Art Manion (US)
The Common Vulnerability Scoring System (CVSS) is designed to provide open and universally standard severity ratings for vulnerabilities. CVSS seeks to help organizations reduce effort and confusion in prioritizing responses to vulnerabilities. The FIRST CVSS Special Interest Group hosts CVSS and interested members are invited to participate to provide feedback and contribute to further development:
Chih-Yao Lin (TW)
In this paper, a distributed intrusion alert system based on Honeypot technology is proposed. It is used to monitor unexpected actions appearing in different organizations. The motivation of this project comes from the difficulty of detecting malicious activities without further assistance. The main advantage of this system is that it can monitor many IP addresses in different organizations at the same time to find unexpected actions. This system is named DIAS and has two parts. One of them consists of a number of Intrusion Alert Systems (IASs). Each Intrusion Alert System (IAS) is connected to the intranet of an organization to detect unexpected actions. The other part is the Alerts Analyzing System (AAS), which is used for data collection and analysis. In this paper we discuss not only the system model but also the implementation of this system. The practical experiment shows the benefit of this system. Future work to improve this system is also discussed in this paper.
MD5: 4871f3264290cdbf18682e23101fd6f3
Format: application/pdf
Last Update: June 7th, 2024
Size: 167.79 Kb
Cristine Hoepers (CERT.br - Brazilian Internet Steering Committee, BR)
We present here the work developed by NBSO/Brazilian CERT, in the "Brazilian Honeypots Alliance -- Distributed Honeypots Project", to centralize the data gathered in several honeypots and to process this data to be used for early warning and incident response. We briefly describe how the honeypots are deployed and how the data is centralized, then focus on how the data is being used by NBSO to generate statistics and to notify networks potentially compromised or infected.
MD5: ca9d7676f11880d22f548ef4ed344f5b
Format: application/pdf
Last Update: June 7th, 2024
Size: 525.34 Kb
Sebastián García, CITEFA
On March 10th, 2005, a Romanian intruder got access to an Army Force's server of the Argentinian Government. We allowed him to do that.
Later, others would join. For a six-month period we studied, tested, provoked and analyzed them, and of course we learned a lot from them.
We learned how to classify and identify them as a result of their interaction with our systems. In this presentation, the investigative techniques, cases, motivations, the tools they used and the ones we had to develop, the frustrations, the methodology, the results and the actions these miscreants perform in real life will be shown.
MD5: 409bb98963b5bc6d2839ce71979bb01f
Format: application/pdf
Last Update: June 7th, 2024
Size: 665.24 Kb
Kevin Houle (CERT Coordination Center, US)
In order to understand the nature of the evolving threats in Internet security, it is important to understand the tools used to execute attacks. Malicious code developed and deployed on the Internet continues to evolve to enable more organized and sophisticated attacks. Defending systems and networks today now extends beyond just leveraging technology into a need to understand attacker capability. Artifact analysis is the study of Internet attack tools and malicious code. This tutorial will examine
This tutorial is at an introductory technical level aimed at an audience who is recently engaged in artifact analysis, is considering an artifact analysis capability, or wants to gain insight into artifact analysis as a capability.
MD5: b84c422cffaa1b4ebdc0a9861a40ccd2
Format: application/pdf
Last Update: June 7th, 2024
Size: 912.75 Kb
Abe Singer (San Diego Supercomputer Center, US)
This tutorial will describe how to build an infrastructure to collect, preserve, and extract useful information from computer operating system and application logs -- ultimately to help the system and security administrator get more useful information out of logs.
The focus will be primarily on UNIX syslog, with some discussion of Windows logging and other sources of log data. Logfiles hold a wealth of information, from resource utilization diagnostics to problems with hardware and software, security problems, and forensic traces of intrusions. Examples are heavily weighted toward security issues, but provide some examples of resource and diagnostic monitoring. Many real-world examples from logs are included throughout the presentation.
The presentation includes: configuring basic logging; configuring services to improve the quality of information logged; tools to generate useful log information; centralized logging architectures; building a central loghost; archiving and preserving log data; the syslog protocol and syslogd configuration; log parsing and analysis; attack examples; the Windows Event log, and forwarding the event log to syslog.
MD5: 68689977cffb519486e28683a3d936bd
Format: application/pdf
Last Update: June 7th, 2024
Size: 350.92 Kb
Dario Ciccarone, Cisco PSIRT
This presentation talks about the internal and external groups the PSIRT team works with, the relationship with external researchers, the internal process to fix software, the internal advisory process, and the factors driving the timing of public disclosure.
MD5: db82df4581aed7a55325c2eb0c73a865
Format: application/pdf
Last Update: June 7th, 2024
Size: 239.9 Kb
Marco Thorbrügge (ENISA, DE)
This class will first go over CVSS basics, then have the participants score some test vulnerabilities themselves. We will then go over the results and attempt to identify any discrepancies. Format: students use their own laptops to run a .xls file to score vulnerabilities.
Buenos Aires, AR
October 6, 2005 09:20-10:40, October 6, 2005 11:00-12:30, October 6, 2005 14:20-15:40, October 6, 2005 16:00-17:30
Hosted by ArCert
MD5: 7df22aec593f49008375a5e7051236c4
Format: application/pdf
Last Update: June 7th, 2024
Size: 201.33 Kb
Raemarie J. Schmidt (Digital Intelligence, Inc., US)
Corporations have response plans that identify steps to be taken when a security incident is suspected or identified. Historically these incident response plans have included methods to identify the cause of the security breach, perform remedial activities to eliminate the vulnerability and return the affected systems to normal service as soon as possible. Computer Forensics, traditionally a tool used by law enforcement to investigate crimes, is frequently being included as part of a security incident response plan. This presentation will discuss the types of information that can be recovered when a duplicate image (forensic copy) of the affected systems is created and subjected to forensic examination, potential uses of computer forensics in a corporation, hardware and software designed to assist the examiner, and considerations for determining whether to perform the examination in-house or outsource it to a third party.
raemarie-j.-schmidt-slides-1.pdf
MD5: 161d05fc9006cecc96f20d4dc59f2794
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.53 Mb
Audrey Dorofee (Carnegie Mellon University, US), David Mundie (CERT Program), Robin Ruefle (Carnegie Mellon University, US)
This tutorial is designed to provide an overview of the issues involved in creating and operating an effective computer security incident response team (CSIRT). It will also provide an introductory view of CSIRTs to anyone new to the field who is interested in what a CSIRT is and what type of activities a CSIRT performs. Basic topics covered will include: the purpose and structure of CSIRTs, key steps in designing and implementing a CSIRT, an overview of CSIRT services, and a discussion of best practice incident handling processes.
MD5: 8cb98e7f9e43ca4aff6cd0e36284de13
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.57 Mb
Marie-Dominique Bonardi (FR)
Part one: Understand the Press Tricks & Techniques, Principles and fundamentals of media work, Interview techniques. Part two: Develop efficient responses to the media in a crisis situation, Develop the right message according to the press you address, Win the press over to your point of view. Case Study - Security Incident Response Communications
marie-dominique-bonardi-slides-1.pdf
MD5: d88587a1d492ad8dac7983b090745a60
Format: application/pdf
Last Update: June 7th, 2024
Size: 541.33 Kb
Dr. Bernd Grobauer (DE)
During the last few years, a clear trend towards standardized names and exchange formats could be observed in the world of IT security. For example: (1) Vulnerability Information: CVE allows easy cross-referencing of vulnerabilities, while the EISPP/DAF format allows exchange of security-advisory information; (2) Incident Information: The IODEF format is used for exchanging incident information between CERTs; (3) Vulnerability Checks and Remediation: OVAL is a standardization effort regarding executable descriptions of vulnerability checks; (4) Malware Information: Recently, the US-CERT announced an initiative to introduce CME, a Common Malware Enumeration.
A problem that has not been tackled so far is the standardization of system information. Similarly to CVE, system information is orthogonal to other information exchange formats: Which systems are affected by the vulnerability described in an advisory? What kind of system was involved in a security incident? For which kind of system is a vulnerability check? As CVE did, a common naming scheme for (machine-readable) system information would increase the potential of standards for information exchange: automated handling based on system information, e.g., for statistical purposes, correlation and filtering, becomes possible. Can a common naming scheme for system information be established? This article describes the approach taken by a group of German CERTs towards a common model of system informa
dr.-bernd-grobauer-paper-1.pdf
MD5: ec7c598dbf70a1007ed4e3280e8178e2
Format: application/pdf
Last Update: June 7th, 2024
Size: 171.93 Kb
dr.-bernd-grobauer-slides-1.pdf
MD5: e3bf7b7c7603b1076bad930b47e41464
Format: application/pdf
Last Update: June 7th, 2024
Size: 647.89 Kb
Various
Digital Crimes: under the perspective of a lawyer, a public prosecutor, the police, and a CSIRT representative.
MD5: f2a51b5209c591c6c6a8569e326d81f3
Format: application/pdf
Last Update: June 7th, 2024
Size: 84.62 Kb
MD5: 2cc8b0b096a287fa07d3e39066a424c8
Format: application/pdf
Last Update: June 7th, 2024
Size: 327.41 Kb
MD5: 1861dc7b909b1e894f488b8048ddf34e
Format: application/pdf
Last Update: June 7th, 2024
Size: 128.19 Kb
Johannes Wiik (Agder University, NO), Klaus-Peter Kossakowski (DFN-CERT Services GmbH, DE)
In a continuously changing environment, a Computer Security Incident Response Team (CSIRT) has to evolve to sustain or improve its effectiveness. The main task of a CSIRT is to mitigate the effects of computer security incidents. A frequently identified problem is that CSIRTs are over-worked, under-staffed and under-funded. We present a conceptual model of such conditions based on a case study. The model is a first attempt to understand the main factors influencing a CSIRT's effectiveness, and to improve its performance. Based on theory from process improvement and information from the case study, we identified that short-term pressure from a growing incident workload prevents attempts to develop more response capability in the long term, leading the CSIRT into a "capability trap". Fundamental solutions will typically involve a worse-before-better trade-off for management. In the short term the CSIRT will lower its response capability while new capability is developed. In the long term the CSIRT will get an automated response capability independent from limited human resources. Hence, it can automatically scale to future increases in workload.
MD5: 7d4fe17cc13c82f9a7c2b77a1f43f011
Format: application/pdf
Last Update: June 7th, 2024
Size: 981.56 Kb
Don Stikvoort (NL), Gorazd Bozic (TF-CSIRT chair, SI)
Gorazd Bozic (SI-CERT) and Don Stikvoort (S-CURE) will give a short update on European CSIRT (related) initiatives, especially on TF-CSIRT, ENISA, Trusted Introducer and E-COAT.
MD5: 81e495fce105d533965b8492776c59cb
Format: application/pdf
Last Update: June 7th, 2024
Size: 68.75 Kb
Klaus-Peter Kossakowski (DFN-CERT Services GmbH, DE)
It is definitely time for early warning information systems (EWIS). Each of us working on or being responsible for a security team, incident response team or security management is asked for it by our superiors. With the rise of new threats that minimize the time between the discovery of some knowledge and its application in large-scale attacks from months/weeks to days/hours/minutes, it is no longer possible to take a reactive approach. But the desires we are confronted with are too demanding. Instead of asking for what can reasonably be done, superiors ask for something nobody can do: "Predict the future!"
Therefore the presentation will carefully analyze what can be done immediately and what value can be realized right now by putting pieces already in existence together and removing the limitations established by an attitude of not sharing important information.
As the title implies, it is possible to build such a system in 80 days. By no means will this system solve all problems, but it will immediately provide a value-added service not available today and will allow further work to build upon it and integrate methods and algorithms that are not readily available yet.
klaus-peter-kossakowski-slides-2.pdf
MD5: 0d1cae65c654d0998a3931aaba8b2735
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.07 Mb
Larry Yang Liu (CNCERT/CC, CN)
Phishing attacks use 'spoofed' e-mails and fake websites designed to bamboozle recipients into revealing confidential information with economic value such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of famous banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them. Some phishing attacks also combine with worms, viruses or keyloggers. Worldwide financial and network security organizations have started to consider it a serious scam and fraud. Since the first closing down of a phishing site in China, reported by AusCERT in Nov. 2003, CNCERT/CC has never stopped fighting against phishing sites.
First of all, this paper will state the phishing concept and the different situations which victims and relevant people should be aware of, such as financial organization victims, stolen account owners, intruded host owners, and CERTs. Meanwhile, the paper will demonstrate how CNCERT/CC coordinates with ISPs, host owners and victims to deal with the phishing sites. As phishing compromises quite a lot of people, organizations and communities, anti-phishing should be regarded as everyone's responsibility. Not only foreign banks but also Chinese domestic banks are confronted with the challenges from phishing attacks, so how promptly a phishing site can be detected and closed down depends on how well the relevant parties can cooperate.
The characteristic of CNCERT/CC
MD5: b8bc5cf94b0491427b9f080108c7dbf5
Format: application/vnd.ms-powerpoint
Last Update: June 7th, 2024
Size: 890 Kb
Klaus-Peter Kossakowski (DFN-CERT Services GmbH, DE)
Prof. Dr. Klaus-Peter Kossakowski has worked in the security field for more than 30 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg where he focused on malicious network programs. In January 1993 when DFN-CERT became the first German CERT for an open network he started to work there and became managing director of it in 2003. He also founded PRESECURE Consulting GmbH, a privately-owned company specialized in cyber security, critical information infrastructure protection, situational awareness, early warning and developing specialized services like CERTs or SOCs. He successfully led the team from a research effort to a functional and well-respected operational entity. He was a visiting professor at the University of Hamburg from 2008 to 2011 and became a full professor at the University of Applied Science in Hamburg in 2014.
Since 1998 he has been continuously providing feedback on research topics, operational experiences and lessons learned to the community. This started with the "CSIRT Handbook" in 1998, republished in 2003, that he co-authored with Moira West-Brown and Don Stikvoort. His research work was mostly supported by the CERT Coordination Center at the CMU/SEI, for which he worked as visiting scientist from 1998 to 2011.
He was elected as a member of the FIRST Steering Committee in 1997 and was on the committee until 2005, being re-elected three times and serving the last two years as Chair of the FIRST Steering Committee. Frequently he has been involved with FIRST Conferences as volunteer, organizer and presenter or served on the program committee. In 2015 he represented the local host of the FIRST Conference in Berlin; in 2017 he was the Program Chair for the FIRST Conference in Puerto Rico.
Together with Don Stikvoort he developed the accreditation and certification frameworks for CERTs and security teams, including the now commonly accepted SIM3 maturity model adopted by ENISA and now maintained by the openCSIRT Foundation. Since 2011 he has coordinated the Trusted Introducer framework, providing infrastructure services, accreditation and certifications to nearly 400 security, product security and incident response teams internationally. Through the Trusted Introducer service and the support of his university he promotes and supports approaches like SIM3 or emerging frameworks or taxonomies for CERTs, most notably the "FIRST CSIRT Services Framework" and the "eCSIRT Incident Taxonomy", which goes back to the eCSIRT.net project of 2003 successfully led by him.
Prof. Dr. Kossakowski helped considerably to raise the awareness for CERTs concentrating on international issues, information sharing and coordinated cooperation, and establishing an international infrastructure for Cyber Defense.
dr.-klaus-peter-kossakowski-slides-1.pdf
MD5: 3643d917b1fdc6101baad6a4cb64140b
Format: application/pdf
Last Update: June 7th, 2024
Size: 94.23 Kb
FIRST Board Member
FIRST (the Forum of Incident Response and Security Teams) was formed in response to one of the original incidents to affect the Internet in 1989, a year after the original CERT was formed. FIRST was formed to enable response teams to liaise with each other, form trusted relationships, exchange tools and information and assist each other in responding to incidents.
Membership of FIRST allows teams to join a global group specifically set up to improve the state of the Internet. Why should you join? What benefits would it bring you and your organization?
MD5: 97089874de2c339611b30a79d8394793
Format: application/pdf
Last Update: June 7th, 2024
Size: 146.02 Kb
Wietse Venema, FIRST Liaison Member
Wietse presents lessons learned about the persistence of information in file systems and in the main memory of modern computers: how long information persists and why. The results are based on measurements of a variety of UNIX and Linux systems, with some results for Windows/XP, including how to recover encrypted files without knowing the key.
MD5: ff7e911451104a72caec18c5122de0f7
Format: application/pdf
Last Update: June 7th, 2024
Size: 426.22 Kb
Marcelo H P C Chaves, CERT.br
Brazil has seen a huge increase in incidents related to fraud and phishing scams, especially schemes based on the use of trojan horses. In this presentation CERT.br will discuss how we are responding to these issues in Brazil, including technical analysis and coordination with AV vendors and the financial sector.
MD5: 634e05580fa273de8a48df56610f8513
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.99 Mb
Steve Lipner (Microsoft Corporation, US)
Microsoft has developed an integrated approach to security that spans the software life cycle from development through deployment. The Security Development Lifecycle (SDL) adds a series of steps and deliverables to the development process that are intended to prevent the introduction of vulnerabilities, and to detect and remove vulnerabilities where necessary. Microsoft’s security response process and the Microsoft Security Response Center (MSRC) complement the SDL by acting to protect customers when remaining vulnerabilities are discovered in the field. The response process encompasses both the orderly production and release of software updates and an emergency response process that acts rapidly when vulnerabilities are exploited or when customers’ systems may be at risk. The feedback loop from the response process to the SDL provides a vehicle for updating development processes as new classes of security vulnerabilities are discovered. This presentation will discuss Microsoft’s SDL, the MSRC, the emergency response process, and their interactions aimed at improving software security and protecting customers.
MD5: a749ebab4da3e68d1b079bf51877a092
Format: application/vnd.ms-powerpoint
Last Update: June 7th, 2024
Size: 4.44 Mb
James J. Barlow, NCSA-IRST
This presentation covers some real-life cases of using honeypots for investigating security incidents.
MD5: 6aa8c305deaac14db9886d9666625513
Format: application/pdf
Last Update: June 7th, 2024
Size: 36.54 Kb
Fernando Gont, UTN (Invited)
The ICMP protocol is a fundamental part of the TCP/IP protocol suite, and is used mainly for reporting network error conditions. However, the current IETF specifications do not recommend any kind of security checks on the received ICMP error messages, thus leaving the door open to a variety of attacks. ICMP can be used to perform a number of attacks against the TCP protocol, which include blind connection-reset, blind throughput-reduction, and blind performance degrading attacks.
Fernando will introduce the attacks that can be performed against TCP by means of ICMP, and will discuss the possible counter-measures against them. Of particular interest will be a discussion of a counter-measure for the blind performance-degrading attack, and a discussion of advanced packet filtering policies that could be used to mitigate the impact of these attacks. Furthermore, Fernando will also discuss why existing security mechanisms do not help to protect TCP from these ICMP-based attacks.
Last, but not least, Fernando will discuss the disclosure process of these security vulnerabilities, and the ongoing work at IETF on these issues.
MD5: d32246277ee991a5eec9e34f5f8b8a82
Format: application/pdf
Last Update: June 7th, 2024
Size: 880.37 Kb
Kitti Wongthavarawat (ThaiCERT, NECTEC, TH)
In this paper we overview the security features in IEEE 802.16 Broadband Wireless Access or WiMAX. We introduce the security model consisting of the required security functionality to protect the networks against common threats. Based on the security model, we examine IEEE 802.16 security to see how well it protects the network and possible vulnerabilities. We also discuss some solutions proposed in IEEE 802.16 Working Group.
kitti-wongthavarawat-slides-1.pdf
MD5: 9c9c19215140f8cc8f0ccb47264f4f49
Format: application/pdf
Last Update: June 7th, 2024
Size: 165.91 Kb
Marcelo H P C Chaves, CERT.br
This presentation will show Incident Response Initiatives in Brazil, especially the Early Warning Capability Based on a Network of Distributed Honeypots.
MD5: 59b8fd42651f8d629c70de98675c2356
Format: application/pdf
Last Update: June 7th, 2024
Size: 899.14 Kb
Latin American CSIRTs
Incident Response Activities in Latin America. Experiences from Argentina, Brazil, Mexico and Spain.
MD5: 93deb08ff41527bc7adb5b5e751c19d4
Format: application/pdf
Last Update: June 7th, 2024
Size: 129.97 Kb
MD5: 7add861066b345051de3edb908e35c22
Format: application/pdf
Last Update: June 7th, 2024
Size: 108.08 Kb
MD5: cc7c4b61a999423085dbc51c4129190f
Format: application/pdf
Last Update: June 7th, 2024
Size: 385 Kb
Iván Arce, Core Security Technologies
A review of current attack tools, methods, and trends as viewed by Ivan Arce, Core Security Technologies CTO and author of IEEE Security & Privacy Magazine Attack Trends column will be presented.
MD5: 72e1ed030afb99a7d49ff7d459f53072
Format: application/pdf
Last Update: June 7th, 2024
Size: 247.46 Kb
UNAM-CERT, IRIS-CERT
The two major academic computer security related organizations from Mexico and Spain, UNAM through UNAM-CERT and the public company Red.es through the RedIRIS security group, organized the forensic challenge V2.0, motivating system forensics development in Latin America. 960 incident handlers dissected an image of a compromised Linux system and their reports were evaluated by specialists from Mexico, Spain and Brazil last spring.
In this presentation we will discuss our experiences and lessons learned from this work, and what tools are being used by the community in Latin America for this Forensic Challenge.
monserrat-francisco-slides-3.pdf
MD5: e00742a5779d5070e0c13026be006688
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.11 Mb
Laurent Butti (France Télécom R&D, FR)
The paper describes a design-from-scratch of a fully-featured wireless IDS. It will pinpoint all technical constraints and choices during the implementation, and will provide the reader with a precise snapshot of the mandatory features of a wireless IDS. After the theoretical part, a case study will be presented: how to deal with illegitimate access points in corporate environments?
MD5: 11ef085b3c06d0e34559c4bc559c2638
Format: application/vnd.ms-powerpoint
Last Update: June 7th, 2024
Size: 4.31 Mb
Yao Chuan Han
MD5: babdfd11a2be4f9456f9c4182cff89b9
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.03 Mb
Chandan B.N (Sun Microsystems, US)
The most significant developments from a security perspective in Solaris 10 are improved hardening and minimization, application of the principle of least privilege, the introduction of zones and a new cryptographic framework. Apart from these there are a number of minor additions and enhancements that help in improving the OS security. This paper illustrates how the new security features and improvements in the latest release of the Solaris Operating Environment can help defend system integrity and enable secure computation with ease of deployment and manageability. There is also an introduction to DTrace, which is a powerful infrastructure to observe the behaviour of the system.
MD5: 1b44d07fb507930506eca421e7144722
Format: application/pdf
Last Update: June 7th, 2024
Size: 156.83 Kb
Florian Weimer (DE)
Passive DNS replication is a new technology for gathering data from the public DNS system and archiving it in a database. This database supports a broader set of queries than the public domain name system, and it also stores historical data for later reference.
The presentation shows that the query types the public DNS offers are insufficient for some applications, provides a rough overview of the architecture of a passive DNS replication implementation called "dnslogger", and documents real-world use cases.
The intended audience are network operators and CSIRT members who focus on network-wide mitigation. The presentation includes a brief introduction to the relevant technical aspects of DNS, so detailed knowledge in this area is not strictly necessary.
MD5: a3ca34874e60a344f00128b11e8efc8e
Format: application/pdf
Last Update: June 7th, 2024
Size: 73.91 Kb
MD5: bd32ac252527671bd43ef87a6c8c3671
Format: application/pdf
Last Update: June 7th, 2024
Size: 68.08 Kb
Bill Cheswick (Lumeta Corp, US)
Most Internet users rely on perimeter protection as part of their Internet defenses. How well are these working, and what lies behind perimeter defenses? Telephone networks have their intelligence in the center of the net, and internets at the edge. The talk will describe technologies that help scope out the extent of intranets, and find perimeter breaks.
MD5: f9bf338d3315dfb1591557f9f72ea5ae
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.42 Mb
MD5: 9cc97d6860eecd8da66d5b2575f2c843
Format: application/vnd.ms-powerpoint
Last Update: June 7th, 2024
Size: 11.89 Mb
Masato Terada (IPA, JP), Norihisa Doi (Graduate School of Science and Engineering, Chuo University.), Shingo Takada (Graduate School of Science and Technology, Keio University.)
Code analysis and simulation of network worm infection are useful methods to evaluate how it spreads and its effects. But a bug in the infection algorithm, or the way a random number generator is implemented, etc., affects the retrieval behavior of network worm infection. It is important to evaluate the retrieval behavior of network worm infection in an experimental environment to complement code analysis. This paper describes a prototype of an experimental environment for network worm infection and actual data about network worm infection. The purpose of the experimental environment is to investigate retrieval behavior and infection mechanisms in network worm behavior. For example, there is a mapping of retrieved IP addresses and a ratio of IP addresses retrieved and port numbers used by network worms. We also implemented a prototype system to show the validity of our approach.
MD5: 3825329c649459c5b06ddde6efb0dd6f
Format: application/pdf
Last Update: June 7th, 2024
Size: 626.15 Kb
MD5: 1d8038040a9d58eb5bbdbe346626ab68
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.37 Mb
Jason Milletary
This presentation will provide an overview of the capabilities that CERT/CC has observed being implemented within malicious code designed to steal sensitive user information for online banking, commerce, and payment system sites.
MD5: bb26363796fcf9fb25586ba8c50d0f3e
Format: application/pdf
Last Update: June 7th, 2024
Size: 586.41 Kb
Francisco Jesús Monserrat Coll, IRIS-CERT
There is a false belief among some people that IPv6 will be more "secure" than IPv4, mainly because of the inclusion of IPSec. This presentation shows that some of these ideas are not real and that it would be very easy to convert the current exploits (that propagate using IPv4) to use IPv6.
monserrat-francisco-slides.pdf
MD5: 1357af57c144eef3b76c2b8a4ca286ff
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.35 Mb
Various FIRST Members
Regional Initiatives in Asia-Pacific, Europe, and Latin American Academic Networks.
MD5: 5976bb7e26603afd08a6485c961d8427
Format: application/pdf
Last Update: June 7th, 2024
Size: 159.97 Kb
monserrat-francisco-slides-2.pdf
MD5: 771763bc098d1b45cd6a7a8c96d7c50d
Format: application/pdf
Last Update: June 7th, 2024
Size: 323.97 Kb
MD5: 62c3f15e7f912e3b08ec15385ca3c68f
Format: application/pdf
Last Update: June 7th, 2024
Size: 162.87 Kb
MD5: 73955f03a271694d0e67d1a3df370edd
Format: application/pdf
Last Update: June 7th, 2024
Size: 258.96 Kb
Rakesh Bharania, Catherine B. Nelson (Cisco Systems, US)
Security architecture teams are being called upon to provide expert security assistance to their clients at ever increasing rates. How can a security team manage resources and ensure that those resources are being applied to mitigate the most significant security risks to the enterprise?
This paper discusses the need for risk triage and prototyping, how existing risk models do not meet those needs, the development of the Rapid Risk model, and its success at improving information security at Cisco.
MD5: aa9392e5c3de61764527f08effa09fe0
Format: application/pdf
Last Update: June 7th, 2024
Size: 141.92 Kb
MD5: 99ffbef95a091ffcc2272e0e36a6f1f5
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.59 Mb
Matthew Braid (AU), Robert Lowe (AusCERT, AU)
This paper examines a problem - the publication of large volumes of security bulletins via various media (such as web and email). It then goes on to discuss the requirements of a tool which may be used to automate much of this manual work. Finally, the development, current features and future enhancement of the tool (EzESB) used by AusCERT for this purpose, will be discussed.
The objective of this paper is to give other members of FIRST insight into the development and use of this tool and more details about how AusCERT publishes bulletins. Other FIRST members may be offering similar services or may have a future requirement for such a service. We hope that this paper will stimulate discussion between teams with an interest in the publication of security bulletins.
The paper does not go into any real technical depth. Anyone who disseminates (a large number of) security bulletins would probably be interested in this paper. Analysts and software engineers developing tools for the publication of security advisories may find AusCERT's solution to this particular problem interesting. Managers directly involved in the work flow of such teams or team members may also find this paper of interest.
Introduction
AusCERT (the Australian Computer Emergency Response Team, Australia's National CERT) is funded primarily by member subscriptions. Members vary in size and include commercial, government and educational organisations. Accurate and timely notification of security th
MD5: 1de43ae89443307b8e08cb698bd8ae6f
Format: application/pdf
Last Update: June 7th, 2024
Size: 408.01 Kb
MD5: 540312f65c9ac3ba13a6a489ab318095
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.18 Mb
Tim Mather (Symantec, US)
Tim Mather is Symantec's Chief Information Security Officer (CISO), and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Manager (CISM). As CISO, he is responsible for development of all information systems security policies, oversight of implementation of all security-related policies and procedures, and all information systems audit-related activities. He also works closely with internal products groups on security capabilities in Symantec products. Prior to joining Symantec in September 1999, Mr. Mather was the Manager of Security at VeriSign. Additionally, he was formerly Manager of Information Systems Security at Apple Computer. Mr. Mather’s experience also includes seven years in Washington, D.C. working on secure communications for a classified, national-level command, control, communications, and intelligence (C3I) project, which involved both civilian and military departments and agencies.
Mr. Mather holds Master's Degrees in National Security Studies from Georgetown University and International Policy Studies from the Monterey Institute of International Studies. He holds a Bachelor's Degree in Political Economics from the University of California at Berkeley.
MD5: 84f5f943c56316f7b2b40e2f65ed9399
Format: application/pdf
Last Update: June 7th, 2024
Size: 813 Kb
Patrick Cain (The Cooper-Cain Group, Inc, US)
As the conference theme is to "Join the Global Network", this talk addresses sharing incident data for the betterment of all net citizens. It starts with an introduction to information sharing and some common definitions, then meanders through the history of information sharing, identifying discovered problems and attempted solutions. The talk concludes with an overview of the Anti-Phishing Working Group's (APWG) phishing and phraud activity sharing initiative and some perspective on why this attempt will be successful.
MD5: 77f81ddc1465da2108db51f4e63900e8
Format: application/vnd.ms-powerpoint
Last Update: June 7th, 2024
Size: 393 Kb
Thomas Klingmueller (CERT-Bund, Federal Office for Information Security, DE)
Framework for CERTs
With the project SIRIOS, CERT-Bund developed an open source framework for the tools and workflows in use within CERT-Bund. This gives CERT-Bund the ability to implement its internal workflows in the framework so that they can be edited, logged and optimised. The system and its databases can be implemented as a classic client/server architecture in a closed environment (Intranet). Alternatively, it can be set up as a decentralised open framework with distributed databases and systems working together. With SIRIOS, exchanging incident or vulnerability information between CERTs is no longer a problem: SIRIOS internal data structures were derived from internationally acknowledged data formats such as IODEF for incident information and EISPP/DAF for advisory/vulnerability information. As a result, the formats for exporting these objects are well defined and can be used by any CERT regardless of whether it uses SIRIOS.
The system was developed whilst CERT-Bund was still being set up. In early 2002, when CERT-Bund became operational, a trouble ticket system to structure and log CERT-Bund's workflows was missing. An analysis of tools and workflows in other CERT environments revealed that many CERTs used tools developed on their own. Such toolboxes consisted of Office components for writing advisories and several task-specific tools. As a consequence of missing standards for CERT-specific information and of tools that implemented these standards, information sharing was re
thomas-klingmueller-paper-1.pdf
MD5: fe270f106116dc09bdbdd676efccde55
Format: application/pdf
Last Update: June 7th, 2024
Size: 168.61 Kb
thomas-klingmueller-slides-1.pdf
MD5: be6ffd9d18c048663b33c5954e56caff
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.09 Mb
Adam D'Amico
In order for security efforts to be effective in the contemporary threat environment, network professionals who have some responsibility for operational security or incident response in an organization will need actionable knowledge regarding network activity. This paper describes a strategic model for implementation of appropriate technologies, policies and procedures in pursuit of that goal. The content is not meant to be an exhaustive methodology, but rather one possible paradigm based on lessons learned in several distinct categories of organizations over the past decade. The approach will be most relevant to those in positions of management, but will also present information useful to anyone wishing to better understand the issues that surround network monitoring and security.
MD5: f07bd38e63738868bf98534bc6292ea6
Format: application/pdf
Last Update: June 7th, 2024
Size: 96.42 Kb
Juan Carlos Guel, David Gimenez, UNAM-CERT
Last spring UNAM-CERT presented, within the Computer Security Congress 2005 in Mexico, a study of 25 financial organizations, assessing Internet Banking computer security threats and incident handler-based reports on phishing, scam, pharming, etc.
This study discusses the need to establish communication and coordination channels in order to reduce the threats faced by Internet Banking and to anticipate new kinds of cyber-crime. Finally, we will present a work in progress between UNAM-CERT and Mexican financial institutions.
MD5: 1f0c984ad3ce6bef44a6b3eea9fe74c3
Format: application/pdf
Last Update: June 7th, 2024
Size: 206.18 Kb
Hart Rossman (SAIC, US), Scott C. Kennedy (SAIC, US)
TeamDefend addresses the weakest computer network link in that Infrastructure: The Network Defense Team. Using an on-site, real-time training system, our TeamDefend tutorial prepares and evaluates a FIRST member team’s ability to recognize and effectively deal with the cyber threat. Using the on-site, real-time training system, we are using TeamDefend during the 17th Annual FIRST Conference (2005) as a compelling addition to the tutorial track. We will provide a venue, which will prepare and evaluate a FIRST member team’s ability to recognize and effectively deal with the cyber threat. Further, we will be adapting the tutorials to highlight inter-team coordination. The focus will be to allow FIRST member teams to literally “train as they fight” going beyond traditional information collaboration & dissemination during an incident to exhibiting through the hands-on environment of TeamDefend how teams can work together at a technical level to resolve threats in real-time and receive feedback based on the Neutral Team and the automated scoring mechanisms. TeamDefend will raise your Team’s level of proficiency in a measurable way.
scott-c.-kennedy--hart-rossman-paper-1.pdf
MD5: bb5a3d408805fc33ed65b875958033bd
Format: application/pdf
Last Update: June 7th, 2024
Size: 432.39 Kb
scott-c.-kennedy--hart-rossman-slides-1.pdf
MD5: 777940032b0c845138b8496bcd61c1c7
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.23 Mb
Thomas Daemen (Microsoft, BE)
There is no dispute that international efforts to improve network security are both warranted and necessary. Indeed, virtually the entire 17th Annual FIRST Conference is dedicated to exploring global responses to the global phenomenon of cybercrime. What is less clear, however, is the extent to which incident response teams working on these challenging problems can cooperate and collaborate by sharing key information without violating data protection laws and requirements. This presentation will analyze these issues and identify steps that response teams should take to ensure that their collaborative efforts do not violate individual privacy rights and data protection law.
MD5: 205ca7393a447ebc1fc197335ab15700
Format: application/vnd.ms-powerpoint
Last Update: June 7th, 2024
Size: 80 Kb
Johannes Ullrich, SANS Internet Storm Center
The talk will outline how the SANS Internet Storm Center works, and how it attempts to inform about and mitigate current threats. The basic principles will be illustrated using the example of a DNS poisoning attack from earlier this year. In conclusion, the talk will suggest future trends and threats as they are currently being observed by the ISC.
MD5: 8065b76933fc5f13a5d93aea8aff35ea
Format: application/pdf
Last Update: June 7th, 2024
Size: 574.72 Kb
Jason Milletary, Cert/CC
Observation of recent attack trends has demonstrated the shift of Internet attack technology towards supporting financial gain. Attacks are increasingly targeting the end-user in an attempt to gather valued information and resources. An overview of these trends and the role of artifact analysis in understanding and countering these threats will be presented.
MD5: 8c6c4de20dea75cfa7ccfda5b0ffad23
Format: application/pdf
Last Update: June 7th, 2024
Size: 158.82 Kb
Matthew Braid (AU), Matthew McGlashan (AusCERT)
MD5: 22188d0cb72d207b41ec6bf2516295e0
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.04 Mb
Michael H. Warfield (IBM Internet Security Systems, US)
This session is an overview of the current state of 802.11* wireless standards, security profiles, developments, and practices.
As hardware costs plummet, wireless networks are proliferating rapidly. Many are badly configured and highly insecure, in spite of improvements in standards and default configurations. This talk on Wireless Security will be an update on the state of the art in 802.11 [abgix] security and security practices. Included will be some recent developments in standards, security incidents, and developments in the field, as well as recommendations on securing wireless infrastructure.
michael-h.-warfield-slides-1.ppt
MD5: d030c263ee078cdd1fb5d3a4b71c4647
Format: application/vnd.ms-powerpoint
Last Update: June 7th, 2024
Size: 690.5 Kb
Various FIRST Members
Short update presentations on ongoing FIRST members projects, initiatives, etc.
Buenos Aires, AR
October 5, 2005 11:50-13:00, October 5, 2005 14:30-15:00
Hosted by ArCert
MD5: 06e3227bd703d09015ff0a6683099caa
Format: application/pdf
Last Update: June 7th, 2024
Size: 758.14 Kb
MD5: 1c7c998bb7c34307b3bd17181d071416
Format: application/pdf
Last Update: June 7th, 2024
Size: 46.58 Kb
monserrat-francisco-slides-1.pdf
MD5: cf0842a6fb6e2cc4a7d2df6cfbd641ca
Format: application/pdf
Last Update: June 7th, 2024
Size: 662.81 Kb
MD5: a40a0da3f211b24fa0becee82ff7f362
Format: application/pdf
Last Update: June 7th, 2024
Size: 474.19 Kb
MD5: 8dc4e9db1740e4ca7af54c316dd32288
Format: application/pdf
Last Update: June 7th, 2024
Size: 9 Mb
MD5: 15c3b8980c058f8bada33e4a254198a5
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.06 Mb