- NL
A civil rights' perspective on data retention
Sjoera Nas (Bits of Freedom, NL)
nas-sjoera-slides.pdf
MD5: e45c8605a87c72f3b83469e0a55992ae
Format: application/pdf
Last Update: June 7th, 2024
Size: 689.37 Kb
- US
A Framework for Effective Alert Visualization
Jon Ramsey (SecureWorks, US), Uday Banerjee (SecureWorks, US), Uday Banerjee (SecureWorks, US)
Any organization/department that provides security typically deals with a large volume of alerts and logs generated from a variety of sources. These could originate from firewalls, intrusion detection/prevention devices and agents, vulnerability scanners, etc. It would seem like a good idea to apply as much correlation as possible to this data in order to be able to see things from a bird's eye perspective. Even at this point, a human could use some additional help in deciphering the situation. The authors believe that visualization is a key component to this end. This paper describes general methods and principles that allow the use visualization as an efficient tool for alert analysis. The paper is organized as follows: Section 1 talks about related work in the field of visualization to aid alert analysis and anomaly detection. Section 2 details some fundamental requirements and considerations that must be incorporated into the design of visualizations and related tools. Section 3 discusses a visualization tool used within our organization to aid in alert and anomaly analysis - while highlighting its place within the framework of requirements. Section 4 discusses a sample visualization, and how its design allows for intuitive analysis. Finally, the paper concludes by pointing out a few key areas where improvements could be made to improve existing visualization methodologies.
banerjee-uday-papers.pdf
MD5: 2511f8524c40ed3b3a4330cc0f468cfc
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.02 Mb
banerjee-uday-slides.pdf
MD5: 9b961da0549c111d2303a8f01fc83083
Format: application/pdf
Last Update: June 7th, 2024
Size: 731.78 Kb
- SG
A Strategy for Inexpensive Automated Containment of Infected or Vulnerable Systems
Steven Sim Kok Leong (National University of Singapore, SG), Steven Sim Kok Leong (National University of Singapore, SG)
Early warning and detection mechanisms including distributed intrusion detection systems and honeynets are often deployed to detect new worm and virus infected machines. In a large enterprise network, especially in universities with more than 30,000 online nodes, it is often a challenge to cost-effectively contain and remedy these infected or critically vulnerable machines. Universities are unlike corporations because they cannot impose overly restrictive policies that could hamper research and sharing. In corporate environments, network users are primarily rule-abiding employees. However, in university environments, bulk of their network users are student customers.
In this paper, I shall detail an inexpensive strategy currently deployed in the National University of Singapore that has proven pretty effective in containment and remediation of these infected or critically vulnerable machines. The strategy involves in-house integration of opensource early warning and detection mechanisms coupled with self-developed quarantine mechanisms and self-help portals on the technology side as well as user process workflow formalization.
With the framework and infrastructure in place, we are able to contain both infected and vulnerable systems rapidly and sent new virus variants undetected in our environment for our corporate antivirus vendor to come up with new detects. In the period of from Jan 2005 till Sep 2005 alone, we submitted more than 30 binaries.
This strategy plays an important role in aiding the National University of Singapore to become one of three finalists in the MIS Asia Best IT Security Strategy international award 2005.3
I will discuss how management approval for this project was justified, how the project involving multiple groups including helpdesk and network teams was implemented, what successful steps that could be followed and the pitfalls to avoid. Through this paper, I hope that sharing our experience with the strategy that helped us and the pitfalls to avoid can prove valuable to both universities and similar organisations in the FIRST community that do not already have a similar strategy in place but are facing enterprise-level threat mitigation issues and inhibiting cost factors.
leong-steven-slides.pdf
MD5: 2cb597ad6a80679776a3c9f8fadadc53
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.56 Mb
- GB
A Year's Evolution on Attacks Against Online Banking Customers
Matthew Pemble (RBSG – Royal Bank of Scotland, GB), Matthew Pemble (RBSG – Royal Bank of Scotland, GB)
Matthew Pemble is currently the ISIRT Manager for a major international bank. An experienced Security Architect and Consultant, as well as an Incident and Investigations Manager and Computer Forensics Practitioner, he is a Fellow of the British Computer Society and the Institute
for Communications Arbitration & Forensics.
Matthew Pemble is currently the ISIRT Manager for a major international bank. An experienced Security Architect and Consultant, as well as an Incident and Investigations Manager and Computer Forensics Practitioner, he is a Fellow of the British Computer Society and the Institute
for Communications Arbitration & Forensics.
pemble-matthew-slides.pdf
MD5: 443f2e5b7790be9c301a5f51eb9fe5df
Format: application/pdf
Last Update: June 7th, 2024
Size: 199.33 Kb
- NL
An overview of the German Honeynet Project
Thorsten Holz (NL)
holz-thorsten.slides.pdf
MD5: 81cd69bbb0fc840b7eec664c7e279a17
Format: application/pdf
Last Update: June 7th, 2024
Size: 440.3 Kb
- PL
Piotr Kijewski (Research and Academic Computer Network in Poland, PL), Piotr Kijewski (Research and Academic Computer Network in Poland, PL)
The paper describes methods of automated threat signature generation from network flows. These methods are being implemented as part of the CERT Polska early warning ARAKIS project, and the paper is a follow up to the ARAKIS talk given at the FIRST 2004 Budapest conference. The paper identifies what constitutes a good signature for use in IDS/IPS systems, presents an architecture of the signature extraction system, describes various signature extraction techniques, including our own proposal and presents some results. The level of technical detail is medium. Targeted at an audience with security experience, in particular, knowledge of the underlying principles of intrusion detection and honeynets is helpful.
kijewski-piotr-papers.pdf
MD5: 1143d8e778d170a636ecf18c47277319
Format: application/pdf
Last Update: June 7th, 2024
Size: 139.66 Kb
kijewski-piotr-slides.pdf
MD5: 2d1541b9b28d5431141bb67ed286b9e1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.09 Mb
- FI
Behavioral Study of Bot Obedience using Causal Relationship Analysis
Lari Huttunem (University of Oulu, FI), Pekka Pietikäinen (University of Oulu, FI), Pekka Pietikäinen (University of Oulu, FI)
Botnet discovery can be difficult, since the existence of a network is often discovered only after it used for widespread activity such as a DDoS or a phishing scam. Sharing intelligence on a potential botnet traffic is also problematic mainly due to data privacy issues.
In this paper, we describe some currently used methods for identifying botnets and issues which arise when applying them in practice. We will identify the types of information that could be shared between different stakeholders and the technical means available to gather such data. Finally, we will present causality graphs and describe initial experiences in applying them to analyzing botnet incidents.
- US
Botnets as Vehicle for Online Crime
Aaron Hackworth (Carnegie Mellon University, US), Aaron Hackworth (Carnegie Mellon University, US), Nicholas Ianelli (Carnegie Mellon University, US), Nicholas Ianelli (Carnegie Mellon University, US)
This presentation goes beyond simple explanation of what a botnet is and dives into specific bot technologies and how they are used in the commission of online crime. When the presentation is complete, attendees will have a better understanding of botnet technologies, how these technologies are leveraged to enable physical world crime and what some of the motivating factors that have led malicious code authors to add specific features to their bot malware.
- CH
Building and Deploying Billy Goat: a Worm-Detection System
Diego Zamboni (IBM Zurich Reserch Laboratory, CH), James Riordan (IBM Zurich Reserch Laboratory, CH), James Riordan (IBM Zurich Reserch Laboratory, CH), Yann Duponchel (IBM Zurich Reserch Laboratory, CH)
Billy Goat is a worm detection system widely deployed throughout IBM and several other corporate networks. We describe the tools and constructions that we have used in the implementation and deployments of the system, and discuss contributions which could be useful in the implementation of other similar systems. We also discuss the features and requirements of worm detection systems in general, and how they are addressed by Billy Goat, allowing it to perform reliably in terms of scalability, accuracy, resilience and rapidity in detection and identification of worms without false positives.
riordan-james-papers.pdf
MD5: 8032f5adba2f445c884ef2cd444b5848
Format: application/pdf
Last Update: June 7th, 2024
Size: 237.59 Kb
riordan-james-slides.pdf
MD5: 22624dfce6415b97e470bb467c9a57ea
Format: application/pdf
Last Update: June 7th, 2024
Size: 475.94 Kb
- DE
Jürgen Sander (PRESECURE Consulting, GmbH, DE), Jürgen Sander (PRESECURE Consulting, GmbH, DE)
In the last quarter of 2005, the German CERT-Verbund has started to implement an early
warning information system (EWIS) called CarmentiS. Like in any known early warning
information system, one building block of CarmentiS are decentralized sensor networks,
which are building the backbone of the system. Therefore most of the technical challenges
involved in setting up an EWIS are rather straight foreward, an overview of the basic
concepts of CarmentiS was given at the last FIRST conference in Singapore.
Well, the reason to introduce an additional paper to this topic is the second building block
of CarmentiS – human analysis and of course the combination with classical sensor
networks. The human analyst will add incorporating information sources, which are
otherwise not available or cannot be automatically included and processed. The technical
systems will support the analysts where ever it is possible to be able to concentrate the
analyst viewpoint on the essentials.
In this case the real impediments are not on the technical side, legal and organisational as
well as human issues are in the way, making the building of such systems a real
challenge. Of course, in the full paper the essential technical concepts, interfaces and
services which are offered by CarmentiS will be explored and explained, but focusing on
the following topics:
- Information sharing - legal and technical aspects
- The cooperative approach – technical and organizational aspects
junger-sander-slides.pdf
MD5: 8490e502451786b4f0393bdae84d21f0
Format: application/pdf
Last Update: June 7th, 2024
Size: 549.43 Kb
- US
CERT's Virtual Training Environment: A New Model for Security and Compliance Training
James C. Wrubel (Carnegie Mellon University, US), James C. Wrubel (Carnegie Mellon University, US)
The CERT Virtual Training Environment (VTE, online at https://www.vte.cert.org) provides self-paced remote access to CERT’s suite of Information Assurance and Computer Forensics training material in virtual classroom and knowledge library formats. VTE follows a ‘read it, see it, do it’ instructional model, offering written training material, captured video of instructor-led lectures and demonstrations, and virtual training labs that are provisioned on-demand directly by students through virtual machine technology. VTE is currently in use by the Army Reserve Information Operations Command, the Marine Forces Pacific Command, and the Department of Homeland Security National Cyber Security Division.
This presentation will cover the following topics:
- VTE History and Background
- VTE Training and Library Mode
- Features and Benefits
- Platform Requirements
- Demonstrations of the following functionality:
- VTE Training Mode
- Lecture topics
- Assessements
- Hands-on Labs
At the end of the presentation, Mr. Wrubel will offer VTE access accounts valid through January 1, 2007 to any interested audience members.
wrubel-james-slides.pdf
MD5: a761fabddb9562148b10f1a4b3ed34cf
Format: application/pdf
Last Update: June 7th, 2024
Size: 775.47 Kb
- GB
Compulsory Data Retention: Issues for CSIRTs
Andrew CormackAndrew Cormack (GB)
Andrew Cormack trained as a Mathematician well before the Internet went
mainstream. After five years on a research vessel managing the science IT,
he joined the University of Cardiff as Postmaster, where it was suggested
he might like to investigate “this world wide web thing” and assess whether
it had a future. A few years later he started the UK’s academic CERT as
well as managed the EuroCERT project. Since then IT Security was Andrew’s
passion. During his career at JISC he transitioned to the organizations
Chief Regulatory Advisor and pursued Law studies in which he graduated as a Master of Law.
Andrew’s contributions to the Incident Response community are many and
broad: He was one of the initial TRANSITS trainers and thus shaped the
careers of hundreds of incident responders. Andrew’s ability to listen
beyond the mere words that people speak, combined with his vast knowledge,
allowed him over and over again to build bridges to other fields. One
particular area of focus was the governance and legal frameworks related to
Incident Response, where he helped policy makers recognize the importance
of CSIRTs. Andew was a member of ENISA’s Permanent Stakeholder Group and
sat on the boards of ORCID and the Internet Watch Foundation. He was a
regular attendee and presenter at security conferences, and the Program
Chair of the 2019 FIRST annual conference in his native Edinburgh.
Andrew Cormack passed away on April 12 2023, only two weeks after having
learned about his induction in the IR Hall of Fame.
Article: Remembering Andrew Cormack - by Serge Droz
cormack-andrew-slides.pdf
MD5: 2aabc53951285f3ee00a53a7b03dfd7b
Format: application/pdf
Last Update: June 7th, 2024
Size: 31.49 Kb
- US
Matthew Geiger (Carnegie Mellon University, US)
Among the challenges faced by forensic analysts are a range of commercial 'disk scrubbers', software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent an area of continuing concern for forensic investigators.
This paper details the analysis of 13 commercial counter-forensic tools, examining operational shortfalls that can permit the recovery of significant evidentiary data. The research also isolates filesystem fingerprints generated when these tools are used, which can identify the tool, demonstrate its actual use and, in many cases, provide insight into the extent and time of its use.
The result is an indexed resource for forensic analysts, covering 19 tools and tool versions, that can help identify traces of disk-scrubbing activity and guide the search for residual data. In addition, a new forensic utility, named Aperio, is presented. It employs a signature library to automate the hunt for traces of counter-forensic tool use. Aperio can search filesystems presented as images or devices, and provides a detailed audit report of its findings. Together these resources may assist in establishing the usage of counter-forensic tools where such activity has legal implications.
geiger-matthew-papers.pdf
MD5: 33c5e9c0d9deb39bb52745c184d9883d
Format: application/pdf
Last Update: June 7th, 2024
Size: 422.58 Kb
geiger-matthew-slides.pdf
MD5: 527e0af7e2840d13cee75ac6e212acbe
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.07 Mb
CSIRT interactions with law enforcement and intelligence services
Jacques Schuurman
- US
Design Your Network to Aid Forensic Investigation
Robert Sisk (IBM Corporation, US), Robert Sisk (IBM Corporation, US)
Although security and related tools have improved over the years, all too often the first signs of a compromise appear in the form of a trouble ticket or problem report. Even though many monitoring methods are available, when deployed, security teams quickly find themselves buried in data or very busy with the care and feeding of such tools. This course will review network design and monitoring with the intent of identifying and providing adequate compromise detection, developing appropriate security response to suspicious “eventsâ€, and increasing readiness for forensics investigation. We will do this by identifying and setting security goals, applying simple, but adequate, monitoring methods to meet those goals, and developing some response methods for investigating and mitigating specific attacks. A production network architecture, including "lessons learned" during its development and maintenance, will serve as a case study for facilitated discussion.
sisk-robert-slides.pdf
MD5: 11c71b6d75b30f4c84548cfd55f8c642
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.9 Mb
- NL
Designing and Developing an Application for Incident Response Teams
Kees Leune (Tilburg University, NL), Kees Leune (Tilburg University, NL), Sebastiaan Tesink (Tilburg University, NL)
Computer security incident response teams need to track incidents as they develop. To support day-to-day operations, teams need to be able to generate quick overviews of ongoing incidents, and they must be supported in their daily work by automating as much routine work as possible. AIRT is a web-based system to provide incident tracking capabilities to computer security incident response teams. Its design goals include to provide a comprehensive incident management console, ability to quickly associate external teams with IP addresses, the ability to create an incident in 30 seconds after receiving it, provisions for PGP signed mail, and more. This paper presents AIRT, its goals, architecture and its functionality.
leune-kees-papers.pdf
MD5: fc67e5f59584cb2b18b4e725ea829f99
Format: application/pdf
Last Update: June 7th, 2024
Size: 160.63 Kb
leune-kees-slides.pdf
MD5: 480e0d2c044cfc97876a63a8e72f1fe1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.08 Mb
- NO DE
Effectiveness of Proactive CSIRT Services
Johannes Wiik (Agder University, NO), Jose J. Gonzalez (Agder University, NO), Klaus-Peter Kossakowski (Software Engineering Institute, DE), Klaus-Peter Kossakowski (Software Engineering Institute, DE)
Background
For the FIRST 2005 conference we put together a paper researching limitations related to the reactive CSIRT services, mainly the response to low priority incidents. As the PhD research project of Johannes Wiik continued [Wiik et al. 2005], the scope was broaden to study the limitations of other services perceived as mandatory, most importantly the advisory service. The intermediate results related to the advisory service seem suggest very interesting, but also provocative, insights. Therefore we agreed to prepare a proposal for the upcoming FIRST conference in Baltimore.
Proactive Services as Cross-Organizational Learning Process
Almost all authors discussing these teams have suggested that Computer Security Incident Response Teams (CSIRTs) need to deliver new as well as additional proactive services to stay effective, but there are hardly any studies investigating to what extent existing proactive services are indeed effective or how to make them more effective. Indeed the advisory service is one of the core CSIRT services and proactive in scope – already part of the description even in the oldest CERT related documents – which has not changed much over the years. Only some technical development can be seen in regard to system categorization, identification schemes for vulnerabilities or formats for the effective exchange.
We argue that the potential of proactive services should be viewed as cross-organisational learning process. They carry the promise of avoiding incidents and the hope of saving considerable resources. The advisory service instigates the transfer of information between vendors of commercial off-the-shelf-software (COTS) or open source software and users of these products in the CSIRT constituency. Another proactive approach is actively searching for vulnerabilities in networks and organizations. Quite specific information is provided through analysis of systems within the constituency and informing the administrators about much needed patches or changes to the setup. Rather than carrying out this analysis only on demand the networks and systems are routinely surveyed. Thus, it is similar to (and hence we call it) a "neighbourhood watch": your neighbours keep an eye on your assets.
In this paper we evaluate two proactive services:
1. The common advisory service as an example of an existing service, and
2. Neighbourhood watch (NBHW) as a new service that builds on the advisory service.
Based on a case study and organisational learning theory, we build a system dynamics simulation model to test the effectiveness of the two services. Preliminary findings indicate that neighbourhood watch has several significant strengths compared to the traditional advisory service with respect to knowledge acquisition, information distribution, information interpretation and organisational memory.
However, as the advisory service is a community service the aim is to reach out to all constituents and it can therefore make an overall impact, despite its weaknesses. As NBHW is dependent on authorisation to scan the networks of each constituent, its effectiveness in the constituency as a whole is very much dependent on the take-up rate.
We also evaluate the short term impact of using NBHW that typically helps new customers of this service to detect previously unnoticed incidents. Thereafter we look at the long term impact as customers mature their way of using more effectively the information provided by this service to secure their networks and organizations.
This last issue is important to put our observations back into the broader picture. It stresses again [Wiik et al. 2005] that all CSIRT related activities are impacting each other and cannot be seen as separate activities. As current management approaches do not consider this aspect, we recommend to all CSIRTs to revisit their services and interdependencies not yet addressed in their current setup.
References
[Wiik et al. 2005] Limits to Effectiveness in CSIRTs / Johannes Wiik; Jose J. Gonzalez;
Klaus-Peter Kossakowski. - [Paper for the FIRST 2005 Conference, Conference Proceedings. Also available from www.cert.org/csirts/] - GB DE
ENISA update
Andrew CormackAndrew Cormack (GB), Marco Thorbrügge (ENISA, DE)
Andrew Cormack trained as a Mathematician well before the Internet went
mainstream. After five years on a research vessel managing the science IT,
he joined the University of Cardiff as Postmaster, where it was suggested
he might like to investigate “this world wide web thing” and assess whether
it had a future. A few years later he started the UK’s academic CERT as
well as managed the EuroCERT project. Since then IT Security was Andrew’s
passion. During his career at JISC he transitioned to the organizations
Chief Regulatory Advisor and pursued Law studies in which he graduated as a Master of Law.
Andrew’s contributions to the Incident Response community are many and
broad: He was one of the initial TRANSITS trainers and thus shaped the
careers of hundreds of incident responders. Andrew’s ability to listen
beyond the mere words that people speak, combined with his vast knowledge,
allowed him over and over again to build bridges to other fields. One
particular area of focus was the governance and legal frameworks related to
Incident Response, where he helped policy makers recognize the importance
of CSIRTs. Andew was a member of ENISA’s Permanent Stakeholder Group and
sat on the boards of ORCID and the Internet Watch Foundation. He was a
regular attendee and presenter at security conferences, and the Program
Chair of the 2019 FIRST annual conference in his native Edinburgh.
Andrew Cormack passed away on April 12 2023, only two weeks after having
learned about his induction in the IR Hall of Fame.
Article: Remembering Andrew Cormack - by Serge Droz
- US
Evaluating CSIRT Operations
Audrey Dorofee (Carnegie Mellon University, US), Audrey Dorofee (Carnegie Mellon University, US), Chris Alberts (Carnegie Mellon University, US), Robin Ruefle (Carnegie Mellon University, US), Robin Ruefle (Carnegie Mellon University, US)
This tutorial will discuss the reasons, outcomes, and benefits
of evaluating incident management capabilities such as CSIRTs.
Four different methodologies will be presented that can be
used to evaluate various aspects of incident management capabilities.
During the tutorial, practical exercises will be conducted
that demonstrate various components of each methodology to give
a real-life perspective on performing such evaluations.
ruefle-robin-slides.pdf
MD5: 50284a812831fc8897fa81b3138a0ec2
Format: application/pdf
Last Update: June 7th, 2024
Size: 601.55 Kb
- US
Exploring the Next Level of Cyber Attacks: Methodologies and Demonstration of Web Application Hacks
Matt Fisher (SPI Dynamics, US), Matt Fisher (SPI Dynamics, US)
Matt Fisher is a Senior Security Engineer for SPI Dynamics and has over 12 years experience in
the information technology industry. He has multiple certifications and has spoken on the topic of
Web application security at numerous conferences. Matt was a contributing author for the book
titled, “Google Hacking for Penetration Testers” and is registered with the Defense Information
Services Agency as a subject matter expert in Web application security.
Matt Fisher is a Senior Security Engineer for SPI Dynamics and has over 12 years experience in
the information technology industry. He has multiple certifications and has spoken on the topic of
Web application security at numerous conferences. Matt was a contributing author for the book
titled, “Google Hacking for Penetration Testers” and is registered with the Defense Information
Services Agency as a subject matter expert in Web application security.
fisher-matthew-slides.pdf
MD5: 21409b39b5f47dda92aaedfd1cfa8ef3
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.34 Mb
- FR
Honeypot Technology: Principles and Applications
Franck Veysset (France Télécom R&D, FR), Franck Veysset (France Télécom R&D, FR), Laurent Butti (France Télécom R&D, FR), Laurent Butti (France Télécom R&D, FR)
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Based on this definition, we will introduce the topic with an overview of the evolution of this technology, from the beginning to the latest advances.
This tutorial will cover in depth examples of use in corporate environments, including low interaction honeypot to gather statistics on malicious activities (worms & viruses…), wifi honeypots, fully operational architectures…
Some demonstrations will be done during the tutorial, presenting most useful resources and open source projects (honeyd, sebek, mwcollect…).
Good interaction with the audience is expected.
veysset-franck-slides.pdf
MD5: d00bdf680ef0f7e3dba10da1a79a4a12
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.92 Mb
- NZ
If You Don't Know What You Don't Know
Arjen de Landgraaf (Co-Logic Security, Ltd, NZ), Arjen de Landgraaf (Co-Logic Security, Ltd, NZ)
IT Security has per definition always been a re-active business. It is like having a castle, protecting the crown jewels with locked gates (firewalls) intrusion detection (the watch) and intrusion prevention methods (hot oil and peck, arrows, stones, dead horses etc) Preventing anyone unauthorized to attack and enter.
However, major changes over the last couple of years in requirements of businesses to keep up with the competition and markets demanded a different approach to Web based services, resulting in openness of systems to visitors, customers, and our own teleworkers. Its like having to maintain a 24 hrs market, open to everyone, in the middle of your castle, with stalls of next generation technology, enticing visitors to buy. How do you strip-search 500K unique visitors to your site each month?
Emphasis of demands on today’s web designers and programmers is more and more on becoming open and accessible, visually attractive and smart functions.
The ”New Breed” of web designers and programmers of today is artistic, they learned all on market-focused design, with educational institutes jumping to the demand, delivering new breed courses and degrees. Today’s programmers program “On the Fly”, constantly needing to meet requirements of marketing and sales departments. The demand on them is huge, after all, static websites are out, and dynamic content is in. The “can you do this, can you do that, we need it live this Monday” puts enormous pressure on them to deliver. Deliver quickly.
To the aid of this new breed is an unbelievable enormous pool of programs, scripts, and tools, available on the Internet, and either free or low cost. Re-Use has gained another meaning – what is easier than including code snippets and scripts to have the new Web Application deliver what the Marketing and Sales people require. Today’s web programmers are artists, not the logical, structured breed of developers we used to have working to develop accounting and warehouse management applications.
Artists who may claim paintings of others as their own. If you are an artist, would you admit copying someone elses work?
Also the Teleworkers of today, become one of the main areas of productivity improvement for organizations – after all the physically traveling to and from work is in most cities in the world becoming more and more a burden, or virtually impossible with the huge traffic jams – are not IT persons. They have the same pressure of having to deliver. And their kids may have secretly LimeWire or other sharing software installed on their parents notebook, downloading files, video, music and the rest, for their own satisfaction. They are no IT Security Experts.
All these groups together just do what they can do to make ends meet, to deliver value to their employer, to not have to work through the weekend, to catch up with their workload. And here lies the danger. If You Don’t Know what you Don’t Know, it does not exist. You don’t know even enough to be able to ask the question.
If IT Security staff does not know what it doesn’t know, the Question will never be asked. The Answer to this “Question We Do Not Know To Ask” can mean the difference between an organization’s success, or that of corporate disaster. The difference between either an IT Security Job well done, or an unexpected career change.
- DE
IRT object
Wilfried Woeber (DE)
- US
Keynote: Computer Security Incident Response - Past, Present, Future
Richard D. Pethia (Carnegie Mellon University, US), Richard D. Pethia (Carnegie Mellon University, US)
Richard Pethia manages the Networked Systems Survivability (NSS) Program at the
Software Engineering Institute (SEI) at Carnegie Mellon University. The program ensures
appropriate technology and systems management practices are available to recognize,
resist, and recover from attacks on networked systems. The program’s CERT Coordination
Center (CERT/CC) has formed a partnership with the Department of Homeland Security to
provide a national cyber security system, US-CERT. In 2003, Pethia was awarded the
position of SEI Fellow for his vision and leadership in establishing the CERT/CC, for creating
and establishing the worldwide network of over 200 CSIRTs and FIRST, for his leadership in
creating the NSS Program, and for his partnership with the Department of Homeland
Security in the formation of US-CERT. Pethia is also a co-director of Carnegie Mellon
University’s CyLab, bringing together the varied cyber security activities at the university.
Richard Pethia manages the Networked Systems Survivability (NSS) Program at the
Software Engineering Institute (SEI) at Carnegie Mellon University. The program ensures
appropriate technology and systems management practices are available to recognize,
resist, and recover from attacks on networked systems. The program’s CERT Coordination
Center (CERT/CC) has formed a partnership with the Department of Homeland Security to
provide a national cyber security system, US-CERT. In 2003, Pethia was awarded the
position of SEI Fellow for his vision and leadership in establishing the CERT/CC, for creating
and establishing the worldwide network of over 200 CSIRTs and FIRST, for his leadership in
creating the NSS Program, and for his partnership with the Department of Homeland
Security in the formation of US-CERT. Pethia is also a co-director of Carnegie Mellon
University’s CyLab, bringing together the varied cyber security activities at the university.
pethia-richard-slides.pdf
MD5: 1d7da2c7ec3f0b066846fad5f3f7a58b
Format: application/pdf
Last Update: June 7th, 2024
Size: 953.95 Kb
- US
Log Data Analysis for Incident Response
Anton Chuvakin (LogLogic, Inc., US), Anton Chuvakin (LogLogic, Inc., US)
Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a
product vision and strategy, driving the product roadmap, conducting research as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with netForensics, a security information management company.
A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and "Hacker's
Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs.
Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a
product vision and strategy, driving the product roadmap, conducting research as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with netForensics, a security information management company.
A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and "Hacker's
Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs.
chuvakin-anton-slides.pdf
MD5: 1abe1766c1ef489feeacc9000202c266
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.22 Mb
- US
Maximizing the Benefits of Intrusion Prevention Systems: Effective Deployment Strategies
Calvin Miller (District of Columbia Government, US), Charles Iheagwara (District of Columbia Government, US), Farrukh Awan (District of Columbia Government, US), Farrukh Awan (District of Columbia Government, US), Yusuf Acar (District of Columbia Government, US)
This paper discusses general intrusion prevention systems concepts and provides a context-based analysis of the techno-economic imperatives as the driver of this technology. Further, in light of the Gartner 2004 recommendations, the paper examines the security needs and functional requirements for enterprise network IPS deployments. Given the complexity of the implementation environment, the paper will seek to demonstrate the value associated with a well thought out deployment strategy. To this end, the paper introduces performance measures and proposes effective deployment strategies to enhance the performance the IPS. Using field data, we measure the financial benefit of an IPS deployment.
- CH
Peter Haag (The Swiss Education and Research Network, CH), Peter Haag (The Swiss Education and Research Network, CH)
For network security teams of any size, an accurate analysis of the traffic situation is essential. The well-known traffic graphs, do not give enough information especially to investigate security related incidents. To work with netflow data turned out to be a good balance between collecting and processing the data and the information gained from this process.
A lot of tools to collect netflow data are available, but the flexibility to process the flows was either poor, or resulted in expensive commercial systems. The Open Source tools nfdump and NfSen close this gap. They provide a flexible and powerful system to collect and process netflow data for a great variety of tasks.
The presentation starts with a small introduction of netflow and explains how nfdump and NfSen can be used to look at your network traffic, to create easily top N statistics of hosts and networks demanding most bandwidth of your network, as well as to detect host and port scans. It shows how a security incident can be tracked and profiled. Last but not least it gives an overview how to extend NfSen with custom plugins for dedicated tasks specific to your network.
haag-peter-papers.pdf
MD5: 9d6aef80bf92db05fba9a2bbd32669b5
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.36 Mb
haag-peter-slides.pdf
MD5: fb81dd7c48215bc00de79eef75cec248
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.27 Mb
- US
Next Steps in Bridging the Gap
Kenneth R. van WykGary McGraw (Cigital, Inc., US), Kenneth R. van Wyk (FIRST.Org, US)
Kenneth R. van Wyk is an internationally recognized information security expert and author of the O’Reilly and Associates books, Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, (http://www.KRvW.com), he currently holds numerous positions: as a monthly columnist for on-line security portal, eSecurityPlanet (http://www.eSecurityPlanet.com), and a Visiting Scientist at Carnegie Mellon University's Software Engineering Institute (http://www.sei.cmu.edu).
Ken has 20+ years experience as an IT Security practitioner in the academic, military, and commercial sectors. He has held senior and executive technologist positions at Tekmark, Para-Protect, Science Applications International Corporation (SAIC), in addition to the U.S. Department of Defense and Carnegie Mellon and Lehigh Universities.
Ken also served a two-year elected position as a member of the Steering Committee, and a one-year elected position as the Chairman of the Steering Committee, for the Forum of Incident Response and Security Teams (FIRST) organization. At the Software Engineering Institute of Carnegie Mellon University, Ken was one of the founders of the Computer Emergency Response Team (CERT®). He holds an engineering degree from Lehigh University and is a frequent speaker at technical conferences, and has presented papers and speeches for CSI, ISF, USENIX, FIRST, and others. Ken is also a CERT® Certified Computer Security Incident Handler.
- DE
NoAH project
Klaus Möeller (DE)
moeller-klaus-slides.pdf
MD5: 7f51b10c6c46c7452b0afbf6baeb92b2
Format: application/pdf
Last Update: June 7th, 2024
Size: 98.65 Kb
NREN server certificate service
Jan Meijer
meijer-jan-slides.pdf
MD5: ec99d90991b5d123dd12039be044a690
Format: application/pdf
Last Update: June 7th, 2024
Size: 244.74 Kb
- PL
Presentation about Sender Policy Framework
Przemyslaw Jaroszewski (PL)
Przemyslaw Jaroszewski is a security specialist in CERT Polska. For the past seven years he has been involved in incident response, advocating and coaching in computer security, as well as taking part in various security-related projects. One of his main areas of interest is e-mail security and spam. He was managing processes of development and implementation of a prototype database in the SPOTSPAM project.
- DE
Proactive Security Monitoring in a Policy Managed Network
Till Dörges (PRESECURE Consulting GmbH, DE), Till Dörges (PRESECURE Consulting GmbH, DE)
Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he's currently working on are a network of distributed IDS-sensors (evolved from the EC-funded project "eCSIRT.net") and the also EC-funded research project about proactive security monitoring in a policy-based framework ("POSITIF"). Both projects strongly relate to Intrusion Detection, Honeynets and (Security-) Policies.
He also is the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as for FIRST.
Till Dörges studied Computer Sciences in Hamburg, Toulouse and Leipzig. He holds a French
"Maîtrise d'Informatique" and a German "Informatik-Diplom".
Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he's currently working on are a network of distributed IDS-sensors (evolved from the EC-funded project "eCSIRT.net") and the also EC-funded research project about proactive security monitoring in a policy-based framework ("POSITIF"). Both projects strongly relate to Intrusion Detection, Honeynets and (Security-) Policies.
He also is the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as for FIRST.
Till Dörges studied Computer Sciences in Hamburg, Toulouse and Leipzig. He holds a French
"Maîtrise d'Informatique" and a German "Informatik-Diplom".
dorges-till-papers.pdf
MD5: ab1a90502514adfe0113503d498aea39
Format: application/pdf
Last Update: June 7th, 2024
Size: 301.18 Kb
dorges-till-slides.pdf
MD5: 7d9c227bd99ebbf4d9ef44b460e38192
Format: application/pdf
Last Update: June 7th, 2024
Size: 628.5 Kb
- JP
Masato Terada (IPA, JP), Masato Terada (IPA, JP)
Unauthorized access intending to spread malware has been active and causing a lot of damage worldwide. In
order to eliminate vulnerabilities and prevent unauthorized access, it is necessary to improve the way to
distribute security information about computer software and hardware. When a new vulnerability is
discovered or a security advisory is released, the security administrators try to collect information about and
countermeasures against the vulnerability. In this paper, we examines how we can provide a more efficient
security information distribution service for the security administrators that helps them reduce their workload
related to collecting and grouping various information and take care of security incidents.
We propose JVNRSS (JP Vendor Status Notes RSS) as a security information sharing and exchanging
specification. Currently, JPCERT/CC and IPA (Information-technology Promotion Agency) are promoting a
framework to handle vulnerability information in Japan.
They offer JVN, a portal site to provide security
information about the domestic computer software and hardware manufactured by the vendors participating
in the framework. JVNRSS is one of the methods JVN has been using to distribute security information.
JVNRSS is based on RSS 1.0 and uses the "dc:relation" field defined in the Dublin Core as a Relational ID
to correlate security information issued by various sources (Figure 1). JVNRSS uses the reference URL
specified in a security alert, for example, an URL of the Common Vulnerability Exposure, CERT Advisory,
CERT Vulnerability Note and CIAC Bulletin. In this paper, firstly we explain the specification and
application of JVNRSS. Secondly, we'll introduce the result of our feasibility study on JVNRSS (Figure 2)
and lastly we'll propose the RSS Extension for security information sharing.
terada-masato-papers.pdf
MD5: 00977e402e88dd6e630072740a435b9e
Format: application/pdf
Last Update: June 7th, 2024
Size: 235.54 Kb
terada-masato-slides.pdf
MD5: 2824afaf4d1230888a0044d21099fc9b
Format: application/pdf
Last Update: June 7th, 2024
Size: 1023.69 Kb
- US
Joseph Schwendt (Intel Corporation, US), Joseph Schwendt (Intel Corporation, US), Steve Mancini (Intel Corporation, US), Steve Mancini (Intel Corporation, US)
Topic
RAPIER (Rapid Assessment & Potential Incident Examination Report) is a security tool built to assist in malware collection and analysis. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. With the results, a security analyst is provided information which can aid in determining if a system has been compromised, and potentially determine the method of infection, the changes to the system, and determine how to recover/clean the system. RAPIER can also be used to provide anti-malware vendors with the information necessary to update their definitions files. It is the first tool within Intel that fully automates the entire process, thus enabling a highly effective means for rapid response to potential malware infections.
Outline
- Problem Statement
- Fundamental Operational Solution
- Framework Engine
- How to design your own modules
- Feature Modules
Technical Detail
Moderate - we will cover what content the modules capture so understanding basic attributed of Microsoft Windows OS is helpful.
Audience
- Incident Handlers
- Investigators
- Security Operations Center management/participants.
mancini-steve-papers.pdf
MD5: a48f038cc05e5c60affbcd21f912f317
Format: application/pdf
Last Update: June 7th, 2024
Size: 212.88 Kb
mancini-steve-slides.pdf
MD5: 7e04d7e41d6d5339eb23b992c2288a22
Format: application/pdf
Last Update: June 7th, 2024
Size: 493.02 Kb
- US
Reliably Determining the Outcome of Computer Network Attacks
Barry E. Mullins (Air Force Institute of Technology, US), Capt David J. Chaboya (Air Force Institute of Technology, US), Capt David J. Chaboya (Air Force Institute of Technology, US), Richard A. Raines (Air Force Institute of Technology, US), Rusty O. Baldwin (Air Force Institute of Technology, US)
Organizations frequently rely on the use of Network Intrusion Detection Systems (NIDSs) to identify and prevent intrusions into their computer networks. While NIDSs have proven reasonably successful at detecting attacks, they have fallen short in determining if attacks succeed or fail. This determination is often left to the security analyst or system administrator. Large-scale networks pose a particular challenge for IDS analysts. The process of manually checking systems to determine if an attack is successful becomes burdensome as the size and geographic location of the network increases. Many analysts use network data alone, in particular the server response, to determine the outcome of the attack. Intuitively, the server response is the packet or packets the target computer returns after an attack. However, in the case of buffer overflows, the attacker has the ability to forge or modify this response.
This paper examines two key aspects of network defense: the ability to circumvent detection devices and how network analysts respond to evasion techniques. We examine how social engineering can be used to influence an analyst's decisions and we recommend ways to counter this threat. The intended audience will be responsible for either developing IDS signatures, or analyzing network IDS results. The technical detail is moderate, but does assume some exposure to network traffic analysis, intrusion detection, and exploits in general.
chaboya-david-papers.pdf
MD5: 27a05976acb9e3d94f946e7f41476112
Format: application/pdf
Last Update: June 7th, 2024
Size: 231.66 Kb
chaboya-david-slides.pdf
MD5: 19cf5579abc732dc8a45d3c58e300412
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.88 Mb
- US
Reporting Security Vulnerabilities: Defining Best Practices For Industry and Third Party Co-Ordinators
Tara Flanagan (Cisco Systems Ltd., US)
Tara Flanagan is the Director of Legal Services for Cisco System's world wide services organization, and has supported Cisco's security reporting team (PSIRT) for seven years. Prior to joining Cisco in 1997, she
worked as a government contracts attorney and commercial litigator with
the Los Angeles law firm of McKenna, Conner and Cuneo. During her
tenure as outside counsel, she represented large and small companies
engaged in business with the U.S. government (i.e. represented FMC
Corporation in lawsuit against the Goodyear Tire and Rubber Company
resulting in $32M judgement for FMC), as well as pro bono cases in which
she represented children and for which she received several pro bono
awards. She holds a B.A. cum laude from Tulane University (New Orleans,
LA) and a J.D. cum laude Pepperdine University (Malibu, CA). She is
licensed to practice law in California and is registered inhouse counsel
in Virginia.
flanagan-tara-slides.pdf
MD5: e8b97a1efa75ca5124af0ab207cc17a9
Format: application/pdf
Last Update: June 7th, 2024
Size: 245.51 Kb
- KR
Risk Analysis Methodology for New IT Service
Jun Heo (Korea Information Security Agency, KR), Jun Heo (Korea Information Security Agency, KR), Yoojae Won (Korea Information Security Agency, KR)
This research intends to provide a new risk management methodology that predicts the security of future oriented IT services and help to create a counter strategy in advance. The proposed methodology is founded on domestic as well as foreign methodology and information protection reference model ITU-T X.805 and was executed in 3 parts: security factor distrimination phase, risk calculation phase,and counter strategy deduction phase. In the security factor discrimination phase the ITU-T X.805 is applied to determine the new IT services´s infraestructure, service, application level as well as the protecion subject by management, control and user plane. In the risk calculation phase, the X.805 creates risk scenarios for each module by level/plane and calculates the degree of risk by taking fatality, frequency of occurrence and degree of attack into consideration. In the counter strategy was devised by prioritizing risk and applying counter technologies from the list of required technologies based on the 8 information protection requirements.
heo-jun-slides.pdf
MD5: 085ce7785dc398301688d4c793f47f41
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.97 Mb
- US
Secure Coding in C and C++
Robert C. Seacord (Carnegie Mellon University, US), Robert C. Seacord (Carnegie Mellon University, US)
Secure Coding in C and C++ provides practical advice on secure
practices in C and C++ programming. Producing secure programs requires
secure designs. However, even the best designs can lead to insecure
programs if developers are unaware of the many security pitfalls
inherent in C and C++ programming.
This tutorial provides a detailed explanation
of common programming errors in C and C++ and describes how these errors
can lead to code that is vulnerable to exploitation. The tutorial
concentrates on security issues intrinsic to the C and C++ programming
languages and associated libraries. It does not emphasize security issues
involving interactions with external systems such as databases and web
servers, as these are rich topics on their own. The intent is that this
tutorial be useful to anyone involved in developing secure C and C++
programs regardless of the specific application.
seacord-robert-slides.pdf
MD5: c130fea77034706d904e552e2dbf8f62
Format: application/pdf
Last Update: June 7th, 2024
Size: 502.04 Kb
- US
Peter G. AllorPeter G. AllorPeter G. Allor (Honeywell, US), Peter G. Allor (Honeywell, US)
Peter Allor is a Director for Red Hat Product Security where he has responsibility for the portfolio on Secure Development through Incident Response. He is currently the Chair for the FIRST PSIRT SIG where a number of documents supporting the product security incident response were developed by practitioners for practitioners including a Framework of Services, Maturity and a base Incident Response plan.
Pete has assisted in the formation of the IT-ISAC and ICASI (Industry Consortium for Advancing Security on the Internet) groups for broader response and coordination. He is also a former Member of the FIRST Board of Directors serving as the CFO for five years, guiding CVSS and other SIGs as well as the board liaison for FIRST Conferences. Pete was a founding member of the IT Sector Coordinating Council and has participated on the CyberSecurity Commission for the 44th Presidency as well as supporting his CEO on the National Infrastructure Advisory Council where he led several working groups.
Pete started with Internet Security Systems working their vulnerability disclosures and then was with IBM Security when ISS was acquired. He later moved to Honeywell working their cloud solutions and product as the Product Security Chief prior to moving to Red Hat.
Peter Allor is a Director for Red Hat Product Security where he has responsibility for the portfolio on Secure Development through Incident Response. He is currently the Chair for the FIRST PSIRT SIG where a number of documents supporting the product security incident response were developed by practitioners for practitioners including a Framework of Services, Maturity and a base Incident Response plan.
Pete has assisted in the formation of the IT-ISAC and ICASI (Industry Consortium for Advancing Security on the Internet) groups for broader response and coordination. He is also a former Member of the FIRST Board of Directors serving as the CFO for five years, guiding CVSS and other SIGs as well as the board liaison for FIRST Conferences. Pete was a founding member of the IT Sector Coordinating Council and has participated on the CyberSecurity Commission for the 44th Presidency as well as supporting his CEO on the National Infrastructure Advisory Council where he led several working groups.
Pete started with Internet Security Systems working their vulnerability disclosures and then was with IBM Security when ISS was acquired. He later moved to Honeywell working their cloud solutions and product as the Product Security Chief prior to moving to Red Hat.
allor-peter-slides.pdf
MD5: dce34fbfbb7a0f532e328d29d210d34b
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.71 Mb
Solaris 10 security design considerations
Casper Dik
dik-casper-slides.pdf
MD5: acf27b9cb33bd98191701b2ec686206a
Format: application/pdf
Last Update: June 7th, 2024
Size: 179.76 Kb
- NL
SURFnet IDS - A distributed intrusion detection system
Rogier J.L. Spoor (SURFnet, NL)
Rogier Spoor graduated in Bioprocess Engineering at the Wageningen University and Research Centre.
His first job was working as a Technical Linux and Network Engineer.
Currently, Rogier works as an Account Advisor at SURFnet and is in charge of the D-IDS project.
spoor-rogier-slides.pdf
MD5: 8fa536c7514a40c88d722b1f253181c9
Format: application/pdf
Last Update: June 7th, 2024
Size: 455.15 Kb
- DE
The Impact of Honeynets for CSIRTs
Jochen SchönfelderJan Kohlrausch (DFN-CERT Services GmbH, DE), Jan Kohlrausch (DFN-CERT Services GmbH, DE), Jochen Schönfelder (DFN-CERT, DE)
For the daily work of a CSIRT it is of major importance to know which vulnerabilities are currently abused to compromise computers and to timely warn the constituency if a zero-day exploit is found. Besides the traditional incident response work, honeypots have
shown to become more important to follow these aims.
In this talk we give an overview on the NoAH project and related projects devoted to the deployment of distributed honeypots and show how CSIRTs and other security teams can profit from the deployment of their infrastructure.
kohlrausch-jan-papers.pdf
MD5: 4e03d2ab0452193798bf7f6046ff5d78
Format: application/pdf
Last Update: June 7th, 2024
Size: 49.16 Kb
kohlrausch-jan-slides.pdf
MD5: 8125a3c38ee362815292fb954a263621
Format: application/pdf
Last Update: June 7th, 2024
Size: 168.11 Kb
- US
The Network-Centric Incident Response and Forensics Imperative
Richard Bejtlich (TaoSecurity, US), Richard Bejtlich (TaoSecurity, US)
Security staff often take a host-centric approach to determining the scope and damage of computer intrusions. Standard forensics techniques are hard-drive centric, with collection and analysis of live data only gradually being adopted. This presentation offers a complementary set
of practices focusing on network-centric techniques. In an age of kernel-based rootkits and savvy intruders, sometimes only the network can tell the truth.
- US
Lawrence R. Rogers (Carnegie Mellon University, US), Lawrence R. Rogers (Carnegie Mellon University, US)
Today’s professional system and network administrators are increasingly challenged to make computer and network security a greater part of their overflowing set of daily activities. In response to this trend, the Software Engineering Institute (SEI1), specifically the CERT® Program2, has designed a three-course curriculum in survivability and information assurance (SIA).
- JP
Threats of P2P File Sharing Software - a Japanese Situation About "Winny"
Keisuke Kamata (JPCERT Coordination Center, JP), Keisuke Kamata (JPCERT Coordination Center, JP), Yuichi Miyagawa (JPCERT Coordination Center, JP)
Information leakage incident (especially for important confidential one) has been increased in Japan. Most of those incidents are caused by a virus named "Antinny" which is a name of virus developed for P2P file sharing software "Winny". Winny is a name of P2P file sharing software. In this presentation, we will explain the serious situation about information leakage incidents in Japan and technical details about Winny.
kamata-keisuke-slides.pdf
MD5: 9337d69c6562e97ab11697211552c122
Format: application/pdf
Last Update: June 7th, 2024
Size: 333.64 Kb
- FR
Fabien Pouget (French Government, FR), Fabien Pouget (French Government, FR), Guillaume Urvoy-Keller (Institut EURECOM, FR), Marc Dacier (Institut EURECOM, FR)
In this paper, we present a method to detect the existence of sophisticated
attack tools in the Internet that combine, in a misleading way, several
exploits. These tools apply various attack strategies, resulting into several
different attack fingerprints. A few of these sophisticated tools have already
been identified, e.g. Welchia. However, devising a method to automatically
detect them is very challenging since their different fingerprints are
apparently unrelated. We propose a technique to automatically detect their
existence through their time signatures. We exemplify the interest of the
technique on a large set of real world attack traces and discover a handful of
those new sophisticated tools.
pouget-fabien-papers.pdf
MD5: ff0ef3f977f7a2da9716de24270b7f36
Format: application/pdf
Last Update: June 7th, 2024
Size: 383.7 Kb
pouget-fabien-slides.pdf
MD5: 8c68f51d0624b183b9fc68e54dadcded
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.84 Mb
- NL
TRANSITS courses
Karel Vietsch (NL)
vietsch-karel-slides.pdf
MD5: 971b9701c3d4a2c8388e948350cc0b3c
Format: application/pdf
Last Update: June 7th, 2024
Size: 269.06 Kb
- NL
Update on e-coat forum
Don StikvoortDon Stikvoort (NL)
Don Stikvoort is founder of the companies “S-CURE” and “Cross Your Limits”. S-CURE offers senior consultancy in the area of cyber security – specialising in CSIRT matters. Cross Your Limits coaches and trains in the human area. Based in Europe, Don’s client base is global.
After his MSc degree in Physics, he became Infantry platoon commander in the Dutch Army. In 1988 he joined the Dutch national research network SURFnet. In that capacity he was among the pioneers who together created the European Internet since November 1989. He recognised “security” as a future concern in 1991, and was chair of the 2nd CSIRT in Europe (now SURFcert) from 1992-8, and FIRST member since 1992. Today Don is a FIRST Liaison Member.
Together with Klaus-Peter Kossakowski he initiated and built the closer cooperation of European CSIRTs starting in 1993 – this led to the emergence of TF-CSIRT in 2000. In 1998 he finished the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC. He was active in the IETF and RIPE (co-creator of the IRT-object). Don chaired the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. From 2001-2011 his company ran TF-CSIRT’s Trusted Introducer service. He wrote and taught several training modules for the CSIRT community.
In 1998 Don started his first company. A first assignment was to build the network connecting over 10,000 schools in The Netherlands. Many CSIRTs were created with his help and guidance, among which the Dutch national team (NCSC-NL). Second opinions, audits and maturity assessments in this field have become a specialty – and in that capacity Don developed SIM3 in 2008, the maturity model for CSIRTs which is used worldwide today for maturity assessments and certifications. SIM3 has is now under the wings of the “Open CSIRT Foundation” (OCF). Don was one of the founders in 2016 and now chairs its board.
Starting in 1999, Don was certified in NLP, Time Line Therapy®, Coaching and Hypnotherapy, and brought that under the wing of “Cross Your Limits”, which portfolio is life & executive coaching, and training courses in what Don likes to call “human arts”. He also trains communicators, presenters and trainers, including many in the CSIRT field.
Don thrives as motivational and keynote speaker. He enjoys to share his views on how the various worlds of politics, economics, psychology and daily life, but also cyber security, all intertwine and relate – and how deeper understanding and a better ability to express ourselves, increase our ability to bring good change to self as well as the world around us. He has discussed such topics all over the world, from Rome to the Australian Outback. His goal is to challenge his audience to think out-of-the-box, and motivate them to be the difference that makes the difference, along the lines of the old African proverb:
“If you think you’re too small to make a difference, try sleeping in a closed room with a mosquito”.
stikvoort-don-slides.pdf
MD5: f7671402d537a9bf6d60214d3cebc074
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.34 Mb
Update on EC funded projects - GN2/JRA2 progress report
Jacques Schuurman
graf-christoph-slides.pdf
MD5: 86c08e0d020da9c0cea5db1320e2fcb5
Format: application/pdf
Last Update: June 7th, 2024
Size: 66.87 Kb
Update on RTIR working group
Carlos Fuentes
fuentes-carlos-slides.pdf
MD5: d087ec7298d652b77561721d02874fa3
Format: application/pdf
Last Update: June 7th, 2024
Size: 208.87 Kb
Ian Bryant, CSIA
bryant-ian-slides.pdf
MD5: 5555e9e1e3f2645d3265d242f4433955
Format: application/pdf
Last Update: June 7th, 2024
Size: 247.24 Kb
- US
US Operational Security Exercise
Charles Yun (Internet 2, US)
yun-charles-slides.pdf
MD5: eae81483d865a0b36fa6aab2efb9e48e
Format: application/pdf
Last Update: June 7th, 2024
Size: 87.56 Kb
- US
VisFlowConnect-IP : A Link-Based Visualization of NetFlows for Security Monitoring
William Yurcik (University of Texas at Dallas, US), William Yurcik (University of Texas at Dallas, US)
Network traffic dynamics have become an important behavior-based approach to assist security administrators in protecting networks. In this paper/presentation we present VisFlowConnect-IP, a link-based network flow visualization tool that allows operators to detect and investigate anomalous internal and external network traffic. We model the network as a graph with hosts being nodes and traffic flows being edges. We present a detailed description of VisFlowConnect-IP functionality and demonstrate its application to traffic dynamics in order to monitor, discover, and investigate security-relevant events.
yurcik-william-papers.pdf
MD5: c018093e17975a5a3905c821cbf18482
Format: application/pdf
Last Update: June 7th, 2024
Size: 756.88 Kb
yurcik-william-slides.pdf
MD5: a3d72fb0f65a759d34cb647861705cd1
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.99 Mb
- FR
WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats
Fabien Pouget (French Government, FR)
Fabien Pouget has a PhD degree from the Institut Eurecom (ENST Paris), France.
He received his master of Science from the Ecole Nationale Superieure des Telecommunications in 2002 after having worked as internship student in the IBM Research laboratory in Zurich, Switzerland. He joined the Network Security Team (nsteam) at Eurecom the same year. His research and teaching interests include computer and network security. He is involved in many projects on intrusion detection systems and honeypots and his PhD subject dealt with alert correlation.
He co-founded with Pr. Marc Dacier the Leurré.com project (www.leurrecom.org).
He is currently working for the French administrative CSIRT, CERTA.
pouget-fabien-slides.pdf
MD5: 2410a9d0a98c4270bd54b4951e9fca24
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.3 Mb
- CN
Worm Poisoning Technology and Application
Cui Xiang (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN), Cui Xiang (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN), Wu Bing (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN), Yonglin Zhou (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN), Zou Xin (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)
Current strategy against Internet worms is similar to capturing mouse using mousetrap, that is, to clip the occasionally passing mouse and never release until it dies. However, this strategy is less effective than that of spreading pest control chemicalst to cause a plague among cockroach group. For infected cockroach, we don’t expect it dead at once. We hope it goes back nest and infects others, by which way can kill pests at an exponential rate.
The theory of Worm Poisoning is similar with pest-toxicant production technics. The PoisonWorm functions like the pest-toxicant and the poisoned worm is like the infected pest then.
Worm Poisoning (also called Worm Spoofing) is a new-invented technology for worm containment. It tricks malicious worms to spread irrelevant file or code by their own mechanisms. The worm which poisons others and propagates by the poisoned worms is called PoisonWorm. So PoisonWorm is a special worm with active spread motivation, but without self-propagating capability. While it can obtain spread ability when some other malicious worms break out. It will reduce the negative influence of the malicious worm gradually, and won’t cause extra burden to the Internet or its host. A proof-of-concept PoisonWorm has been compiled and tested successfully using MSBlaster, Sasser, Mydoom and Netsky worms as the poisoned worms which proved the feasibility of the idea. PoisonWorm has some common characteristic but essential difference with anti-worm(also called good worm).
In this paper, the concept of Worm Poisoning and PoisonWorm are presented and the feasibility of Worm Poisoning is emphatically testified. A propagation model called SIRP and the side-effect to network traffic of PoisonWorm are given and compared to the classical epidemic Kermack-Mckendrick model. We highlight the feasibility and necessity of PoisonWorm and its application in active defense system against Internet worms. Also the technology of P2P-based unknown worm detection and signature verification is briefly introduced.
xiang-cui-papers.pdf
MD5: e43c8764b88cf48764d177e649e10a4b
Format: application/pdf
Last Update: June 7th, 2024
Size: 206.66 Kb
Zero-day work detection
Herbert Bos, VU, LOBSTER project
bos-herbert-slides.pdf
MD5: 7fd845194a436b64ef9f5ebe895b037c
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.1 Mb
