The FIRST Technical Colloquium (TC) event is restricted to FIRST members only and will be held in Oct 5-7, 2005.
Nevertheless, since this will be a joint event with other CSIRT initiatives in the region, there will be two additional events adjacent to the TC in order to achieve non-FIRST-members as well. These two events are the FIRST/TRANSITS Course (Oct 1-2) and the Latin American Security Workshop (Oct 3-4).
FIRST/TRANSITS course
Security workshop
Security workshop
Technical Colloquium – Plenary Session
Technical Colloquium – Hands-On Class
Technical Colloquium – Laboratory
Security workshop | |
---|---|
09:20 – 11:00 | Incident Response in Latin America Latin American CSIRTs |
11:20 – 11:50 | FIRST: Global Incident Handling FIRST Board Member |
11:50 – 13:00 | Regional Initiatives in Incident Response Various FIRST Members |
14:30 – 15:10 | Taxonomy of Mexican Online Banking 2005: Threats and Mitigation Juan Carlos Guel, David Gimenez, UNAM-CERT |
15:10 – 16:10 | Cisco PSIRT - Incident Management Dario Ciccarone, Cisco PSIRT |
16:30 – 18:00 | Digital crimes under different perspectives Various |
Security workshop | |
---|---|
09:00 – 09:50 | Sebastián García, CITEFA |
09:50 – 10:50 | Wietse Venema, FIRST Liason Member |
11:10 – 12:10 | Information Security Attack Trends Iván Arce, Core Security Technologies |
12:10 – 13:00 | Recycling IPv4 exploit for IPv6 Franciso Jesús Monserrat Coll , IRIS-CERT |
14:30 – 15:20 | Trends in Internet Attack Technology and the Role of Artifact Jason Milletary, Cert/CC |
15:20 – 16:10 | Incident Response and Early Warning Initiatives in Brazil Marcelo H P C Chaves, CERT.br |
16:30 – 16:50 | Latin-American Forensic challenge V.2: Conclusion UNAM-CERT, IRIS-CERT |
16:50 – 17:40 | The SANS Internet Storm Center (ISC): A Collaborative Information Security Community Johannes Ullrich, SANS Internet Storm Center |
Technical Colloquium – Plenary Session | |
---|---|
09:20 – 09:50 | Honeypots for Security Operations James J. Barlow, NCSA-IRST |
09:50 – 10:20 | A Tool to Capture BruteSSH attacks related info Ivo Carvalho Peixinho, CAIS/RNP |
11:50 – 13:00 | Various FIRST Members |
14:30 – 15:00 | Various FIRST Members |
15:00 – 15:30 | Recent Activity in Phishing Malware Jason Milletary (CERT/CC) |
15:30 – 16:10 | Fernando Gont, UTN (Invited) |
16:30 – 17:00 | Fraud and Phishing Scam Response Arrangements in Brazil Marcelo H P C Chaves, CERT.br |
17:00 – 17:30 | Yet another Windows auditing tool Juan Carlos Guel, David Gimenez, UNAM-CERT |
17:30 – 18:00 | Peter Quick, Deutsche Telekom, T-Com CERT |
Technical Colloquium – Hands-On Class | |
---|---|
09:20 – 10:40 | Francisco Jesus Monserrat Coll (IRIS-CERT) DE Common Vulnerabilities Score Systems Marco Thorbrügge (ENISA, DE) AR Cryptography in forensics & reverse engineering Ariel Waissbein (CORE Security Technology, AR); Ariel Futoransky, Gerardo Richarte (CORE Security Technologies, AR) US Hands-on analysis of a compromised Linux machine Dr. Wietse Z. Venema (IBM, US) |
11:00 – 12:30 | Francisco Jesus Monserrat Coll (IRIS-CERT) DE Common Vulnerabilities Score Systems Marco Thorbrügge (ENISA, DE) AR Cryptography in forensics & reverse engineering Ariel Waissbein (CORE Security Technology, AR); Ariel Futoransky, Gerardo Richarte (CORE Security Technologies, AR) US Hands-on analysis of a compromised Linux machine Dr. Wietse Z. Venema (IBM, US) |
14:20 – 15:40 | Francisco Jesus Monserrat Coll (IRIS-CERT) DE Common Vulnerabilities Score Systems Marco Thorbrügge (ENISA, DE) AR Cryptography in forensics & reverse engineering Ariel Futoransky, Gerardo Richarte (CORE Security Technologies, AR); Ariel Waissbein (CORE Security Technology, AR) US Hands-on analysis of a compromised Linux machine Dr. Wietse Z. Venema (IBM, US) |
16:00 – 17:30 | Francisco Jesus Monserrat Coll (IRIS-CERT) DE Common Vulnerabilities Score Systems Marco Thorbrügge (ENISA, DE) AR Cryptography in forensics & reverse engineering Ariel Waissbein (CORE Security Technology, AR); Ariel Futoransky, Gerardo Richarte (CORE Security Technologies, AR) US Hands-on analysis of a compromised Linux machine Dr. Wietse Z. Venema (IBM, US) |
Technical Colloquium – Laboratory | |
---|---|
09:00 – 10:40 | US Botnets Lab: From Soup to Nuts Guilherme Vênere (CAIS/RNP – Brazilian Academic and Research Network); Stephen Gill (Cymru Team, US) |
11:00 – 13:00 | US Botnets Lab: From Soup to Nuts Guilherme Vênere (CAIS/RNP – Brazilian Academic and Research Network); Stephen Gill (Cymru Team, US) |
Ivo Carvalho Peixinho, CAIS/RNP
This paper describes a tool that emulates the capabilities of a SSH server and is capable of monitoring the behavior of brute force ssh attacks. The tool was developed for using as a stand-alone tool or integrated on a honeypot. It was designed to obtain information about connections, users, passwords, SSH protocol version and commands entered by a successful attack attempt. An experiment using the same tool is also described. The experiment aimed to obtain information, statistics and a profile about this kind of attack. Some of the experiment results are presented at the end of the presentation.
October 5, 2005 09:50-10:20
Sebastián García, CITEFA
On March 10th, 2005, a Romenian intruder got access to an Army Force´s server of Argentinian Government. We allowed him to do that.
Later, others would add. For a six-month time period we studied, tested, provoked, analyzed them and of course we learned a lot from them.
We learned how to classify and identify as a result of their interaction with our systems. This presentation they will be shown investigative techniques, cases, motivations, the tools they had used and the ones we had to develop, the frustrations, the methodology, results and the actions these miscreants use to perform in real life.
October 4, 2005 09:00-09:50
MD5: 409bb98963b5bc6d2839ce71979bb01f
Format: application/pdf
Last Update: June 7th, 2024
Size: 665.24 Kb
Francisco Jesus Monserrat Coll
How to find malware associated to a botnet and perform a behavior analysis of the binaries and how to investigate and find the bot password. Format: students use their own laptops to make malware analysis on a Unix enviroment.
October 6, 2005 09:20-10:40, October 6, 2005 11:00-12:30, October 6, 2005 14:20-15:40, October 6, 2005 16:00-17:30
Guilherme Vênere (Brazilian Academic and Research Network), Stephen Gill (Cymru Team, US)
The basics of botnet operations will be demonstrated in this lab from the initial moment of infection and miscreant abuse, to methods of spotting bot, and network cleanup. This lab will attempt to dispel some security myths along the way such as the protection of NAT firewalls, safety of non-Windows operating systems, and miscreant motivations. It will also show how botnets can be used to perform illicit actions such as keylogging, scanning, exploiting, and launching denial of service attacks.
October 7, 2005 09:00-10:40, October 7, 2005 11:00-13:00
Dario Ciccarone, Cisco PSIRT
This presentation talks about the internal and external groups the PSIRT team works with, relationship with external researchers, internal process to fix software, internal advisory process,factors driving timing of public disclosure.
October 3, 2005 15:10-16:10
MD5: db82df4581aed7a55325c2eb0c73a865
Format: application/pdf
Last Update: June 7th, 2024
Size: 239.9 Kb
Marco Thorbrügge (ENISA, DE)
This class will first go over CVSS basics. Then have the participants score some test vulnerabilities themselves. We will then go over the results and attempt to identify any discrepancies. Format: students use their own laptops to run a .xls file to score vulnerabilities.
October 6, 2005 09:20-10:40, October 6, 2005 11:00-12:30, October 6, 2005 14:20-15:40, October 6, 2005 16:00-17:30
MD5: 7df22aec593f49008375a5e7051236c4
Format: application/pdf
Last Update: June 7th, 2024
Size: 201.33 Kb
Ariel Futoransky (CORE Security Technologies, AR), Ariel Waissbein (CORE Security Technology, AR), Gerardo Richarte (CORE Security Technologies, AR)
Cryptography can be effectively used to improve the strength of communication, authentication and logging systems, but can also help the attacker in several different ways. Cryptographic obfuscation tools, can be used by an attacker to effectively hide the intent of tools deployed on compromised systems, complicating the analysis and limiting the information that can be obtained in a forensic process. This also applies to the payload of exploits and massive worms. A family of cryptographic obfuscation methods based on one-way-hash-functions will be presented and available analysis tools discussed. Format: demo
October 6, 2005 09:20-10:40, October 6, 2005 11:00-12:30, October 6, 2005 14:20-15:40, October 6, 2005 16:00-17:30
Various
Digital Crimes Under the perspective of a lawyer, a public prosecutor, the police, a CSIRT Representative.
October 3, 2005 16:30-18:00
MD5: f2a51b5209c591c6c6a8569e326d81f3
Format: application/pdf
Last Update: June 7th, 2024
Size: 84.62 Kb
MD5: 2cc8b0b096a287fa07d3e39066a424c8
Format: application/pdf
Last Update: June 7th, 2024
Size: 327.41 Kb
MD5: 1861dc7b909b1e894f488b8048ddf34e
Format: application/pdf
Last Update: June 7th, 2024
Size: 128.19 Kb
FIRST Board Member
FIRST (the Forum of Incident Response and Security Teams) was formed in response to one of the original incidents to affect the Internet in 1989 – a year after the original CERT was formed. FIRST was formed to enable response teams to liaise with each other, form trusted relationships, exchange tools and information and assist each other is responding to incidents.
Membership of FIRST allows teams to join a global group specifically setup to improve the state of the internet. Why should you join? What benefits would it bring you and your organization?
October 3, 2005 11:20-11:50
MD5: 97089874de2c339611b30a79d8394793
Format: application/pdf
Last Update: June 7th, 2024
Size: 146.02 Kb
Wietse Venema, FIRST Liason Member
Wietse presents lessons learned about persistence of information in file systems and in main memory of modern computers how long information persists and why. The results are based on measurements of a variety of UNIX and Linux systems, with some results for Windows/XP, including how to recover encrypted files without knowing the key.
October 4, 2005 09:50-10:50
MD5: ff7e911451104a72caec18c5122de0f7
Format: application/pdf
Last Update: June 7th, 2024
Size: 426.22 Kb
Marcelo H P C Chaves, CERT.br
Brazil has seen a huge increase in incidents related with frauds and phishing scams, specially schemes based on the use of trojan horses. In this presentation CERT.br will discuss how we are responding to these issues in Brazil, including technical analysis and coordination with AV vendors and the financial sector.
October 5, 2005 16:30-17:00
MD5: 634e05580fa273de8a48df56610f8513
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.99 Mb
Dr. Wietse Z. Venema (IBM, US)
Wietse presents lessons learned about persistence of information in file systems and in main memory of modern computers - how long information persists and why. The results are based on measurements of a variety of UNIX and Linux systems, with some results for Windows/XP, including how to recover encrypted files without knowing the key.
October 6, 2005 09:20-10:40, October 6, 2005 11:00-12:30, October 6, 2005 14:20-15:40, October 6, 2005 16:00-17:30
James J. Barlow, NCSA-IRST
This presentation covers some real live cases of using honeypots for investigating some security incidents.
October 5, 2005 09:20-09:50
MD5: 6aa8c305deaac14db9886d9666625513
Format: application/pdf
Last Update: June 7th, 2024
Size: 36.54 Kb
Fernando Gont, UTN (Invited)
The ICMP protocol is a fundamental part of the TCP/IP protocol suite, and is used mainly for reporting network error conditions. However, the current IETF specifications do not recommend any kind of security checks on the received ICMP error messages, thus leaving the door open to a variety of attacks. ICMP can be used to perform a number of attacks against the TCP protocol, which include blind connection-reset, blind throughput-reduction, and blind performance degrading attacks.
Fernando will introduce the attacks that can be performed against TCP by means of ICMP, and will discuss the possible counter-measures against them. Of particular interest will be a discussion of a counter-measure for the blind performance-degrading attack, and a discussion of advanced packet filtering policies that could be used to mitigate the impact of these attacks. Furthermore, Fernando will also discuss why existing security mechanisms do not help to protect TCP from these ICMP-based attacks.
Last, but not least, Fernando will discuss the disclosure process of these security vulnerabilities, and the ongoing work at IETF on these issues.
October 5, 2005 15:30-16:10
MD5: d32246277ee991a5eec9e34f5f8b8a82
Format: application/pdf
Last Update: June 7th, 2024
Size: 880.37 Kb
Marcelo H P C Chaves, CERT.br
This presentation will show Incident Response Initiatives in Brazil, specially the The Early Warning Capabilty Based on a Network of Distributed Honeypots.
October 4, 2005 15:20-16:10
MD5: 59b8fd42651f8d629c70de98675c2356
Format: application/pdf
Last Update: June 7th, 2024
Size: 899.14 Kb
Latin American CSIRTs
Incident Response Activities in Latin America. Experiences from Argentina, Brazil, Mexico and Spain.
October 3, 2005 09:20-11:00
MD5: 93deb08ff41527bc7adb5b5e751c19d4
Format: application/pdf
Last Update: June 7th, 2024
Size: 129.97 Kb
MD5: 7add861066b345051de3edb908e35c22
Format: application/pdf
Last Update: June 7th, 2024
Size: 108.08 Kb
MD5: cc7c4b61a999423085dbc51c4129190f
Format: application/pdf
Last Update: June 7th, 2024
Size: 385 Kb
Iván Arce, Core Security Technologies
A review of current attack tools, methods, and trends as viewed by Ivan Arce, Core Security Technologies CTO and author of IEEE Security & Privacy Magazine Attack Trends column will be presented.
October 4, 2005 11:10-12:10
MD5: 72e1ed030afb99a7d49ff7d459f53072
Format: application/pdf
Last Update: June 7th, 2024
Size: 247.46 Kb
UNAM-CERT, IRIS-CERT
The two major academic computer security related organizations from Mexico and Spain, UNAM through UNAM-CERT and the public company Red.es through RedIRIS security group organized the forensic challenge V2.0, motivating system forensics development in Latin-America. 960 incident handlers were dissecting an image of a compromised Linux system and their reports were evaluated by specialist from Mexico, Spain and Brazil last spring.
For this presentation we will discuss our Experinces and lessons learned about this work and what tools are being used by the community in Latinamerica for this Forensic Challenge.
October 4, 2005 16:30-16:50
monserrat-francisco-slides-3.pdf
MD5: e00742a5779d5070e0c13026be006688
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.11 Mb
Jason Milletary
This presentation will provide an overview of the capabilities that CERT/CC has observed being implemented within malicious code designed to steal sensitive user information for online banking, commerce, and payment system sites.
October 5, 2005 15:00-15:30
MD5: bb26363796fcf9fb25586ba8c50d0f3e
Format: application/pdf
Last Update: June 7th, 2024
Size: 586.41 Kb
Franciso Jesús Monserrat Coll , IRIS-CERT
There is the false though in some people that IPv6 will be more "secure" than IPv4, mainly for the inclusion of IPSec . This presentation show that some of this ideas are not real and that it would be very easy to convert the current exploits (that propagates using IPv4) to use IPv6.
October 4, 2005 12:10-13:00
monserrat-francisco-slides.pdf
MD5: 1357af57c144eef3b76c2b8a4ca286ff
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.35 Mb
Various FIRST Members
Regional Initiatives in Asia-Pacific, Europe, and Latin American Academic Networks.
October 3, 2005 11:50-13:00
MD5: 5976bb7e26603afd08a6485c961d8427
Format: application/pdf
Last Update: June 7th, 2024
Size: 159.97 Kb
monserrat-francisco-slides-2.pdf
MD5: 771763bc098d1b45cd6a7a8c96d7c50d
Format: application/pdf
Last Update: June 7th, 2024
Size: 323.97 Kb
MD5: 62c3f15e7f912e3b08ec15385ca3c68f
Format: application/pdf
Last Update: June 7th, 2024
Size: 162.87 Kb
MD5: 73955f03a271694d0e67d1a3df370edd
Format: application/pdf
Last Update: June 7th, 2024
Size: 258.96 Kb
Juan Carlos Guel, David Gimenez, UNAM-CERT
Last spring UNAM-CERT presented within the Computer Security Congress 2005 in Mexico an study about 25 financial organizations, assessing Internet Banking computer security threatens and incident handlers based reports like phishing, scam, pharming, etc.
This study discusses the need to bring on communications and coordinations channels in order to reduce the threatens faced by Internet Banking and anticipating new kinds of cyber-crime. Finally we will present a work in progrees between UNAM-CERT and Mexican financial institutions.
October 3, 2005 14:30-15:10
MD5: 1f0c984ad3ce6bef44a6b3eea9fe74c3
Format: application/pdf
Last Update: June 7th, 2024
Size: 206.18 Kb
Johannes Ullrich, SANS Internet Storm Center
The talk will outline how the SANS Internet Storm Center works, and how it attempts to inform about and mitigate current threats. The basic principles will be illustrated using the example of a DNS poisoning attack from earlier this year. In conclusion, the talk will suggest future trends and threats as they are currently being observed by the ISC.
October 4, 2005 16:50-17:40
MD5: 8065b76933fc5f13a5d93aea8aff35ea
Format: application/pdf
Last Update: June 7th, 2024
Size: 574.72 Kb
Jason Milletary, Cert/CC
Observation of recent attack trends have demonstrated the shifting of Internet attack technology to support financial gains. Attacks are increasingly targeting the end-user in an attempt to gather valued information and resources. An overview of these trends and the role of artifact analysis in understanding and countering these threats will be presented.
October 4, 2005 14:30-15:20
MD5: 8c6c4de20dea75cfa7ccfda5b0ffad23
Format: application/pdf
Last Update: June 7th, 2024
Size: 158.82 Kb
Peter Quick, Deutsche Telekom, T-Com CERT
Although VoIP is a new revolutionary technology in the world of communications, it presents some drawbacks in aspects of information security. The fact that it is based mostly on standard Computer-Environment makes it vulnerable to all well known security threats such as computer fraud. This presentation will focus on some fraud scenarios, such as subscriber fraud and PSTN fraud.
October 5, 2005 17:30-18:00
Various FIRST Members
Short update presentations on ongoing FIRST members projects, initiatives, etc.
October 5, 2005 11:50-13:00, October 5, 2005 14:30-15:00
MD5: 06e3227bd703d09015ff0a6683099caa
Format: application/pdf
Last Update: June 7th, 2024
Size: 758.14 Kb
MD5: 1c7c998bb7c34307b3bd17181d071416
Format: application/pdf
Last Update: June 7th, 2024
Size: 46.58 Kb
monserrat-francisco-slides-1.pdf
MD5: cf0842a6fb6e2cc4a7d2df6cfbd641ca
Format: application/pdf
Last Update: June 7th, 2024
Size: 662.81 Kb
MD5: a40a0da3f211b24fa0becee82ff7f362
Format: application/pdf
Last Update: June 7th, 2024
Size: 474.19 Kb
MD5: 8dc4e9db1740e4ca7af54c316dd32288
Format: application/pdf
Last Update: June 7th, 2024
Size: 9 Mb
MD5: 15c3b8980c058f8bada33e4a254198a5
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.06 Mb
Juan Carlos Guel, David Gimenez, UNAM-CERT
Since every day we can get lots of logs in ours systems, debug them is a overwhelming task. We can identify events showing failed login attempts, privileges changes, and further intrusion attempts within the events in the system. But within a huge network architecture it could be an impossible task even when we were talking about the same operative system.
The tool described in this paper gathers all the events in remote host that are suspicious of being about a possible intrusion attempt. All the data is stored in a data base an the administrator is alerted in order to reduce the time in response. It's a client-server architecture and could be used within a domain or not. All the information is encrypted before send it through the network. The administrators can get HTML or text reports from the computer they wish.
October 5, 2005 17:00-17:30