Time | Plenary Sessions
---|---
09:00 – 09:15 | Opening/Welcoming Remarks, CyberSecurity Malaysia & FIRST Rep
09:15 – 10:00 | State of Health of the Internet and our Networks, Richard Perlotto (Shadowserver Foundation, US)
10:00 – 10:30 | Networking Break
10:30 – 11:15 | Threats to Our Security: Motivations and Targets, Ryan Connolly (Team Cymru, US)
11:15 – 12:00 | Mahmud Ab Rahman (MyCERT – CyberSecurity Malaysia, MY)
12:00 – 12:45 | The Emperor's New Cloud: An Analysis of the July 2009 RoK/USA DDoS Attacks, Roland Dobbins (Arbor Networks, US)
13:00 – 14:00 | Lunch
14:45 – 15:30 | New Developments on Brazilian Phishing Malware, Jacomo Piccolini (ESR/RNP, BR)
15:30 – 16:00 | Networking Break
16:00 – 16:45 | Case Study: Database Hack with a Twist, Alex Tilley (AFP – Australian Federal Police, AU)
16:45 – 17:30 | Low Interaction Server Honeypot Evolution, Mark Schloesser (Giraffe Honeynet, DE)
17:30 – 17:40 | Closing / Administrative
18:00 – 21:00 |
Time | Hands-on Session 1 (ShadowServer) | Hands-on Session 2 (JPCERT) | Hands-on Session 3 (AusCERT) | Hands-on Session 4 (MyCERT)
---|---|---|---|---
08:45 – 09:00 | FIRST Rep – brief opening / administrative announcements (all sessions) | | |
09:00 – 10:30 | Becoming Criminal – A Botnet Exercise, ShadowServer | Network Monitoring and Traffic Analysis, Keisuke Kamata (JPCERT/CC – JPCERT Coordination Center, JP) | Jonathan Levine, Zane Jarvis (AusCERT, AU) | Adnan Shukor, Hafiz Mat Tabrani (MyCERT, MY)
10:30 – 11:00 | Networking Break | | |
11:00 – 12:30 | Becoming Criminal – A Botnet Exercise, ShadowServer (continued) | Network Monitoring and Traffic Analysis, Keisuke Kamata (JPCERT/CC, JP) (continued) | Jonathan Levine, Zane Jarvis (AusCERT, AU) (continued) | Adnan Shukor, Hafiz Mat Tabrani (MyCERT, MY) (continued)
12:30 – 14:00 | Lunch | | |

Time | Hands-on Session 5 (David Watson, Honeynet) | Hands-on Session 6 (JPCERT) | Hands-on Session 7 (Team Cymru) | Hands-on Session 8 (TunisCERT)
---|---|---|---|---
14:00 – 15:30 | Hands on with the Honeywall and virtual honeypots, David Watson (Honeynet, GB) | HTTP Protocol and Web Application Security, Shiori Sato (JPCERT/CC, JP) | Ryan Connolly (Team Cymru, US) | Security Information and Event Monitoring with OSSIM, Haythem El Mir (CSIRT.tn Keystone, TN)
15:30 – 16:00 | Networking Break | | |
16:00 – 17:30 | Hands on with the Honeywall and virtual honeypots, David Watson (Honeynet, GB) (continued) | HTTP Protocol and Web Application Security, Shiori Sato (JPCERT/CC, JP) (continued) | Ryan Connolly (Team Cymru, US) (continued) | Security Information and Event Monitoring with OSSIM, Haythem El Mir (CSIRT.tn Keystone, TN) (continued)
17:30 – 17:45 | Closing | | |
Mahmud Ab Rahman (CyberSecurity Malaysia, MY)
The increased prevalence of malicious Portable Document Format (PDF) files has generated interest in techniques for analysing this document format. We have observed many attacks that abuse PDF vulnerabilities by hosting malicious PDF files on the Internet; the modus operandi is to trick victims into opening the files through social engineering. This talk will highlight techniques and issues related to analysing malicious PDF files.
December 1, 2009 11:15-12:00
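An added example, not material from the talk, of the kind of static triage the abstract refers to: a small Python script that counts the PDF name tokens commonly used to trigger code or reach out (/OpenAction, /JavaScript, /Launch and so on) while handling two evasions that defeat a naive grep, #xx hex-escaped names such as /J#61vaScript and JavaScript hidden inside a FlateDecode-compressed stream. The keyword list, function names and the sample document are this example's own constructions.

```python
import re
import zlib

# Name tokens that give a document a way to run code or contact the network.
# The list is this example's choice, not an exhaustive one.
SUSPICIOUS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/URI")

NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}]+")      # a PDF name ends at a delimiter
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")       # #xx escape inside a name
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside name tokens, so /J#61vaScript reads as /JavaScript."""
    def fix(m):
        return HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME_TOKEN.sub(fix, data)


def inflate_streams(data: bytes) -> list:
    """Return the decompressed body of every stream that is a complete zlib stream.

    Streams with another filter (or none) fail to inflate and are skipped; a
    decompressobj is used so the newline before 'endstream' is tolerated as trailing data."""
    bodies = []
    for m in STREAM.finditer(data):
        d = zlib.decompressobj()
        try:
            out = d.decompress(m.group(1))
        except zlib.error:
            continue
        if d.eof:
            bodies.append(out)
    return bodies


def triage(pdf: bytes) -> dict:
    """Count suspicious names in the raw file and in its inflated streams."""
    views = [unescape_names(pdf)] + [unescape_names(s) for s in inflate_streams(pdf)]
    hits = {}
    for name in SUSPICIOUS:
        # require a delimiter (or end of data) after the name so /JS does not match /JSmith
        pattern = re.compile(re.escape(name) + rb"(?![^\s/\[\]<>(){}])")
        count = sum(len(pattern.findall(v)) for v in views)
        if count:
            hits[name.decode()] = count
    return hits


def build_sample() -> bytes:
    """Constructed test document: the catalog's /OpenAction is hex-escaped and the
    action object's JavaScript sits inside a FlateDecode stream."""
    action = b"<< /S /JavaScript /JS (app.alert('hello')) >>"
    packed = zlib.compress(action)
    header = (b"%PDF-1.4\n"
              b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
              b"3 0 obj\n<< /Length " + str(len(packed)).encode()
              + b" /Filter /FlateDecode >>\nstream\n")
    return header + packed + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(triage(build_sample()))
```

On the constructed sample the raw bytes contain neither `/JavaScript` nor `/OpenAction` literally, yet `triage` reports both plus `/JS`, which is the point: a keyword scan that skips name unescaping and stream inflation sees a clean file. Real documents add further layers (other filters, object streams, incremental updates), so a hit count is a reason to look closer, not a verdict.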
ShadowServer
This is a live malware demonstration and malicious activity class. We are NOT here to learn about reversing, protection, defense or detection; for that, seek another class.
We are here to have fun and play the role of the bad guy, the herder and the script kiddie, and to see how easy (and how much fun) it is to participate on the other side of the field.
December 2, 2009 09:00-10:30, December 2, 2009 11:00-12:30
Alex Tilley (AFP - Australia Federal Police, AU)
The AFP recently undertook an investigation into the hacking of a database belonging to a private company; the database was offered for sale on the open market. Its sale could have led to large-scale problems for Australia's Internet presence. The investigation combined specialist technical resources, covert Internet engagement and old-fashioned police work.
December 1, 2009 16:00-16:45
David Watson (Honeynet, GB)
A chance to spend some hands-on time learning about honeynet technologies in a safe, controlled manner. The session gives a brief background on the evolution of honeypots, followed by an introduction to the Honeywall, one of the primary tools used for honeynet data control and data capture. It then covers extracting high-interaction I/O activity using Sebek, analysis of attacks against low- and high-interaction honeypots, using honeypots for automated malware collection and analysis, and an introduction to client honeypots. Hopefully both informative and fun, the session aims to show how honeypots can be used in the real world to improve information security.
December 2, 2009 14:00-15:30, December 2, 2009 16:00-17:30
Shiori Sato (JP)
Recently, computer security incidents have increasingly involved the HTTP world, such as web application programs. Understanding the HTTP protocol is key to understanding web-based security issues. This session will cover the HTTP protocol and the security issues related to web-based systems. Hands-on exercises using WebGoat from the OWASP project are included to show real web application exploitation activity.
December 2, 2009 14:00-15:30, December 2, 2009 16:00-17:30
Mark Schloesser (Giraffe Honeynet, DE)
The talk will give an introduction to our new low-interaction server honeypot, 'Dionaea'. Dionaea is meant to be the successor to nepenthes: it embeds Python as its scripting language, uses libemu to detect shellcode, and supports IPv6 and TLS.
The software grew out of the shortcomings we experienced with nepenthes and is therefore meant to supersede it.
December 1, 2009 16:45-17:30
Ryan Connolly (US)
It is critical that today's network security professionals have a solid understanding of the real-world tools being used to attack our systems. With a focus on how we can better defend those systems, in this class we will control a botnet ourselves and demonstrate common detection strategies. As it is one of the most common and serious exploitation methods today, we will also look at web drive-by attacks and explore basic techniques for analysing malware collected from such attacks.
December 2, 2009 14:00-15:30, December 2, 2009 16:00-17:30
Keisuke Kamata (JPCERT Coordination Center, JP)
Network monitoring is one way to understand what is happening within a network. This session will cover the basics of network monitoring and the issues we should know about (e.g. legal issues, privacy issues, encryption, covert channels). Two hands-on exercises using malicious traffic data are included.
December 2, 2009 09:00-10:30, December 2, 2009 11:00-12:30
Jacomo Piccolini (ESR/RNP, BR)
Jacomo Dimmit Boca Piccolini holds a degree in Industrial Engineering from Universidade Federal de Sao Carlos (UFSCar), with two postgraduate qualifications, one from the Computer Science Institute and the other from the Economics Institute of Universidade de Campinas (Unicamp). He is a GIAC Certified Intrusion Analyst (GCIA) and GIAC Certified Forensics Analyst (GCFA), working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field, he is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of the RNP backbone infrastructure by hackers.
December 1, 2009 14:45-15:30
Haythem El Mir (CSIRT.tn Keystone, TN)
Security Information and Event Monitoring has become a basic service for information system security management, providing real-time monitoring, alerts and log management as well as threat management through correlation and analysis of data gathered from network security devices and applications. This session will cover the practical steps for deploying some open source solutions for security event monitoring. The main product will be OSSIM (Open Source Security Information Management), a mature solution for security event management, coupled with several sensors such as Nagios and Snort.
December 2, 2009 14:00-15:30, December 2, 2009 16:00-17:30
Richard Perlotto (Shadowserver Foundation, US)
This talk will cover what we should expect of the general cleanliness and health of the Internet and of our own networks, using Conficker and other infections as the vehicle to show the reality facing us all. Do not expect any happy endings.
December 1, 2009 09:15-10:00
Roland Dobbins (Arbor Networks, US)
This talk will discuss the attack methodologies, observed impact and lessons learned from the July 2009 RoK/USA DDoS attacks. It will include data on the attacks derived from a worldwide network of Internet traffic sensors, a recounting of first-hand experiences detecting, classifying, tracing back and mitigating the attacks, and a discussion of the implications of this incident in the context of the industry-wide migration towards virtualization and cloud computing services.
December 1, 2009 12:00-12:45
Ryan Connolly (US)
While network security is about intrusion detection, malware analysis, DDoS mitigation and so on, it is also about the miscreants behind the malicious activity and their intentions. As long as the miscreant community is motivated to conduct malicious activity, we will suffer from their actions. To better understand the fundamental reasons behind network attacks, this talk will explore what motivates the common miscreant and examine what types of information and targets help miscreants fulfil their objectives.
December 1, 2009 10:30-11:15
Adnan Shukor (MY), Hafiz Mat Tabrani (MY)
This web security hands-on session offers an introduction to the computer security concepts important to those who develop web applications.
Participants will learn the basics of secure coding and of detecting and preventing abuses. The course focuses on PHP as the programming language and MySQL as the DBMS.
Participants will be required to bring their own laptop. VMware images will be distributed.
December 2, 2009 09:00-10:30, December 2, 2009 11:00-12:30
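An added example, not course material from MyCERT, of the abuse a PHP/MySQL secure-coding session most needs to show: a login query built by string concatenation next to its parameterised fix. It is written in Python over an in-memory sqlite3 table so it runs stand-alone; the PHP equivalents are noted in the comments. The users table, account and payload are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the course's MySQL users table.

    Passwords are stored in clear only to keep the example short; real code hashes them."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The classic defect: request data spliced into the SQL text.

    PHP equivalent: "SELECT ... WHERE username='$user' AND password='$pass'"."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters keep the data outside the SQL grammar.

    PHP equivalent: a mysqli prepared statement with bind_param, or PDO with bindValue."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


# Payload that turns the WHERE clause into
#   username='alice' AND password='' OR '1'='1'
# AND binds tighter than OR, so the clause is true for every row.
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected password:", login_vulnerable(db, "alice", INJECTION))
    print("safe, injected password:      ", login_safe(db, "alice", INJECTION))
```

With the same payload `login_vulnerable` returns True and `login_safe` returns False, because the bound parameter is compared as a string value rather than parsed as SQL. Escaping functions (`addslashes`, `mysql_real_escape_string`) are a weaker substitute: they depend on the connection's character set and on the developer remembering to call them at every splice point, whereas a prepared statement removes the splice point altogether.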
Jonathan Levine (AU), Zane Jarvis (AU)
December 2, 2009 09:00-10:30, December 2, 2009 11:00-12:30