The FIRST Technical Colloquium (TC) is restricted to FIRST members only and will be held on October 11-12, 2006.
Since this is a joint event with other CSIRT initiatives in the region, two additional events adjacent to the TC will be open to non-FIRST members as well: the FIRST/TRANSITS Course (October 7-8) and the Latin American Security Workshop (October 9-10).
Security Workshop / 2nd Colaris (October 9, 2006)

Time | Session | Speaker(s)
---|---|---
09:00 – 09:30 | | Liliana Solha (FIRST.Org, BR); Nelson Simões (Brazilian Academic and Research Network, BR)
09:30 – 10:00 | FIRST: Improving Security Together | Chris Gibson (FIRST Executive Director – FIRST.org, GB)
10:00 – 10:20 | |
10:20 – 11:00 | Cybercrimes and the Brazilian Law | (FIRST SC Liaison)
11:00 – 12:00 | Keynote Speaker: An APWG Perspective on the Phishing Battle | Anti-Phishing Working Group
12:00 – 12:20 | Argentina's Government Strategies on the use of Mandatory Information Security Policies | Rodolfo Baader (ArCERT – Argentine Government)
13:50 – 14:30 | Internet Security in Brazil: Studies and Initiatives | Marcelo H. P. C. Chaves (CERT.br – The Brazilian Internet Steering Committee)
14:30 – 15:00 | CTIR: Brazilian Government CSIRT | André Caricatti (Brazilian Government, BR)
15:00 – 15:40 | Security Challenges in Academic Networks | Francisco (Paco) Monserrat (IRIS-CERT – RedIRIS); Guilherme Vênere (CAIS/RNP – Brazilian Academic and Research Network)
15:40 – 16:00 | |
16:00 – 18:00 | Panel: A Security Incident seen under Different Perspectives | Chris Gibson (Citigroup CIRT, GB); Jacomo Piccolini (ESR/RNP, BR); Omar Kaminski (CAIS/RNP, BR); Patrick Cain (Anti-Phishing Working Group, US); Paul Laudanski (CastleCops, US); Till Dörges (PRE-CERT – PRESECURE Consulting GmbH, DE)
Security Workshop / 2nd Colaris (October 10, 2006)

Time | Session | Speaker(s)
---|---|---
09:00 – 09:30 | Internet Storm Center: New Challenges | Pedro Bueno (SANS Institute, BR)
09:30 – 10:30 | Keynote Speaker: Stealth Malware - Can Good Guys Win? | Joanna Rutkowska (COSEINC, PL)
10:30 – 10:50 | |
10:50 – 11:20 | | Francisco (Paco) Monserrat (IRIS-CERT – RedIRIS)
11:20 – 12:00 | Cyber Security - Real World Threats | Ewerton Vieira (Arbor Networks, US)
12:00 – 12:40 | | Luiz Eduardo dos Santos (Aruba Networks, US)
12:40 – 14:00 | |
14:00 – 14:50 | Security Policies in LA: Which is the Focus of the Regional Strategies? | Erick Iriarte Ahon (LacTld, PE)
14:50 – 15:50 | Keynote Speaker: Forensic Discovery | Dr. Wietse Z. Venema (IBM, US)
15:50 – 16:10 | |
16:10 – 16:50 | Cracking-down Phishing Infrastructure in Brazil | Sérgio Luís Fava (Brazilian Federal Police, BR)
16:50 – 17:40 | Keynote Speaker: Phishing Incident Reporting and Termination | Paul Laudanski (CastleCops, US)
Technical Colloquium – Plenary Sessions (October 11, 2006)

Time | Session | Speaker(s)
---|---|---
09:10 – 09:50 | PHP attacks and exploitation in Brazil | Ivo Carvalho Peixinho (CAIS/RNP – Brazilian Academic and Research Network)
09:50 – 10:20 | Malware Collection and Analysis in Argentina | Rodolfo Baader (ArCERT – Argentine Government)
10:20 – 10:40 | |
10:40 – 11:20 | FIRST and APWG working together | Patrick Cain (Anti-Phishing Working Group, US)
11:20 – 11:50 | Auditing and Protecting Wireless Networks | Jason Falciola (IBM, US)
11:50 – 13:00 | Subverting Vista Kernel for Fun and Profit (Invited Speaker) | Tomohiko Yamakawa (NTT DATA, JP)
14:00 – 14:30 | Early Warning Systems and Politics' Quest for the Silver Bullet | Till Dörges (PRE-CERT – PRESECURE Consulting GmbH, DE)
14:30 – 15:00 | | SC Members (FIRST.Org)
15:00 – 16:30 | | Various FIRST Members
16:30 – 16:50 | |
16:50 – 17:30 | Brazilian Underground Hacker Activities | Jacomo Piccolini (ESR/RNP, BR)
Technical Colloquium – Hands-On Class (October 12, 2006)

Four classes run in parallel; each occupies both the morning and the afternoon slot.

Time | Class | Instructor(s)
---|---|---
08:30 – 12:00 | Botnet malware analysis (no title given; abstract below) | Francisco (Paco) Monserrat (IRIS-CERT – RedIRIS)
08:30 – 12:00 | CVSS vulnerability scoring (no title given; abstract below) | Gavin Reid (HUMAN Security, US); Mike Scheck (Cisco PSIRT, US)
08:30 – 12:00 | Hands-on analysis of a compromised Linux machine | Dr. Wietse Z. Venema (IBM, US)
08:30 – 12:00 | Solaris Audit (no title given; abstract below) | Martin Englund (Sun – Sun Microsystems, SE)
12:00 – 13:30 | Lunch |
13:30 – 17:00 | The four morning classes continue | (same instructors)
Argentina's Government Strategies on the use of Mandatory Information Security Policies
Rodolfo Baader (Argentine Government)
October 9, 2006 12:00-12:20
Auditing and Protecting Wireless Networks
Jason Falciola (IBM, US)
This session provides exposure to existing and emerging tools and techniques that can be used to audit (or compromise) wireless networks. In addition, a demo of the capabilities of a WIDS/WIPS (Wireless Intrusion Detection/Prevention System) will be given, with specific attention paid to the attacks discussed in class.
Students use their own laptops to boot from provided CDs with a customized Linux distribution. Wireless cards are required to perform many of the exercises. Cards based on the Prism 2/2.5 and Atheros chipsets (except USB adapters) are recommended, because their Linux drivers support monitor mode and raw frame injection, which the auditing tools depend on; a limited number of cards will be available for use. See the following links to check the chipset of your card:
<http://www.atheros.com>
<http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Wireless.html>
<http://hostap.epitest.fi>
October 11, 2006 11:20-11:50
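The WIDS/WIPS demo above watches for the attacks taught in the class. As an added illustration that is not part of the course materials, the following Python detector parses raw 802.11 management frame headers from a monitor-mode capture and raises an alert when one transmitter sends a burst of deauthentication frames, the flooding technique auditing tools use to knock clients off an access point. The capture is constructed inline (the AP address, the threshold of 20 frames per second and the reason code 7 are assumed values), so it runs offline.

```python
# Added example (not from the colloquium materials): a minimal WIDS-style
# deauthentication-flood detector over raw 802.11 management frames.
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0          # 802.11 frame type 0 = management
SUBTYPE_BEACON = 0x8
SUBTYPE_DEAUTH = 0xC

def mac(addr):
    return ":".join("%02x" % b for b in addr)

def parse_80211_header(frame):
    """Decode a management frame header.

    Frame control (2 bytes, little-endian): bits 0-1 protocol version,
    bits 2-3 type, bits 4-7 subtype.  Management frames then carry
    duration, addr1 (receiver), addr2 (transmitter), addr3 (BSSID) and
    sequence control; a deauth body starts with a 16-bit reason code.
    """
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc = frame[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    reason = None
    if ftype == MGMT_TYPE and subtype == SUBTYPE_DEAUTH and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return ftype, subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

class DeauthFloodDetector:
    """Counts deauth frames per transmitter address in a sliding time window."""

    def __init__(self, threshold=20, window_s=1.0):
        self.threshold = threshold          # assumed tuning values
        self.window_s = window_s
        self.recent = defaultdict(deque)    # transmitter -> timestamps of its deauths
        self.alerts = []

    def observe(self, ts, frame):
        ftype, subtype, dst, src, bssid, reason = parse_80211_header(frame)
        if ftype != MGMT_TYPE or subtype != SUBTYPE_DEAUTH:
            return None
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) == self.threshold:        # fire once per burst, when the threshold is crossed
            alert = {"t": ts, "src": src, "bssid": bssid, "dst": dst,
                     "count": len(q), "reason": reason}
            self.alerts.append(alert)
            return alert
        return None

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Assemble a management frame (used here only to construct test input)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

def run_demo():
    """Constructed capture: legitimate beacons, then 40 broadcast deauths in 0.4 s
    with the AP's own address spoofed as transmitter.  Returns the alerts raised."""
    ap = bytes.fromhex("00112233aabb")       # assumed AP/BSSID address
    bcast = b"\xff" * 6
    det = DeauthFloodDetector(threshold=20, window_s=1.0)
    t = 0.0
    for _ in range(10):
        det.observe(t, build_mgmt_frame(SUBTYPE_BEACON, bcast, ap, ap))
        t += 0.1
    for _ in range(40):
        det.observe(t, build_mgmt_frame(SUBTYPE_DEAUTH, bcast, ap, ap, struct.pack("<H", 7)))
        t += 0.01
    return det.alerts
```

A real deployment feeds frames from a monitor-mode interface instead of the constructed list. Deauthentication frames carried no authentication in the 802.11 of that era (management frame protection only arrived later with 802.11w), so a WIDS can detect the flood but cannot stop a client from honouring it, which is why the class pairs auditing tools with a WIDS/WIPS rather than relying on either alone.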
Francisco (Paco) Monserrat (RedIRIS)
How to find the malware associated with a botnet, perform a behaviour analysis of the binaries, and investigate and recover the bot password. During the class students will analyse several malware files.
This is a hands-on class in which students must practise with several malware specimens. Students must bring their own laptops, which must be able to:
- Run a virtual machine with Windows XP/200X.
- Run a Linux virtual machine (provided by the instructor).
It is recommended that the laptop also has a DVD reader, in order to copy additional files to it. Laptops should preferably run VMware or another virtualization system able to execute x86 virtual machines;
it is possible to use a Mac, but execution under other virtual environments cannot be guaranteed.
Students must install a virtualization environment before the class (VMware, http://www.vmware.com, provides a 30-day evaluation license for VMware Workstation) and set up a Windows XP/200X virtual machine in it. The Linux virtual machine and additional software will be provided in the class.
October 12, 2006 08:30-12:00, October 12, 2006 13:30-17:00
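As an added example of the first step of the behaviour analysis described above (not course material), this Python triage script pulls printable strings out of a bot binary and classifies the IRC artifacts that usually give away its command-and-control: server and port, NICK pattern, JOIN channel and key, PASS password, and dot-prefixed bot commands. The byte blob is constructed to resemble the data section of such a bot; every hostname, channel, nick and password in it is invented.

```python
# Added example (not from the class): strings-based C&C triage of an IRC bot.
import re

# Constructed blob mimicking string constants in an IRC bot's data section.
SAMPLE_BOT_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    + b"irc.example-botnet.net:6667\x00"
    + b"NICK [XP]%s\x00"
    + b"USER xp 0 0 :xp\x00"
    + b"PASS s3cr3tserv\x00"
    + b"JOIN #b0ts k3yw0rd\x00"
    + b".login\x00.ddos.syn\x00.download\x00"
    + b"\x8f\x1bSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00"
)

PATTERNS = {
    "server": re.compile(rb"^([a-z0-9.-]+\.[a-z]{2,})[:,](\d{2,5})$", re.I),
    "nick":   re.compile(rb"^NICK\s+(\S+)", re.I),
    "pass":   re.compile(rb"^PASS\s+(\S+)", re.I),
    "join":   re.compile(rb"^JOIN\s+(#\S+)(?:\s+(\S+))?", re.I),
}

def extract_strings(blob, min_len=4):
    """Equivalent of `strings -n 4`: runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def triage_bot_strings(blob):
    """Group extracted strings into the C&C artifacts an analyst looks for first."""
    findings = {"server": [], "nick": [], "password": [], "channel": [],
                "channel_key": [], "commands": [], "other": []}
    for raw in extract_strings(blob):
        s = raw.strip()
        m = PATTERNS["server"].match(s)
        if m:
            findings["server"].append((m.group(1).decode(), int(m.group(2))))
            continue
        m = PATTERNS["nick"].match(s)
        if m:
            findings["nick"].append(m.group(1).decode())
            continue
        m = PATTERNS["pass"].match(s)
        if m:
            findings["password"].append(m.group(1).decode())
            continue
        m = PATTERNS["join"].match(s)
        if m:
            findings["channel"].append(m.group(1).decode())
            if m.group(2):
                findings["channel_key"].append(m.group(2).decode())
            continue
        if s.startswith(b"."):          # leading-dot command names are common in IRC bots
            findings["commands"].append(s.decode())
            continue
        findings["other"].append(s.decode())
    return findings

def triage_sample():
    return triage_bot_strings(SAMPLE_BOT_BLOB)
```

If the specimen is packed or its strings are encoded, this static pass yields nothing useful; that is when the behaviour analysis in the class's virtual machines takes over, and the same artifacts (server, channel, key, password) are recovered from the bot's IRC traffic instead.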
Brazilian Underground Hacker Activities
Jacomo Piccolini (ESR/RNP, BR)
October 11, 2006 16:50-17:30
Cracking-down Phishing Infrastructure in Brazil
Sérgio Luís Fava (Brazilian Federal Police, BR)
The role of a police task force in the incident response context; the Brazilian Federal Police's actions against phishing; actions taken by other Brazilian police forces; challenges in computer forensics; the effect of low security standards on investigative work; and a keylogger demonstration.
October 10, 2006 16:10-16:50
CTIR: Brazilian Government CSIRT
André Caricatti (Brazilian Government, BR)
Brazilian Federal Criminal Expert with a Master's degree in Computer Science from the University of Brasília; currently Coordinator of the Center for Treatment of Incidents on Brazilian Federal Government Networks.
October 9, 2006 14:30-15:00
Gavin Reid (HUMAN Security, US), Mike Scheck (Cisco PSIRT, US)
This class will first cover CVSS basics, then have the participants score some test vulnerabilities themselves. We will then go over the results and attempt to identify any discrepancies.
Students use their own laptops to run a .xls file to score vulnerabilities.
October 12, 2006 08:30-12:00, October 12, 2006 13:30-17:00
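The class compares scores that participants produce independently. As an added example that is not the class's spreadsheet, the Python below implements a CVSS base-score calculator and a helper that diffs two analysts' vectors for the same vulnerability, so a discrepancy can be traced to the metric that caused it. The page does not say which CVSS version the class used; the v2 base-score equations and metric weights are assumed here, and the vectors are made-up examples.

```python
# Added example (not the class's .xls): CVSS v2 base score and a two-analyst diff.
import math

# CVSS v2 metric weights (assumed; the page does not name the CVSS version).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality/Integrity/Availability impact
METRICS = ("AV", "AC", "Au", "C", "I", "A")

def round1(x):
    """CVSS 'round_to_1_decimal': round half up, not Python's banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10.0

def parse_vector(vec):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> dict of the six base metrics."""
    m = dict(part.split(":") for part in vec.split("/"))
    for k in METRICS:
        if k not in m:
            raise ValueError("missing metric %s in %r" % (k, vec))
    return m

def base_score(vec):
    """v2 base equation: 0.6*Impact + 0.4*Exploitability - 1.5, scaled by f(Impact)."""
    m = parse_vector(vec)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)

def compare_scores(vec_a, vec_b):
    """Return (score_a, score_b, metrics that differ) for two analysts' vectors."""
    a, b = parse_vector(vec_a), parse_vector(vec_b)
    diffs = [k for k in METRICS if a[k] != b[k]]
    return base_score(vec_a), base_score(vec_b), diffs
```

In the comparison of AV:N/AC:L/Au:N/C:P/I:P/A:P (7.5) against AV:N/AC:M/Au:N/C:P/I:P/A:P (6.8) the only difference is Access Complexity, Low versus Medium; that single judgement call is the kind of discrepancy the discussion after the scoring exercise is meant to surface.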
Cyber Security - Real World Threats
Ewerton Vieira (Arbor Networks, US)
October 10, 2006 11:20-12:00
Cybercrimes and the Brazilian Law
(FIRST SC Liaison)
October 9, 2006 10:20-11:00
Early Warning Systems and Politics' Quest for the Silver Bullet
Till Dörges (PRESECURE Consulting GmbH, DE)
Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he is currently working on are a network of distributed IDS sensors (evolved from the EC-funded project "eCSIRT.net") and the EC-funded research project on proactive security monitoring in a policy-based framework ("POSITIF"). Both projects relate strongly to intrusion detection, honeynets and (security) policies.
He is also the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as within FIRST.
Till Dörges studied Computer Science in Hamburg, Toulouse and Leipzig. He holds a French "Maîtrise d'Informatique" and a German "Informatik-Diplom".
October 11, 2006 14:00-14:30
FIRST and APWG working together
Patrick Cain (Anti-Phishing Working Group, US)
October 11, 2006 10:40-11:20
FIRST: Improving Security Together
Chris Gibson (FIRST.org, GB)
October 9, 2006 09:30-10:00
SC Members (FIRST.Org)
October 11, 2006 14:30-15:00
Francisco (Paco) Monserrat (RedIRIS)
October 10, 2006 10:50-11:20
Hands-on analysis of a compromised Linux machine
Dr. Wietse Z. Venema (IBM, US)
Students collect host-based information from a compromised Linux system and analyse it with the TCT (The Coroner's Toolkit, by Dan Farmer and Wietse Venema) and TASK (the @stake Sleuth Kit) forensic tools. The class ends with a brief introduction to Argus netflow analysis.
Students use their own laptops as telnet/ssh/ftp terminals; data is collected and analysed on a dedicated server.
October 12, 2006 08:30-12:00, October 12, 2006 13:30-17:00
Internet Security in Brazil: Studies and Initiatives
Marcelo H. P. C. Chaves (The Brazilian Internet Steering Committee)
October 9, 2006 13:50-14:30
Internet Storm Center: New Challenges
Pedro Bueno (SANS Institute, BR)
October 10, 2006 09:00-09:30
Keynote Speaker: An APWG Perspective on the Phishing Battle
Anti-Phishing Working Group (Patrick Cain)
Patrick Cain is a Research Fellow of the Anti-Phishing Working Group (APWG) and the President of The Cooper-Cain Group, Inc., a computer and Internet security consultancy. He has been associated with information security development and operations for over twenty years. He was previously the Security Advocate in the Office of the Chief Technology Officer at Genuity Inc., a large Internet Service Provider. He is a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), and an associate member of the American Bar Association.
Mr. Cain participated in the FSTC Counter-Phishing project, is a research member of the Anti-Phishing Working Group, and currently leads the effort in the IETF to standardize phishing and electronic crime reports. He is the co-chair of the IETF Operations Security Working Group and has participated in a US White House working group identifying and addressing the vulnerabilities of the Internet.
October 9, 2006 11:00-12:00
Keynote Speaker: Forensic Discovery
Dr. Wietse Z. Venema (IBM, US)
October 10, 2006 14:50-15:50
Keynote Speaker: Phishing Incident Reporting and Termination
Paul Laudanski (CastleCops, US)
October 10, 2006 16:50-17:40
Keynote Speaker: Stealth Malware - Can Good Guys Win?
Joanna Rutkowska (COSEINC, PL)
October 10, 2006 09:30-10:30
Malware Collection and Analysis in Argentina
Rodolfo Baader (Argentine Government)
October 11, 2006 09:50-10:20
Liliana Solha (FIRST.Org, BR), Nelson Simões (Brazilian Academic and Research Network, BR)
October 9, 2006 09:00-09:30
Panel: A Security Incident seen under Different Perspectives
Chris Gibson (GB), Jacomo Piccolini (ESR/RNP, BR), Omar Kaminski (CAIS/RNP, BR), Patrick Cain (Anti-Phishing Working Group, US), Paul Laudanski (CastleCops, US), Till Dörges (PRESECURE Consulting GmbH, DE)
October 9, 2006 16:00-18:00
PHP attacks and exploitation in Brazil
Ivo Carvalho Peixinho (Brazilian Academic and Research Network)
October 11, 2006 09:10-09:50
Security Challenges in Academic Networks
Francisco (Paco) Monserrat (RedIRIS), Guilherme Vênere (Brazilian Academic and Research Network)
October 9, 2006 15:00-15:40
Security Policies in LA: Which is the Focus of the Regional Strategies?
Erick Iriarte Ahon (LacTld, PE)
This presentation will discuss the WSIS and eLAC 2007 documents, as well as the various security-related documents that Latin American states signed in the last year, and the tendencies these agreements and commitments reveal. It will also analyse to what extent these agreements have been implemented inside those countries. Security policies are not generated only by the players directly involved in the matter, but also by a policy-design sphere that has no contact with the base. Nevertheless, mechanisms to coordinate both spheres are necessary, without losing sight of the fact that those policies belong to Information Society policy.
October 10, 2006 14:00-14:50
Martin Englund (Sun Microsystems, SE)
This class will give an overview of how to enable, configure and administer Solaris Audit (formerly known as BSM, the Basic Security Module). Auditing provides accountability for all user actions on a system, but it can also very quickly generate an enormous amount of data if configured incorrectly.
The second part of the class is a hands-on session in which participants search for anomalies in an audit trail. They will learn how to separate the actions taken by individual users on a multiuser system, in order to trace a single user.
Demo and hands-on; students will need a laptop with access to a Solaris system in order to run commands.
October 12, 2006 08:30-12:00, October 12, 2006 13:30-17:00
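Separating one user's actions on a shared Solaris host works because the audit ID is fixed at login and survives su, unlike the effective UID. As an added example that is not part of the class materials, the Python below parses praudit's comma-separated text output, groups records by audit ID, and pulls out the records where the effective user no longer matches the login identity. The trail is constructed in that layout (header and subject field order as documented for those tokens); the host, users, times and commands in it are invented, not a real audit trail.

```python
# Added example (not course material): parse praudit text output and attribute
# records to login identities via the audit ID in the subject token.

# Constructed trail in praudit's comma-separated layout; not a real audit trail.
SAMPLE_TRAIL = """\
header,93,2,login - local,,host1,2006-10-12 09:01:10.000 -03:00
subject,alice,alice,staff,alice,staff,1201,1201,0 0 host1
return,success,0
header,88,2,su,,host1,2006-10-12 09:05:42.000 -03:00
subject,alice,alice,staff,alice,staff,1230,1201,0 0 host1
return,success,0
header,140,2,execve(2),,host1,2006-10-12 09:06:03.000 -03:00
path,/usr/bin/vi
exec_args,2,vi,/etc/shadow
subject,alice,root,root,root,root,1240,1201,0 0 host1
return,success,0
header,120,2,execve(2),,host1,2006-10-12 09:15:00.000 -03:00
path,/usr/bin/cat
exec_args,2,cat,/home/bob/notes
subject,bob,bob,staff,bob,staff,1300,1300,0 0 host1
return,success,0
header,88,2,su,,host1,2006-10-12 09:20:30.000 -03:00
subject,bob,bob,staff,bob,staff,1310,1300,0 0 host1
return,failure: Permission denied,-1
"""

def parse_praudit(text):
    """Split praudit text output into records at each header token.

    Header field order: header,byte-count,version,event,modifier,host,time.
    Subject field order: subject,audit-ID,euid,egid,ruid,rgid,pid,session-ID,terminal-ID.
    """
    records, cur = [], None
    for line in text.splitlines():
        fields = line.split(",")
        tok = fields[0]
        if tok == "header":
            cur = {"event": fields[3], "host": fields[5], "time": fields[6],
                   "path": None, "args": [], "audit_id": None, "euid": None,
                   "ruid": None, "pid": None, "sid": None, "status": None}
            records.append(cur)
        elif cur is None:
            continue                            # tokens before the first header are skipped
        elif tok == "path":
            cur["path"] = fields[1]
        elif tok == "exec_args":
            cur["args"] = fields[2:]            # fields[1] is the argument count
        elif tok == "subject":
            cur.update(audit_id=fields[1], euid=fields[2], ruid=fields[4],
                       pid=int(fields[6]), sid=int(fields[7]))
        elif tok == "return":
            cur["status"] = fields[1]
    return records

def records_for_user(records, audit_user):
    """Everything attributable to one login identity, whatever euid it ran under."""
    return [r for r in records if r["audit_id"] == audit_user]

def privilege_changes(records):
    """Records whose effective user differs from the audit ID: actions after a successful su."""
    return [r for r in records if r["audit_id"] is not None and r["euid"] != r["audit_id"]]

def failed_events(records, event):
    """Records of one event type whose return token is anything other than success."""
    return [r for r in records if r["event"] == event and r["status"] != "success"]

def analyze_sample():
    recs = parse_praudit(SAMPLE_TRAIL)
    return {
        "alice": records_for_user(recs, "alice"),
        "bob": records_for_user(recs, "bob"),
        "privileged": privilege_changes(recs),
        "failed_su": failed_events(recs, "su"),
    }
```

On a real host, pipe the output of praudit on a trail file into parse_praudit(sys.stdin.read()); on a busy multiuser system preselect with auditreduce -u for the user of interest before praudit, since the full trail is precisely the volume problem the class warns about. The edit of /etc/shadow shows up under alice even though it ran as root, which is the attribution the effective UID alone would lose.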
Subverting Vista Kernel for Fun and Profit (Invited Speaker)
Tomohiko Yamakawa (NTT DATA, JP)
The presentation will first show how to generically (i.e. not relying on any implementation bug) insert arbitrary code into the latest Vista RC1 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy of allowing only digitally signed code to be loaded into the kernel. The presented attack does not require a system reboot.
Next, a new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill uses the latest virtualization technology from AMD, Pacifica, to achieve unprecedented stealth.
The ultimate goal is to demonstrate that it is possible (or soon will be) to create undetectable malware which is not based on a concept but, similarly to modern cryptography, on the strength of the 'algorithm'.
October 11, 2006 11:50-13:00
Luiz Eduardo dos Santos (Aruba Networks, US)
October 10, 2006 12:00-12:40
Various FIRST Members
October 11, 2006 15:00-16:30