The FIRST Technical Colloquium (TC) event is restricted to FIRST members only and will be held on January 27-31, 2008.
Nevertheless, since this will be a joint event with TF-CSIRT (the European CSIRT regional initiative), there will be some sessions restricted to TF-CSIRT members only and others open to both communities.
From January 30th (Wednesday) to January 31st (Thursday), 2008 (2 full days), the SC Meeting will take place, open to FIRST Members. For logistical reasons, anyone planning to attend needs to send mail to first-sec@first.org (well in advance, please).
Sun Microsystems Inc. has kindly offered their local travel agency (AMCA) to provide support for lunch reservation at the hotel venue (Hotel Olympik) during the event.
This is obviously not mandatory; however, attendees should be aware that the pubs and restaurants in the area are not that close to the venue (they are a tram ride away, which can take a while).
Those who are not interested can go out for lunch on their own, using the list of nearby restaurants.
TF-CSIRT Seminar Day
Joint TF-CSIRT/FIRST Meeting
FIRST TC hands-on classes
TF-CSIRT Seminar Day | |
---|---|
13:30 – 13:40 | SI Welcome, introductions and apologies Gorazd Bozic (SI-CERT – TF-CSIRT chair, SI) |
13:40 – 13:50 | SI Approval of minutes and status of action items Gorazd Bozic (SI-CERT – TF-CSIRT chair, SI) |
13:50 – 14:10 | TR TR-CERT presentation Mehmet Eris (TR-CERT, TÜBITAK, TR) |
14:10 – 14:30 | TN CERT-TCC presentation Helmi Rais (CERT-TCC, TN) |
14:30 – 14:45 | Update on the RIPE IRT object activities Wilfried Wöber (ACONET-CERT – Vienna University) |
14:45 – 14:55 | Update on CHIHT TDB |
14:55 – 15:00 | NL TRANSITS update Karel Vietsch (NL) |
15:00 – 15:30 | Coffee break |
15:30 – 15:50 | GB Andrew Cormack (GB) |
15:50 – 16:10 | IT GN2 JRA2 update Claudio Allochio (GARR, IT) |
16:10 – 16:15 | NL APCERT update Wim Biemolt (SURFnet, NL) |
16:15 – 16:30 | SI Gorazd Bozic (SI-CERT – TF-CSIRT chair, SI) |
16:30 – 17:00 | Coffee break |
Joint TF-CSIRT/FIRST Meeting | |
---|---|
08:30 – 09:00 | Registration |
09:20 – 09:50 | SI Gorazd Bozic (SI-CERT – TF-CSIRT chair, SI) |
09:50 – 10:20 | US Derrick Scholl (FIRST Chair, US) |
10:40 – 11:10 | CZ Enriching security toolbox in Solaris with Netcat Vladimir Kotal (Sun, CZ) |
11:10 – 11:40 | ES RADARE: Easing binary analysis for fun and profit Roman Valls (esCERT-UPC, ES) |
11:40 – 12:10 | NL Wout De Natris (London Action Plan, NL) |
13:40 – 14:10 | NL Building a simple & effective Walled Garden Scott McIntyre (KPN-CERT, NL) |
14:10 – 14:40 | GB Open Source Intelligence Gathering on a Shoestring Ian Cook (Corbels Security Services Ltd., GB) |
15:00 – 16:40 | QA TN FI JP NO GR DE LT Teams Update/Work in progress session Chris Bateman (Q-CERT, QA); Cyril Gayet (CERTA); Helmi Rais (CERT-TCC, TN); Kauto Huopio (CERT-FI, FI); Masato Terada (IPA, JP); Mirek Maj; Per Arne Enstad (UNINETT CERT, NO); Stelios Maistros (GRNET CERT, GR); Udo Schweigert (Siemens-CERT – FIRST Membership Committee Chair, DE); Vytautas Krakauskas (LITNET CERT, LT); Yoshiki Sugiura (NTT-CERT, JP) |
16:40 – 17:30 | GB An evening in the life of a hacker Adam Laurie (RFIDIOt, GB) |
FIRST TC hands-on classes | |
---|---|
08:30 – 09:00 | Registration |
09:00 – 10:20 | US Exporting, configuring, and analyzing netflow lab Michael Scheck (Cisco CSIRT, US) GB Adam Laurie (RFIDIOt, GB) NL Kees Trippelvitz (SURFnet, NL); Wim Biemolt (SURFnet-CERT, NL) BR Web vulnerability and exploits Atanaí Sousa Ticianelli (CAIS/RNP – Brazilian Academic and Research Network, BR) |
10:20 – 10:40 | Coffee break |
10:40 – 12:00 | US Exporting, configuring, and analyzing netflow lab Michael Scheck (Cisco CSIRT, US) GB Adam Laurie (RFIDIOt, GB) NL Kees Trippelvitz (SURFnet, NL); Wim Biemolt (SURFnet-CERT, NL) BR Web vulnerability and exploits Atanaí Sousa Ticianelli (CAIS/RNP – Brazilian Academic and Research Network, BR) |
13:30 – 15:30 | NL Kees Trippelvitz (SURFnet, NL); Wim Biemolt (SURFnet-CERT, NL) BR Web vulnerability and exploits Atanaí Sousa Ticianelli (CAIS/RNP – Brazilian Academic and Research Network, BR) |
15:30 – 15:50 | Coffee break |
15:50 – 17:00 | NL Kees Trippelvitz (SURFnet, NL); Wim Biemolt (SURFnet-CERT, NL) BR Web vulnerability and exploits Atanaí Sousa Ticianelli (CAIS/RNP – Brazilian Academic and Research Network, BR) |
Adam Laurie (RFIDIOt, GB)
Not content with breaking (into) other people's hardware, Adam Laurie likes to get up on his own roof and tinker with his satellite dish, and has also been known to discharge projectile weapons at perfectly serviceable computer equipment... Following up on his "a day in the life of..." talk, Adam will present some of his works in progress, and will attempt to answer fundamental questions that bother him after a hard day's hacking, such as "What would happen if I fire this real gun at an online computer game?" and "Is that a satellite, or are you just pleased to see me?".
January 29, 2008 16:40-17:30
MD5: 12f0fe5310b585f702669b28e7bd3ada
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.2 Mb
Gorazd Bozic (TF-CSIRT chair, SI)
After obtaining a B.Sc. degree in computer science from University in Ljubljana, Slovenia, Gorazd Božič started working for ARNES (Academic and Research Network of Slovenia) in 1994 and in the same year initiated the formation of the first IRT in Slovenia, SI-CERT. Currently he is the head of SI-CERT and also the chairman of TF-CSIRT TERENA Task Force.
January 28, 2008 13:40-13:50
Scott McIntyre (NL)
Walled Garden or "quarantine" networks can protect your users/customers whilst still allowing them to perform necessary updates. This 30 minute talk will discuss the technologies used by one ISP in building their Walled Garden and how such technology can be useful for incident responders as well as security analysts within an organisation. The technology discussed is low cost & mostly open source based.
January 29, 2008 13:40-14:10
MD5: 671cc13bf5ac45285321d2fcfef4eba3
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.24 Mb
Andrew Cormack (GB)
Andrew Cormack trained as a Mathematician well before the Internet went mainstream. After five years on a research vessel managing the science IT, he joined the University of Cardiff as Postmaster, where it was suggested he might like to investigate “this world wide web thing” and assess whether it had a future. A few years later he started the UK’s academic CERT as well as managed the EuroCERT project. Since then IT Security was Andrew’s passion. During his career at JISC he transitioned to the organization’s Chief Regulatory Advisor and pursued Law studies in which he graduated as a Master of Law.
Andrew’s contributions to the Incident Response community are many and broad: He was one of the initial TRANSITS trainers and thus shaped the careers of hundreds of incident responders. Andrew’s ability to listen beyond the mere words that people speak, combined with his vast knowledge, allowed him over and over again to build bridges to other fields. One particular area of focus was the governance and legal frameworks related to Incident Response, where he helped policy makers recognize the importance of CSIRTs. Andrew was a member of ENISA’s Permanent Stakeholder Group and sat on the boards of ORCID and the Internet Watch Foundation. He was a regular attendee and presenter at security conferences, and the Program Chair of the 2019 FIRST annual conference in his native Edinburgh.
Andrew Cormack passed away on April 12 2023, only two weeks after having learned about his induction in the IR Hall of Fame.
January 28, 2008 15:30-15:50
Vladimir Kotal (CZ)
Netcat is often called the "TCP/IP Swiss army knife" and is used by both system administrators and hackers. Up to now Solaris lacked an implementation of Netcat. The talk will describe the process of integrating nc(1) into OpenSolaris. The talk will also cover processes specific to (Open)Solaris development such as code review, architectural review and testing. Also, future plans for extensions and enhancements will be laid out.
January 29, 2008 10:40-11:10
MD5: 9569d5de7112f289a946b96ca8a78c4a
Format: application/pdf
Last Update: June 7th, 2024
Size: 595.32 Kb
Michael Scheck (Cisco CSIRT, US)
This is a configuration lab to learn how to export, configure and analyze netflow data. The main goal is for students to gain enough experience to set up a netflow environment best suited to their own network.
To participate, students are advised to install VMware (www.vmware.com) in order to boot a Linux system from a USB pen drive provided by the instructor.
January 30, 2008 09:00-10:20, January 30, 2008 10:40-12:00
Derrick Scholl (FIRST Chair, US)
A brief update on FIRST activities and the Steering Committee
January 29, 2008 09:50-10:20
MD5: 4cc6f7a8ee30fdf30afb1deff7e6dac9
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.67 Mb
Gorazd Bozic (TF-CSIRT chair, SI)
January 28, 2008 16:15-16:30
Wout De Natris (London Action Plan, NL)
Mr. De Natris will talk about the London Action Plan (LAP), a world wide informal organisation on the cooperation against cyber crime and spam. His presentation will touch on the mission statement of LAP, the goals, the results and who can participate. He will also tell us something on the work of OPTA - the Dutch Independent Post and Telecommunication Authority, and as such the internet safety enforcer of the Netherlands - and their aims to cooperate nationally and internationally.
January 29, 2008 11:40-12:10
MD5: bf752f66ee1d65932e3bda4ebeb84d80
Format: application/pdf
Last Update: June 7th, 2024
Size: 107.64 Kb
Ian Cook (GB)
This presentation outlines some free or inexpensive tools that can be used in Open Source Intelligence Gathering.
January 29, 2008 14:10-14:40
Roman Valls (ES)
The project aims to create a complete free *nix-like toolchain for working with binary files.
Its core is a command-line, block-based hexadecimal editor which handles everything as a file: a process, a file, a disk, memory. This flexibility offers nice scripting features which can be mixed with Perl, Python and Vala.
A data block can be visualized in the way you want, making it easier to recognize data structures. One of these views is a disassembler print format which currently supports the intel, arm, powerpc, m68k and java architectures. Here's a pseudocode representation of an intel program.
radare comes with some other utilities:
The abstraction layer is done by IO plugins which wrap all the open/read/..
Currently the debugging IO layer works on *BSD and Linux on x86 and arm. A w32 port is planned.
Here's the list of current features:
January 29, 2008 11:10-11:40
MD5: 36261bc5955c06de9493c282302aa6b2
Format: application/pdf
Last Update: June 7th, 2024
Size: 432.17 Kb
Adam Laurie (RFIDIOt, GB)
This class will explore issues surrounding RFID and demonstrate how these can be exploited.
Demonstration workshop. 1 hour lecture plus 2 hours practical/hands-on. Students should bring a Linux laptop (Windows is acceptable, but driver and software installation may be required).
January 30, 2008 09:00-10:20, January 30, 2008 10:40-12:00
Kees Trippelvitz (SURFnet, NL), Wim Biemolt (NL)
To give the institutions connected to SURFnet better insight into malicious traffic, SURFnet developed the SURFids service, an easy to deploy and manage distributed Intrusion Detection System (IDS). Topics of this class will be analysis of attacks, doing some attacks ourselves directed at the SURFids sensors, ARP poisoning and several features of the SURFids web interface.
There will be a live demonstration and a hands-on part where participants can get some first-hand experience with SURFids. To fully participate, students are advised to install VMware (www.vmware.com; VMware Workstation 5+, VMware Player or VMware Server). VMware images will be provided during class.
January 30, 2008 09:00-10:20, January 30, 2008 10:40-12:00
January 30, 2008 13:30-15:30, January 30, 2008 15:50-17:00
Chris Bateman (QA), Cyril Gayet, Helmi Rais (TN), Kauto Huopio (CERT-FI, FI), Masato Terada (IPA, JP), Mirek Maj, Per Arne Enstad (NO), Stelios Maistros (GRNET CERT, GR), Udo Schweigert (FIRST Membership Committee Chair, DE), Vytautas Krakauskas (LT), Yoshiki Sugiura (JP)
Masato Terada received M.E. in Information and Image Sciences from University of Chiba, Japan, in 1986. From 1986 to 1995, he was a researcher at the Network Systems Research Dept., Systems Development Lab., Hitachi. Since 1996, he has been Senior Researcher at the Security Systems Research Dept., Systems Development Lab., Hitachi. Since 2002, he had been studying at Graduate School of Science and Technology, Keio University and received Ph.D in 2005. Since 2004, he has been with the Hitachi Incident Response Team. Also, he is a visiting researcher at Security Center, Information - Technology Promotion Agency, Japan (ipa.go.jp), and JVN associate staff at JPCERT/CC (jpcert.or.jp), as well.
After school and military service, Udo Schweigert finished university with a master's degree in Computer Science, and served as an assistant professor at two German universities for three years. In 1989 he joined Siemens, where he worked as a software engineer on the OS development of SINIX (an SVR4 derivative very similar to Sun Solaris). Later he developed security products for these OSes. In 1996 he switched internally to the central research and development department of Siemens, where he (in 1998) founded Siemens CERT.
At the moment Mr. Schweigert is the team lead of Siemens CERT, leading a team of 15 people delivering the CERT services internally to the whole Siemens group.
In his spare time he also contributes to the FreeBSD project as a port maintainer (nessus and mutt).
Mr. Schweigert is a member of the Steering Committee of FIRST (his term ends in 2008), serving as the vice-chair, and additionally he is the chair of the membership committee of FIRST, which is in charge of reviewing every membership application submitted to FIRST.
Yoshiki Sugiura has 24 years of experience with CSIRTs. He was a member of JPCERT/CC from 1998. He now works for two CSIRTs, IL-CSIRT and NTT-CERT. He is also a board member of the Nippon CSIRT Association. For SIM3 he is a certified trainer and auditor. He is a specialist in CSIRT management.
January 29, 2008 15:00-16:40
Gorazd Bozic (TF-CSIRT chair, SI)
January 29, 2008 09:20-09:50
Atanaí Sousa Ticianelli (Brazilian Academic and Research Network, BR)
Web applications have become an attractive target for attacks because of the large quantity of sensitive data put online. Unfortunately, keeping these applications safe depends on everything from secure server installation to planned application development and testing. We are going to demonstrate how some attacks can take advantage of simple system vulnerabilities, or even very complex ones, to compromise web applications.
There will be a brief introduction to web application threats, followed by two exercises showing the exploitation of vulnerabilities in web applications. To participate, students are advised to install VMware (www.vmware.com). Images will be provided during class.
January 30, 2008 09:00-10:20, January 30, 2008 10:40-12:00
Gorazd Bozic (TF-CSIRT chair, SI)
January 28, 2008 13:30-13:40