The FIRST Technical Colloquium (TC) event is restricted to FIRST members only and will be held on April 12-16, 2007.

The Doha TC marks the inaugural FIRST event in the Middle East region. The Doha TC will offer a wide range of presentations on topics in Information Security. Topic areas include Identity Theft, Privacy, Standards, Compliance (technical or legal), Cyber Crime, Law Enforcement, Incident Response, Damage Mitigation & Recovery, Vulnerabilities, Risk and Threat Assessment, and relevant Case Studies.

Program details on the FIRST TC itself are available for FIRST members only, directly through the Members-only website, which you can access using your certificate.

Please note: the program schedule is not in its final version; adjustments can still occur.
- Local Q-CERT event (April 12th) – open to FIRST members
- Hands-on Classes (April 13th) – FIRST members only
- FIRST TC Plenary Session, Day 1 (April 14th)
- FIRST TC Plenary Session, Day 2 (April 15th)
- Regional workshop (April 16th) – open to FIRST members
Local Q-CERT event (April 12th) – open to FIRST members

| Time | Session |
|---|---|
| 09:00 – 12:00 | Managing Organizational Information Security, Q-CERT |
Hands-on Classes (April 13th) – FIRST members only

| Time | Session |
|---|---|
| 08:15 – 09:30 | Parallel hands-on classes (see the list below) |
| 09:30 – 10:00 | Coffee break |
| 10:00 – 12:00 | Parallel hands-on classes (see the list below) |
| 12:00 – 13:00 | Lunch |
| 13:00 – 15:00 | Parallel hands-on classes (see the list below) |
| 15:00 – 15:30 | Coffee break |
| 15:30 – 16:30 | Parallel hands-on classes (see the list below) |

Parallel classes on April 13th:

- Francisco (Paco) Monserrat (IRIS-CERT – RedIRIS): all four slots
- Capturing malware with Nepenthes: Adli Abdul Wahid (APNIC, MY); Mahmud Ab Rahman (MyCERT – CyberSecurity Malaysia, MY): 08:15 – 09:30 and 10:00 – 12:00 only
- Network Forensics with netflowtools: Werner Schram (SURFnet-CERT, NL); Wil Biemoit (SURFnet-CERT, NL): all four slots
- Writing Good Security Advisories: A Hands-On Guide to Delivering Bad News in the Best Possible Way: James N. Duncan (BB&T Corporation, US): all four slots
FIRST TC Plenary Session, Day 1 (April 14th)

| Time | Session |
|---|---|
| 08:15 – 08:30 | FIRST TC Opening announcements |
| 08:30 – 09:30 | Robert Lowe (AusCERT, AU) |
| 09:30 – 10:00 | Coffee break |
| 10:00 – 11:00 | Phishing - A Global Issue in Need of a Global Approach, Arjen de Landgraaf (Co-Logic Security, Ltd, NZ) |
| 11:00 – 12:00 | System Investigation on Incident Response at NTT-CERT, Hirohisa Yamagami (NTT-CERT) |
| 12:00 – 13:00 | Lunch |
| 13:00 – 14:00 | A Study on Multilayer Combined Wide Area Monitoring, Hitachi Incident Response Team (HIRT) |
| 14:00 – 15:00 | Security Measures for the FIFA WC2006 in Germany ... from physical security to DDoS defending, Peter Quick (Telekom-CERT – Deutsche Telekom) |
| 15:00 – 15:30 | Coffee break |
FIRST TC Plenary Session, Day 2 (April 15th)

| Time | Session |
|---|---|
| 08:15 – 08:30 | FIRST TC Opening announcements |
| 08:30 – 09:30 | Cyber Forensics: Emerging Trends in Live System Memory Acquisition and Analysis, Matthew Geiger (CERT/CC – Carnegie Mellon University, US); Rich Nolan (CERT/CC, US) |
| 09:30 – 10:00 | Coffee break |
| 10:00 – 11:00 | State of Cyber Security in the Gulf Region |
| 11:00 – 12:00 | Gulf Region Panel |
| 12:00 – 13:00 | Lunch |
| 13:00 – 14:00 | ISO 27001 Standard, Bill Wilson, Farrukh Ahmad (Q-CERT, QA) |
| 14:00 – 15:00 | HoneyPot Networks: National Case Studies from Brazil, Netherlands and Korea (Panel Discussion), Cristine Hoepers, Klaus Stedding-Jessen (CERT.br - Brazilian Internet Steering Committee, BR); Dave Woutersen (GovCERT.NL, NL); Woo-Han Kim (KrCERT/CC, KR) |
| 15:00 – 15:30 | Coffee break |
| 15:30 – 16:30 | Cristine Hoepers, Klaus Stedding-Jessen (CERT.br - Brazilian Internet Steering Committee, BR) |
Regional workshop (April 16th) – open to FIRST members

| Time | Session |
|---|---|
| 08:15 – 08:30 | Regional Greeting |
| 08:30 – 09:30 | Gorazd Bozic (SI-CERT – TF-CSIRT chair, SI); Husin Jazri (APCERT, MY); Robin Ruefle (CERT/CC – Carnegie Mellon University, US) |
| 09:30 – 10:30 | Robert Lowe (AusCERT, AU) |
| 10:30 – 11:00 | Coffee break |
| 11:00 – 12:00 | Network Situational Awareness, Roman Danilyw (CERT/CC, US) |
| 12:00 – 13:00 | An Overview of Encryption, Sven Dietrich (CERT/CC, US) |
Hitachi Incident Response Team (HIRT)
Masato Terada received an M.E. in Information and Image Sciences from the University of Chiba, Japan, in 1986. From 1986 to 1995, he was a researcher at the Network Systems Research Dept., Systems Development Lab., Hitachi. Since 1996, he has been a Senior Researcher at the Security Systems Research Dept., Systems Development Lab., Hitachi. From 2002 he studied at the Graduate School of Science and Technology, Keio University, and received his Ph.D. in 2005. Since 2004, he has been with the Hitachi Incident Response Team. He is also a visiting researcher at the Security Center, Information-Technology Promotion Agency, Japan (ipa.go.jp), and JVN associate staff at JPCERT/CC (jpcert.or.jp).
April 14, 2007 13:00-14:00
Francisco (Paco) Monserrat (RedIRIS)
This will be a hands-on presentation in which students must practice with several malware specimens. Students must bring their own laptops, which must be able to:
It is recommended that the laptop also has a DVD reader, in order to copy additional files to the laptop. Laptops should preferably run VMware or another virtual machine system that is able to execute virtual machines for the x86 platform; it is possible to use a Mac, but we cannot guarantee execution with other virtual environments.
Students must install a virtual machine environment (VMware, http://www.vmware.com, provides a 30-day licensed copy of VMware Workstation) and set up a Windows XP/200X virtual machine in it.
The Linux Virtual machine, and additional software will be provided in the class.
April 13, 2007 08:15-09:30, April 13, 2007 10:00-12:00, April 13, 2007 13:00-15:00, April 13, 2007 15:30-16:30
Adli Abdul Wahid (APNIC, MY), Mahmud Ab Rahman (CyberSecurity Malaysia, MY)
Adli Wahid is a Senior Internet Security Specialist at APNIC. He has been involved in the CSIRT community for more than 10 years. His previous roles include leading Malaysia CERT (MyCERT) and working for a CERT in the financial sector. Adli also serves as a board member of FIRST.Org.
Mahmud Ab Rahman is the Manager, Emergency Readiness for MyCERT, CyberSecurity Malaysia. His educational background comprises a Master's degree in Computer Science from the National University of Malaysia in 2006. Prior to that, he obtained a Bachelor's degree in Computer Science from the same university.
Mahmud has been involved in the computer security field for over 4 years. His areas of focus and interest are network security, honeynets, botnet monitoring, and malware analysis. He also takes part in penetration-testing exercises and provides solutions for any vulnerabilities detected. Moreover, he is recognized for conducting numerous training sessions for organizations on topics ranging from introductory to advanced information security courses.
This course will provide a hands-on tutorial on how to install, configure and set up Nepenthes. We will also cover how to interpret the relevant logs produced by Nepenthes and do a very quick analysis of the binaries captured. Students are expected to come with their own machines (notebooks) that have either VMware or VMware Player pre-installed. We will prepare the relevant OS images (Linux/BSD) and tools for the purpose of the hands-on session.
April 13, 2007 08:15-09:30, April 13, 2007 10:00-12:00
Matthew Geiger (Carnegie Mellon University, US), Rich Nolan (US)
Matthew Geiger is a forensic specialist and researcher at CERT. His recent work has focused on counter-forensic tool performance and on new utilities for live-system forensics. Prior to joining CERT, Matthew resided for about 14 years in Asia. As a forensic analyst in the private sector, Matthew conducted investigations involving corporate fraud, network intrusion, proprietary data theft, corruption and official misconduct for clients that included Fortune 500 companies. His professional background also includes network security design and implementation, incident response and security assessment for international media and financial services groups.
Matthew holds an MS degree in information security from Carnegie Mellon University. His professional accreditations include the SANS Institute's GCFA forensic certification.
April 15, 2007 08:30-09:30
Robert Lowe (AusCERT, AU)
Robert Lowe joined AusCERT in June 2003 as a Computer Security Analyst. His work in the AusCERT coordination centre has included incident response, analysis of computer security threats, trends and vulnerabilities, delivery of AusCERT training courses and general system programming and administration tasks. Prior to joining AusCERT Robert was a Senior Client Services Engineer for an Internet gambling software provider. Robert's previous experience includes Sun Solaris and Oracle administration, C++ and Java development, training, as well as application integration and support. Robert graduated from the University of Technology, Sydney in 1999 with a Bachelor of Science (Computing).
April 14, 2007 08:30-09:30
Cristine Hoepers (CERT.br - Brazilian Internet Steering Committee, BR), Klaus Stedding-Jessen (CERT.br - Brazilian Internet Steering Committee, BR)
Cristine Hoepers is a Senior Security Analyst and the General Manager of CERT.br (Computer Emergency Response Team Brazil), formerly known as NBSO/Brazilian CERT. CERT.br is the Brazilian National Coordinating CSIRT, sponsored by the Brazilian Internet Steering Committee. Cristine has been a speaker at several Brazilian Security Symposiums and also at International Forums. She has been involved with the OAS (Organization of American States) Working Group on the development of an Inter-American Cybersecurity Strategy, for the creation of an Inter-American CSIRT Network. The focus of her work at CERT.br is to raise security awareness and help Brazilian institutions to establish their CSIRTs. She has also been involved since 2001 with the development of the Honeynet.BR Project, which has been a member of the Honeynet Research Alliance since June 2002. Since September 2003 she has also been involved with the deployment of a network of distributed honeypots in Brazil, the Brazilian Honeypots Alliance. Cristine is a CERT-Certified Computer Security Incident Handler, an authorized instructor of Carnegie Mellon CERT/CC courses and is currently pursuing her PhD in Computer Security at the Brazilian National Institute for Space Research (INPE).
April 15, 2007 15:30-16:30
Cristine Hoepers (CERT.br - Brazilian Internet Steering Committee, BR), Dave Woutersen (GovCERT.NL, NL), Klaus Stedding-Jessen (CERT.br - Brazilian Internet Steering Committee, BR), Woo-Han Kim (KR)
April 15, 2007 14:00-15:00
Gorazd Bozic (TF-CSIRT chair, SI), Husin Jazri (APCERT, MY), Robin Ruefle (Carnegie Mellon University, US)
After obtaining a B.Sc. degree in computer science from the University of Ljubljana, Slovenia, Gorazd Božič started working for ARNES (Academic and Research Network of Slovenia) in 1994 and in the same year initiated the formation of the first IRT in Slovenia, SI-CERT. Currently he is the head of SI-CERT and also the chairman of the TERENA Task Force TF-CSIRT.
Robin Ruefle is a member of the technical staff in the CERT CSIRT Development Team at the Software Engineering Institute at Carnegie Mellon University. Her work focuses on the development of best practice standards and guidelines for helping new and existing CSIRTs improve and expand their services. She also develops and delivers training courses for CSIRT managers and staff. She is currently working with the rest of the CSIRT Development Team on developing an incident management framework and a methodology for assessing CSIRT operations.
She is co-author of the Handbook for CSIRTs (2nd Edition), Defining Incident Management Processes for CSIRTs: A Work in Progress, The State of the Practice of CSIRTs, Organizational Models for CSIRTs, and the CSIRT Services List.
April 16, 2007 08:30-09:30
Werner Schram, Wil Biemoit (NL)
Open source tools (such as nfdump/nfsen and flowd) as well as tools and extensions developed within SURFnet-CERT will be presented. The main goal is for participants to gain enough experience to set up a NetFlow environment best suited to their own network, combined with some real-world examples.
To participate, students are advised to install VMware (www.vmware.com). Images will be provided during class.
April 13, 2007 08:15-09:30, April 13, 2007 10:00-12:00, April 13, 2007 13:00-15:00, April 13, 2007 15:30-16:30
Robert Lowe (AusCERT, AU)
April 16, 2007 09:30-10:30
Arjen de Landgraaf (Co-Logic Security, Ltd, NZ)
Born in the Netherlands in 1952, Arjen has been working in IT since 1972. Starting off as a programmer in Assembler and RPG (not RPG II yet in those days) on the IBM 360-20, he was hired by NCR in 1974 and became an educator in 1978 for the NCR mainframe operating systems and programming languages such as Cobol. Having moved to Sperry Univac in 1980, he continued to work with Sperry as a consultant after migrating to New Zealand in 1984.
Since then Arjen was employed as Sr IT Consultant with KPMG NZ for 3 years and worked as independent IT consultant with the major NZ accountant and management firms. He started his own IT Services Company, Co-Logic Ltd in 1995.
Originally focusing on general IT project management and services, Co-Logic became increasingly specialized in managing IT Security from 1996 onwards. After a couple of large projects involving the response to and resolution of IT security breaches in some NZ and Australian banks, corporates and telecommunication companies, Arjen set out in 1998 to design an in-house tool for keeping track of security issues and vulnerabilities. Customers invited Co-Logic in 1999 to expand this tool and make it available as a service for their own use: E-Secure-IT was born.
In 2001 Arjen decided to fully focus on further developing E-Secure-IT and established Co-Logic Security Ltd. With Head offices in New Zealand, E-Secure-IT IT Security Action Response Centers are now established in New Zealand (Auckland), India (Calcutta), Europe (Netherlands), with a fourth Centre to be established in the US this year.
A European Investment Firm took an interest in the company in 2005, and with their financial backing, 10 years of dedicated IT Security Experience, 6 years of experience in running the Alert Service and feedback from the many customers in the Asia Pacific Region, E-Secure-IT was completely re-designed and re-written, and launched in Europe and the US in 2006.
Through his interest in Unix (starting in 1979) and IT Security over the years, Arjen has been a board member of the NZ UNIFORUM (1985-86), involved in the NZCS (New Zealand Computer Society) and the NZISF (the NZ Information Security Forum), and the New Zealand representative for IT and Telecommunication at the PECC (Pacific Economic Co-operation Council), the founding body of the APEC (Asia Pacific Economic Council), until he moved back to Europe in mid 2003 to spearhead the European and US expansion of Co-Logic Security.
Over the years Arjen has been a highly regarded keynote speaker on IT and Security at many international conferences in the Asia Pacific Region, and a part-time lecturer on IT Security and TQM for Asia Pacific universities, including Massey University in Auckland and Monash in Melbourne.
April 14, 2007 10:00-11:00
James N. Duncan (BB&T Corporation, US)
Once a rare occurrence a decade ago, security advisories are now produced many times a day. For each one, there are multiple companion advisories or commentaries produced in response, and each of those has slightly different information from different sources, is produced or collected at a different time, and is written in a different style with a different ultimate goal.
Is it any wonder that we are confused? And we are the experts!
The existing state of the art is complex and so are the products, but the goal of this hands-on class is simple: Find the common elements of advisory construction that are _good_, eliminate the _bad_, and develop a framework for producing better future advisories.
The class will be consensus-led. The instructor will provide background and examples, propose one or more vulnerabilities to study, encourage discussion, and collate material contributed by the participants. Attendees are expected to contribute to discussion and commentary, identify desirable and undesirable elements of advisories, compose (or help with composing) sections of text as a result of what has been learned, and then develop rules for ensuring better content in future security advisories.
Laptops are recommended highly but are not required; pen and paper will be adequate. Attendees will compose some sections separately at the same time to compare with others, and at other times attendees will work in parallel on different sections of an advisory to be collated by the instructor. Experience with more than one language will be valuable but is not required.
April 13, 2007 08:15-09:30, April 13, 2007 10:00-12:00, April 13, 2007 13:00-15:00, April 13, 2007 15:30-16:30