024
Size: 250.99 Kb
MD5: be6a4ac98026a5009a66b6ec5bcdd605
Format: application/pdf
Last Update: June 7th, 2024
Size: 688.47 Kb
MD5: 01291fd4987216dfea4bcfef70b7522a
Format: application/pdf
Last Update: June 7th, 2024
Size: 3 Mb
MD5: 1bbea410f26447e3530a08930e1e1e80
Format: application/pdf
Last Update: June 7th, 2024
Size: 245.3 Kb
MD5: ad1b4c7c9a94bcf9e1a2f00f4e181865
Format: application/pdf
Last Update: June 7th, 2024
Size: 980.41 Kb
MD5: 79baeb6232a2db57b2249d33da6b6847
Format: application/pdf
Last Update: June 7th, 2024
Size: 506.77 Kb
MD5: a95f80069dd5cc57660714360ed78a2e
Format: video/x-msvideo
Last Update: June 7th, 2024
Size: 4.31 Mb
MD5: ebb5126cbf3f41a73f01851eac24aadc
Format: video/x-msvideo
Last Update: June 7th, 2024
Size: 20.8 Mb
Chris Gormley (Tiversa, Inc., US)
Forget hacking and phishing – criminals, competitors, and the media are using the same P2P file sharing programs that teenagers use to obtain thousands of your sensitive, confidential, and classified documents each day, putting your organization, customers, and partners at significant risk.
Real-life and highly concrete examples will be used for each part of the presentation.
Vancouver, CA
June 26, 2008 14:50-15:20, June 26, 2008 15:20-15:40
Hosted by FIRST.org
gormley-christopher-slides.pdf
MD5: aceb004ea81610707a91127cd8ae00b1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.85 Mb
Peter Wood (First Base Technologies, GB)
What is a hacker: Someone who breaks into computer systems in order to steal, change or destroy information? Someone for whom computing is its own reward? Hacking is a way of thinking. A hacker is someone who thinks outside the box. It's someone who discards conventional wisdom and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them. Hacking applies to all aspects of life, not just computers. The new blended attack is social engineering plus technology. Over the past fifteen years, Peter Wood has conducted numerous penetration tests for some of the largest organisations in the world. His experience in simulating attacks for these organisations has led to a unique approach combining real-world criminal methods and tools in both the social engineering and technical spheres. This workshop will describe how criminals are succeeding in stealing information, often without the victims even being aware of it. He will call on case histories and "war stories" to illustrate each type of blended attack, and demonstrate some techniques and tools in real time on the day.
Vancouver, CA
June 26, 2008 10:00-10:50, June 26, 2008 11:10-11:40, June 26, 2008 11:40-12:10
Hosted by FIRST.org
MD5: e2ac14c83a39caa6b68e970f1966ca78
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.1 Mb
Carol Overes, Piotr Kijewski (Research and Academic Computer Network in Poland, PL), Rogier J.L. Spoor (SURFnet, NL)
The Honeyclient Project is a joint venture between NASK/CERT Polska, GOVCERT.NL and SURFnet. The goal is to develop a complete open source honeyclient system, based on existing state-of-the-art client honeypot solutions and an advanced crawler. The system is focused primarily on attacks against, or involving the use of, web browsers. These include detection of drive-by downloads, malicious binaries and phishing attempts. Apart from identifying browser exploits (including 0day attacks), the system is expected to automatically obtain and analyze the attacking malware and ultimately generate its signature. The major incentive to start this project is the rapidly growing number of browser exploits involving varying degrees of user interaction. These types of attacks lie outside the scope of the current monitoring systems in use by the three parties. Therefore we view this new system as an expansion of our current monitoring and early warning abilities. Interfaces with existing systems - the CERT Polska ARAKIS system and SURFnet IDS - will be designed. The system will improve situational awareness of what is happening on the Internet and improve the security services offered by the parties to their constituents. The project itself is the result of very close cooperation between three different organizations from two different countries – such cooperation involving research into new areas and software development has been rare so far in the CERT community. The proposed article and presentation will include a short introduction to client honeypots and the state of the art. It will then describe how attacks that involve malicious web servers are being carried out and what techniques attackers use to make analysis of such activity more difficult. The functional requirements and architecture of the solution will be presented. It will also briefly touch upon the lessons learned regarding international cooperation.
Novel detection heuristics for low interaction client honeypots will be introduced. Finally, preliminary results of the functioning of the system will be published.
MD5: e03e30f100b00a2cac869f32eb878912
Format: application/pdf
Last Update: June 7th, 2024
Size: 610.58 Kb
Johnathan Nightingale (Mozilla, CA)
In this presentation, Johnathan Nightingale will share best practices for building secure applications when implementing an open source model. He will highlight the benefits of remaining open and transparent throughout the security process.
Developers generally agree on the importance of security, but there are options for incorporating security into the development environment. With threats emerging daily, the importance of building more secure applications is rising. A solid security process throughout the development lifecycle will provide a road map to guide the team in making and measuring security improvements during every step of application development.
Mozilla’s open source security model describes how to build security into a software project. Johnathan will share the 5 primary aspects of applying this model to the development environment:
nightingale-johnathan-slides.pdf
MD5: b6afccc924ac2cd7f9de358200ec53b5
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.18 Mb
Foy Shiver (The Anti Phishing Working Group, US)
The fight against Internet fraud and phishing is continually evolving as the miscreants change tactics in response to successful countermeasures by brand owners and fraud fighters. This presentation will discuss by example the current tactics employed by the fraudsters as seen by the APWG crime fighters, such as fast-flux name servers and variants of the Rock phish, as well as future expectations. Additionally, current APWG and ICANN activities in making the DNS system less useful to phishers will be examined, and the latest news from the DNS Whois privacy discussions will be covered. The talk will close with recent APWG work on strategies to converse with customers with compromised web servers, how to recover useful forensic data from those servers, and how to report and remove fraudulent sites from the Internet.
Vancouver, CA
June 25, 2008 09:50-10:20, June 25, 2008 10:20-10:50
Hosted by FIRST.org
MD5: 2d1e98d70870cd0370ae8c155d8806bb
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.68 Mb
Ryan Olson (Verisign/iDefense)
Modern Trojan horses frequently report their activities to a central command and control (C&C) server. Specifically, information stealing Trojans typically use a C&C server as the storage location for the data they steal. These servers are very numerous, reside on a variety of networks and in many countries around the world, but exist much more frequently in certain locations. Attackers often use so-called "bullet proof" hosting providers, which are unresponsive to take-down notices, to host these servers and ensure that they remain active. Tracking which networks new Trojans report their data to allows security administrators to proactively monitor for traffic generated by clients infected with these Trojans and take appropriate action.
This presentation discusses how to detect traffic generated by toolkit-based information stealing Trojans using network based intrusion detection systems like Snort. The audience will receive an overview of popular toolkit-based Trojans and common locations used to host C&C servers based on their network and country of origin.
MD5: 5bf4a5d4318eca85b494d8e6c4aea3a1
Format: application/pdf
Last Update: June 7th, 2024
Size: 341.22 Kb
Haythem El Mir (CSIRT.tn Keystone, TN)
Tunisia, as an outstanding example of a developing country, has built its CERT and launched many projects to improve computer security nationally. Through this document, we present the approach used to set up an ISAC in a specific environment and context, while taking into account several constraints such as socioeconomic factors.
We will present the different components of the project as well as the deployed mechanisms, which together form a collection, analysis and risk assessment system that informs about potential threats to the national cyberspace.
MD5: d4e6099dad99b096538c2a6a1a89e3dc
Format: application/pdf
Last Update: June 7th, 2024
Size: 987.03 Kb
Michael H. Warfield (IBM Internet Security Systems, US)
Lately, the term "virtualization" has been all the rage in the news and in technology forums. For many, the term virtualization brings to mind products like VMware and Xen and virtual machines. But virtualization has been around much longer than VMware or Xen and is much broader than either of these two specific examples. Virtualization is also well known in the security underground, where it is a popular topic from both an offensive and a defensive perspective.
Vancouver, CA
June 26, 2008 11:10-11:40, June 26, 2008 11:40-12:10
Hosted by FIRST.org
MD5: 4c924afa3337009d078a60c994c774de
Format: application/pdf
Last Update: June 7th, 2024
Size: 303.5 Kb
Kowsik Guruswamy (Mu Dynamics, US)
Many products simulate attacks on end-systems and validate whether or not the systems are up-to-date with their patches. However, there are very few, if any, analysis tools to verify whether network infrastructure security enforcement devices such as Intrusion Prevention Systems, Firewalls, UTMs, or any deep-inspection device are vulnerable to 0-day attacks. In other words, nobody is watching the watchdogs.
There is an ongoing need to audit network infrastructure security enforcement devices to ensure that they have the ability to block attacks and protect end-systems and networks as advertised.
This presentation will discuss the new security analyzer market and solutions, and why security analyzers are instrumental in providing systematic, comprehensive negative testing and auditing. The speaker will also discuss why it is essential that customers continuously audit and conduct negative testing on their network infrastructure in order to minimize the risk to their network, its users, and the corporation’s data.
MD5: 2984851ada3b1daeee00ccd79018d5cf
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.18 Mb