FIRST - Improving Security Together: 19th Annual FIRST Conference - June 2007 - Seville, Spain
You don't need to be a FIRST Member to attend the 19th Annual FIRST Conference

Supported by

ENISA - European Network and Information Security Agency

Diamond Sponsor

Platinum Sponsor

Local Host and Gold Sponsor

Gold & Beer 'n Gear Sponsor

Gold Sponsors

CCN-CERT
ENISA - European Network and Information Security Agency
La Caixa

Internet Sponsor

Network Sponsor

Silver Sponsors

Inteco
Q-CERT

Bronze Sponsors

Hitachi
Patchlink

Daily Global Security News Podcast Sponsor

Conference Program Coordination & USB Stick Sponsor

Conference Program Coordination Sponsor

Ice Breaker Reception Sponsor

Vendor Display & Beer 'n Gear Sponsors

Assuria
Matta
selex communications

Vendor Display

BorderWare
Endeavor Security

Polo Shirt Sponsor

Bags Sponsor

Conference T-shirt Sponsor

Conference Folder Sponsor

Lanyard/Badge Sponsor

USB Stick Sponsor

Security Challenge Sponsor



Program Overview

Keynote Speakers

  • UK

    Lord Toby Harris of Haringey (House of Lords, UK)

    Lord Toby Harris was made a Life Peer in June 1998. He is Chair of the All-Party Parliamentary Group on Policing and Treasurer of the Parliamentary Information Technology Committee (PITCOM). He is also a member of the House of Lords Select Committee currently investigating Personal Internet Security.

    He was born in 1953 and graduated from Cambridge University in 1975, having studied Natural Sciences and Economics. His professional career began with four years in the Economics Division of the Bank of England. He then spent seven years at the Electricity Consumers’ Council, becoming Deputy Director in 1983. In 1987, he became Director of the Association of Community Health Councils for England and Wales (the national statutory body representing patients’ interests). He remained there until October 1998, when he established his own public affairs consultancy, Toby Harris Associates. Organisations he advises or has advised include KPMG, the National Grid, Unisys, the Anite Group, Transport for London, Wyeth Laboratories and the Commission for Patient and Public Involvement in Health.

    He was a member of the London Assembly from May 2000 to June 2004, on which he led the Labour Group. He was the first Chair of the Metropolitan Police Authority (MPA), during that period and a member of the Executive of the Association of Police Authorities from 2000 to 2006. He continues to sit on the MPA as the representative of the Home Secretary with a remit to oversee the national and international functions of the Metropolitan Police - primarily its counter-terrorism role.

    He was a member of Haringey Council from 1978 to 2002 and was its Leader from 1987 to 1999, having previously spent five years as Chair of Social Services. He was Chair of the Association of London Government, representing the 33 local authorities in London, from its formation in 1995 until 2000, having previously chaired the Association of London Authorities.

    From 1986 to 1993, he was Chair of the Association of Metropolitan Authorities’ Social Services Committee and led for local government in negotiations about the introduction of Community Care and the Children Act. He is Vice-President of and was formerly a member of the Executive of the Local Government Association.

    He has been a non-executive director of the London Ambulance Service, a Senior Associate of the Kings Fund, and a member of the Committee on the Medical Effects of Air Pollutants.

    He is a former member of the Committee of the Regions of the European Union.

    Prioritising Information Security

    Information security is not given a high enough priority by individuals, the corporate sector and by Government. There are a variety of reasons for this – emotional, cultural, financial and cynical. Is information security user-friendly enough? Whose responsibility is it anyway? What should the service providers be doing? What should Governments be doing? Does the global nature of the internet make solutions impossible? Is Microsoft’s Vista the answer? Is self-regulation sufficient or does there have to be legislation? Are market pressures a help or a hindrance? Who is going to clear the mess up when it all ends in tears?

  • EU

    Francisco García Morán (Director General, DG Informatics, European Commission, EU)

    Francisco García Morán holds a degree in Mathematics from the University of Sevilla and a degree in Computer Science from the Polytechnic University of Madrid.

    He worked as a teacher at the University of Sevilla and as an IT analyst at its Data Centre between 1974 and 1976.

    He joined the Data Center of the Ministry of Education and Science in Madrid in 1976, where he held several positions as head of department and started the "decentralised IT" project for the Ministry's Delegations.

    In 1982 he joined the Ministry of Education and Science of the Regional Government of Andalucia where he headed the IT department for nearly 4 years.

    He joined the Informatics Directorate of the European Commission in November 1986 and held several positions in charge of IT solutions for the office automation, information systems development and Data Centre environments.

    In 1998, he joined the Directorate General for Translation as Head of the IT unit, a post he held until April 2001, when he was appointed Director of "Informatics" in the Directorate General for Personnel and Administration.

    Since May 2004, he has been heading the Directorate General for Informatics (DIGIT), where he was appointed Deputy Director General in July 2004. He was appointed Director General in November 2005.

    Since 01/01/2007 his Directorate General has been responsible for the IDAbc (Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens) programme.

    He sits as the representative of the European Commission on the Management Board of ENISA (European Network and Information Security Agency), and he also sits on the "Advisory Committee for eAdministration" to the Minister of Public Administration (MAP) in Spain.

    The speech will present the security strategy of the European Commission in the framework of the EU security policy as outlined by the European Council in 2004.

    After introducing the European Commission and its role in the EU institutional framework, the presentation will describe the EC's IT organisation and governance and will highlight the role of security in the "Roadmap towards an Integrated eCommission", the internal eGovernment initiative of the EC launched in the context of the i2010 initiative.

    The presentation will outline the principles inspiring the security policy, "a secure Europe in a better world", and will describe the EC strategy for Network and Information Security, explaining the dimensions of the problem, from technical to social and ethical. Then the Research Security Policy will be introduced, describing all the efforts and preparatory actions that led to the allocation of 1.4 M€ for security research in FP 7.

    It will also describe the initiatives regarding Safer Internet and those in the area of Justice, Freedom and Security.

    Finally, the EC internal security policy will be outlined and the implementation efforts regarding the policy will be presented including the description of the peripheral security infrastructure, security of IT configurations and Information Systems as well as the measures put in place to fight viruses and spam.

  • EU

    Andrea Pirotti (Executive Director, ENISA, EU)

    Andrea Pirotti has been the Executive Director of the European Network and Information Security Agency (ENISA) since 2004.

    He has been Vice President of the British-owned company Marconi SpA and Managing Director/General Manager of Marconi subsidiary companies in Asia, South America and Spain.

    He held positions at the Italian Ministry of Communications, being Counsellor to the Italian Minister of Communication.

    During 1967-76 he was an Italian Army Signal Corps officer. He is a graduate of the Military Academy, Signal Corps, and holds a University Degree in Strategic Science.

    Why was ENISA created?

    ENISA was conceived in the spring of 2001, at a time when there was only limited co-operation and information exchange between the Member States of the European Union (EU), governments and industry in the field of Information Security. At the same time, the paramount importance of ensuring the continued functioning of the Information Society was becoming increasingly clear, given its growing impact on everyday life, business and the Digital Economy.

    ENISA was created to bridge gaps, to promote good practice and to spread a culture of security across Europe. By using an "open method of co-ordination" between the Member States and industry, ENISA is facilitating and contributing to a significant improvement in the exchange of Information Security knowledge and best practices between the Member States. The Agency also acts as a spokesman on Network and Information Security (NIS) matters within the EU.

    Why is NIS important?

    It is not necessary to address the importance of Network and Information Security, as the audience at the FIRST AGM is fully aware of that. Just to sum up our mission:

    ENISA:

    • Is a Centre of Excellence for Member States and EU Institutions in Network and Information Security
    • Is a switchboard of information on Good Practice
    • Facilitates contacts between EU institutions, the Member States and private business and industry

    In these ways, ENISA contributes towards the modernisation of Europe and helps secure the smooth functioning of the Digital Economy and the Information Society.

    ENISA and the CERT communities

    CERTs in Europe identified very early on that co-operation was crucial for successful incident response, as attacks from the Internet are global by nature and call for teamwork across traditional borders. CERTs collaborate in communities like TERENA's Task Force CSIRT (TF-CSIRT) and the European Government CERT Group (EGC). Such communities are essential as rich sources of information, tools and activities for network and information security. In its role as a facilitator and information broker, ENISA promotes CERT co-operation and helps these communities grow stronger, in Europe and beyond!

    ENISA and FIRST

    ENISA acknowledges the importance of FIRST as a worldwide facilitator of CERT cooperation. This is the reason why, since September 2006, ENISA has been a Liaison Member of FIRST. The potential benefit is mutual:

    FIRST acts as a premier provider of (not only) CERT-related security information and assembles under its umbrella a world-spanning network of Computer Emergency Response Teams, hardware and software vendors and other security experts. ENISA's experts can learn much from the expertise and good practices collected and provided by FIRST.

    ENISA brings together the public and the private sectors to join forces in their efforts for a more secure Internet, a role that it shares with FIRST. ENISA also acts as a contact point for the EU Member States and all EU Bodies, and acts as a premier channel for NIS-related information to these stakeholders. So ENISA is the most obvious body to bring FIRST's important messages and information to otherwise unreachable audiences.

    ENISA will be open for further collaboration with FIRST – in the field of CERT cooperation and beyond!

  • US

    Mary Ann Davidson (Chief Security Officer, Oracle, US)

    Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), is a member of the Global Chief Security Officer Council and the editorial advisory board of SC Magazine. She was recently named one of Information Security's top five "Women of Vision" and is a 2004 Fed100 award recipient from Federal Computer Week.

    Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.

    Securing the Brave New World

    The increasing reliance of organizations on information technology makes IT the backbone for much of critical infrastructure. At the same time, IT infrastructure has morphed from a model of well-defended castles of information to multiple "tents" housing disparate data, with, in some cases, a "welcome" mat in front of each tent. How can the security landscape evolve to effect a correct balance between openness and secrecy? How can the security community itself evolve, including users, guardians, and "police" of information, to ensure that cybercommunities continue to be inhabitable and hospitable, instead of "The Wild West"?

  • US

    George Stathakopoulos (General Manager of Product Security, Microsoft, US)

    As general manager of Microsoft product security for the Security Engineering and Communications Group, part of the Security Technology Unit at Microsoft Corp., George Stathakopoulos directs four teams of more than 100 people that collectively help make Microsoft® products and services more secure and help protect the company's customers from online threats. The four teams have the following responsibilities:

    • The Security and Privacy Product Policy team creates internal policies and processes to ensure that security is a primary consideration during product development and throughout the security development lifecycle (SDL).
    • The Secure Windows® Initiative is designed to check for vulnerabilities in products and enforce the SDL, using methods hackers employ to find potential security weaknesses.
    • The Microsoft Security Response Center responds to externally reported vulnerabilities and coordinates the company's response to viruses and worms.
    • The Security Community Team reaches out to security researchers, industry groups, technology companies and governments to collaborate on security-enhancement projects and increase awareness about Microsoft's security efforts.

    Stathakopoulos began working for Microsoft in 1991. Before his current role, he helped several Microsoft product groups, including the Microsoft Internet Explorer and Windows groups, respond to security issues and enhance product security. He has been on the front line of Microsoft's response to every major computer worm, including Melissa, I Love You, BubbleBoy and Zotob.

    After working on Microsoft Excel®, Windows 3.1, Windows 95 and Internet Explorer®, Stathakopoulos began focusing on security in 1996, spearheading Microsoft's response to the first Internet Explorer security bugs. That same year he helped form the first Internet Explorer Security team, which was among the first monitors of the secure@microsoft.com e-mail address.

    Stathakopoulos joined Microsoft after graduating from Portland State University in Portland, Ore., where he earned a computer science degree in 1991. He also holds Certified Information Systems Security Professional (CISSP) certification.

    Born and raised in Greece, Stathakopoulos moved to the U.S. when he was 19. He remains fluent in Greek and visits his homeland at least once a year. Away from work, he enjoys scuba diving and photography.

    The keynote will cover:

    • General history of MS security efforts
    • Current situation in the ecosystem
    • Microsoft's strategy
    • Call to action

  • UK

    Graham Whitehead (Futurologist, BT, UK)

    Graham Whitehead joined the British Post Office in 1968 as a Post Office University Student. He spent 12 months, before attending university, in all parts of the business from the chairman's office to the deepest, muddiest hole in the ground. He graduated from Leeds University in 1972 with a BSc honours degree in Mechanical Engineering. He is a member of the IMechE and IEE.

    He joined the BT Laboratories after graduation and has worked in a wide variety of disciplines, such as mechanical connections and structures, optical transmission systems, the packaging and cabling of optical fibres, and hydrospace engineering. He was production manager of the optical receiver project which designed and manufactured the receivers used in the TAT-8, PTAT and NPC trans-Atlantic and trans-Pacific submarine systems. For the latter he was awarded the Queen's Award for Technology in 1990.

    In 1989 he moved to the USA on secondment to Du Pont as the production manager and co-ordinator for the manufacture of the optical amplifiers and tuneable narrow-linewidth lasers which were part of the product portfolio of BT&D, a joint venture of the two companies.

    In 1990 he returned to the BT Labs and was appointed manager of the Business Systems Group which investigates the modelling of business structures and their mutual interactions.

    In 1992 he became BT's Advanced Concepts Manager. Over the last few years he has specialised in presenting the work of the BT Labs to both customers and other parts of BT. He delivers more than 300 presentations every year, and has produced a series of video tapes. He also contributes to many journals, newspapers, radio and TV programmes.

    In 1999 he became one of BT's Principal Consultants looking at the future of telecoms and IT.

    In 2004 he was appointed as Visiting Professor at the Business School at Salford University.

    He lives in East Anglia and has two children, Sarah, an Environmental Science graduate, and John, an Aerospace Engineering graduate. He is an active Morris man, and plays and calls for most of the folk bands in East Anglia. To get away from it all he walks over mountains, a difficult task in the eastern counties!

    You Haven't Seen Anything Yet!...

    The human race has always been fascinated by numbers and computing. Recently I have been challenged that Moore's Law (created by Gordon Moore in 1968, which predicted that the number of transistors on a chip would double every two years and the price would halve in the same time) will not only cease being true but will saturate and flatten off. I do not believe this to be the case: I see in the next few years greater and greater computing power being available.

    The advent of Broadband connections, originally by ADSL, and new networks like BT's 21CN will bring an era of AORTA (Always On Real Time Access). The human will be abstracted from the complexity of searching for information. Artificially Intelligent Agents will wander around this new information maze looking for information that might be of interest to you and push it towards you. These agents will have faces, voices, will hear and understand what you say, and might even have personalities! The whole process will get very conversational.

    But we will go further than just artificial people; we will start immersing ourselves in virtual environments. Imagine a virtual High Street where you can wander and visit the shops of your choice. These establishments will be "peopled" by avatars which look and behave just like the real people in the real shops, but there will be no queues.

    With the advent of the SmartCard we will be carrying enormous amounts of personal information and exchanging it in public places. One SmartCard could carry all your personal details, from your ID card and passport to driving licence and medical history. I see everything having SmartCard readers (computers, phones, mobiles, TVs), and the appropriate information will be exchanged without the extreme efforts that are required of the human today, re-typing the same details on every web page. I also see the security hologram on the card still being a visual security device, but also becoming a thumb print reader. The SmartCard becomes a "This is me - honestly, it really is me" security token. With the advent of Web Services on the AORTA network, I could be at an electronic point-of-sale machine and the insertion of the token automatically brings all my relevant data (including a current picture) to that point in the network.

    In the near future everything is going mobile. We will all have personal communicators (yes just like Star Trek!) which will connect us to voice communications and information. You will start asking your mobile phone questions and receive information that is pertinent to you at this time and at this location. Soon, with 3G type systems, we will be able to send and receive moving pictures. In fact in the very near future we will as carelessly pass images and moving images over these devices as we just talk to them today.

    And as we enter this new information age, we must look at how we will trade with our customers. It is vitally important that we target each individual customer and personalise our communication with him or her. Gone are the days when a simple advertisement was good enough, and we expected our customers to come and find us. Now we have to build a bridge and an interactive, proactive experience for our customers.

    Technology is changing very fast indeed. I predict that you will see more change in the next 10 years than has been experienced in the past 150 years. Technology is changing; the question is "Are you changing as fast?", because if you are not, you and your organisation might not be trading in the next few years!



Side events

  • Annual General Meeting (AGM)

    * Limited to FIRST team members, FIRST liaison members and their invited guests, subject to approval by the Steering Committee

    The AGM is FIRST's Annual General Meeting, where the FIRST members meet to discuss and decide on FIRST and its road ahead. This includes the elections for the 5 Steering Committee slots that become vacant each year at the AGM.

    The 2007 FIRST AGM will take place on Thursday, June 21st, 2007 from 17:00 till approximately 18:50 local time in Seville, during the 2007 FIRST Conference.

    The AGM will be conducted in accordance with the FIRST Operational Framework.

    Attendance and participation at the FIRST Annual General Meeting is limited to FIRST team members, FIRST liaison members and their invited guests, subject to approval by the Steering Committee.



Workshop

  • Train the Trainers Workshop

    (Members only)



Tutorials

  • US

    Creating and Managing CSIRTs

    Robin Ruefle (CERT/CC, US)

    Robin Ruefle is a member of the technical staff of the CERT Program at the Software Engineering Institute at Carnegie Mellon University. She works as a member of the CERT® CSIRT Development team (CDT).

    Ruefle’s focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs) worldwide. As a member of the CDT, Ruefle develops and delivers sessions in the suite of courses offered to CSIRT managers and incident handling staff, including Creating a CSIRT, Managing CSIRTs, Fundamentals of Incident Handling, and Advanced Incident Handling for Technical Staff. She also participates in the Train-the-Trainer program that licenses these products to existing CSIRTs.

    The CSIRT Development Team also provides guidance in the development of implementation strategies, policies, standard operating procedures, response plans, and training programs for new and existing CSIRTs. As part of that work, Ruefle has authored or co-authored publications including: Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, The Role of Computer Security Incident Response Teams in the Software Development Life Cycle, as well as numerous other articles and best practice guides. These documents can be found on the CSIRT Development webpages at http://www.cert.org/csirts/.

    Ruefle has presented at numerous incident response and security conferences, including The Forum for Incident Response and Security Teams (FIRST), The US Government Forum for Incident Response and Security Teams (GFIRST), EDUCAUSE, SECURE IT, and other similar venues.

    Ruefle received a BS in political science and an MPIA (Master of Public and International Affairs) from the University of Pittsburgh. She has also taught courses in information technology, management information systems, and information retrieval and analysis as an adjunct faculty member in the Continuing Education and MBA programs at Chatham College and in the Graduate School of Public and International Affairs (GSPIA) at the University of Pittsburgh.

    Georgia Killcrece (CERT/CC – Carnegie Mellon University, US)

    Georgia Killcrece is a Member of the Technical Staff and joined the CERT® Coordination Center (CERT/CC) in 1989. The CERT/CC, established in 1988, is part of the CERT® Program based at the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, Pennsylvania.

    Since 1999 Killcrece has led the CERT® CSIRT Development Team and takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide. She has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. She is internationally recognized as a leader in CSIRT development and has been invited to present at a number of international conferences. Killcrece also chaired the 2006 FIRST conference.

    Killcrece participates in the creation and delivery of public and onsite training courses, as well as facilitating workshops focused on CSIRT development. As part of broader outreach efforts in the CSIRT community, her team licenses the suite of CSIRT training materials to external transition partners. In 2003, to meet the need for trained incident handling staff, the CERT Program created and launched a certification program.

    From 1994 to 1999 Killcrece was a technical coordinator and incident response coordinator in the CERT/CC. In those roles, she gained firsthand knowledge of the processes involved in forming, operating, and managing incident response teams, including the dynamics of working in a fast-paced team environment.

    Killcrece is author or contributor to a suite of CSIRT documents and reports, available on the CERT web site at http://www.cert.org/csirts/. Killcrece can be reached directly by email at georgia@cert.org.

    This full-day tutorial is designed to provide those in the process of creating a CSIRT, those already managing a CSIRT and others who may interact with incident management and CSIRT staff with an overview of the issues involved in creating and operating a CSIRT. It will also provide an introductory view of CSIRTs for those new to the field who are interested in learning about a CSIRT and the type of activities a CSIRT performs.

    This tutorial will provide a discussion of best practices in creating and managing a CSIRT. The course provides an overview of the incident handling process and the types of tools and infrastructure needed to be effective. It also provides a high level overview of the key issues and decisions that must be addressed in establishing a CSIRT. The tutorial will explore the relationship between CSIRTs, incident management, and security management and discuss how successful incident management requires an enterprise view and approach.

  • US

    Creating, Managing and Using a Malware Lab

    Grant Deffenbaugh (CERT/CC, US)

    Grant Deffenbaugh is a member of the technical staff at the Software Engineering Institute's CERT® Coordination Center (CERT/CC). He currently is the team lead for CERT/CC's Malware Laboratory and has a PhD in Computer Systems Engineering from Rensselaer Polytechnic Institute. The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC) sponsored by the US Department of Defense (Under Secretary of Defense for Acquisition, Technology and Logistics) and managed by Carnegie Mellon University.

    Lisa Sittler (CERT/CC, US)

    Lisa Sittler is a member of the technical staff at the Software Engineering Institute’s CERT® Coordination Center (CERT/CC). Lisa is a system administrator for the CERT/CC’s Malware Lab. Prior to joining the CERT/CC, Lisa worked as a system administrator and as a quality assurance engineer for a well-known supplier of networking equipment. The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC) sponsored by the US Department of Defense (Under Secretary of Defense for Acquisition, Technology and Logistics) and managed by Carnegie Mellon University.

    Nick Ianelli (CERT/CC, US)

    Nicholas (Nick) Ianelli is a member of the technical staff at the Software Engineering Institute's CERT® Coordination Center (CERT/CC). Nick is an analyst on the CERT/CC's Artifact Analysis team researching malicious code. Prior to joining the CERT/CC, Nick worked as a network engineer at a national (US) Internet service provider. The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC) sponsored by the US Department of Defense (Under Secretary of Defense for Acquisition, Technology and Logistics) and managed by Carnegie Mellon University.

    During the first part of the day we will present a tutorial on what is required in building and managing a Malware Laboratory from a systems administration point-of-view. Network design, services and infrastructure will be covered. Special attention will be given to creating an environment for runtime analysis. Risk assessment and techniques for implementing network security will be examined. Other topics include developing policy and procedures to maintain a secure and reliable malicious code analysis environment.

    The second half of the day will cover collection of malicious code, safe handling practices, and platforms on which to perform analysis. We will focus on the use of virtualization technologies, discuss various analysis tools, and engage in actual malware analysis.

    Participants are asked to bring a laptop with a valid VMware license pre-configured with a Windows guest. A sample Linux guest as well as tools and malicious code will be distributed during the tutorial.

  • DE / SE

    Do it yourself: The latest in forensic tools and techniques to examine Microsoft Windows

    Andreas Schuster (Deutsche Telekom AG, Group Security, DE)

    Andreas Schuster (GCFA) has been a Senior Computer Forensic Examiner with the security department of Deutsche Telekom AG since December 2003. Previously he led a commercial computer incident response team and had worked in the internet business for about seven years. Andreas got his first computer in 1981. Though times have changed significantly, he regularly falls back on low-level tools like disassemblers and hex editors when he explores the inner mechanics of an operating system or a new piece of malware.

    Pär Österberg (Swedish IT Incident Centre, Sitic, SE)

    Pär Österberg (CISSP) started his career doing Unix and Windows network administration, but quickly migrated into doing only security-related work, like administering firewall and intrusion detection systems. After working several years doing penetration testing for various consulting firms, he started working for the Swedish Government CERT (Sitic), where, among other things, he has been handling IT incidents for the last five years.

    Responding to IT incidents and investigating computers looking for signs of a compromise can be a challenging and time consuming task. This full-day presentation with embedded hands-on exercises will describe methods and techniques to investigate a potential intrusion. The course aims at a technical audience, preferably incident responders and forensic examiners. Participants should be familiar with the Microsoft Windows platform.

    The morning session is dedicated to data acquisition. We will start by building a “First Responders Toolkit”: write-protected media with trusted binaries, which we will tweak so that we avoid using system-wide DLLs. We will also discuss several methods to obtain memory dumps and their specific pros and cons. After that, participants will be able to choose the right tool for their environment.

    We will employ our toolkit to collect various pieces of evidence in the order of volatility: main memory, the swap file, NTFS meta data files, the Registry and lots more.

    During the second session we’ll then show how to analyze the data collected before. We will analyze the $Mft, the heart of NTFS, looking for Alternate Data Streams, commonly used file system anti-forensic techniques, and discrepancies between the user-mode view and the raw data. Furthermore, we will demonstrate how to analyze the raw Windows Registry files, how to quickly analyze the binary files collected from the running system, and how to effectively use databases of hashes of known operating system files.

    After an introduction into the basics of Windows memory management we will start to explore the memory dumps. We will focus on tools which are available for free, so participants can take them home and start working with them immediately. Additionally we’ll cover some of the leading-edge commercial tools in the field. For every tool we will discuss how it works and what its limitations are. Participants will try out the tools on sample images to uncover exploits and actual rootkit infections on their own.

    Participants are expected to bring their own laptop. Microsoft Windows will be required to run some of the programs provided. Sample files for analysis will be available during class. Detailed instructions will be publicized before the conference.

  • US

    System, Network and Security Log Analysis for Incident Response  [schedule]

    Anton Chuvakin (LogLogic, Inc., US)

    Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing a product vision and strategy, driving the product roadmap, conducting research, as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with a security information management company.

    A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3" and the upcoming book on PCI. Anton has also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs such as http://chuvakin.blogspot.com

    The presentation will cover the use of various system, network and security logs and audit trails in the incident response process, from methodology to practical case studies and tools. It will touch upon incident response practices and the role of logs in them, using logs for forensics and e-discovery as well as for pre-incident threat detection. The presentation will include several detailed case studies.

    Here is the brief summary:

    • Brief incident response process overview
    • Relationship between incident response and forensics
    • Logs: what are they and what are they for?
      • Log use at various stages of the response process: from incident detection to lessons learned
      • Use of logs from various sources (firewall, IDS, system, application, etc) during incident response
    • Log review and monitoring processes
      • Routine log review
      • In-depth log analysis and log mining for incident recognition
    • Log evidence integrity and DoJ criteria challenges
      • Raw vs parsed/tokenized logs as evidence
    • Practical scenarios
    • Conclusions

  • US

    Understanding & Analyzing Botnets  [schedule]

    Jeff Nathan (Arbor Networks, US)

    Jeff Nathan is a Senior Security Engineer within Arbor Networks' Arbor Security Engineering & Response Team (ASERT). In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) service and innovating new security technology. Prior to joining Arbor Networks, Jeff served as a Senior Software Engineer for Sygate Technologies Inc., where he developed intrusion detection technologies. Before Sygate, Jeff worked in various capacities at McKesson Corp., @stake Inc. and Hiverworld, Inc.

    During the past seven years, Jeff has also been a core member of the Snort project, an elected member of the Honeynet Project, lead developer of the Nemesis Project, and an occasional contributor to a number of open-source software projects.

    Jose Nazario (Arbor Networks, US)

    Dr. Jose Nazario is a Senior Security Engineer within Arbor Networks' Arbor Security Engineering & Response Team (ASERT). In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service.

    Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant. Dr. Nazario regularly speaks at conferences worldwide, with past presentations at CanSecWest, PacSec, Blackhat, and NANOG. He also maintains WormBlog.com, a site devoted to studying worm detection and defense research.

    This two-day workshop is designed to provide attendees with a thorough understanding of botnets: what they are, how they’re created, how to identify them, and how to stop them. The workshop will consist of both presentations and hands-on sessions where attendees can interact with the instructors for further support. The notion of "rapid response" is taken into consideration in each aspect of the workshop, focusing on techniques and methodologies that can be applied in a timely manner. At the completion of this workshop, attendees will walk away with applicable real-world knowledge that can be applied in their daily work.

    The goals of this training session are for the attendees to more fully understand botnets, to build tools to identify their presence in the wild and to build intelligence as to their presence on their own networks, and to learn how to defend against their attacks. Attendees are expected to be technically savvy and working in network or security operations.


Back to TOC

Geek Zone

  • UK

    A day in the life of a hacker... Things we get up to when nobody is looking, and that keep me awake at night.  [schedule]

    Adam Laurie (The Bunker Secure Hosting Ltd., UK)

    Adam Laurie is a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP8 and other minicomputers, and then on various Unix, DOS and CP/M based microcomputers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own, Apache-SSL, which went on to become the de facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of reusing military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON (http://www.defcon.org) since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, where he is now a regular training instructor (http://www.blackhat.com); he is also a member of the Bluetooth SIG Security Experts Group (http://www.bluetooth.org). His current focus is on RFID, and he has recently published an open-source RFID software library, written in Python, which can be found at http://rfidiot.org.

    In this session I will give a roundup of some of the issues I've spoken about over the last year, which include:

    • Magstripes
    • InfraRed
    • RFID
    • ATM Machines

    Whilst I aim to make this reasonably technical, it will be fairly relaxed and informal, with live demonstrations and some room for experimentation if any of the participants are brave enough... :)

  • ESBR

    Botnet: Creation, usage, detection and eradication  [schedule]

    Francisco Monserrat (FIRST.org, ES)

    Guilherme Vênere (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Jacomo Piccolini (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Jacomo Dimmit Boca Piccolini holds a degree in Industrial Engineering from Universidade Federal de Sao Carlos - UFSCar, with two post-graduate degrees, one from the Computer Science Institute and the other from the Economics Institute of Universidade de Campinas - Unicamp. He is a GCIA (GIAC Certified Intrusion Analyst) and GCFA (GIAC Certified Forensics Analyst), working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field, he is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of the RNP backbone infrastructure by hackers.

  • UK

    Espionage – Reality or Myth? A Demonstration of Bugging Equipment  [schedule]

    Emma Shaw (Esoteric Ltd, UK)

    Emma has been actively involved at all levels in both covert and overt investigations for approximately 20 years. The early part of her career was spent with the Royal Military Police, followed by a career in UK government. Emma is now the Managing Director of Esoteric Ltd, a specialist security and covert investigations company, which she founded in 1998. The company provides bespoke confidential services which assist its clients in dealing with issues such as theft, fraud, counterfeiting, employment-related issues, and economic and corporate espionage. Esoteric Ltd has been approved by the National Security Inspectorate to the prestigious BS EN 9001:2000. Emma is a member of the Council for the Security Institute, the Registrar for the Validation Board of The Security Institute, Southern Region Chair for the Defence Industry Security Association (DISA), a member of the Professional Development Committee for the American Society of Industrial Security (ASIS) and the Counter Terrorist Committee of the Joint Security Industry Council (JSIC).

    The single greatest asset held by most companies is their information. Its protection is key to the success of any business, particularly in competitive markets where new designs, intellectual property and technological advance have significant commercial value. A growing number of companies and government departments are now taking proactive action to protect their information and so deter terrorists, criminals and others before damage can be done.

    Information is also key to the success of terrorists, criminals and others who need to obtain sufficient information on their targets if they are to achieve their aim.

    The threats from those wishing to steal information are real, and there are many recent examples of this both in the UK and elsewhere. Your company is most likely already a target for this type of activity. It may involve staff collusion with external bodies, infiltration, or unauthorised access to gain information through physical or technical means.

    This presentation looks at the threats organisations face from espionage, and the impact of the loss of vital information on the company. The presentation will provide an insight into the world of espionage, how it is conducted and by whom; the legalities of bugging, the vulnerabilities of emerging technologies, along with statistics, case studies and actual examples of bugging devices. We will examine the facts to decide whether espionage is “Reality or a Myth”.

    If time allows we can include a practical demonstration.

  • US

    Forensic Discovery  [schedule]

    Dr. Wietse Z. Venema (IBM Research – GSAL, US)

    Wietse Venema is known for his software such as the TCP Wrapper and the POSTFIX mail system. He co-authored the SATAN network scanner and the Coroner's Toolkit (TCT) for forensic analysis, as well as a book on Forensic Discovery.

    Wietse received awards from the System Administrator's Guild (SAGE), the Netherlands UNIX User Group (NLUUG), as well as a Sendmail innovation award. He served a two-year term as chair of the international Forum of Incident Response and Security Teams (FIRST).

    Wietse is a research staff member at the IBM T. J. Watson research center. After completing his Ph.D. in physics he changed career to computer science and never looked back.

    Wietse presents lessons learned about the persistence of information in file systems and in main memory of modern computers - not only how long information persists, but also why this happens, and what the limitations of that information are.

    After an introduction to the basic concepts of volatility and persistence, Wietse presents examples of how to recover time line information from a variety of network and host-based sources, including a walk-through of a post-mortem file system analysis.

    The presentation ends with results from file and memory persistence measurements. The results are based on measurements of a variety of UNIX and Linux systems, with some results for Windows/XP, including how to recover encrypted files without knowing the key.

    This presentation includes content from the "Forensic Discovery" book that was co-authored with Dan Farmer.

  • ZA

    I know what you (and your company) did last summer...  [schedule]

    Roelof Temmingh (Paterva, ZA)

    Born in South Africa, Roelof studied at the University of Pretoria and completed his Electronic Engineering degree in 1995. His passion for computer security had by then caught up with him and manifested itself in various forms. He worked as developer, and later system architect at an information security engineering firm from 1995 to 2000. Early in 2000 he started the security assessment and consulting firm SensePost along with some of the leading thinkers in the field. During his time at SensePost he was the Technical Director in charge of the assessment team and later headed the Innovation Centre for the company. Roelof spoke at various international conferences such as Blackhat, Defcon, RSA, Ruxcon, Hack-in-the-box and FIRST (2003). He also contributed to books such as “Stealing the network: How to own a continent”, “Penetration Tester's Open Source Toolkit” and was one of the lead trainers in the “Hacking by Numbers” training course. Roelof also authored several well known security testing applications like Wikto, Crowbar, BiDiBLAH and Suru. At the start of 2007 Roelof founded Paterva in order to pursue R&D in his own capacity. Paterva will be a vehicle for exploring a new train of thought in the information security industry.

    In recent times a lot of emphasis has been placed on the interaction and collaboration between individuals on the Internet – the old asymmetrical nature of the web has changed from a data producer/consumer model to a model where everyone is a producer and a consumer at the same time. This change has been very rapid, without set guidelines or policies – it's best described as a phenomenon rather than a well thought out process – and it is indeed one that is driven by the community rather than by an RFC. The challenges faced by the traditional producers of yesterday are now on the doorstep of individuals – with the difference that the environment and role players are a lot less defined. The high level of interaction and connections between produced information, the vague identity of the producer and the abundance of distribution channels make the Internet of today the ideal breeding ground for those with less-than-honest intentions who utilize trickery such as personal (online) identity theft, public opinion manipulation, viral campaigns or simply discovering valuable or restricted information by means of extensive data mining. These types of attacks could be performed by individuals with minimal technical knowledge and infrastructure.

    In this presentation I will look at how the abundance of information available on the Internet, combined with a generation of less-questioning, more trusting Internet users, can lead to vulnerabilities that are hard to delineate, hard to anticipate, hard to protect against, and, as will be shown in the presentation, a disturbing reality. The presentation will further look at possible ways to defend against these types of attacks, as well as discussing and demonstrating a framework for generic information gathering that could be used in both a defensive and an attacking role.

  • UK

    Identity theft in the corporate environment – demonstration and hands-on  [schedule]

    Peter Wood (First Base Technologies, UK)

    Peter’s innovative and entertaining style has led him to present to the boards of the largest international companies as well as at international conferences on many IT security-related topics.

    He was recently rated the British Computer Society’s number one speaker.

    Peter has worked in the electronics and computer industries since 1969. He has extensive experience of international communications and networking, with hands-on experience of many large-scale systems. Peter’s board-level responsibilities have included sales, marketing and technical roles, giving him a broad industry view.

    Founded in May 1989 as a vendor-independent consultancy, First Base Technologies now provides security testing and audit services to clients as diverse as B&Q, Bradford & Bingley, Brighton & Hove City Council, Co-operative Group, the Finance & Leasing Association, the Learning & Skills Council, Screwfix, Skipton Building Society and Trinity House Lighthouse Service. Peter has hands-on technical involvement in the firm on a daily basis, working in areas as diverse as penetration testing, social engineering and skills transfer.

    Peter is a Fellow of the British Computer Society and member of the Institute of Electrical and Electronics Engineers, the Information Systems Audit and Control Association and the Association of Computing Machinery. He is also a BCS Registered Security Consultant, a Microsoft Certified Product Specialist and a member of Mensa.

    Popular topics:

    • Casebook of an ethical hacker
    • Why penetration test?
    • Google Hacking - an ethical hacker’s view
    • Identity Theft in the Corporate Environment
    • An Ethical Hacker on Denial of Service Attacks.

    Identity theft and fraud are an important and growing problem. They affect individuals, government departments and private sector organisations, and often form part of more serious criminal operations such as people trafficking and drug smuggling. It is estimated that more than 120,000 people are affected by identity theft in the UK each year. The latest estimate is that identity fraud costs the UK economy £1.7 billion.

    In the words of Fox Mulder, 'trust no-one.' If someone steals your password at work, it is a significant step towards stealing your identity. It won't just impact your employer but your personal life too. In fact it could easily leave you with a reputation for enjoying illegal pornography, a large credit card bill and an even larger overdraft.

    Peter Wood has developed a set of methodologies to simulate corporate identity theft attacks, both external and internal. He shares his experiences in perpetrating licensed attacks against a variety of clients over the last year, as well as the results of criminal investigations. His methods and recommendations should prove invaluable to any business.

  • US

    Insider Threat – The Visual Conviction  [schedule]

    Raffael Marty (ArcSight, Inc., US)

    Raffael Marty, GCIA, CISSP manages the solutions team at ArcSight, the global leader in Enterprise Security Management. Raffy's information security expertise includes log management, intrusion detection, insider threat, regulatory compliance and security data visualization. He is involved in security industry initiatives and standards efforts, such as the open vulnerability and assessment language (OVAL). Raffy has written a number of automation and visualization tools such as Thor (http://thor.cryptojail.net) and AfterGlow (http://afterglow.sourceforge.net) and is the founder of the security visualization portal http://secviz.org.

    Raffy has served as a contributing author to several security books, including the Snort book, and also presents on the topic of visualization at various occasions around the world. Before joining ArcSight, Raffy worked as an IT security consultant for PricewaterhouseCoopers and previously was a member of the Global Security Analysis Lab at IBM Research, where he participated in various intrusion detection related research projects.

    Insider threat has increasingly been discussed in the past months. Information leaks, sabotage, and fraud have been reported at large institutions everywhere. One way to address the insider threat problem is to analyze log files and find suspicious behavior before it results in direct or indirect financial loss for the company.

    Signs of suspicious behavior or users lend themselves very well to visualization techniques. Visualization of data has proven to be the approach generating the best return on investment when it comes to complex data analysis problems. This workshop takes a step-by-step approach to analyzing signs of insider threat. I will use a few open source tools to process the information and generate visual representations. Among them is a tool called AfterGlow (afterglow.sourceforge.net), which was written by the presenter. It is a very simple tool to visualize preprocessed information. The analysis I will go through in the workshop will show how early warning signs of insider activity manifest themselves in the log files, making it possible to prevent further damage and assess the impact of the activities.

    The goal of the talk is to leave the audience with the knowledge and tools to do visual log analysis on their own data.

  • NL

    Provider practicalities and paranoia: Modern ISP incident response – the tooling of incident response at an ISP  [schedule]

    Scott McIntyre (KPN-CERT, NL)

    As a follow-on from the Wednesday session on ISP response, this session will delve deep into precisely the technical tools we built, use and rely upon for detecting security incidents to and from our customers. A wide variety of tooling-related topics will be covered, including some popular open-source and commercial solutions for incident detection and response. This detailed discussion of our methods and tooling will include specifics on customer notification, walled-garden technology, darknet analysis, server security, log analysis and some of the many countermeasures we employ. It is hoped that this session may serve as a springboard for a possible Tooling SIG within FIRST, where specific incident response and mitigation tools can be shared amongst members. The session is meant to be highly interactive with others interested in detailed incident tooling!

  • UK

    Tools and techniques to automate the discovery of zero day vulnerabilities  [schedule]

    Joe Moore (Pentest, UK)

    Joe Moore has been working for the past four years as an IT Security Consultant with Pentest Limited, a leading UK-based security consultancy.

    During his employment with Pentest Limited, Joe has specialized in penetration testing and vulnerability assessment, and has provided security consultancy services to a number of Pentest's clients.

    The scope of this consultancy has ranged from Internet based application and infrastructure testing, to on-site audits of large corporate networks.

    Joe also has a keen interest in software security research, and has been instrumental in the discovery and reporting of numerous critical vulnerabilities in a variety of software.

    Currently, Joe's research is focused on mobile device security and embedded operating system vulnerability research.

    Mark Rowe (Pentest, UK)

    Mark Rowe is a co-founder of Pentest Ltd, a leading UK-based security consultancy. Mark has specialised in vulnerability assessment and penetration testing, carrying out work for a wide range of clients including utilities, government agencies, financial institutions, and retail organisations.

    Mark is an active security researcher and has worked with software and hardware vendors such as Microsoft, IBM, Oracle, Skype, Sony, Widcomm, Bluetooth SIG and Nokia to identify and fix security vulnerabilities in their products.

    Mark was also a major contributor to the SANS Institute's Oracle Step-by-Step security guide. More recently Mark has been conducting leading-edge research in the area of mobile device security, which includes Bluetooth wireless connectivity.

    Mark is also a member of the trifinite.group (http://www.trifinite.org), a loose group of computer experts that spend their free time doing research in wireless communications and related areas.

    This half-day session will explore the software testing technique of fuzzing and how it can be used to find security defects. It will cover the advantages and disadvantages of fuzz testing and will give some practical insight into the free tools and techniques currently available to security testers. During the session several demonstrations will be given showing how fuzzing may have been used in the past to discover some well publicised security vulnerabilities. The attendees will also be encouraged to gain some hands-on experience.

  • US

    UNIX/C Programming traps and pitfalls  [schedule]

    Dr. Wietse Z. Venema (IBM Research – GSAL, US)

    Wietse Venema is known for his software such as the TCP Wrapper and the POSTFIX mail system. He co-authored the SATAN network scanner and the Coroner's Toolkit (TCT) for forensic analysis, as well as a book on Forensic Discovery.

    Wietse received awards from the System Administrator's Guild (SAGE), the Netherlands UNIX User Group (NLUUG), as well as a Sendmail innovation award. He served a two-year term as chair of the international Forum of Incident Response and Security Teams (FIRST).

    Wietse is a research staff member at the IBM T. J. Watson research center. After completing his Ph.D. in physics he changed career to computer science and never looked back.

    Neither the UNIX system, nor the C programming language were built with security as a primary goal. Consequently, building a secure program can be like building a house on quicksand. The challenge for the implementor is to avoid the mechanisms that are weak, and to carefully build on the few mechanisms that remain. This tutorial focuses on implementation errors, why these errors happen, and how an implementor can avoid making such errors.

    Security problems happen when system behavior does not match the user's expectation. Wietse illustrates this with a very small and obviously correct file shredder program that does not work at all, and for more reasons than most people can think of. This is followed by a segment that illustrates several flaws that were found in real applications that used the UNIX file system in an exploitable manner.

    The set-uid feature is unique to UNIX, and deserves its own segment. Wietse demonstrates why it is fundamentally impossible to write set-uid software without creating a security hole.

    Finally, Wietse presents the open source Postfix mail system, and how its partitioned design not only helped to build a secure mail system, but also helped to avoid code degeneration as the system expanded in size by more than four times.


Back to TOC

Main Conference

  • JP

    An Internet Threat Evaluation Method based on Access Graph of Malicious Packets  [schedule]

    Masaki Ishiguro (Mitsubishi Research Institute, Inc., JP)

    Masaki Ishiguro is a senior researcher in the Information Security Research Group, Mitsubishi Research Institute, Inc. He received his master’s degree from the Graduate School of Information Science, the University of Tokyo, in 1994 and has been working for Mitsubishi Research Institute since then. He has been engaged in research and development projects for an Internet threat detection system, a verification system for security protocols, a medical image recognition system, formal methods, etc.

    Hironobu Suzuki (Mitsubishi Research Institute, Inc., JP)

    Malicious packets generated by Internet worms or port scans can be captured by monitoring ports of IP addresses where any network service is provided. Several methods have been proposed for detecting threats over the Internet by monitoring malicious packets. Most of these methods apply statistical methods to time-series frequencies of malicious packets captured at each port.

    This paper proposes a new method for evaluating threats on the Internet based on an access graph defined by the relation between sources and destinations of malicious packets. This method represents the access relation between sources and destinations of malicious packets by a bipartite graph and defines a relation of threat and vulnerability between sources and destinations of malicious packets. In order to evaluate threats on the Internet, we apply a new method to this relation. This method evaluates threats by using the spatial structure of the access graph, which has not been used by traditional methods. We applied our method to working examples monitored during the period of worm outbreaks to show the effectiveness of our method.

  • DE

    Assessing Incident Severity in a Network and Automatic Defense Mechanisms  [schedule]

    Klaus-Peter Kossakowski (SEI Europe GmbH, DE)

    Klaus-Peter Kossakowski is a Visiting Scientist at the SEI in Europe. He is currently researching the business processes related to incident response as an integral part of - not only IT specific - risk management. He defended his doctoral thesis in "Information Technology – Incident Response Capabilities" at the University of Hamburg. He also holds a first-class degree in Information Science from the University of Hamburg. After his studies he worked as a senior consultant and managing director for German-based security providers and consulting companies. He has served for many years in various roles within the international CERT communities.

    • Moira J. West-Brown ; Don Stikvoort ; Klaus-Peter Kossakowski (1998) Handbook for Computer Security Incident Response Teams (CSIRTs), CMU/SEI-98-HB-001, Carnegie Mellon University, Pittsburgh, PA, USA
    • Georgia Killcrece ; Klaus-Peter Kossakowski ; Robin Ruefle ; Mark Zajicek (2003) Organizational Models for Computer Security Incident Response Teams (CSIRTs), CMU/SEI-2003-HB-001, Carnegie Mellon University, Pittsburgh, PA, USA

    Luis Francisco Servin Valencia (PRE-CERT – PRESECURE Consulting GmbH, DE)

    Luis Servin has worked in software development since 2002. Since 2004 he has been living in Germany, where he is completing his Master of Science in Information and Communication Systems at the University of Technology in Hamburg-Harburg. He joined PRESECURE Consulting GmbH as a researcher to complete his Master's thesis, whose topic is the assessment of network security. His areas of interest include artificial intelligence, digital image and signal processing, and network security. He studied Electrical Engineering in Mexico, at the Instituto Tecnológico y de Estudios Superiores de Monterrey in Mexico City.

    Till Dörges (PRE-CERT – PRESECURE Consulting GmbH, DE)

    Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he is currently working on are a network of distributed IDS sensors (evolved from the EC-funded project "eCSIRT.net") and the EC-funded research project on proactive security monitoring in a policy-based framework ("POSITIF"). Both projects relate strongly to intrusion detection, honeynets and (security) policies.

    He is also the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as within FIRST.

    Till Dörges studied Computer Sciences in Hamburg, Toulouse and Leipzig. He holds a French "Maîtrise d'Informatique" and a German "Informatik-Diplom".

    Threat sources for computer networks are diverse and increasingly complex. Attackers usually exploit vulnerabilities or configuration mistakes to break through the external lines of defense into individual hosts, or to eavesdrop on what should otherwise be a secure, private communication channel.

    Unfortunately, the means to defend against and react to attacks are scarce and mostly work in isolation. Among them we can count firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and honeypots, as well as the possibility of running penetration tests from inside or outside the network.

    Using all of these methods produces a large amount of information that has to be processed to assess the current situation; only on that basis can the security policies governing a network be adjusted. This is by no means trivial and could overwhelm a person trying to do it manually.

    This paper presents a framework that concentrates the input from different sensor types, assesses the situation and decides on the action to take to counter a possible attack. This ranges from (semi-)automatically changing the security policies for the whole network, to reconfiguring a service within a host.

    In particular the processing method to make the assessment will be the core of this article.
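    An added, deliberately simplified sketch of such a fusion and decision step, not the authors' framework: constructed events from a firewall, an IDS, a honeypot and a penetration test are merged per host, corroboration across sensor types and contact with a peer already caught by the honeypot raise the score, and the score selects between a host-level reconfiguration and a network-level policy change. The sensor weights, thresholds, sample addresses and function names are all assumptions.

```python
from dataclasses import dataclass, field

# Relative trust placed in each sensor type (assumed weights, not from the paper).
# Honeypot events are handled separately: they identify hostile peers rather
# than score a production host.
SENSOR_WEIGHT = {"firewall": 1.0, "ids": 3.0, "ips": 3.0, "pentest": 2.0}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"sensor": "firewall", "host": "192.0.2.15", "peer": "203.0.113.7", "msg": "denied tcp/445"},
    {"sensor": "ids", "host": "192.0.2.15", "peer": "203.0.113.7",
     "msg": "SMB exploit attempt", "confidence": 0.6},
    {"sensor": "honeypot", "host": "192.0.2.99", "peer": "203.0.113.7", "msg": "interactive shell"},
    {"sensor": "pentest", "host": "192.0.2.15", "msg": "SMB service exposed and unpatched"},
    {"sensor": "ids", "host": "192.0.2.30", "peer": "198.51.100.4", "msg": "port scan", "confidence": 0.3},
]


@dataclass
class Assessment:
    host: str
    score: float = 0.0
    sensors: set = field(default_factory=set)   # sensor types that reported on this host
    peers: set = field(default_factory=set)     # remote addresses involved
    scope: str = "none"                         # none | host | network
    action: str = "monitor"


def hostile_peers(events):
    """Anything that talked to a honeypot is hostile by definition."""
    return {e["peer"] for e in events if e["sensor"] == "honeypot" and "peer" in e}


def decide(a, hostile):
    """Map a host's score to the scope and concrete action of the response."""
    if a.score >= 8.0:
        peers = ", ".join(sorted(a.peers & hostile)) or "the attacking peers"
        return "network", f"block {peers} at the perimeter and isolate {a.host}"
    if a.score >= 4.0:
        return "host", f"reconfigure or disable the exposed service on {a.host}"
    return "none", "monitor"


def assess(events, corroboration_factor=1.5, hostile_bonus=3.0):
    """Concentrate all sensor input per host and pick an action for each host."""
    hostile = hostile_peers(events)
    result = {}
    for e in events:
        if e["sensor"] == "honeypot":
            continue
        a = result.setdefault(e["host"], Assessment(e["host"]))
        a.score += SENSOR_WEIGHT[e["sensor"]] * e.get("confidence", 1.0)
        a.sensors.add(e["sensor"])
        if "peer" in e:
            a.peers.add(e["peer"])
    for a in result.values():
        if len(a.sensors) >= 2:          # independent sensors agree: trust it more
            a.score *= corroboration_factor
        if a.peers & hostile:            # the peer already burned itself on the honeypot
            a.score += hostile_bonus
        a.scope, a.action = decide(a, hostile)
    return result


if __name__ == "__main__":
    for host, a in assess(SAMPLE_EVENTS).items():
        print(f"{host:12} score={a.score:5.1f} scope={a.scope:8} action={a.action}")
```

    On the constructed input, 192.0.2.15 is reported by three sensor types and by a peer the honeypot has already classified as hostile, so its score crosses the network-policy threshold, whereas the lone low-confidence scan against 192.0.2.30 stays at "monitor". In a real deployment the weights and thresholds are the part that needs tuning against false positives, since an automatic perimeter block is itself a denial-of-service risk if the scoring is too eager.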

  • PL

    Beyond the CPU: Defeating Hardware Based RAM Acquisition Tools  [schedule]

    Joanna Rutkowska (Invisible Things Lab, PL)

    Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and the defensive side of this field. Her work has been quoted many times by the international press, and she is a frequent speaker at security conferences around the world. In April 2007 she founded Invisible Things Lab, a consulting company dedicated to cutting-edge research into operating system security.

    Many people believe that a hardware-based acquisition method, such as a dedicated PCI card or the FireWire bus, is the most reliable and secure way to obtain an image of volatile memory (RAM) for forensic purposes.

    This presentation aims to change that belief by demonstrating how to cheat such hardware-based solutions, so that the image obtained over, for example, a FireWire connection differs from the real contents of physical memory as seen by the CPU. The attack does not require a system reboot.

    The presented technique has been designed and implemented to work against AMD64-based systems, but it does not rely on hardware virtualization extensions.

  • US

    Building a scalable, accurate, actionable Incident Response system  [schedule]

    Dr. Ken Baylor (CISSP CISM, VP & CISO Symantec, US)

    Ken Baylor serves as Symantec's Chief Information Security Officer (CISO), and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM). As CISO, he is responsible for the development of all information systems security policies, oversight of the implementation of all security-related policies and procedures, and global protection of electronic and digital assets. He also works closely with internal product groups on security capabilities in Symantec products, heads up the Information Security department and oversees privacy issues.

    Ken Baylor has 15 years of experience leading global IT and security teams. Prior to joining Symantec in November 2006, Dr. Baylor led a number of strategic initiatives within McAfee, where he was recognized as an expert in Intrusion Prevention Systems and Risk Management. He was active in developing strategic alliances and creating the Service Provider program.

    Dr. Baylor holds bachelor's and doctoral degrees in science from the National University of Ireland, a law degree from the University of Wolverhampton, England, and an MBA from the University of Texas. He is active within the security community.

    With a global presence and over 100k nodes, Symantec’s challenge is common to large enterprises. This presentation will focus on their deployment of technologies that form the basis of Symantec’s internal Incident Response and Risk Management capabilities. The approach taken by Symantec’s InfoSec team, in developing an end to end layered security infrastructure and compliance reporting framework will be described along with results to date.

  • US

    Cyber Fraud Trends and Mitigation  [schedule]

    Ralph Thomas (VERISIGN iDefense, US)

    Mr. Thomas heads the iDefense Malicious Code Operations Group, responsible for the active collection of open-source intelligence, and for the reporting and analysis of public reports and outbreaks of malicious code. Mr. Thomas also directs the malicious code research lab in iDefense, which is tasked with the development of tools for discovery and analysis of malicious code and related threats. Before joining iDefense, Mr. Thomas worked as Principal Computer Forensics Consultant in several data acquisition and litigation support projects and served as expert witness in federal court. Early in his career Mr. Thomas designed hardware and realtime software in the controls and digital television sectors before turning his attention to enterprise software. A Certified Lotus Specialist, he has expertise in e-mail archiving, document imaging, Siebel, SAP and Oracle Applications. Mr. Thomas holds a Master of Science degree in Electrical Engineering from the University of Dortmund in Germany.

    Phishing Trojan horse programs are not traditional bots, but sophisticated and original pieces of malicious code. Since iDefense began tracking this technique in May 2006, attackers have quietly seeded dozens of variants into the wild to target at least 30 specific banking institutions. These attackers had intimate knowledge of each targeted bank’s Web infrastructure and built a sophisticated command-and-control system that completely automated the attacks. The authors believe that criminal organizations are using these phishing Trojans to compromise millions of bank accounts across the globe. These Phishing Trojan attacks can defeat sophisticated authentication schemes that security experts previously thought rock solid.

    This presentation discusses mitigation techniques that work and fail in light of these new malicious code attacks. The audience will be given an overview on malicious code attacks against the financial infrastructure and an introduction to banking authentication schemes. The presentation also includes cyber fraud detection and mitigation strategies.

  • US

    Data on Data Breaches: Past, Present, and Future  [schedule]

    Chris Walsh (cwalsh.org, US)

    Currently an information security architect for a consumer goods firm operating in 180 countries, Chris has previously held information security and incident response roles in academia and the financial sector, as a hands-on technologist, a consulting team lead and a divisional manager.

    A number of high-profile data loss incidents have focused attention on questions surrounding the collection, storage, and protection of personal information.

    Measures aimed at protecting those whose personal information has been put at risk through such incidents have become widespread in the U.S., with increasing calls for similar regulation in the EU, Canada, and elsewhere.

    We examine past and present security breaches to illustrate the thesis that to understand, we must discuss. Effective measures to address security breaches can only be developed through empirical research, from which we can learn what contributes to such breaches and what their impact is on those whose information is revealed and on the breached entity.

    We conclude by discussing future steps that can be taken legislatively and by the research community to facilitate greater understanding in this area.

  • DE

    Dealing with Unreliable Software: Exile, Jail, and other Sentences  [schedule]

    Dr. Bernd Grobauer (Siemens-CERT, DE)

    Dr. Bernd Grobauer is a Senior Consultant with Siemens CERT. He received an M.Sc. degree in computer science in 1997 from the Munich University of Technology, Germany, and a Ph.D. degree from Aarhus University, Denmark. When he joined Siemens CERT in March 2002, Bernd Grobauer turned his attention from program verification and program transformation, topics relevant to research towards more dependable systems, to IT security. He coordinates the research activities of the Siemens CERT services team and acts as security consultant on security governance topics.

    Dr. Martin Wimmer (Siemens-CERT – Siemens AG, Corporate Technology, CT IC CERT, DE)

    Martin Wimmer is Associate Consultant with Siemens CERT. After studying computer science at the University of Passau, where he received his Diploma degree in 2003, he worked as research assistant at the University of Passau and, from April 2004 on, at the Munich University of Technology. His research activities mainly focused on security requirements of upcoming service oriented IT infrastructures. In April 2007 he joined the research group of the Siemens CERT.

    Dr. Heiko Patzlaff (Siemens-CERT – Siemens AG, Corporate Technology, CT IC CERT, DE)

    Dr. Heiko Patzlaff is a security consultant with Siemens CERT. He received an M.Sc. degree in physics in 1993 from Martin-Luther University of Halle and a Ph.D. in theoretical statistical physics in 1997 from the University of Leipzig. Before joining Siemens he worked in the anti-virus industry as a researcher and member of the systems development group of SophosLabs at Sophos PLC in the United Kingdom. Besides his continuing interest in anti-virus and malware topics, Dr. Patzlaff's current responsibilities include forensics, security consulting and research.

    In terms of security, web browsers are most unreliable fellows: over the past few years no other application type has been as error-prone, inviting a plethora of attacks. Yet modern business can no longer do without web browsers. Other application types that handle data accessed via the Internet, such as messaging applications, document viewers and peer-to-peer applications, are also increasingly under attack, and at least some of them cannot be dispensed with either. What is one to do?

    This talk discusses the possibilities of mitigating risk by separating unreliable software from production systems. We provide an overview of various methods of separation (exile on a dedicated system, jail in virtual or change-root-like environments, ...), discuss the security gain that can be achieved, and highlight the challenges in integrating such separated systems with the production environment so as to achieve satisfactory usability.

  • GR

    Developing a trusted partnership to prepare a framework for the collection of information security data  [schedule]

    Carsten Casper (ENISA, GR)

    Carsten Casper is a Senior Expert for Information Security Tools & Architectures at ENISA, the European Network and Information Security Agency.

    Mr. Casper conducts and moderates studies and research on information security topics such as information security certifications, security challenges in emerging applications and technologies, sharing of sensitive information on security incidents and consumer confidence, security and anti-spam measures of electronic communication service providers, and best practices for information security policies.

    Prior to working for ENISA, Mr. Casper worked as a Senior Research Analyst for Gartner and META Group. He holds a diploma in computer science from the Technical University of Berlin.

    Public and private decision makers need accurate statistical and economic data on information security. They need information about trends and volumes of security problems, but also about the level of confidence that clients and citizens put in information processing resources. Various public and private sources of such data exist, within an organisation, within a country and beyond borders. However, in most cases such data is kept in silos, not compared with data from other sources. This happens for technical reasons, but also because every incident is embarrassing for the owner of the technical infrastructure and most think that such information is best kept secret.

    ENISA, the European Network and Information Security Agency, has been tasked with evaluating whether a trusted partnership can be developed and with preparing a framework for the collection of such data. The partnership could include Managed Security Service Providers, Electronic Communication Service Providers, vendors, users, government entities and others. The goal is not to actually share data, which would be too ambitious given the sensitive nature of the information, but rather to discuss under which circumstances sharing such sensitive data can become possible. In June 2007 the first results of this relationship-building will be visible, and the goal of this session is to present them to the public.

  • NZ

    Electronic Forensics: a Case for First Responders  [schedule]

    Dr. Henry B. Wolfe (University of Otago, NZ)

    Dr. Wolfe has been an active computer professional for 48 years. He has earned a number of university degrees culminating with a Doctor of Philosophy from the University of Otago (Virus Defenses in the MS/DOS Environment). The first ten years of his career were spent programming and designing systems in the manufacturing environment; the most notable was one of the first fully automated accounting systems in the U.S. The next ten years of ever increasing responsibility was devoted to serving in the U.S. Federal Government rising to the position of Director of Management Information Systems for the Overseas Private Investment Corporation.

    In 1979 Dr. Wolfe took up an academic post at the University of Otago and for the past twenty or so years has specialized in computer security (and is currently in the process of designing and creating an Information Assurance degree – based on the NSA model). During that period he has earned an international reputation in the field of forensics, encryption, surveillance, privacy and computer virus defenses.

    Dr. Wolfe writes about a wide range of security and privacy issues for Computers & Security, Digital Investigation (where he is also an Editorial Board Member), Network Security, the Cato Institute, Cryptologia (where he is also an Editorial Board Member), and the Telecommunications Reports. He is a Fellow of the New Zealand Computer Society. He is also a member of Standards New Zealand SC/603 committee on Security, Secretary of the AsiaCrypt Steering Committee (representing New Zealand), a member of the New Zealand Law Society’s Electronic Commerce Committee, and was on the Board of Directors of the International Association of Cryptologic Research finishing up in January 2003.

    He has provided advice on security matters to major government bodies within New Zealand and to Australian, Panamanian, Singaporean and U.S. Government organizations; and additionally to New Zealand businesses and the major New Zealand Internet Service Providers. He has been commissioned to provide training in electronic forensics for law enforcement organizations internationally (New Zealand, Australia and Singapore). Over the past fifteen years he has conducted and supervised computer security audits of more than one-hundred-twenty-five (125) New Zealand businesses and government bodies. His opinions are regularly sought by the various media organizations (newspaper, radio and television).

    Dr. Wolfe speaks on security and privacy issues (both technical and policy) regularly at international conferences – more than 55 in the past fourteen years (as an invited speaker and occasionally as a keynote speaker) – some of the most recent being in America, Australia, England, China, Greece, Ireland, Hong Kong, Japan, Korea, Malaysia, Panama, Poland, Portugal, Russia, Serbia, Singapore, Sri Lanka and of course in New Zealand. During the same period, he has been an invited speaker at 20 non-conference venues as well. His primary research interest is centered around the emerging discipline of computer forensics as well as private communications techniques, which focus on the implementation of various cryptographic algorithms that are currently available and the associated hardware and software necessary to implement such systems.

    Almost every aspect of our lives is touched or somehow controlled by technology-driven processes, procedures and devices. Because of this pervasive electronic influence, there is a high probability that a successful criminal or otherwise unacceptable incident will occur within the perimeter of an organization's information, computer and network infrastructure. The difference between conducting a successful investigation that results in a potential prosecution and failing to do so will often lie squarely in the lap of the electronic forensic investigator. If potential evidence is compromised at any point in the investigation, it will be unacceptable in a court of law. The highest risk of compromise occurs at the point prior to evidentiary acquisition. The first responder's primary responsibility is to protect and preserve potential evidence and to ensure that suspect electronic devices and storage media are not tampered with by anyone until the professional electronic forensics investigator (law enforcement or private) takes full control of the scene. This paper explores electronic forensics, demonstrating the need and making the case for the appointment and training of a first responder for incidents in which electronic devices may have been used.

  • DE

    Experiences with Building, Deploying and Running remote-controlled easily installable Network Sensors  [schedule]

    Dr. Bernd Grobauer (Siemens-CERT, DE)

    Dr. Bernd Grobauer is a Senior Consultant with Siemens CERT. He received an M.Sc. degree in computer science in 1997 from the Munich University of Technology, Germany, and a Ph.D. degree from Aarhus University, Denmark. When he joined Siemens CERT in March 2002, Bernd Grobauer turned his attention from program verification and program transformation, topics relevant to research towards more dependable systems, to IT security. He coordinates the research activities of the Siemens CERT services team and acts as security consultant on security governance topics.

    A remotely manageable network sensor on a live CD may allow a CERT with little or no direct control over its networks to achieve improved situational awareness: because installing such a sensor requires very little effort on the part of local system administrators, the barrier to deploying IDS sensors is significantly lowered. Furthermore, an easily installable network sensor is a valuable tool for fast response to ongoing incidents in which network data must be collected.

    This talk reports about the experiences collected by Siemens CERT in creating an easily installable IDS sensor, deploying it within the company and running the sensor network: We describe the design of the sensor and sensor management console and report on lessons learned in interacting with local system administrators and operating the sensors. We also describe experiences with using remote sensors as honeypots rather than IDS sensors.

    Building on our experiences, other CERTs should be able to get up to speed fast with creating and rolling out network sensors in their network.

  • IT

    Flaws and frauds in the evaluation of IDS/IPS technologies  [schedule]

    Stefano Zanero (Politecnico di Milano T.U. & Secure Network S.r.l., IT)

    Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico di Milano technical university, where he is currently a post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, the security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer-reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for "ACM Computing Reviews" and "IEEE Security & Privacy", as well as for various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery), and a founding member of the Italian Chapter of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and was awarded a journalism award in 2003. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

    One of the things that amazes me on mailing lists and in conferences regarding intrusion detection is the symmetric presence of two concurrent issues:

    • customers asking "what is the better IDS for my architecture, or for this specific requirement?"
    • vendors and scientists claiming "my IDS is better than that", all the time

    Both are very reasonable stances, per se. Trouble is, we don't have answers for those customers, and we don't have benchmarks to actually measure if one IDS is better than another. Since a key issue in developing technologies is measuring how well they compare with earlier attempts, it is an unsurprising result that we don't have really good IDS yet, just a very wide bunch of (often unconvincing) suggestions on how an IDS should be made.

    So, I'd like to help fellow practitioners and researchers by debunking claimed "performances" of current IDS systems, by demolishing current "testing methodologies" and by showing how practical testing architectures can be created to compare systems.

    The key points to take away from this lecture are:

    • how to easily debunk most current literature on the subject, in particular marketing material, and
    • how to devise tests that can efficiently help us choose among different technologies when implementing an IDS solution
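    An added example of the kind of test arithmetic the lecture argues for; it is not the speaker's material. Two constructed detectors are scored on a labelled test set, and their precision is then re-computed at a realistic deployment base rate, which is where a headline "detection rate" figure stops meaning much. The detector names, the test set and the 1-in-10,000 prevalence are assumptions.

```python
# Constructed labelled test set: 20 attack records followed by 1000 benign ones.
LABELS = [True] * 20 + [False] * 1000


def constructed_verdicts(labels, hits, false_alarms):
    """Constructed detector output: flag the first `hits` attacks and the first
    `false_alarms` benign records, so the error counts are controlled exactly."""
    verdicts, seen_attack, seen_benign = [], 0, 0
    for is_attack in labels:
        if is_attack:
            verdicts.append(seen_attack < hits)
            seen_attack += 1
        else:
            verdicts.append(seen_benign < false_alarms)
            seen_benign += 1
    return verdicts


DETECTOR_A = constructed_verdicts(LABELS, hits=19, false_alarms=10)  # "95% detection"
DETECTOR_B = constructed_verdicts(LABELS, hits=18, false_alarms=1)   # "only 90%"


def confusion(labels, verdicts):
    """Count true/false positives and negatives for one detector."""
    cm = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for is_attack, alerted in zip(labels, verdicts):
        key = ("t" if alerted == is_attack else "f") + ("p" if alerted else "n")
        cm[key] += 1
    return cm


def rates(cm):
    """Detection rate (TPR) and false-positive rate (FPR) from a confusion matrix."""
    tpr = cm["tp"] / (cm["tp"] + cm["fn"])
    fpr = cm["fp"] / (cm["fp"] + cm["tn"])
    return tpr, fpr


def precision_at_prevalence(tpr, fpr, prevalence):
    """Share of alerts that are real attacks when attacks make up `prevalence`
    of the traffic (Bayes' rule; TPR and FPR are assumed to carry over)."""
    true_alerts = tpr * prevalence
    false_alerts = fpr * (1.0 - prevalence)
    return true_alerts / (true_alerts + false_alerts)


def evaluate(labels, verdicts, deployed_prevalence):
    """Vendor-style numbers next to the number an analyst actually lives with."""
    cm = confusion(labels, verdicts)
    tpr, fpr = rates(cm)
    test_prevalence = sum(labels) / len(labels)
    return {
        "tpr": tpr,
        "fpr": fpr,
        "precision_on_testset": precision_at_prevalence(tpr, fpr, test_prevalence),
        "precision_deployed": precision_at_prevalence(tpr, fpr, deployed_prevalence),
    }


if __name__ == "__main__":
    for name, verdicts in (("A", DETECTOR_A), ("B", DETECTOR_B)):
        r = evaluate(LABELS, verdicts, deployed_prevalence=1e-4)
        print(f"detector {name}: TPR={r['tpr']:.2f} FPR={r['fpr']:.4f} "
              f"precision on test set={r['precision_on_testset']:.2f} "
              f"precision at 1:10000={r['precision_deployed']:.4f}")
```

    Detector A wins on the marketing slide (95% detection against 90%), but with attacks at one in ten thousand records fewer than 1% of its alerts would be real, while B's much lower false-positive rate makes it the one an analyst could actually work with. Any test that reports a detection rate without the false-positive rate, the traffic mix and the intended base rate is measuring the test set, not the IDS.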

  • US

    Forensics for Managers – Presenting and understanding forensics from the MBA point of view  [schedule]

    Mr. Ryan Washington (Crucial Security, US)

    Mr. Washington brings 14 years of experience in Military Intelligence, High Technology Administration and Federal Law Enforcement to Crucial Security. Along with experience leading small fire teams in the Marine Corps to managing larger projects in several technology companies, he is a Certified Information System Security Professional (CISSP), National Security Agency/Information Assurance Methodology (NSA/IAM) certified, Certified Computer Examiner (CCE), and Certified Ethical Hacker (CEH). Mr. Washington holds a Bachelor of Science in Management from National-Louis University and a Master of Business Administration (MBA) from Indiana University.

    This presentation delivers a basic understanding of forensics from an MBA's point of view. What is forensics? Why do we need it? Who wants our information? Why would someone attack us? Why do these tools cost so much? These questions and more will be answered in an easy-to-understand way. The class was designed to help mid-level and upper management understand and appreciate the cost, payback and time needed to conduct an investigation, but it is suitable for anyone who wants to understand exactly what is involved in digital media exploitation. It will not be an in-depth or vendor-specific class, but common industry tools will be mentioned along with their pros and cons as used in a real-world environment.

  • SG

    Handling Less-Than-Zero-Day Attack – A Case Study  [schedule]

    Ma Huijuan (National University of Singapore, SG)

    Dr. Ma Huijuan is an IT Security Engineer with the InfoComm Security/QA Group of Computer Centre. She has about 6 years experience in the IT industry. Her duties include penetration tests, incident handling and response, security audits, network reviews, evaluating and testing of new technologies and user awareness training. Dr. Ma holds a PhD degree in Engineering.

    While some people are still skeptical about the existence and significance of zero-day threats and attacks, less-than-zero-day attacks have come onto the scene. Less-than-zero-day attacks target vulnerabilities that have not been publicly disclosed. As attackers in recent years have increasingly pursued financial gain rather than fame, less-than-zero-day attacks are expected to pose a greater risk to organizations. They are also very difficult to defend against, because the vulnerabilities are unknown.

    In this presentation, I will share our experience in dealing with such attacks. Monitoring and alerting of the incident will be introduced first, followed by containment of the damage, analysis of the compromised system, and identification of the less-than-zero-day attack. After that, I will talk about the process of reporting the unpublished vulnerability to the CERT Coordination Center and the relevant vendor, as well as assisting the vendor in fixing it, so that organizations using this software can be protected. At the end, I will talk about the lessons learnt and the security measures we found useful in dealing with this kind of attack.

    I hope that by sharing our experience, more people will join the efforts to combat less-than-zero-day attacks, report unpublished attacks and help vendors fix them, so that organizations globally are protected and Internet security as a whole can be improved.

  • UK

    How many RATs do you know out there?  [schedule]

    Simon Gunning (Digilog UK Limited, UK)

    Simon, a co-founder of DigiLog, is responsible for directing and managing all IT related elements of DigiLog's AVS Solutions, including risk assessment, design, build, installation, configuration, testing and support.

    His extensive technical experience with Nemesysco's VRA technologies, combined with a wide variety of successful AVS deployments, ensures that DigiLog has world-leading capabilities in this field, both in customer-facing provision and in enhancing the development of the VRA technologies according to AVS requirements.

    Simon has worked extensively in the field of Voice Risk Analysis with a variety of International Corporate and Public Bodies, including Police and National Security Services.

    He is a member of the Association of Certified Fraud Examiners (ACFE) and sits on the Executive of the UK Chapter. He is also a member of the Fraud Advisory Panel and is affiliated to the International Chamber of Commerce Cyber Crime Unit. In 2002, Simon was the author of the London UK Wireless Security Report.

    He is a regular and highly regarded speaker on VRA Technologies, ‘Cyber Crime' and Forensic IT Investigation.

    This session will be an insight to the world of the Remote Access Trojan (RAT).

    In this session we will explore some of the current RATs being deployed in the wild; the idea is to give an overview of their workings and some examples of deployments and connections. No RATs will be harmed during this session, except of course by anti-virus software ... but will the AV be able to detect them?

  • UK

    How to Join FIRST  [schedule]

    Damir (Gaus) Rajnovic (Cisco PSIRT – Cisco Systems Co., UK)

  • UK

    Identity Management Systems: the forensic dimension  [schedule]

    Peter Sommer (London School of Economics, UK)

    Peter Sommer is a Research Fellow at the London School of Economics where his interest is "the legal reliability of information systems", a subject which includes e-commerce protocols, computer forensics and many other aspects of computer-derived evidence. He is also a Senior Visiting Research Fellow at the Open University where he is developing a course on computer incident response and forensics. Since 2005 he has been the Joint Lead Assessor for the computer evidence speciality at the UK Council for the Registration of Forensic Practitioners.

    He read law at Oxford and has had careers in both conventional book publishing and electronic publishing. His first expert witness assignment was in 1985, and his casework has included the Datastream Cowboy / Rome Labs hack, the Demon v Godfrey Internet libel case, NCS Operation Cathedral into large-scale distribution of paedophile images, NHTCU Operation Blossom into global warez piracy and, very recently, Operation Crevice (terrorism) and a defamation action involving Sir Martin Sorell of WPP and some Italian former business associates. He is currently instructed in a complex state corruption case in South Africa.

    He sits on a number of Whitehall advisory panels and was Specialist Advisor for E-Commerce to the UK House of Commons Trade & Industry Select Committee, supporting their scrutiny of government policy and legislation.

    An identity management system consists of an enabling technology, a means of managing that technology, and a framework of policies, law and regulations. If all works out well we achieve a balance of reliability in authentication and appropriate levels of confidentiality for those taking part.

    But over a period of time the quality of the enabling technology and its management may become eroded. The technology may be less robust than first appeared, or advances may make compromise easier. A management system may show unexpected defects.

    We need to study these eroding factors in identity management systems as we do more widely in computer security systems.

    One of the least understood is the role of specialists in digital forensics. These people are constantly reverse-engineering hardware and software in order to identify digital footprints of activities which can then be used in legal proceedings. Their aims are often of the highest - to bring wrong-doers to justice. But in so doing in relation to identity management systems, they create the means by which people become prematurely de-anonymised and/or personal data is revealed in circumstances not originally envisioned.

    I propose to examine the dilemmas, produce some examples and suggest some remedies.

  • US

    Inside the Perimeter: 6 Steps to Improve Your Security Monitoring  [schedule]

    Chris Fry (Cisco Systems, US)

    Chris has been a member of Cisco's Computer Security Incident Response Team (CSIRT) for 3 years, focusing on deployment of intrusion detection and network monitoring tools. He began his career at Cisco in 1997 as an IT analyst, supporting Cisco's production services. His four years as a Network Engineer in Cisco IT's internal network support organization gave him valuable knowledge and insight about production enterprise networks. Chris holds a BA in Corporate Financial Analysis and a Master's degree in Information and Communication Sciences from Ball State University.

    Martin Nystrom (Cisco Systems, US)

    Martin is a security architect for Cisco’s Computer Security Incident Response Team (CSIRT). He drives projects to improve security monitoring and response, and investigates security incidents. Since he began his career in 1991, he has worked as a software developer, analyst, and architect in the pharmaceutical and high-tech industries. Martin holds a BA from ISU, a Master's degree from NCSU, as well as a CISSP certification, and is the author of the forthcoming “SQL Injection Defense Guide” (O’Reilly Media).

    Most attacks from the Internet are not actionable. They're automated, noisy distractions from the real problems your enterprise is facing. The threat has driven deeper into your enterprise; infected hosts are remote-controlled and attacking your naked infrastructure.

    For this reason, Cisco's Computer Security Incident Response Team (CSIRT) has begun orienting its security monitoring toward internal threats. CSIRT engineers will describe their approach, topology, challenges, and lessons learned in the process. This highly practical session will illustrate security monitoring with CS-IPS version 5 and 6, CS-MARS 4, Netflow v7, and syslog. CSIRT engineers will describe how the global solution was deployed and tuned, and the lessons learned in the process. Participants should expect to leave with practical insights and best practices in deploying internal monitoring for incident response.

  • NODE

    Long term instability of high priority incident response – A system dynamics simulation approach  [schedule]

    Johannes Wiik (Agder University, NO)

    Johannes Wiik is a PhD fellow at Agder University College and the University of Bergen. He is currently studying the main factors influencing the effectiveness of a CSIRT over time from a management perspective. The method chosen for this study is system dynamics modelling and simulation. He holds a Master's degree in System Dynamics from the University of Bergen. After his Master's studies he spent several years working as an international consultant applying system dynamics modelling to strategic problems in a wide range of industries. In 2001, he became the head of the consulting department of Powersim AS. In 2003 he started working as an advisor for organisations in the area of crisis management and contingency planning before he started on his PhD research.

    • Johannes Wiik ; José J. Gonzalez ; Klaus-Peter Kossakowski (2006) Effectiveness of Proactive CSIRT Services, 18th Annual FIRST Conference, Baltimore, USA
    • Johannes Wiik ; José J. Gonzalez ; Klaus-Peter Kossakowski (2005) Limits to effectiveness in Computer Security Incident Response Teams, 23rd International System Dynamics Conference, Boston, Mass., USA
    • Johannes Wiik ; José J. Gonzalez ; Klaus-Peter Kossakowski (2005) Dynamics of Incident Response, 17th Annual FIRST Conference, Singapore
    • Johannes Wiik ; José J. Gonzalez ; Howard Lipson ; Tim Shimeall (2004) Dynamics of Vulnerability - Modeling the Life Cycle of Software Vulnerabilities, 22nd International System Dynamics Conference, Oxford, UK.

    Jose J. Gonzalez (Agder University, NO)

    Jose J. Gonzalez is Professor of system dynamics and information security at the Faculty of engineering and science, Agder University College, Norway. He leads the Security and Quality in Organizations group at Agder University College with two postdoctoral fellows and four PhD fellows. In addition, Dr. Gonzalez is adjunct professor at the Dept. of Informatics and Media Science, Gjøvik University College, Norway. At Gjøvik he is responsible for the Security Management course for the M.Sc. study in Information Security. In addition to numerous publications in the fields of system dynamics and information security, Dr. Gonzalez was co-founder of Powersim, developer of one of the leading system dynamics tools.

    • Johannes Wiik ; José J. Gonzalez ; Klaus-Peter Kossakowski (2006) Effectiveness of Proactive CSIRT Services, 18th Annual FIRST Conference, Baltimore, USA
    • Johannes Wiik ; José J. Gonzalez ; Klaus-Peter Kossakowski (2005) Limits to effectiveness in Computer Security Incident Response Teams, 23rd International System Dynamics Conference, Boston, Mass., USA
    • Johannes Wiik ; José J. Gonzalez ; Howard Lipson ; Tim Shimeall (2004) Dynamics of Vulnerability - Modeling the Life Cycle of Software Vulnerabilities, 22nd International System Dynamics Conference, Oxford, UK.

    Klaus-Peter Kossakowski (SEI Europe GmbH, DE)

    Klaus-Peter Kossakowski is a Visiting Scientist at the SEI in Europe. He is currently researching the business processes related to incident response as an integral part of risk management, not only IT-specific risk management. He has defended his Doctorate Thesis in "Information Technology – Incident Response Capabilities" at the University of Hamburg. He also holds a first-class degree in Information Science from the University of Hamburg. After his studies he worked as a senior consultant and managing director for German-based security providers and consulting companies. He has served for many years in various roles within the international CERT communities.

    • Moira J. West-Brown ; Don Stikvoort ; Klaus-Peter Kossakowski (1998) Handbook for Computer Security Incident Response Teams (CSIRTs), CMU/SEI-98-HB-001, Carnegie Mellon University, Pittsburgh, PA, USA
    • Georgia Killcrece ; Klaus-Peter Kossakowski ; Robin Ruefle ; Mark Zajicek (2003) Organizational Models for Computer Security Incident Response Teams (CSIRTs), CMU/SEI-2003-HB-001, Carnegie Mellon University, Pittsburgh, PA, USA

    Effective incident response is dependent on detection. A CSIRT typically relies on detection via intrusion detection techniques, or reports from various sites. In this paper we only focus on high priority incidents reported from sites. If a CSIRT depends on its constituency as the primary source for incident detection and reporting, especially incidents of higher priority, then the service provided itself depends on these reports. One major factor is the pool of various sites inside and outside the constituency that accept the CSIRT as the point of contact and hence report such incidents. Due to this dependency, the relationship between the CSIRT and the reporting sites within the constituency, as well as to other cooperating sites and other CSIRTs, is very important to maintain.

    However, empirical data we have found indicates that this relationship is very unstable over time. Viewed over a time frame of years, the number of reporting sites and the high priority workload seem to show an oscillatory behaviour pattern independent of the resources available to handle this workload. This is a problem, because such instability means that the effect, quality and efficiency of the incident response service are also unstable over time.

    This article therefore tries to address the following questions:

    1. What factors cause this instability and how does this influence the effectiveness of high priority incident response?
    2. What can be done to dampen this instability and make high priority incident response more effective?

    This research problem has been studied as a part of a larger PhD research project investigating the effectiveness of incident response in a well known context of a coordinating CSIRT. A System Dynamics simulation model has been developed to serve as a controlled environment to identify the main causal relationships creating the instability between certain key variables of interest:

    • The number of reporting sites
    • The number of high priority incidents
    • Quality of service

    The results from the simulation model indicate that the instability in these key variables is caused by long time delays in the interaction between the CSIRT and reporting sites. Attraction of reporting sites is very much dependent on the past quality of service by the CSIRT. Building a reputation takes time, and so does losing one. At the same time the attraction of new reporting sites takes time. There is a tendency that a good quality of service (and thereby reputation) will lead to the attraction of new reporting sites. This will increase the workload, driving down the quality. However, the impact of lower quality on future attraction is delayed. Hence, there is a risk of overshoot in the workload before the perception of quality starts to decline. Conversely, the same delays can lead to undershoot in reporting and the workload despite improving quality. The behaviour pattern over time will thereby be oscillatory for the number of reporting sites, the number of high priority incidents reported, and the quality of service. However, it is very hard to identify because the delay times are so long that the pattern is only visible over several years.

    Through the model, the following policies of interest were tested:

    1. Decrease delay times to close the gap between perceived and actual quality of service among reporting sites.
    2. Add more people to the IRT staff

    The model showed that alternative 2 tended to dampen the oscillatory behaviour. Alternative 2 only gave a temporary solution, before the instability came back over the course of time.
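    The feedback structure described above (good reputation attracts sites, more sites raise the high priority workload, overload erodes quality, and sites notice the change only after long delays) can be reproduced with a very small system dynamics model. The Python below is an added illustration, not the authors' model: all parameter values are hypothetical, the perception and attraction delays are collapsed into a single pipeline delay, and the cubic attraction function is a modelling assumption. It runs the base case and the two policies named in the abstract and reports the overshoot and undershoot of reporting sites relative to the model's equilibrium.

```python
"""Toy system dynamics model of the CSIRT / reporting-site feedback loop.

Added example, not the authors' model; all parameter values are hypothetical.
One stock (reporting sites) is driven by two flows: sites join at a rate set by
the CSIRT's reputation, and sites stop reporting at a constant fraction.
Quality of service falls once high-priority workload exceeds staff capacity,
and reputation lags quality by the perception and attraction delays.
"""
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    staff: float = 10.0                 # analysts on high-priority incidents
    capacity_per_analyst: float = 5.0   # incidents one analyst can close per month
    incidents_per_site: float = 0.5     # high-priority reports per site per month
    perception_delay: int = 24          # months before sites notice a change in quality
    attraction_delay: int = 12          # months between reputation and new sites reporting
    churn: float = 0.02                 # fraction of sites that stop reporting per month
    max_join_rate: float = 8.0          # new sites per month at perfect reputation
    initial_sites: float = 40.0


def quality(sites, capacity, p):
    """Share of high-priority reports handled well: 1.0 until workload exceeds capacity."""
    workload = sites * p.incidents_per_site
    return 1.0 if workload <= capacity else capacity / workload


def simulate(p, months=240, extra_staff_at=None, extra_staff=0.0):
    """Monthly Euler integration; returns rows of (month, sites, quality, joins)."""
    delay = max(1, p.perception_delay + p.attraction_delay)
    # Pipeline delay: attraction today is driven by the quality delivered `delay`
    # months ago (both delays collapsed into one lag, a simplification).
    history = deque([1.0] * delay, maxlen=delay)
    sites, staff, rows = p.initial_sites, p.staff, []
    for t in range(months):
        if extra_staff_at is not None and t == extra_staff_at:
            staff += extra_staff                 # policy 2: add people to the IRT
        q = quality(sites, staff * p.capacity_per_analyst, p)
        perceived = history[0]                   # oldest entry = quality `delay` months ago
        history.append(q)
        # Attraction rises steeply with reputation (assumed cubic): only a clearly
        # good reputation pulls in new sites. This is a modelling choice.
        joins = p.max_join_rate * perceived ** 3
        leaves = p.churn * sites
        rows.append((t, sites, q, joins))
        sites = max(0.0, sites + joins - leaves)
    return rows


def equilibrium_sites(p, staff=None):
    """Sites at which joins equal leaves, assuming the team is overloaded there."""
    capacity = (p.staff if staff is None else staff) * p.capacity_per_analyst
    ratio = capacity / p.incidents_per_site      # sites the team can serve at quality 1.0
    return (p.max_join_rate * ratio ** 3 / p.churn) ** 0.25


def overshoot_and_undershoot(rows, equilibrium):
    """Peak sites and the lowest trough after it, both as ratios to equilibrium."""
    sites = [s for _, s, _, _ in rows]
    peak = max(range(len(sites)), key=sites.__getitem__)
    return sites[peak] / equilibrium, min(sites[peak:]) / equilibrium


def compare_policies(p=Params(), months=240):
    """Base case plus the two policies from the abstract, summarised as ratios."""
    eq = equilibrium_sites(p)
    base = simulate(p, months)
    shorter = simulate(replace(p, perception_delay=6, attraction_delay=3), months)
    staffed = simulate(p, months, extra_staff_at=60, extra_staff=p.staff)
    return {
        "equilibrium_sites": eq,
        "base": overshoot_and_undershoot(base, eq),
        "shorter_delays": overshoot_and_undershoot(shorter, eq),
        "quality_before_staffing": staffed[59][2],
        "quality_after_staffing": staffed[60][2],
        "min_quality_after_month_120": min(q for t, _, q, _ in staffed if t >= 120),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key:30s} {value}")
```

    With these assumed values the base run climbs well past its equilibrium before the delayed reputation signal arrives, then falls well below it, and keeps swinging for the whole run. Cutting the two delays to 6 and 3 months leaves a much smaller overshoot and almost no undershoot. Doubling the staff at month 60 lifts quality immediately, but once the improved reputation has worked through the pipeline the extra sites it attracts push the team back into overload, so the instability returns.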

  • BR

    Malware distribution through software piracy: a case study  [schedule]

    Jacomo Piccolini (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Jacomo Dimmit Boca Piccolini holds an Engineering degree in Industrial Engineering from Universidade Federal de Sao Carlos - UFSCar, with two postgraduate degrees, one obtained at the Computer Science Institute and the other at the Economics Institute of Universidade de Campinas - Unicamp. He is a GCIA (GIAC Certified Intrusion Analyst) and GCFA (GIAC Certified Forensics Analyst), working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field he is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of the RNP backbone infrastructure by hackers.

    Trust no one or you will be assimilated! This is the current scenario inside the software cracking and piracy community. This paper focuses on the study of the usage of pirate software to infect systems and their abuse by miscreants. Statistics from collected malware related to software piracy will be presented.

    The author believes software piracy will always exist, including pirated operating systems, applications and games. The problem is directly related to the customer’s compulsive appetite for new features and releases, which leads users to consume any product, even beta versions (sometimes fake ones) and pirated products.

    To deal with this demand, some specialized piracy groups have, for a long time, supplied this market with diverse products. Among others, we emphasize keygens, which are applications that generate a registration key to allow software installation, and cracks, which are modifications to files of the target software that allow its execution or remove existing protections.

    With the advance of software protection techniques, new forms to circumvent these protections and to make this content available are being offered, such as installation packages, cracked versions ready to run and CD emulators. The piracy community is always developing new ways to take care of the demand and to circumvent the protections that are implemented.

    The universe of software piracy possesses multiple mechanisms of distribution: sites specialized in cracks, keygens and emulators (CD-ROMs), FTP servers, CDs sold in the streets or offered on sites, and mainly P2P applications.

    The process of malware distribution uses any of these mechanisms, with only small differences. We must understand that miscreants are very creative and their main goal is to infect as many systems as possible. Files that are accessible through web pages are hosted on sites that exploit vulnerabilities in browsers. Why wait for the user to download and execute if the system can be infected and controlled through browser vulnerabilities?

    Even the malware files, available as keygens and cracks, take different forms of infection; the great majority of analyzed specimens will infect a system in a second stage, after installation and decompression. This technique serves only to make it harder to identify the file as malware. The main functionality of this type of malware also varies, from simple downloaders and adware to botnets. From the miscreant’s point of view this is the perfect scenario: the end user is downloading and executing malicious code with their consent and without any restrictions.

    In 2006 one of the main sources of malware propagation through software piracy was the creation of dozens of crackers for Windows Genuine Advantage. The constant updates of the WGA tool made users of counterfeit versions of Windows search repeatedly for new versions of the crackers and, when they did not succeed, they simply started to install all available crackers. Of the WGA cracking files collected, almost 70% were classified as downloaders and bots with a high degree of sophistication and a difficult removal process.

    The same issue occurred at the end of 2006 with the launch of the new version of Internet Explorer, whose installation only succeeds once the operating system has been validated as genuine.

    This kind of exploitation and propagation is not restricted to Microsoft products; any popular software with some installation restriction is being used as an attack vector.

    The consumer of pirated software is at this moment being heavily targeted by the piracy community, which aims only to infect and control their systems for illicit purposes and to feed the piracy industry, normally by stealing all serial numbers of installed software from the user's system for later distribution on web sites, not forgetting the traditional use of the systems as part of botnets.

    The message here is simple: there is no crack, keygen or other tool related to software piracy that can be considered safe to use, or even to download. Users must be discouraged from consuming any kind of pirated software in order to avoid their personal information and systems being used by miscreants.

  • UK

    Managing Privacy in Network Operations: Learning from the Law  [schedule]

    Andrew Cormack

    Andrew Cormack joined UKERNA as Head of JANETCERT in March 1999. In January 2002 he took up the new post of Chief Regulatory Advisor, concentrating on the awareness, policy, legal and regulatory aspects of computer and network security. Andrew is active in promoting cooperation between organisations working on computer security in the UK and Europe. He is a member of TERENA's Technical Committee and of the Permanent Stakeholders Group of the European Network and Information Security Agency (ENISA). He spends a lot of time talking to people about the problem of computer insecurity and what to do about it. He is a regular presenter of training courses on IT security and policy development and a speaker at national and international conferences.

    In the past Andrew has worked for Cardiff University, where he looked after web servers and caches as well as dealing with security incidents; the NERC's Research Vessel Services, running scientific computer systems on board ships with uncertain power supplies and moving floors; and Plessey Telecommunications. He has degrees in mathematics from Cambridge University and law from the Open University, and is a European Chartered Engineer.

    System and Network Managers and Incident Response Teams can represent a serious threat to the privacy of individual users. To ensure smooth operation of their systems and ensure they are not a threat to others, administrators may need to be able to read, modify or block any file or communication, or to pass it to their Incident Response colleagues for investigation. However those same powers, if misused either accidentally or misguidedly, can cause serious harm to individuals and organisations. Lacking written guidance on how to exercise their considerable powers, many administrators are left to rely on their own consciences to find the balance between protecting the individual and protecting the wider community: this is not a comfortable position for the administrator, their organisation or their users.

    The European legal system has at least half a century of experience of protecting individual privacy, formalised in 1950 in Article 8 of the European Convention on Human Rights, which established the “right of respect for private and family life, home and correspondence”. This talk will suggest how principles established in the Convention and in subsequent European and national legislation to protect personal data and communications can be applied to network operations and incident response. The focus will be on developing good practice based on fundamental principles, so should benefit those from other legislative traditions as well as those who have to ensure that their practices comply with their particular local privacy law.

  • DE

    New Trends and technologies in Identity Theft  [schedule]

    Christoph Fisher (BFK Edv-Consulting Gmbh, DE)

  • SG

    NUS IT Security Landscape  [schedule]

    Fong Lian Yong (National University of Singapore, SG)

    Yong Fong Lian received the B. S in Computer Science from the National University of Singapore in 1981. She is currently working in the National University of Singapore, Computer Centre as the Manager of the InfoComm Security/Quality Assurance Group. She is also the chairperson of NUSCERT, the Computer Emergency Response Team of NUS.

    Universities have the dual challenge of creating an environment that fosters experimentation and learning while protecting the users against unauthorized access and other internet threats. In a large enterprise network like NUS, where there are more than 30 000 online nodes, this challenge is more acute. Universities are unlike corporations because they cannot impose overly restrictive policies that could hamper research and sharing. In corporate environments, network users are primarily rule-abiding employees. However, in university environments, the majority of the network users are students.

    I will present the enterprise-wide security framework adopted by NUS. This framework is built on the PPT Methodology (i.e. People, Process and Technology). The People Element is the most important element and, as the saying goes, “Human is the weakest link in the security chain”. Under the people element, I will detail the strategy to address upper management, user buy-in, staff morale, user awareness and training requirements. Under the process element, I will discuss the process framework we adopt to track progress and success. Processes include vulnerability management, threat management, incident management, audits and penetration testing, etc. On the technology aspect, NUS has looked beyond the traditional firewalls, intrusion detection and prevention systems, antivirus, anti-spyware and anti-spam implementations. Many systems are developed in-house as many off-the-shelf systems are not effective in a unique environment like NUS. Our blackholing mechanism, honeynet implementation and vulnerability management system are some examples of our innovative security implementations.

    I hope that sharing our experience with the strategy that helped us and the pitfalls to avoid can prove valuable to both universities and similar organizations that do not already have a similar strategy in place but are facing enterprise-level threat mitigation issues and inhibiting cost factors.

  • UK

    Our Own Worst Enemies  [schedule]

    Frank Wintle (PanMedia Ltd, UK)

    Frank Wintle runs the London-based communications consultancy PanMedia, offering courses in internal and external communications, individual coaching in communications skills, and agenda, production and presentation services for business seminars. His clients include Cisco Systems, HSBC Actuaries and Consultants, Virgin Money, E-ON Ruhrgas, Deloitte, and the international Forum of Incident Response and Security Teams. He also trains Peace Observers in reporting and diary-keeping before their tours of duty in the Middle East.

    In his writing and producing career for factual television Frank Wintle won gold and silver medals from the New York Film and TV Festival, the Golden Gate Award from the San Francisco Film and TV Festival, best programme award from the Royal Television Society and an Emmy nomination.

    He has written two books and continues to contribute to the national Press.

    In his address to the 18th FIRST annual conference in Baltimore, guru Bruce Schneier asked and answered a critical question: “How do you compel the home user to secure a PC against Trojans and worms? You don’t. You can’t.”

    Twelve months later, the theme of the 19th FIRST conference in Seville is digital privacy, in the wake of a year in which millions of items of personal data were lost or stolen from corporates with disastrous consequences for the reputation of e-commerce.

    These are the starting points for Frank Wintle’s presentation to Conference 19. Why don’t home users care and why don’t they act? Why, in the UK, did more than half a million people walk away from Internet banking in 2006? Why are phishers still able to pose as financial institutions, sucker innocents and detach them from $millions? What’s the root cause of corporate carelessness?

    Could one reason be that the Internet security industry has a huge communications problem?

    Wintle thinks that it is, and in this presentation he will argue that the “I’m-a-geek-and-I’m-proud-to-speak-geekspeak” attitude betrays the kind of pride which almost always goes before a big fall – if the fall isn’t happening already.

    He then goes on to set out the principles of a communications approach which can make even the most arcane subject lucid and engaging for non-specialist audiences, and illustrates how effective communications can change attitudes and actions.

    Lastly, he discusses strategies and evaluation, exploring ways in which CERTs within nations or organisations can define the communications targets they want to reach and the behaviours they want to change, and then use appropriate PR techniques to reach their objectives.

  • ES

    Privacy matters in directories  [schedule]

    Javier Masa (University of Malaga, ES)

    Jose Alfonso Accino (University of Malaga, ES)

    Victoriano Giralt (University of Málaga, ES)

    Present main occupation since 2002: Systems and Telematics Services Manager at University of Málaga

    Member of the European Committee for Academic Middleware (ECAM).

    Directories activity leader for the TERENA TF-EMC2 task force on middleware issues.

    Member of the RedIRIS committee for updating the Spanish Academic directory schema.

    Over the past twelve years he has been actively involved in the Spanish NREN community on issues ranging from systems administration to mail systems development and configuration to directory management matters. This involvement has produced several communications and papers presented to the task forces and annual meetings of the RedIRIS community.

    Career main milestones:

    1986 — Graduated as M.D. from University of Málaga
    1987-1990 — Application programmer at the University of Málaga
    1990-1995 — Systems manager at International Sports University (UNISPORT). During this tenure, I set up one of the first web servers in Spain.
    1995-2001 — Systems programmer at University of Málaga
    1992 — Technical coordinator of SPORTANDALUS project.
    1992 — Information systems manager for the Scientific Olympic Congress.
    1995 — Director of project "Acceso Fácil'95", for divulging Internet amongst Andalusian SMEs.
    1996 — Evaluator for the Telematics Applications Programme of the EC
    1998 — Technical director of project "Échanos un Cable", for cabling schools throughout Spain.

    Modern institutional directory services are confronting a clear conflict of interests. On the one hand, there is the need of members of the institution to find other members in the same or a different institution. On the other hand, there are the privacy rights of the individuals.

    This has led us to develop a mechanism to resolve this conflict using information access controls that can be managed both by the institutions and by the individuals.

    This presentation will discuss our implementation of such a mechanism based on LDAP classes and attributes, and OpenLDAP Access Control Lists.

    We will also present information on the adoption of the privacy control attributes in other institutions after more than a year of promoting them. This research is being carried out during the first quarter of 2007.

    The possibility of using these access controls in RedHat Directory Server is also being assessed during the first quarter of 2007, and we will also present how to do it if the results are positive, as expected.

  • NL

    Provider Practicalities and Paranoia: Modern ISP incident response  [schedule]

    Scott McIntyre (KPN-CERT, NL)

    This session will be a glimpse into how an Internet Service Provider with a strong commitment to incident handling and preventing abuse goes about their daily work. Special attention to customer privacy, non-invasive techniques and the top threats that we, as a provider face whilst protecting our customers will be given. Topics will include items such as: active abuse/incident detection, mitigation techniques, visual tooling, darknets, malware analysis and “Next Generation” threats we’re facing as we develop products for customers.

  • UK

    Reviewing the VoIP Threat Landscape  [schedule]

    Peter Cox (Borderware, UK)

    Peter Cox is the Chief Technology Officer of the SIP solutions group in Borderware Technologies. This group is dedicated to analysing Voice over IP security problems and to developing solutions for those problems.

    Peter Cox began his career at the U.K. Metropolitan Police Forensic Science Laboratory where he pioneered the use of mini-computers for managing the large quantities of data generated in criminal investigations. In 1989, he moved to The Wollongong Group as European Technical Director promoting the early use of TCP/IP networks.

    In 1998 Peter co-founded BorderWare Technologies Inc. Peter ran the international operations for several years and led a number of special projects including a total of three Common Criteria EAL4 certifications of the BorderWare Firewall Server, and of the MXtreme email security gateway. Two of these certifications included the higher level EAL5 vulnerability analysis and in both cases, BFS and MXtreme were the first products in their category to gain this level of certification.

    Peter holds a BSc in Biological Sciences and an MSc in Environmental Engineering from the University of Newcastle on Tyne and subsequently earned a post-graduate diploma in Information Science from City University London.

    Voice over IP (VoIP) services are, as the name suggests, a method of running Voice Telephony over IP networks. The protocols used for VoIP, and specifically the Session Initiation Protocol (SIP), also provide a number of other real-time communication services including Video Conferencing, Instant Messaging and Presence services. The latter provide intelligent call routing, improving communications services.

    VoIP offers many business benefits, but in the rush to realise these benefits it is easy to forget that VoIP is an IP service and is subject to all the IP network level vulnerabilities and threats that other IP applications such as web and email have faced for the past 10 years or more. In addition, the real-time requirements of VoIP and Video Conferencing and the position of these services as a keystone in business communication make VoIP applications uniquely vulnerable to application and content vulnerabilities.

    This session reviews the VoIP threat landscape, highlighting the risks posed by these threats and outlining the security requirements for an effective and robust VoIP implementation.

  • US

    SafeSOA: Managing Privacy & Risk In The Global Service Oriented Environment  [schedule]

    Hart Rossman (SAIC, US)

    Hart Rossman is Assistant Vice President and Chief Security Technologist at SAIC’s Intelligence and Information Solutions Business Unit, SAIC’s center for information security and secure information sharing. In this role, he brings together people, process, and technology to create solutions that meet customers’ current challenges – and respond to issues they may not have foreseen. He leads the business unit’s exploration and assessment of existing and emerging technologies, vendors, tools, devices, and applications to promote continuous integration of the best into client and in-house solutions. He is a frequent speaker and contributor on security and information-sharing issues worldwide. Mr. Rossman is currently exploring the implications of risk management and system security in netcentric computing and is a co-founder of the SafeSOA initiative (www.safesoa.org).

    The ongoing convergence of Enterprise SOA and Web 2.0 requires flexibly integrated security and business policies to thrive in the evolving enterprise risk model. This presentation will articulate the need to address the secure composability challenge of services oriented solutions, shifting the market from an emphasis on system vulnerability to practicable, embedded risk & capability management, resulting in service oriented security. However, in the quest for service oriented security, privacy and identity management must be integral to the successful solution set. Prevailing enterprise identity and privacy solutions tend to emphasize the rights and needs of the corporation over the individual, which is in many ways in opposition to consumer trends on the Internet that emphasize user-generated content and an architecture of participation. We will discuss the impact of Web 2.0 (characterized by user-generated content, wide-spread meta-data, extension of the systems integration value chain, architectures of participation, and a social computing culture) and the Identity 2.0 movement on traditional privacy & security solutions and begin to bridge the gap between services oriented security, Web 2.0, and next generation constructs for identity management. This will be demonstrated through technical use cases, including source code & implementation examples, of how top-down system integration and bottom-up application mashups converge to operationalize requirements at the point of use: intrepid Internet developers and consumers! We’ll end with a few thoughts on the impact these changes will have on incident management and the role privacy and user-generated content play in incident response in the service oriented enterprises of the future.

  • US

    Security Risk Management: breaking through technology and market barriers – a real life story  [schedule]

    Avi Corfas (Skybox Security, Inc, US)

    Avi Corfas is a seasoned software, technology and security executive and entrepreneur, with 28 years of international experience. He manages the European business of Skybox Security – the recognised leader in security risk management automation software.

    Previously, Mr. Corfas was Executive Vice President (Europe, Middle East & Africa) for @stake, one of the world’s leading information security consulting companies, recently acquired by Symantec. Before joining @stake, Corfas held global executive positions with CommerceQuest Inc., Compaq and Digital Equipment (among other roles, he was Chief Operating Officer and VP International Sales & Services for CommerceQuest and World-wide Director for Electronic Commerce at Digital). In the mid-1990’s, he was the Chairman of EEMA, the European Forum for Electronic Business.

    In 1994, Avi Corfas co-founded FutureTense, Inc., a successful content management and publishing software vendor. Previously, he held software development and consulting positions with information technology companies in various countries in Europe, North and South America and the Middle East. He developed secure real-time and commercial systems and provided strategic and technical advice to large government, academic and business organisations.

    Mr. Corfas holds an Executive MBA from France’s Haute École de Commerce.

    Modern enterprise networks have many thousands of vulnerabilities, only a few of which are usually exposed to attack. Finding those exposures manually has proven to be a daunting task, especially in light of daily publishing of new vulnerabilities and constant network changes. Attack simulation is a new technology that helps security professionals prioritize vulnerabilities and focus on actual exposures. In addition to the technology challenges involved in security and network modelling, the creation of a new market category in the security space is a challenge in itself. This is an overview of the technology and its evolution from idea to a running business.

  • ES

    Setting up a governmental CERT: The CCN-CERT case study  [schedule]

    Carlos Abad (Spanish National Cryptologic Center (CCN), ES)

    Carlos Abad is the coordinator of the CCN-CERT (Governmental CERT) in the National Cryptology Centre (CCN) of Spain. His other duties in the CCN are to increase IT security awareness through guides and standards for Spanish Administration bodies (CCN-STIC Guides), and to work as an assistant to the Common Criteria Accreditation team.

    Previously, in the private sector, he worked as a software testing engineer, UMTS protocol analyst and IMS node tester, among other roles.

    The CCN-CERT is the Spanish National Information Security Incident Response Team. It was founded in late 2006 with the mission of being the support and coordination centre for security incidents that affect public organizations, helping governmental bodies to respond efficiently before security threats affect their information systems.

    Beyond the standard basic steps involved in setting up a CERT, the creation and development of a CERT with a national government constituency entails some key problems and challenges.

  • DE

    Setting up a Grid-CERT – Experiences of an academic CSIRT  [schedule]

    Klaus Möeller (DFN-CERT, DE)

    Born 1967 in Sande, Germany, Klaus Möeller studied computer science and mathematics at the University of Oldenburg, specializing in network administration and operating systems, where he received his Diplom (master's degree) in 1995.

    From 1995 to 1998 he worked as a network administrator and computer security officer for the city of Hamburg.

    Since 1999 he has been a member of DFN-CERT, the German academic research network emergency response team. His main areas of work include network monitoring, incident response and computer security training. He is also the team's representative within FIRST.

    Introduction and Motivation

    Grid Computing has often been heralded as the next logical step after the World Wide Web. Instead of only accessing static content (i.e. web pages) users of Grids can access dynamic resources such as computer storage (for any sort of data) and use the computing resources (i.e. the CPU) of computers under the umbrella of a virtual organisation. Although Grid Computing is often compared to the World Wide Web, it is vastly more complex both in organisational and technical areas. This also extends into the area of security and incident response, where established academic CSIRTs face new challenges arising from Grids.

    The German ministry of education and research (BMBF) started a strategic initiative, D-Grid, in 2005 to further Grid computing and usage within the German scientific community. This initiative is similar in many ways to those of other countries around the world. Part of that initiative is the establishment of CSIRT services for Grids.

    Cormack et al. have argued that "CSIRT activities for a Grid are not fundamentally different from those performed by a traditional CSIRT." In practice, there are many challenges to be overcome to establish a CSIRT for the specific needs of Grids and Grid users. The following two sections give an overview of the challenges and experiences DFN-CERT has encountered while setting up a CSIRT for the D-Grid communities.

    Organisational Challenges

    One of the first lessons learned is that there is no "the Grid", in the way that there is "the Web" or "the Usenet". In the case of the D-Grid project there are, even at the beginning, no less than six Grid communities: high-energy physics, climate research, astrophysics, engineering and medicine. There is even a text-Grid for use in the humanities. Each has its own unique set of requirements, and these extend to the field of security. Researchers in physics, for example, have few requirements about protecting intellectual property from the participants in their Grids, whereas engineers place high emphasis on this particular area. Participants in a medical Grid have high requirements about the protection of patient data. Grids with practically no personal data, like climate research, place no emphasis on this area. An academic CSIRT thus has to learn about the specific requirements of each and every Grid community within its constituency.

    One could argue that the Grid communities are already part of the CSIRT's constituency and that this would therefore be a simple matter of asking the CSIRTs of the local organisations. In practice, the local teams are often not aware of Grid activities and vice versa. Besides that, there are sometimes teams for the whole Grid that are not directly affiliated with one site. Also, many groups use the same terminology, but with different meaning and emphasis.

    A different approach that circumvents the problems of local groups is needed. The D-Grid initiative provides an excellent forum because it establishes an exchange platform for the Grid communities in Germany. Making DFN-CERT known to the Grid communities is thus a simple matter of introducing it into these forums.

    Experience with CSIRT operation has shown that international cooperation is imperative to the successful establishment of CSIRTs. In the field of Grids, this means that an international web of cooperation has to be established as well. On one side, this extends into the CSIRT community, where organisations such as FIRST and TERENA's TF-CSIRT are to be engaged; on the other side, the Grid communities and organisations like the Global Grid Forum (GGF). As a result of these activities, "Incident handling and security guidelines of NREN Grids" have become part of TERENA's TF-CSIRT terms of reference.

    Technical Challenges

    To handle the technical part of Grid incidents, as well as to be able to proactively help sites in securing their Grid infrastructure, a CSIRT has to develop an understanding of the software used in the Grids of its constituency. With this understanding, more advanced services like Grid honeypots may be built in the future.

    The underlying operating systems are common systems, like Linux, and these are well understood by CSIRTs. The next layer, the Grid middleware, is composed of big software packages like UNICORE, the Globus Toolkit or gLite, which facilitate access to storage and computing resources, as well as monitoring, directory services and authentication across virtual organisations.

    These software packages are poorly understood by CSIRTs. Exacerbating this problem is that there are only a few people in the academic community itself who fully understand this software. Also, setting up test installations of the huge and complex Grid middleware requires far more resources than setting up ordinary software installations, like a workstation or web server. To gain experience in this area, cooperation with existing test installations is the way to go.

    Although the basic procedures of handling vulnerabilities are the same, whether for normal software or for Grid software, the concrete task of obtaining the information poses some challenges. While Grid software is open source and developed along the same lines as standard open source packages, the standard security practices, like open mailing lists for security advisories or signed software packages, are often not followed.

  • Software Security: Integrating Security Tools Into a Secure Software Development Process  [schedule]

    Automated security tools are often used in software development, from static source code analysis tools to penetration testing tools. Unfortunately, for a variety of reasons, many development organizations fail to get the maximum benefit from the tools. Worse, the way that many organizations use security tools may actually hamper effective development work. Penetration testing tools, for example, are commonly used for late life cycle “black box” testing. This forces, at best, knee-jerk reactions to remediate any defects that are found, quite often at the expense of the application’s original design concepts. It also likely fails to find a great many security defects. To make matters worse, forced integration of tool technologies into existing workflows can be disruptive and counterproductive.

    This talk delves into the automated tools associated with secure software development, and how they can be successfully integrated into a development workflow.

    Tool categories are first surveyed, and their utility and applicability to secure development reviewed. These include traditional information security tools such as network vulnerability scanners and application vulnerability scanners, as well as more focused development-only tools such as static source code analyzers. The pros and cons of each tool set are described in plain detail, with particular attention to how software developers can benefit from them.

    Next, individual tool categories are discussed with regard to how they can be integrated into a secure software development workflow process. This portion of the session starts by examining the pitfalls associated with how the tools are often put to use by software developers, and then provides a clear set of recommendations on how to best make use of the tools.

    Penetration testing tools (and processes), for example, are often used in a late life cycle approach that "verifies" an application's security level shortly before its deployment into production. This approach is inherently a "black box" one in which the application is assessed from an outside-in perspective. This talk recommends an alternate approach to using penetration testing tools in an inside-out manner that optimizes employee time and effort by prioritizing work based on identified business risks. That is, "white box" penetration testing can focus on the aspects of an application that have been identified as being weak during architectural risk analyses.

    Similarly, static source code analysis tools are often used in a late life cycle manner that leaves little time for remediation of identified coding defects. In this talk, we explore methods of integrating static source code analysis tools throughout the coding process in a way that greatly optimizes their likelihood of success and reduces the amount of effort necessary.

    Outline

    1. Overview of software security process “touchpoints”
      • Security activities that can be applied to various artifacts produced during software development
    2. Survey of existing tools
      • Tools associated with Information Security
        • Network scanners
        • Vulnerability scanners
        • Application scanners
        • Strengths and weaknesses with regard to software security
      • Tools associated with Software Security
        • Static source code analysis tools
        • Testing tools
        • Strengths and weaknesses with regard to software security
    3. Integration into development workflow
      • Penetration testing
        • Inside-out process
        • Business risk prioritization of test activities
      • Code review
        • Iterative review vs. all-at-once review
        • Incorporation of code review in nightly builds
        • IDE plug-ins for easier workflow
        • Management features available in most commercial tools
          • Tracking and trending
          • Policy centralization
      • Application testing
        • Security testing tools for QA testers
        • Effective test scenario design

    Benefits

    • Students will learn about the benefits and pitfalls of the tools that can be used during secure software development. These pros and cons are spelled out in a vendor-neutral manner.
    • Students will gain insight into how tools can be best integrated into their own software development processes. Clear, practical, and easy to understand lists of recommendations are provided for each tool that will help the student succeed with each tool type discussed.

  • US

    Taming Packets: The Network Expect Framework for Building Network Tools  [schedule]

    Eloy Paris (Cisco PSIRT, US)

    Eloy has been with Cisco since July 2001. He spent three years in Cisco's Critical Infrastructure Assurance Group (CIAG), where he focused on the group's Incident Response Support initiative, providing support to Cisco's Incident Response teams such as the Cisco Product Security Incident Response Team (PSIRT) and the internal Information Security team, and supported the CIAG's Research initiative by writing network tools used in security research on protocols like BGP and IPv6. Eloy has been an Incident Manager with the Cisco PSIRT since June 2004. In his current role, he is part of the team responsible for managing security vulnerabilities in all Cisco products.

    Eloy developed the Open Source Network Expect framework for building network tools to fill several needs that arose while working in Cisco's CIAG, PSIRT, and the Technical Assistance Center (TAC).

    Prior to joining Cisco, Eloy worked for 5 years at the Venezuelan subsidiary of Rockwell Automation originally as a Field Support Engineer supporting industrial automation equipment and later in the IT organization.

    Originally from Venezuela, Eloy holds a Bachelor's Degree in Electrical Engineering from Universidad Simon Bolivar in Caracas, Venezuela and an MBA from Carnegie Mellon University in Pittsburgh, PA, USA. Eloy participates in various Open Source Software projects, and works as a volunteer developer in the Debian GNU/Linux project. He also enjoys doing malware analysis and reverse engineering, and writing network tools.

    Network Expect is a framework that makes it easy to build tools that interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on the network traffic received. An interpreted language provides branching and high-level control structures to direct the interaction with the network.

    Network Expect was heavily influenced by, and inspired by, the "Expect" program written by Don Libes, which makes it possible to "talk" to interactive programs in a scripted fashion. Because of this, there are many similarities between commands in Network Expect and commands in Expect.

    A Network Expect script can send traffic to the network and then take decisions based on the network traffic received. The kinds of things that Network Expect can do are usually very low level network operations, which would otherwise require writing a custom program in a language like C.

    Network Expect’s philosophy is based on the observation that network applications always operate on an action-reaction principle in which something is sent over the network to an application running on a remote host and a response is then received.

    Network Expect can generate arbitrary network traffic and inject it into a network at layer 2 or layer 3. A wide range of protocols is supported, including IP version 6 as well as protocol options like IPv4 options, IPv6 extension headers, and TCP options. Network Expect can also listen for network traffic, decode it, and take decisions based on the type of traffic received.

    These capabilities make it very easy to emulate network protocols to do vulnerability testing and auditing, penetration testing, network protocol research, etc.

    The presentation "Taming Packets: The Network Expect Framework for Building Network Tools" will give an introduction to the Network Expect framework and provide examples of how Network Expect has been used to solve real-life problems.

    Network Expect is Open Source Software that was developed by Eloy Paris from Cisco Systems.

  • US

    Targeted attacks (spear phishing): A demonstration and analysis of a former Office 0-day vulnerability  [schedule]

    Robert Hensing (MSCERT – Microsoft, US)

    Robert Hensing, a 9-year veteran of Microsoft, is a Software Security Engineer on the Microsoft Secure Windows Initiative team, a role he has held for the last 2 years. Robert works closely with the Microsoft Security Response Center with a focus on identifying mitigations and workarounds for product vulnerabilities that can be documented in advisories and bulletins to help protect customers. Prior to working on the Secure Windows Initiative team, Robert was a senior member of the Product Support Services Security team, where he helped customers with incident response related investigations and spent most of his time engaged in hand-to-hand combat with miscreants.

    In 2006 and 2007 malicious Microsoft Office documents have been involved in limited targeted attacks against specific Microsoft customers. In this presentation we will examine a real-world Microsoft Office document that exploited a former 0-day vulnerability (patched in February 2007) in order to install a backdoor on the vulnerable system. In this presentation a malicious Office document will be opened in a virtual machine running an unpatched version of Office 2003 on Windows XP and Windows Vista in their default configurations. The privileges that are required for this attack to succeed will be discussed, along with various strategies that could be employed to reduce the damage potential that could result from opening malicious Office documents.

  • DE

    Technical Evolution of Cybercrime  [schedule]

    Rolf Schulz (GNS-Cert, DE)

    Rolf Schulz is a renowned systems analyst and network specialist. His research work focuses on multilevel security (MLS), covert channel analysis and Intrusion Detection Systems (IDS). Today he is one of the leading experts in the field of Critical Information Infrastructure protection, combining deep technical skill with his long years of experience as a manager and consultant.

    After his studies in Information Technology in Europe and the United States, he immediately started working as an IT security specialist for military grade operating systems and networks. In the mid 80’s he founded his own company, which later became “Global Network Security GmbH“, where he has since worked as managing director.

    The company provides a wide array of global security services for operators of critical infrastructure and governments. The services offered include crisis management, incident response handling, network forensics and security assessments. The company’s forensic team specializes in industrial espionage detection and defense.

    GNS GmbH is one of the very few companies experienced in security assessments for SCADA systems or weak point analysis of complex infrastructure.

    The world-wide scope of his company (covering the United States, Europe, and the Far East) has given Rolf a unique international perspective on security issues, and he is a sought-after speaker at many conferences and seminars. The GNS Cert Team is a member of FIRST and an accredited TI member, as well as a Level II member of the German Cert Association.

    Cybercrime is becoming more and more widespread, due to the flexibility and risk-free use of modern Trojans and other malware.

    When talking about Trojans and worms, most people think about phishing threats. Phishing and Pharming ARE major threats to all online users. Besides the immediate commercial damage, one of the most displeasing side effects of Phishing and Pharming is the destruction of TRUST in the quickly growing internet business.

    But Phishing is not the only threat targeting the end user. There are others, like industrial espionage or spear phishing, which are less well known to the public but pose a real and more serious threat. In the past, we discussed the future potential of what used to be Remote Access Trojans (RATs); today this threat is represented by IP (intellectual property) worms, cryptoviral extortion schemes, or industrial espionage Zero-day exploits.

    Malware can also have national security implications, but discussions on these are again rare in public. For instance, in June 2005, Japanese nuclear data was leaked on the Internet through a virus on a personal computer. It exposed interiors, details of regular inspections of repair works, and names of workers.

    Other incidents in Israel and UK were reported only briefly in the news.

    This paper will change the focus of Trojans from online fraud to more serious threats - like industrial espionage and terrorism.

    Terrorism and phishing have one thing in common: Information gathering, manipulation - and money. Looking at a typical drop zone of a Trojan, you'll find all kinds of information, like passwords, IDs, credit card details etc.

    This information alone is not interesting, but in combination it can create a major threat, e.g. to assemble a false ID. But who is collecting all this information? Who has access to it? Who is using it? This paper will show you how all these interact in today's world.

    Using a typical "latest design" worm, we will analyze the behavior, the communication and the impact of such malware. We will show you how to use trigger-based systems to collect data in an intranet, and how to use actual malware to make designer worms, undetectable by antivirus scanners, for personal spying. We will discuss pattern-based detection versus anomaly behavior detection, and will close with a forecast on next generation malware.

  • NL

    The Art of RFID Exploitation  [schedule]

    Melanie Rieback (Vrije Universiteit Amsterdam, NL)

    Melanie Rieback is a final-year Ph.D. student in Computer Systems at the Vrije Universiteit in Amsterdam, where she is supervised by Prof. Andrew Tanenbaum. Melanie's research concerns the security and privacy of Radio Frequency Identification (RFID) technology, and she leads multidisciplinary research teams on RFID security (RFID Malware) and RFID privacy management (RFID Guardian) projects. Her research has attracted worldwide media attention, appearing in the New York Times, Washington Post, Reuters, UPI, Computerworld, CNN, BBC, MSNBC, and many other print, broadcast, and online news outlets. Melanie's research has received several awards (Best Paper: IEEE PerCom '06, Best Paper: USENIX Lisa '06, NWO I/O Prize, VU Mediakomeet, ISOC Award finalist), and Melanie has also served as an invited expert for RFID security discussions with both the American and Dutch governments. In a past life, Melanie also worked on the Human Genome Project at the Whitehead Institute / MIT Center for Genome Research.

    Radio Frequency Identification (RFID) malware, first introduced in my paper 'Is Your Cat Infected with a Computer Virus?', has raised a great deal of controversy since it was first presented at the IEEE PerCom conference on March 15, 2006. The subject received an avalanche of (often overzealous) press coverage, which triggered a flurry of both positive and negative reactions from the RFID industry and consumers. This presentation will serve as a forum to explain RFID malware from a hacker's perspective. I will start by explaining the fundamental concepts behind RFID malware, and then offer some qualifications and clarifications, separating the facts from the myths regarding the real-world implications.

  • UK

    The Benefits of FIRST: How to sell FIRST to your Upper Management  [schedule]

    Ray Stanton (BT, UK)

    Ray Stanton is the executive Global Head of BT’s Business Continuity, Security and Governance Practice (BCS&G). Ray has worked in information security for over 24 years. Ray is an experienced and recognised practitioner, particularly in the use and implementation of the BS7799 standard and incident management procedures. Ray is currently accountable for all BCS&G customer services for BT Globally.

    Ray has worked for both government and commercial organisations in a variety of security related roles including project management, security auditing, policy design, and the development of security management strategies.

    Before joining BT in 2004, Ray was head of UK security services for Unisys Corporation. Prior to that, Ray was head of information security for British Aerospace Limited, working primarily on its commercial projects, such as its role in Airbus. Ray also served in the UK Armed Forces for ten years.

    While at British Aerospace, Ray’s team provided extensive support to the company's internal audit department in carrying out systems security audits and business unit reviews against BS7799. Ray established the company’s information security group and was responsible for the introduction of production level secure web systems, secure e-mail, company-wide intrusion detection systems and full-scale public key infrastructure (PKI) pilots. Ray’s subject expertise remains management and incident investigation.

    Ray has a BA in Business Studies and was educated in Bristol, England. Ray has one seven year old daughter.

    Ray says …

    “If you’re looking for a quiet life, don’t go into security. The challenges are immense, and they change every day. Worse, lapses can be very expensive, so you’d better be ready to answer some tough questions if anything should go wrong. My advice?

    “Organisations are under threat as much from their own people and processes as they are from fraudsters, hackers and thieves. Even simple mistakes can have very damaging consequences – wiping out valuable data, for example. And if your processes aren’t right, you could be failing to meet legal or regulatory requirements in a way that could prove very expensive indeed. To really be secure, you have to look at your business top to bottom, and from every angle. Then you need to put the right measures in place. Starting with a strategy that is aligned to the current business strategy and objectives; this is an imperative to success, from this hangs your framework for building sustainable, repeatable projects, that flex and grow with your business – managing what and whenever something is thrown at it!”

    Topics best addressed by Ray

    • The global market for business continuity, security and governance
    • The threats and challenges faced by organisations worldwide
    • Incident Management and investigation
    • Future challenges and opportunities.

    Mr. Stanton's presentation is intended to give FIRST members an appreciation of the common market challenges that we all face: what forces are driving investment decisions, the competition for investment, and executive requirements and needs. This summary includes an analysis of specific member issues and an overview of competing organisations. Finally, Mr. Stanton will suggest ways to demonstrate value to senior management, and how to protect investment for future and ongoing activities.

  • ES

    The Evolution of Online Fraud  [schedule]

    David Barroso (S21sec, ES)

    David Barroso is the director of research for S21sec’s R&D division, S21Labs. In this role, he oversees the company’s research projects that are related to different information security domains: malware, RFID, wireless, VoIP, log management, pentesting, biometrics, … He also manages a tight cooperation with the S21sec SOC, and its online fraud service.

    Prior to S21Labs, Barroso worked as a security consultant in S21sec where he was specialized in forensics and penetration testing, and in AT&T, where his role was the Spain and Portugal Security Coordinator.

    Barroso has been involved in the security field for more than ten years, contributing to open source security tools (spamassassin, libnet, drac, honeysnap, gotek, wireshark, …), developing exploits (Microsoft IIS, Cisco VTP, …), writing various security articles and developing Yersinia, the framework for layer two attacks.

    He is a frequent speaker on different security topics at several conferences (BlackHat, NcN, Securmática, Respuestas SIC, …) and holds the GSEC, GCIA, CISSP, BS-7799 Lead Auditor and other security product certifications.

    An increasingly common threat is arising in our daily tasks: online fraud attacks. These threats are now migrating from real life to the Internet environment. It is very common to receive a phishing e-mail, a scam asking for money, or even malware that silently steals your identities while you surf the web.

    This presentation’s aim is to show the different online fraud methodologies detected during the years 2005-2006 and how the fraud is evolving. Besides, we will not focus only on phishing and pharming attacks, but also on the malware techniques seen in the wild. Botnets and C&C are real threats and they are everywhere. We’ll show different C&C panels and explain the business model behind those attacks.

  • UK

    The Security needs of the State versus the rights of the individual  [schedule]

    Bob Ayers (Chatham House, UK)

    Bob is currently the Vice President for Homeland Security for Selex Sensors and Airborne Systems.

    Prior to this, Bob was the Managing Director of Ayers & Associates, specialising in the provision of intelligence, counter-intelligence and security services.

    As Director for Critical National Infrastructure Defence and Homeland Security for Northrop Grumman Mission Systems Europe, Bob was responsible for national-level business development and customer relations management.

    As Director of Business Risk Services with @Stake Ltd he provided Board-level professional security consulting services and business development.

    As Vice-President and Managing Director of Para-Protect Europe, an IT security company in the UK, he managed a UK-based IT security business.

    From 1998-2000, he was the principal security consultant for Business Risk Management with Admiral plc, serving clients in the banking, financial, and telecommunications markets in the UK, Belgium, Singapore and Australia.

    Before moving to the UK, Bob had a distinguished career in the US Government.

    As Director, DoD-wide Information Systems Security Improvement Program, Bob established the 1st DoD Computer Emergency Response Team (CERT), the 1st Penetration Testing programme and the 1st Infosec training programme.

    As Director, Defensive Information Warfare Program, Bob led a DoD programme to protect all DoD systems from attack by a hostile nation state.

    As head of Computer Security in the Defence Intelligence Agency, Bob was responsible for the security of 40,000 intelligence systems at 55 worldwide locations.

    As SAFE Program manager, Bob managed a $300M development programme to automate the CIA and DIA workplaces; he then implemented the system in DIA.

    While serving in the DoD Indications and Warning System Secretariat, Bob conceived and implemented the DoD Worldwide Warning Indicator Monitoring System.

    As an Army Officer, Bob served in positions of Counter-Intelligence Agent, Command Intelligence Officer for a Nuclear capable unit and Strategic Intelligence Officer with the United Nations Command Korea and the DIA.

    Bob is a noted public figure, with over 600 appearances on television and radio in the US, Europe, and Asia.

    He is a frequent lecturer at Government, academic and business conferences on a variety of security and intelligence matters.

    The spectre of international terrorism has changed the traditional balance between the rights of the citizen to freedom and privacy and the needs of the Nation State to provide security for the population. In the United Kingdom, surveillance technology is already extensively deployed, monitoring many aspects of the daily life of the population, with even more intrusive programmes planned or under way. Is the loss of privacy the price we must pay for security and safety in the 21st century? What are the future consequences of this increasing loss of individual freedom and privacy?

  • TN

    Tunisia's experience in establishing the first public CSIRT in Africa, as a case example for developing countries, and some guidelines and schemes for International cooperation  [schedule]

    Nabil Sahli (CERT-TCC, National Agency for Computer Security, TN)

    Prof Nabil Sahli is the CEO of the National Agency for Computer Security, Head of the public Tunisian CERT (CERT/Tcc) and advisor to the Minister of Communication Technologies (Tunisia). He is a professor in Computer Science and his teaching and research activities focus on IT security trends. Since 2002, he has been in charge of establishing a national strategy and action plan for IT security in Tunisia, which led to the creation of the first National Agency for IT security in the region (ANSI: Agence Nationale de Sécurité Informatique) and CERT (CERT-Tunisian Coordination Center).

    As a case example for developing countries, we will first give a brief overview of the actions of the Tunisian strategy in ICT Security which led to the launch of the Tunisian CERT, the promulgation of “an original” law related to IT Security (mandatory security audit, mandatory declaration of attacks, ...) and the launch of an Agency specialized in ICT Security.

    We will then focus on presenting the activities of the public Tunisian CERT, the CERT-Tcc (Computer Emergency Response Team - Tunisian Coordination Center), by giving an overview of:

    • The awareness & information actions carried out by the Cert-TCC, and the specific actions carried out in the awareness field for parents, youth and common ICT users (besides ICT professionals), due to our position as a public CERT.
    • The launch of a CSIRT and the accompanying lawful measures (“mandatory declaration of incidents that can affect other information systems”, in accordance with law N°5-2204).
    • The establishment of a Watch and Alert Center: the ISAC system “Saher” and the reaction plan “Amen”.
    • Professional Training & Education actions, based on the launch of training sessions for trainers and on the launch of Masters in IT security.
    • Research & Development strategy and actions, based on the open-source approach, for the rapid and efficient emergence of national R&D activities.
    • The role of NGOs in consolidating the effort of the CERT-TCC and actions carried out with NGO associations.

    We will conclude by presenting an overview of the urgent needs of developing countries and the interest of a regional approach, and close with a set of guidelines and key issues to consider for building efficient plans and strategies in IT security, drawn from the Tunisian experience in that field, which is partially based on the launch of the CERT-TCC.

  • US

    Unique Challenges for Incident Response in a Grid Environment  [schedule]

    Aashish Sharma (NCSA-IRST, US)

    James J. Barlow (NCSA-IRST – National Center for Supercomputing Applications, US)

    James J. Barlow is the Head of Security Operations and Incident Response at the National Center for Supercomputing Applications (NCSA). Jim has been at NCSA for over 12 years where he has been involved in system administration and security, and has been doing security full time for the last 6 years. He is also involved with some of the security research projects being done within the National Center for Advanced Secure System Research division (www.ncassr.org) and participates in the TeraGrid security working group (www.teragrid.org).

    Incident response within an organization can often be a challenging task. There are usually multiple levels within an organization, as well as multiple departments that you may have to work with when responding to an incident. What are the challenges when you now have a grid environment where you may have thousands of users using resources within your organization that you have no control over? Then, when an incident does happen (that's not an "if"), how do the organizations within the grid work together to respond to the incident, which can usually have spillover to many sites within the grid? This work addresses the challenges of incident handling and response in the more complex environment of grid computing, where there is a distributed user base and multiple physical entities composing a virtual organization. We will cover how the TeraGrid sites deal with coordinated incident response and give some real-world examples of actual incidents.

  • DE

    Using instrumented browser instances for detecting 0-day exploits and filtering web traffic  [schedule]

    Dr. Heiko Patzlaff (Siemens-CERT – Siemens AG, Corporate Technology, CT IC CERT, DE)

    Dr. Heiko Patzlaff is a security consultant with Siemens CERT. He received an MSc degree in physics in 1993 from Martin-Luther University of Halle and a PhD in theoretical statistical physics in 1997 from the University of Leipzig. Before joining Siemens he worked in the Anti-Virus industry as a researcher and member of the systems development group of SophosLabs at Sophos PLC in the United Kingdom. Besides his continuing interest in anti-virus and malware topics, Dr. Patzlaff's current responsibilities include forensics, security consulting and research.

    In the past three years the main infection vectors of malware have shifted from network scanning worms targeting server software and social engineering based attacks such as email worms to attacks targeting vulnerabilities in client software. The most popular target of these attacks is Microsoft's Internet Explorer. One idea that has been employed in the past to deal with scanning worms also proves useful in these new scenarios: honeypots.

    In the talk the idea of using a client honeypot to protect a small workgroup environment is explored. We present an architecture for integrating an automated instance of Internet Explorer into a web proxy to transparently filter malicious web sites. We provide implementation details, report on problems encountered and give measurements of run-time metrics such as latency.

  • US

    Using Intelligence to Forecast Risk and Allocate Resources: It's Not Hocus-Pocus Anymore  [schedule]

    Peter G. Allor (IBM Internet Security Systems, US)

    Peter Allor is the director of intelligence and special assistant to the General Manager for IBM Internet Security Systems where he is responsible for guiding the company’s overall security intelligence initiatives and participation in enterprise and government implementation strategies. He assists X-Force Research and Development Team with the collection, analysis and dissemination of information regarding cyber vulnerabilities, exploits, incidents, threats and early warning. This information is used to provide customers with information and resources to employ best practices to defend their networks from potential attacks.

    Allor is also the director of operations for the Information Technology - Information Sharing and Analysis Center (IT-ISAC) as part of the X-Force Internet threat intelligence services, a task force that provides global information protection solutions analysis for securing IT infrastructure and defending key online assets and critical infrastructures from attack and misuse. He is responsible for managing ISAC operations, where members report vulnerabilities, solutions and best security practices and track hackers globally. The ISAC operations center provides threat analysis and anonymous reporting of security vulnerabilities and shares solutions with all of its members.

    Allor participates on the ISAC Council, a private industry forum for sharing information, and is a member of the Georgia Business Force. He also participated in the formation of the Information Technology Sector Coordination Council (IT SCC). As a member of the ISS FIRST team, Allor has spoken at numerous events on security, information sharing and cyber intelligence, including Homeland Security for Networked Industries, GFirst National Conference, FIRST, Infragard National Conference, Forbes Corporate Security Forum, iSecuTech Taiwan and Secret Service San Francisco. In 2005, Allor was presented with IT* Security Magazine’s Individual Innovation Award.

    Prior to joining IBM Internet Security Systems, Allor served in the United States Army where he worked in a variety of security related positions reporting from Panama to Korea, as well as the Middle East.

    Allor holds a bachelor’s degree in business administration from Rollins College and a master’s degree in organizational management from the University of Phoenix. He is a graduate of the U.S. Army.

    Security administrators have spent years fighting an uphill battle, fending off point attacks with point defenses like IDS, AV and anti-spyware, while the hacker underground has meticulously researched and studied the security industry, learning its strengths and weaknesses, and changing its attack strategy to overcome each point solution. As a result, the war waged on today’s virtual battleground is no longer about protection from large-scale, widespread worms and network outages. Instead it is about guarding against stealthy, focused attacks that 'target' specific geographic regions, industry segments, and corporations.

    The point defenses are a reflection of security administrators’ reactive approach to security. However, technology has now reached an inflection point where organizations must begin to adopt a formalized proactive stance. This maturation process involves leveraging intelligence and data analysis to forecast risk, allocate resources and properly guard the network from attack: on an immediate, tactical level; quarterly; and as much as 18 months in advance.

    The key to winning the war is a structured reporting of data and a collaborative analysis of intelligence from multiple aspects. In this session, attendees will learn how to tie this threat intelligence to business and resource processes to address the short term, better reflect the mid-term, and more accurately plan for the long term. This session will challenge attendees to question how much risk they are willing to take and what resources are truly needed to overcome the threats. Attendees will also receive guidance on how to forecast inflection points to determine and create repeatable processes.

  • USJP

    Vulnerability Remediation Decision Assistance system  [schedule]

    Art Manion (CERT/CC, US)

    Art Manion is the Vulnerability Analysis Team Lead at the CERT Coordination Center (CERT/CC). The Vulnerability Analysis Team works with vendors, reporters, researchers, and other parties on vulnerability coordination, response, and disclosure. In addition, the team researches new ways to manage vulnerability information and improve software security. CERT/CC is a Federally Funded Research and Development Center (FFRDC) operated by the Software Engineering Institute at Carnegie Mellon University.

    Hal Burch (CERT/CC, US)

    Hal Burch is a member of technical staff at the CERT Coordination Center (CERT/CC). Hal's responsibilities at CERT/CC include the Secure Coding Initiative and development of tools for vulnerability handling at CERT/CC. CERT/CC is a Federally Funded Research and Development Center (FFRDC) operated by the Software Engineering Institute at Carnegie Mellon University.

    Yurie Ito (JPCERT/CC – JPCERT, JP)

    Yurie Ito is a Director of Technical Operations at JPCERT/CC. Yurie is responsible for overall JPCERT/CC Technical Operations, including the Incident Response, Vulnerability Handling, Watch and Warning, and Situation Awareness programs. She has been a Director and Steering Committee member of the FIRST organization from 2005 to 2007. She is a Steering Committee member of the APCERT.

  • US

    What We Learn From Cyber Exercises, or Not  [schedule]

    James N. Duncan (BB&T Corporation, US)

  • DE

    Why Protection against Viruses, Bots, and Worms is so hard – Malware seen as Mobile Agents  [schedule]

    Till Dörges (PRE-CERT – PRESECURE Consulting GmbH, DE)

    Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he's currently working on are a network of distributed IDS-sensors (evolved from the EC-funded project "eCSIRT.net") and the also EC-funded research project about proactive security monitoring in a policy-based framework ("POSITIF"). Both projects strongly relate to Intrusion Detection, Honeynets and (Security-) Policies.

    He also is the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as for FIRST.

    Till Dörges studied Computer Sciences in Hamburg, Toulouse and Leipzig. He holds a French "Maîtrise d'Informatique" and a German "Informatik-Diplom".

    Viruses, bots, worms, etc. are nothing but mobile agents. Mobile agents in turn have been the subject of research in computer science for quite some years. Recently, research on the security side of mobile agents has received increased attention, too.

    Perfectly securing mobile agents is generally impossible. While this is cumbersome for legitimate scenarios, it is good news when trying to protect IT infrastructure. On the other hand, there are quite powerful protection methods for mobile agents, so securing computers is far from trivial.

    In order to explain this simple truth, the paper relates current as well as well-established findings from (theoretical) computer science to the IT security world of practitioners.

    It is shown what methods are available to protect mobile agents, i.e. viruses, bots, and worms, from their environments, i.e. the computers they are running on. The limits of these protection methods are also explored.

  • FR

    WiMAX: Security Analysis and Experience Return  [schedule]

    Laurent Butti (France Telecom Orange, FR)

    Laurent is a network security expert at France Telecom R&D labs, where he works on wireless security (IEEE 802.11, IEEE 802.16...), honeypots and malware. He has also spoken at numerous security-focused conferences (EuroSec, SSTIC, FIRST, LSM, ToorCon, ShmooCon, BlackHat...).

    WiMAX (Worldwide Interoperability for Microwave Access) is the new hyped broadband wireless access technology. Basically, WiMAX is a radio technology that promises two-way data access at several megabits per second with ranges of several miles, in either line of sight (LOS) or non line of sight (NLOS) situations.

    The IEEE 802.16-2004 standard will be analysed in terms of security; a critical analysis will be performed and fully described. Authentication, confidentiality and integrity on the radio side will be discussed. Some issues will be pinpointed, and the presentation will focus on how they are addressed within the IEEE 802.16e-2005 standard.

    Finally, we will describe some experimental deployments led by France Telecom and how they succeeded in bringing broadband wireless access to residential and enterprise architectures.


Back to TOC

Special Interest Groups

  • NL

    Abuse Handling (AH-SIG)  [schedule]

    Martijn van der Heide (KPN-CERT – Chairman KPN-CERT, NL)

  • US

    Artifact Analysis (AA-SIG)  [schedule]

    Kevin Houle (CERT Coordination Center, US)

  • US

    Common Vulnerability Scoring System (CVSS-SIG)  [schedule]

    Gavin Reid (Cisco Systems, US)

  • US

    CSIRT Metrics  [schedule]

    Georgia Killcrece (CERT/CC – Carnegie Mellon University, US)

    Georgia Killcrece is a Member of the Technical Staff and joined the CERT® Coordination Center (CERT/CC) in 1989. The CERT/CC, established in 1988, is part of the CERT® Program based at the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, Pennsylvania.

    Since 1999 Killcrece has led the CERT® CSIRT Development Team and takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide. She has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. She is internationally recognized as a leader in CSIRT development and has been invited to present at a number of international conferences. Killcrece also chaired the 2006 FIRST conference.

    Killcrece participates in the creation and delivery of public and onsite training courses, as well as facilitating workshops focused on CSIRT development. As part of broader outreach efforts in the CSIRT community, her team licenses the suite of CSIRT training materials to external transition partners. In 2003, to meet the need for trained incident handling staff, the CERT Program created and launched a certification program.

    From 1994 to 1999 Killcrece was a technical coordinator and incident response coordinator in the CERT/CC. In those roles, she gained firsthand knowledge of the processes involved in forming, operating, and managing incident response teams, including the dynamics of working in a fast-paced team environment.

    Killcrece is the author of or a contributor to a suite of CSIRT documents and reports, available on the CERT web site at http://www.cert.org/csirts/. Killcrece can be reached directly by email at georgia@cert.org.

  • ES

    First Team Members Update Panel  [schedule]

    Francisco (Paco) Monserrat (IRIS-CERT – RedIRIS, ES)

  • US

    Internet Infrastructure Vendors (Vendor SIG)  [schedule]

    Gaus (Cisco Systems, US)

  • US

    IT-ISAC Tech SIG  [schedule]

    Peter G. Allor (IBM Internet Security Systems, US)

    Peter Allor is the director of intelligence and special assistant to the General Manager for IBM Internet Security Systems where he is responsible for guiding the company’s overall security intelligence initiatives and participation in enterprise and government implementation strategies. He assists X-Force Research and Development Team with the collection, analysis and dissemination of information regarding cyber vulnerabilities, exploits, incidents, threats and early warning. This information is used to provide customers with information and resources to employ best practices to defend their networks from potential attacks.

    Allor is also the director of operations for the Information Technology - Information Sharing and Analysis Center (IT-ISAC) as part of the X-Force Internet threat intelligence services, a task force that provides global information protection solutions analysis for securing IT infrastructure and defending key online assets and critical infrastructures from attack and misuse. He is responsible for managing ISAC operations, where members report vulnerabilities, solutions and best security practices and track hackers globally. The ISAC operations center provides threat analysis and anonymous reporting of security vulnerabilities and shares solutions with all of its members.

    Allor participates on the ISAC Council, a private industry forum for sharing information, and is a member of the Georgia Business Force. He also participated in the formation of the Information Technology Sector Coordination Council (IT SCC). As a member of the ISS FIRST team, Allor has spoken at numerous events on security, information sharing and cyber intelligence, including Homeland Security for Networked Industries, GFirst National Conference, FIRST, Infragard National Conference, Forbes Corporate Security Forum, iSecuTech Taiwan and Secret Service San Francisco. In 2005, Allor was presented with IT* Security Magazine’s Individual Innovation Award.

    Prior to joining IBM Internet Security Systems, Allor served in the United States Army where he worked in a variety of security related positions reporting from Panama to Korea, as well as the Middle East.

    Allor holds a bachelor’s degree in business administration from Rollins College and a master’s degree in organizational management from the University of Phoenix. He is a graduate of the U.S. Army.

  • USUKJP

    Law Enforcement / CSIRT Cooperation SIG  [schedule]

    Chris Painter (Department of Justice, US)

    Matthew Pemble (Vizuri Limited, UK)

    Yurie Ito (JPCERT/CC – JPCERT, JP)

    Yurie Ito is a Director of Technical Operations at JPCERT/CC. Yurie is responsible for overall JPCERT/CC Technical Operations, including the Incident Response, Vulnerability Handling, Watch and Warning, and Situation Awareness programs. She has been a Director and Steering Committee member of the FIRST organization from 2005 to 2007. She is a Steering Committee member of the APCERT.

    At last year's FIRST Conference, the 1st "CSIRTs meet LEs, LEs meet CSIRTs" workshop was held. The workshop bridged the gap between two different communities by introducing their mission, policy and culture with regard to responding to cyber incidents and information handling. The case studies also demonstrated the value of the partnership and collaboration between CSIRTs and Law Enforcement.

    With the success of and overwhelming response to the 1st workshop, this year FIRST and the G8 High Tech Crime Subgroup plan to hold the 2nd "CSIRTs meet LEs, LEs meet CSIRTs" workshop. This year's theme is "Forensics": identifying what data is most useful for Incident Response teams to gather and present for successful legal action to be taken, and for working with LEs. Forensics techniques, tools and best practices from both communities will be introduced.


    View the workshop schedule in the conference schedule in PDF format.

  • NL

    Network Monitoring SIG  [schedule]

    Carol Overes (GOVCERT.NL, NL)

    Menno Muller (GOVCERT.NL, NL)


Back to TOC

Added Attractions

  • Beer 'n Gear  [schedule]

    The "Beer 'n' Gear" event gives attendees a chance to socialize while checking out the latest equipment from sponsoring vendors.
  • Conference Banquet – Hacienda El Visir  [schedule]

  • Daily Global Security News Podcast  [schedule]

    Outlining latest Security News, highlights from the Conference and interviews with Conference attendees.
  • FIRST Football Cup  [schedule]

    To take part please register with Martijn van der Heide via email: mheide@kpn-cert.nl or at the conference with Francisco Monserrat, Jordi Aquila, Don Stikvoort.

  • Lightning Talks  [schedule]

    Short presentations or speeches by any attendee on any topic, which can be scheduled into conference proceedings with the approval of the organisers.
  • Security Challenge  [schedule]

    For the first time, this year's conference will host a security challenge inspired by the Capture the Flag competition event from DefCon. The idea behind the challenge is to provide a playground for attendees in which to solve some security puzzles and retrieve a clue to go to the next level. All participants are invited to join the challenge, respecting the rules of engagement. The first participant to obtain all the flags will receive the first place gift from the challenge sponsor, S21SEC. The security challenge will run 24x7 beginning on Monday 18 after lunch, and information will be available at the registration desk.

  • Vendor Booths  [schedule]

    Where sponsoring vendors demonstrate their equipment.
  • Welcome Icebreaker Reception  [schedule]

    Sponsored by Juniper Networks