The FIRST Technical Colloquium (TC) event is restricted to FIRST members only and will be held on January 29-31, 2007.
Nevertheless, since this will be a joint event with TF-CSIRT, participation will be open to them, and there will be an additional event: the 20th TF-CSIRT Meeting.
From January 31st (Wednesday) to February 1st (Thursday), 2007 (2 full days), there will be the SC Meeting, open to FIRST Members. For logistical reasons, anyone planning to attend must send mail to first-sec@first.org (well in advance, please).
Hands-on classes (subject to the maximum number of participants)
A/P Federico Monteverde (AGESIC, UY)
How to find malware associated with a botnet, perform a behavior analysis of the binaries, and investigate and find the bot password. During the class students will perform analysis of several malware files.
This will be a hands-on presentation in which students must practice with several malware specimens. Students must bring their own laptops that must be able to:
It is recommended that the laptop also has a DVD reader, in order to copy additional files to the laptop. Laptops should preferably run VMware or another virtual machine system that is able to execute virtual machines on the x86 platform. It is possible to use a Mac, but we cannot guarantee execution with the other virtual environments.
Students must install a virtual machine environment (VMware, http://www.vmware.com, provides a 30-day license copy of VMware Workstation) and set up a Windows XP/200X virtual machine in it.
The Linux virtual machine and additional software will be provided in the class.
January 31, 2007 09:00-10:30, January 31, 2007 11:00-12:00, January 31, 2007 13:30-15:30, January 31, 2007 16:00-17:00
Carlos Fuentes (ES)
This hands-on class will show how to install and configure the RTIR software (Request Tracker for Incident Response), and how to use it to manage incidents.
Students must bring a laptop with a copy of VMware installed on it. A base image of a Linux system, used for the installation of RTIR, will be provided.
Attendance for this class is restricted to 15 students.
January 31, 2007 09:00-10:30, January 31, 2007 11:00-12:00
Tim Hurman
This class will explore the current state of security issues surrounding Bluetooth and WiFi and will demonstrate how these can be exploited. It will also provide some hands-on exercises explaining techniques that can be used during a penetration test or while auditing Bluetooth and WiFi devices.
Students must bring a laptop with a CD drive. Bootable CDs with all the required software will be provided.
January 31, 2007 09:00-10:30, January 31, 2007 11:00-12:00, January 31, 2007 13:30-15:30, January 31, 2007 16:00-17:00
Jim Duncan (US)
Once a rare occurrence a decade ago, security advisories are now produced many times a day. For each one, there are multiple other companion advisories or commentaries produced in response, and each of those has slightly different information from different sources, is produced or collected at a different time, and is written in a different style with a different ultimate goal.
Is it any wonder that we are confused? And we are the experts!
The existing state of the art is complex and so are the products, but the goal of this hands-on class is simple: Find the common elements of advisory construction that are _good_, eliminate the _bad_, and develop a framework for producing better future advisories.
The class will be consensus-led. The instructor will provide background and examples, propose one or more vulnerabilities to study, encourage discussion, and collate material contributed by the participants. Attendees are expected to contribute to discussion and commentary, identify desirable and undesirable elements of advisories, compose (or help with composing) sections of text as a result of what has been learned, and then develop rules for ensuring better content in future security advisories.
Laptops are highly recommended but are not required; pen and paper will be adequate. Attendees will compose some sections separately at the same time to compare with others, and at other times attendees will work in parallel on different sections of an advisory to be collated by the instructor. Experience with more than one language will be valuable but is not required.
January 31, 2007 09:00-10:30, January 31, 2007 11:00-12:00, January 31, 2007 13:30-15:30, January 31, 2007 16:00-17:00