The FIRST Technical Colloquium (TC) is restricted to FIRST members only and will be held on January 23-26, 2006.
Nevertheless, since this is a joint event with TF-CSIRT, the European CSIRT regional initiative, some sessions will be open to TF-CSIRT members as well.
17th TF-CSIRT Meeting (January 23, 2006)

Time | Item | Speaker(s)
---|---|---
10:00 – 11:00 | Meeting of TI-accredited CSIRTs (closed meeting) |
11:00 – 11:30 | Coffee break (sponsored by Cisco) |
11:30 – 13:00 | Meeting of TI-accredited CSIRTs (closed meeting) |
13:00 – 14:00 | Lunch |
14:00 – 14:10 | Welcome, introductions and apologies |
14:10 – 14:25 | Approval of minutes and status of action items |
14:25 – 14:55 | | Andrew Cormack (GB); Marco Thorbrügge (ENISA, DE)
14:55 – 15:25 | Compulsory Data Retention: Issues for CSIRTs | Andrew Cormack (GB)
15:25 – 16:00 | Coffee break (sponsored by Cisco) |
16:00 – 16:15 | | Don Stikvoort (NL)
16:15 – 16:25 | Update on EC-funded projects - GN2/JRA2 progress report | Jacques Schuurman (SURFnet-CERT)
16:25 – 16:35 | | Karel Vietsch (NL)
16:35 – 16:50 | | Wilfried Woeber (ACOnet-CERT, DE)
16:50 – 17:05 | | Carlos Fuentes
17:05 – 17:15 | | Andrew Cormack (GB)
17:15 – 17:20 | Status of the ToR and other TF-CSIRT work items / deliverables |
17:20 – 17:25 | Date and venue of next meetings |
17:25 – 17:30 | Any other business |
17:30 – 18:30 | Meeting of TI Review Board (closed meeting for TI staff and TI Review Board members only) |
19:30 – 19:30 | RTIR Working Group Meeting (closed meeting for CSIRTs participating in the RTIR project only; at the TERENA office) |
TF-CSIRT and FIRST Seminar (January 24, 2006)

Time | Item | Speaker(s)
---|---|---
09:30 – 11:00 | Session 1 |
09:30 – 09:45 | Welcome, overview of programme, logistic announcements | Gorazd Božič (SI-CERT)
09:45 – 10:15 | NREN server certificate service | Jan Meijer (SURFnet-CERT)
10:15 – 10:30 | Presentation about FIRST | Mike Caudill (Cisco PSIRT, FIRST Chairman, US); Yurie Ito (JPCERT/CC, JP)
10:30 – 11:00 | Presentation about Sender Policy Framework | Przemyslaw Jaroszewski (CERT POLSKA, PL)
11:00 – 11:30 | Coffee break (sponsored by Cisco) |
11:30 – 13:00 | Session 2 |
11:30 – 12:00 | SURFnet IDS - A distributed intrusion detection system | Rogier J.L. Spoor (SURFnet, NL)
12:00 – 12:45 | Solaris 10 security design considerations | Casper Dik (Sun)
12:45 – 13:00 | Update on Vulnerability and Exploit Description and Exchange Format WG | Ian Bryant (CSIA)
13:00 – 14:00 | Lunch |
14:00 – 15:50 | Session 3: Honeypots and worm detection |
14:00 – 14:30 | | Herbert Bos (VU, LOBSTER project)
14:30 – 14:50 | | Klaus Möeller (DFN-CERT, DE)
14:50 – 15:20 | WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats | Fabien Pouget (CERTA – French Government, FR)
15:20 – 15:50 | An overview of the German Honeynet Project | Thorsten Holz (NL)
15:50 – 16:20 | Coffee break (sponsored by Cisco) |
16:20 – 17:40 | Session 4: Legal sessions |
16:20 – 16:50 | A civil rights' perspective on data retention | Sjoera Nas (Bits of Freedom, NL)
16:50 – 17:10 | CSIRT interactions with law enforcement and intelligence services | Jacques Schuurman (SURFnet-CERT)
17:10 – 17:40 | | Tara Flanagan (Cisco Systems Ltd., US)
17:40 – 18:00 | US Operational Security Exercise | Charles Yun (Internet 2, US)
19:00 – 21:00 | Social event "Moeders Mooiste", Heinekenplein, Amsterdam |
FIRST Technical Colloquium – Hands-on Classes (January 25, 2006)

Four classes run in parallel; each row lists the instructors of the four tracks in that time slot.

Time | Track 1 | Track 2 | Track 3 | Track 4
---|---|---|---|---
09:00 – 11:00 | Advanced Malicious Code Analysis: Microsoft COM, Yoojae Won (KrCERT/CC – Korea Information Security Agency, KR) | Mark Rowe, Tim Hurman (Pentest) | Francisco (Paco) Monserrat (IRIS-CERT – RedIRIS) | Exploring the WWW - Web Application Security in practice, Daniel Sayk (Telekom-CERT)
11:30 – 12:30 | Advanced Malicious Code Analysis: Microsoft COM, Yoojae Won (KrCERT/CC – Korea Information Security Agency, KR) | Mark Rowe, Tim Hurman (Pentest) | Francisco (Paco) Monserrat (IRIS-CERT – RedIRIS) | Exploring the WWW - Web Application Security in practice, Daniel Sayk (Telekom-CERT)
13:00 – 14:00 | Lunch | | |
14:00 – 15:00 | Advanced Malicious Code Analysis: Microsoft COM, Jason Milletary (CERT/CC) | Mark Rowe, Tim Hurman (Pentest) | Francisco (Paco) Monserrat (IRIS-CERT – RedIRIS) | Exploring the WWW - Web Application Security in practice, Daniel Sayk (Telekom-CERT)
15:00 – 15:30 | Coffee break | | |
15:30 – 17:30 | Advanced Malicious Code Analysis: Microsoft COM, Jason Milletary (CERT/CC) | Mark Rowe, Tim Hurman (Pentest) | Francisco (Paco) Monserrat (IRIS-CERT – RedIRIS) | Exploring the WWW - Web Application Security in practice, Daniel Sayk (Telekom-CERT)
Sjoera Nas (Bits of Freedom, NL)
January 24, 2006 16:20-16:50
MD5: e45c8605a87c72f3b83469e0a55992ae
Format: application/pdf
Last Update: June 7th, 2024
Size: 689.37 Kb
Yoojae Won (Korea Information Security Agency, KR)
The analysis of malicious code often requires a deeper understanding of the technologies that malware authors use or target. In this class we will examine the capabilities of Microsoft COM that malware frequently uses to perform malicious activity such as stealing information. The class includes an overview of Microsoft COM technology along with hands-on reverse engineering of code samples.
Format — Attendees wishing to participate in the hands-on part will need to bring a laptop with a copy of the IDA Pro disassembler v4.9. Participants are also encouraged to install VMware with a Windows XP guest operating system. Other tools will be provided by the instructor.
January 25, 2006 09:00-11:00, January 25, 2006 11:30-12:30
Thorsten Holz (NL)
January 24, 2006 15:20-15:50
MD5: 81cd69bbb0fc840b7eec664c7e279a17
Format: application/pdf
Last Update: June 7th, 2024
Size: 440.3 Kb
Mark Rowe, Tim Hurman
This class will explore known security issues surrounding Bluetooth and demonstrate how they can be exploited. It will also provide a number of hands-on exercises explaining techniques that can be used during a penetration test or while auditing Bluetooth devices.
Format — Presentation and hands-on. Students should have a laptop with a bootable CD drive; a Bluetooth-equipped laptop is recommended (Bluetooth adaptors are fine). Students are invited to bring Bluetooth devices that they would like to test.
January 25, 2006 09:00-11:00, January 25, 2006 11:30-12:30
Francisco (Paco) Monserrat (RedIRIS)
How to find malware associated with a botnet, perform a behavioural analysis of the binaries, and investigate and recover the bot password.
Format — Students use their own laptops for the malware analysis. Before the hands-on session, students must install VMware (a 30-day demo licence is available) with a running copy of Windows XP on it.
January 25, 2006 09:00-11:00, January 25, 2006 11:30-12:30
Andrew Cormack (GB)
Andrew Cormack trained as a mathematician well before the Internet went mainstream. After five years on a research vessel managing the science IT, he joined the University of Cardiff as Postmaster, where it was suggested he might like to investigate “this world wide web thing” and assess whether it had a future. A few years later he started the UK’s academic CERT and managed the EuroCERT project. From then on, IT security was Andrew’s passion. During his career at JISC he became the organization’s Chief Regulatory Advisor and pursued law studies, graduating as a Master of Law.
Andrew’s contributions to the incident response community are many and broad. He was one of the initial TRANSITS trainers and thus shaped the careers of hundreds of incident responders. Andrew’s ability to listen beyond the mere words that people speak, combined with his vast knowledge, allowed him over and over again to build bridges to other fields. One particular area of focus was the governance and legal frameworks related to incident response, where he helped policy makers recognize the importance of CSIRTs. Andrew was a member of ENISA’s Permanent Stakeholder Group and sat on the boards of ORCID and the Internet Watch Foundation. He was a regular attendee and presenter at security conferences, and the Program Chair of the 2019 FIRST annual conference in his native Edinburgh.
Andrew Cormack passed away on April 12, 2023, only two weeks after having learned about his induction into the IR Hall of Fame.
January 23, 2006 14:55-15:25
MD5: 2aabc53951285f3ee00a53a7b03dfd7b
Format: application/pdf
Last Update: June 7th, 2024
Size: 31.49 Kb
Jacques Schuurman
January 24, 2006 16:50-17:10
MD5: 7b81bc4710c06837b2c950dd302f5a82
Format: application/pdf
Last Update: June 7th, 2024
Size: 248.68 Kb
Andrew Cormack (GB), Marco Thorbrügge (ENISA, DE)
January 23, 2006 14:25-14:55
MD5: 9b2167f3c7f5787b0d8c2f07aae6b952
Format: application/pdf
Last Update: June 7th, 2024
Size: 403.9 Kb
Daniel Sayk
Over the last few years, security analysts have gained a new player in the field of vulnerabilities. Drifting slightly away from software security (buffer overflows and the like), the cracker's focus is aimed more and more at (web) application security. Simple misconfigurations can lead to a wide spectrum of attack scenarios, for example code injection or bypassing of authentication. This course will give an overview of basic web application attack techniques and their origin. Attendees will work with common tools against a web server that demonstrates major vulnerabilities regularly found "in the wild".
Format — Students wishing to participate in the hands-on part will need to bring a laptop with a bootable CD drive, since they will be using it to boot a live Linux CD provided by the instructor.
January 25, 2006 09:00-11:00, January 25, 2006 11:30-12:30
Wilfried Woeber (DE)
January 23, 2006 16:35-16:50
MD5: 9c752495f14cc0aa99e6cfaa086acd15
Format: application/pdf
Last Update: June 7th, 2024
Size: 128.42 Kb
Klaus Möeller (DE)
January 24, 2006 14:30-14:50
MD5: 7f51b10c6c46c7452b0afbf6baeb92b2
Format: application/pdf
Last Update: June 7th, 2024
Size: 98.65 Kb
Jan Meijer
January 24, 2006 09:45-10:15
MD5: ec99d90991b5d123dd12039be044a690
Format: application/pdf
Last Update: June 7th, 2024
Size: 244.74 Kb
Przemyslaw Jaroszewski (PL)
Przemyslaw Jaroszewski is a security specialist at CERT Polska. For the past seven years he has been involved in incident response, advocacy and coaching in computer security, as well as various security-related projects. One of his main areas of interest is e-mail security and spam. He managed the development and implementation of a prototype database in the SPOTSPAM project.
January 24, 2006 10:30-11:00
jaroszewski-przemek-slides.pdf
MD5: 10dc7056784b506ded34990914822edc
Format: application/pdf
Last Update: June 7th, 2024
Size: 196.44 Kb
Tara Flanagan (Cisco Systems Ltd., US)
Tara Flanagan is the Director of Legal Services for Cisco Systems' worldwide services organization, and has supported Cisco's security reporting team (PSIRT) for seven years. Prior to joining Cisco in 1997, she worked as a government contracts attorney and commercial litigator with the Los Angeles law firm of McKenna, Conner and Cuneo. During her tenure as outside counsel, she represented large and small companies engaged in business with the U.S. government (for example, she represented FMC Corporation in a lawsuit against the Goodyear Tire and Rubber Company resulting in a $32M judgement for FMC), as well as pro bono cases in which she represented children and for which she received several pro bono awards. She holds a B.A. cum laude from Tulane University (New Orleans, LA) and a J.D. cum laude from Pepperdine University (Malibu, CA). She is licensed to practice law in California and is registered in-house counsel in Virginia.
January 24, 2006 17:10-17:40
MD5: e8b97a1efa75ca5124af0ab207cc17a9
Format: application/pdf
Last Update: June 7th, 2024
Size: 245.51 Kb
Casper Dik
January 24, 2006 12:00-12:45
MD5: acf27b9cb33bd98191701b2ec686206a
Format: application/pdf
Last Update: June 7th, 2024
Size: 179.76 Kb
Rogier J.L. Spoor (SURFnet, NL)
Rogier Spoor graduated in Bioprocess Engineering at Wageningen University and Research Centre. His first job was as a technical Linux and network engineer. Currently, Rogier works as an Account Advisor at SURFnet and is in charge of the D-IDS project.
January 24, 2006 11:30-12:00
MD5: 8fa536c7514a40c88d722b1f253181c9
Format: application/pdf
Last Update: June 7th, 2024
Size: 455.15 Kb
Karel Vietsch (NL)
January 23, 2006 16:25-16:35
MD5: 971b9701c3d4a2c8388e948350cc0b3c
Format: application/pdf
Last Update: June 7th, 2024
Size: 269.06 Kb
Andrew Cormack (GB)
January 23, 2006 17:05-17:15
Don Stikvoort (NL)
Don Stikvoort is founder of the companies “S-CURE” and “Cross Your Limits”. S-CURE offers senior consultancy in the area of cyber security, specialising in CSIRT matters. Cross Your Limits coaches and trains in the human area. Based in Europe, Don’s client base is global.
After his MSc degree in Physics, he became an infantry platoon commander in the Dutch Army. In 1988 he joined the Dutch national research network SURFnet. In that capacity he was among the pioneers who together created the European Internet from November 1989 onwards. He recognised “security” as a future concern in 1991, was chair of the 2nd CSIRT in Europe (now SURFcert) from 1992-8, and has been a FIRST member since 1992. Today Don is a FIRST Liaison Member.
Together with Klaus-Peter Kossakowski he initiated and built the closer cooperation of European CSIRTs starting in 1993 – this led to the emergence of TF-CSIRT in 2000. In 1998 he finished the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC. He was active in the IETF and RIPE (co-creator of the IRT-object). Don chaired the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. From 2001-2011 his company ran TF-CSIRT’s Trusted Introducer service. He wrote and taught several training modules for the CSIRT community.
In 1998 Don started his first company. A first assignment was to build the network connecting over 10,000 schools in The Netherlands. Many CSIRTs were created with his help and guidance, among which the Dutch national team (NCSC-NL). Second opinions, audits and maturity assessments in this field have become a specialty – and in that capacity Don developed SIM3 in 2008, the maturity model for CSIRTs which is used worldwide today for maturity assessments and certifications. SIM3 is now under the wing of the “Open CSIRT Foundation” (OCF). Don was one of its founders in 2016 and now chairs its board.
Starting in 1999, Don was certified in NLP, Time Line Therapy®, Coaching and Hypnotherapy, and brought that under the wing of “Cross Your Limits”, whose portfolio is life and executive coaching, and training courses in what Don likes to call “human arts”. He also trains communicators, presenters and trainers, including many in the CSIRT field.
Don thrives as a motivational and keynote speaker. He enjoys sharing his views on how the various worlds of politics, economics, psychology and daily life, but also cyber security, all intertwine and relate – and how deeper understanding and a better ability to express ourselves increase our ability to bring good change to ourselves as well as the world around us. He has discussed such topics all over the world, from Rome to the Australian Outback. His goal is to challenge his audience to think out of the box, and motivate them to be the difference that makes the difference, along the lines of the old African proverb:
“If you think you’re too small to make a difference, try sleeping in a closed room with a mosquito”.
January 23, 2006 16:00-16:15
MD5: f7671402d537a9bf6d60214d3cebc074
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.34 Mb
Jacques Schuurman
January 23, 2006 16:15-16:25
MD5: 86c08e0d020da9c0cea5db1320e2fcb5
Format: application/pdf
Last Update: June 7th, 2024
Size: 66.87 Kb
Carlos Fuentes
January 23, 2006 16:50-17:05
MD5: d087ec7298d652b77561721d02874fa3
Format: application/pdf
Last Update: June 7th, 2024
Size: 208.87 Kb
Ian Bryant, CSIA
January 24, 2006 12:45-13:00
MD5: 5555e9e1e3f2645d3265d242f4433955
Format: application/pdf
Last Update: June 7th, 2024
Size: 247.24 Kb
Charles Yun (Internet 2, US)
January 24, 2006 17:40-18:00
MD5: eae81483d865a0b36fa6aab2efb9e48e
Format: application/pdf
Last Update: June 7th, 2024
Size: 87.56 Kb
Fabien Pouget (French Government, FR)
Fabien Pouget has a PhD from the Institut Eurecom (ENST Paris), France.
He received his Master of Science from the Ecole Nationale Superieure des Telecommunications in 2002 after an internship at the IBM Research laboratory in Zurich, Switzerland. He joined the Network Security Team (nsteam) at Eurecom the same year. His research and teaching interests include computer and network security. He is involved in many projects on intrusion detection systems and honeypots, and his PhD subject dealt with alert correlation.
He co-founded the Leurré.com project (www.leurrecom.org) with Prof. Marc Dacier.
He is currently working for the French administrative CSIRT, CERTA.
January 24, 2006 14:50-15:20
MD5: 2410a9d0a98c4270bd54b4951e9fca24
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.3 Mb
Herbert Bos, VU, LOBSTER project
January 24, 2006 14:00-14:30
MD5: 7fd845194a436b64ef9f5ebe895b037c
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.1 Mb