Maurizio Molina (EU)
MD5: 7d3a80ee6a97b1b02c076cf3bf170262
Format: application/pdf
Last Update: June 7th, 2024
Size: 325.58 Kb
The Great Hanshin-Awaji Earthquake in January 1995 resulted in the loss of over 6,400 lives and the full or partial destruction of 250,000 houses. JR-West's lines, too, suffered extensive damage, including the collapse of elevated tracks on the Sanyo Shinkansen and urban mainlines. Nevertheless, railway services and urban functions were restored rapidly, and this presentation will describe how this was achieved and what lessons were learned in the process by JR-West as a railway operator.
MD5: cc81ac06ce79a6508dfc82093f0040b5
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.92 Mb
Damage/harm done: The main problem was lack of Internet connectivity, i.e. the inability to send and receive information. Because of this there was a lot of misinformation, which caused people to panic.
Similarities between the Estonian and Georgian cases: The main similarities were the choice of targets and the choice of means: using defacement, DDoS, and trying to persuade people to "ping" or otherwise consume resources extensively. In both cases the attackers provided an alternative political message.
Conclusion: We do not realize that each day we grow more and more dependent on information systems and communications. The Internet has become a means that businesses cannot function without. Companies and governments are dependent on interconnected information systems. This raises new threats to society and provides other governments or interested groups of individuals with new means to influence societies or companies. We need to understand the environment and recognize that many small vulnerabilities can generate very big risks. Information technology is very good at amplification. Risks are distributed and asymmetric: small-time criminal activity can add up to big losses.
MD5: 46d1bdb35931d473b9e1f66b550f5075
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.35 Mb
CERT LEXSI (FR)
MD5: d792dc812b4880eb54986e4a86a6c88b
Format: application/pdf
Last Update: June 7th, 2024
Size: 525.05 Kb
Japan's Cyber Clean Center (CCC) is a unique national program designed to mitigate bot infections present in Japanese networks. Founded by the Japanese government in December 2006, the program has operated for almost two years. In this paper, we discuss the progress the CCC project has made to date, its successes, and its challenges in dealing with the problem of bot infections on a national level.
MD5: 158b3fcb1e66e852b0a8fdafda2d3577
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.84 Mb
Jordi Aguilà (e-la Caixa CSIRT, ES)
About two years ago the APWG (Anti-Phishing Working Group) created an internal security group named the IPC (Internet Policy Committee).
This group tries to raise awareness and promote executive action against fraud and other criminal activities on the Internet.
The IPC has started several actions together with ICANN to stop fraud through the use of legal actions in the Domain Name System.
In 2008 we saw the first collective actions coming from ICANN. FIRST and its members have a future executive role to play in those actions, and this presentation explains how.
MD5: 41aed63b05e248caa09ff8710b79ef0a
Format: application/pdf
Last Update: June 7th, 2024
Size: 298.14 Kb
The role of security within the system development lifecycle is evolving due to the introduction of new U.S. government guidance (NIST SP 800-64v2), adoption of international standards (ISO 27001) and professional standards (the Common Body of Knowledge of the Certified Secure Software Lifecycle Professional). The renewed focus on injecting security into the SDLC introduces an opportunity to better integrate security in the acquisition and design of new systems, thereby allowing the incorporation of functionality that will aid in system recovery, forensic investigations and incident recovery. Through discussion of best practices and case studies, we will explore how this renewed focus on security integration with the SDLC introduces opportunities for the CERT/CIRC to become more engaged in the management of risk.
MD5: a1bc6033a3a36574b852ab611d852195
Format: application/pdf
Last Update: June 7th, 2024
Size: 605.63 Kb
Jose Nazario (Arbor Networks, US)
Attackers have targeted critical infrastructure for over a decade in the form of denial-of-service attacks. The potential for attackers to disrupt the availability of network services continues to increase as critical business services are moved into cloud-based infrastructures. This talk will provide a retrospective history of DDoS evolution as well as a discussion of the security community's response over the past decade.
MD5: 941d5997a29c749db8c72dee6602216f
Format: application/pdf
Last Update: June 7th, 2024
Size: 420.08 Kb
With the rise of regulatory constructs and standards (ISO, ITIL, Sarbanes-Oxley) designed to ease corporate governance and audit, companies often fail to develop and manage reasonable network policies. While the reasons can be manifold, the gap between the creators and the enforcers of those policies emerges as the main cause.
Based on the experiences of numerous multinational corporations and organizations, this speech provides insights on how to avoid those pitfalls and discusses tangible measures for closing the gap. A step-by-step walk-through based on a real-life example of a global logistics company shows the development of a proper concept, comprehensible approaches and enforcement capabilities.
As a Senior Security Engineer at Open Systems, a global Managed Security Provider operating on all continents, Sven Brülisauer has long-term experience in designing, creating and executing/enforcing network security policies for international companies in various industries.
MD5: efb848d4250db21ded3f6d6e6c71737a
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.16 Mb
Gib Sorebo (SAIC, US)
Incident response is at a crossroads. For many years, security operations centers have focused on malware, ports, protocols, and devices. When the goal was to protect the perimeter, this solution worked well. However, now that applications bring partners and customers deeper into corporate networks, the traditional monitoring and response techniques often fail to detect some of the most insidious threats: the ones that seek to steal or change critical data without anyone noticing. In many cases, the incident response team is simply not equipped to know whether a sensitive data stream flowing out of the organization is authorized. More and more, incident response cannot be done in isolation. It must involve the business units who own the information and manage the people who consume it. This presentation will examine the evolving discipline of Data Life Cycle Management and how various technologies and techniques such as Data Leak Prevention (DLP), Digital Rights Management (DRM), and Data Access Management (DAM) can be leveraged by incident responders to better serve their organizations. The session will draw on studies conducted for a US Government Department and its efforts to address OMB Memorandum 06-16 Recommendation 4, which requires federal agencies to track and properly handle database extracts containing sensitive information.
MD5: d5b626d4459a47b7fcfcaa71e6026474
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.03 Mb
Measures like data retention, online searches of IT systems as weapons in the war against terrorism, and the extensive criminalisation of so-called "hacker tools" in the European Convention on Cybercrime are potential risks to the security of IT systems and to security research. On the other hand, promotion of IT security is also an elementary governmental objective.
This presentation will describe the recent implementation of this objective into law and the likely effects on the actual practice of IT security and security research. My intention is to explain in which cases these measures may prove counterproductive to the governmental intent to boost IT security.
The focus of the presentation will be on European legislation, although the problems in Europe are by no means regional, but part of worldwide policy against terrorism.
MD5: 7f48d7868d12d036b8474be835600da4
Format: application/pdf
Last Update: June 7th, 2024
Size: 111.17 Kb
As the information technology (IT) society expands, computer security incident response teams (CSIRTs) have been drawing attention and have been introduced in business enterprises as well.
This proposal analyzes the modeling that can be used to add, expand, or change functions of a CSIRT in the course of its operation when required by technical factors, such as more complicated attacks, or by organizational ones, such as its position within the whole organization it belongs to. Based on this analysis, a possible modeling architecture will be proposed, taking organizational approaches into account. This modeling architecture will help determine whether or not each factor that leads to adding, expanding, or changing functions of a CSIRT can be modeled. It also provides a design concept that considers the relationships and influences among models in cases where modeling is deemed possible.
MD5: 89b87d5a0e7e6533d53204d5afa49a29
Format: application/pdf
Last Update: June 7th, 2024
Size: 215.37 Kb
Performance metrics are used to drive business. Most of the time we focus on sales forecasts, FTE utilisation, and other tangible external measures. Yet our businesses depend on massively complex IT infrastructures which also have a huge amount to say about how they're working. Why do we disregard this enormous source of data? IT systems have flexible logging facilities which are ideally suited to hypothesis testing and performance measurement and forecasting. This presentation will give some examples which illustrate how businesses can answer questions such as: 1) what effect did my sales promotion have on visitors to my web site? 2) how long has this employee been a systemic abuser of our Acceptable Use Policies? 3) how much time do we spend addressing repetitive faults instead of fixing underlying causes? The presentation will be more commercial in nature than technical; attendees are not expected to have experience with logs.
MD5: 9c85bb57f985bbfa46c1dbb8b0522421
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.48 Mb
Vulnerability discovery can be an important task for a CSIRT team because it ensures certain security aspects of software. Unfortunately, from what we have learned over the past years, effective vulnerability discovery needs a lot of time and human resources. There is also a never-ending loop between software engineers and software security analysts, because new versions of software are released regularly and introduce a lot of changes in the code. There are situations in which there is not enough time for the usual vulnerability discovery procedure when a new piece of software, or a newer version of existing software, is about to be deployed in an insecure environment. In such cases, software security analysts normally want to spot the maximum number of existing vulnerabilities (if any) and to fix them as far as the time factor allows. Some of the most important current vulnerability discovery approaches and their effectiveness (with a special focus on time) will be discussed. New approaches will be introduced for use in situations in which the current approaches fail. The main topics covered are as follows:
o CERT and Vulnerability Discovery (VD)
o An Overview of Vulnerabilities
o Current Vulnerability Discovery Methods
o A New Procedure For Vulnerability Discovery
o The Proposed Procedure in Action
o PHP (CVE-2008-5498)
o xrdp (CVE-2008-5902, CVE-2008-5903, CVE-2008-5904)
o Q/A
razaviebadishajarisadeghian-sliders.pdf
MD5: 2bb00a858cdefff686a23473922e669d
Format: application/pdf
Last Update: June 7th, 2024
Size: 657.54 Kb
This intermediate session discusses the emerging nature of threats on the Internet today.
The session starts with a discussion about the general nature of threats, including answering the what, why, and how questions in how they relate to threats. There will be a discussion around technologies and methods that lead to new threats. A core element will be a year in review to discuss the last year of threats and how they relate to what is important for the next year. The session concludes with recommendations that can help mitigate exposure to future threats.
The audience should include security managers and engineers as well as IT engineers that have an interest in security.
The session was designed for an enterprise audience, but others will find the information useful and interesting as well. It is assumed that the audience has a basic knowledge of both computer and network security as well as TCP/IP networking in general.
MD5: 0cd851b01233418282314dd6e453f278
Format: application/pdf
Last Update: June 7th, 2024
Size: 2 Mb
Masato Terada (IPA, JP)
Masato Terada received an M.E. in Information and Image Sciences from the University of Chiba, Japan, in 1986. From 1986 to 1995, he was a researcher at the Network Systems Research Dept., Systems Development Lab., Hitachi. Since 1996, he has been a Senior Researcher at the Security Systems Research Dept., Systems Development Lab., Hitachi. From 2002 he studied at the Graduate School of Science and Technology, Keio University, and received his Ph.D. in 2005. Since 2004, he has been with the Hitachi Incident Response Team. He is also a visiting researcher at the Security Center, Information-Technology Promotion Agency, Japan (ipa.go.jp), and JVN associate staff at JPCERT/CC (jpcert.or.jp).
MD5: bb96626c18f87f3886c42c8a57b3d1eb
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.16 Mb
Adli Abdul Wahid (APNIC, MY)
Honeypots and honeynets are not new concepts. Many CERT/CSIRTs deploy them in one form or another for various reasons. MyCERT has been running a honeynet project since 2003. However, instead of using the data obtained for early-warning research, i.e. trend analysis or visualization, we have started to handle information gathered from the honeynet as incidents and report them to the respective ISPs or CERT/CSIRTs. In particular, we are interested in dealing with the source of the abuse.
Some of the challenges involve how to handle different types of abuse cases, the sheer volume of data involved and how to manage the incidents efficiently. In this presentation, we will share our experience in handling and reporting data captured from our honeynet. This talk will also highlight some of the operational issues involved in doing so.
MD5: 48be4f0999c763cd2085577c39608af0
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.8 Mb
In this presentation, we will talk about incidents in which Internet domains are hijacked. Domain hijacking is the illegal taking of control of a domain name from its legal holder. This attack may cause irreparable and lasting damage to a registrant and disrupt the registrant's business.
Domain hijacking is a widespread incident that many national and local CSIRT teams may encounter. Therefore, it is a necessity for a CSIRT team to be familiar with this kind of incident. This presentation will cover prevention methods, investigation of hijacked domains and domain hijackers, and recovery from the incident.
The main topics which are covered are as follows:
MD5: 5af1a58427ffcdeb1d6bd30d81bded98
Format: application/pdf
Last Update: June 7th, 2024
Size: 86.32 Kb
As cyber crime drives the evolution of malware, we have seen the volume of new malware grow way beyond exponential levels. How are the cyber criminals achieving this? Traditional anti-virus solutions have faced criticism, as some claim that in light of today's complex attacks the premise on which they are based is now an outdated approach. Cloud services have brought a new dimension to the Internet, and anti-malware vendors are utilising this methodology to provide a new level of real-time malware protection, the next evolution based on collaborative intelligence. What does cloud computing provide as a new front line of threat defence, and how?
MD5: 94044c445e0fc83487765d25f3cebb8e
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.77 Mb
The legacy voice network has always been a stepchild attack vector for the cyber security discipline, but it has never fallen out of favor with the hacker community. It still provides a near 100% guaranteed success rate for gaining unauthorized access to enterprise data networks and communications infrastructure. The deployment of VoIP technology has only exacerbated the problem. VOICE FIREWALL technology solves these issues, enables significant cost savings on voice services and supports a whole new and critical component of Cyber INCIDENT RESPONSE capabilities as they have been practiced over the past 20 years. Any Incident Response program that does not directly address the VOICE SERVICES VULNERABILITY set is running blind, and the costs to security and operations of that blindness are increasing daily. This presentation provides perspective on the set of vulnerabilities of voice services, a basic explanation of Voice Firewall technology, and introduces some of the fundamentals of VOICE INCIDENT RESPONSE as currently practiced in the commercial arena.
MD5: 569d0fd36429105f795f0e3533302530
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.59 Mb
Exchanging information is vital for today's networked world. This is particularly true for the domain of information security, because most security incidents are not limited to one administrative domain. Handling and mitigating security incidents requires effective collaboration. Thus enabling meaningful exchange of information is crucial. For information always to be interpreted the same way, standards are necessary. The same holds true when automatic processing is required. To this end a wealth of standards, enumerations, formats, and languages has already been created for information exchange in information security. This paper explores whether existing standards support collaboration between (incident handling) entities. General areas where standards are necessary, e.g. intrusion detection, malware identification and response, etc., are identified. The standards are briefly described and, where applicable, compared to each other. Implementations and use cases are mentioned. Last, but not least, uncharted standards territory is identified.
MD5: 4eee0f0faae24754959dda6c68e8e973
Format: application/pdf
Last Update: June 7th, 2024
Size: 420.76 Kb
Yonglin Zhou (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)
2008 was an important year for CNCERT/CC. During this year, CNCERT/CC participated in network security defense for the Beijing Olympic Games. After the Olympic Games, CNCERT/CC received formal thanks and a badge from the Beijing Olympic Organizing Committee for its excellent work.
Due to the importance of network security for the Beijing Olympic Games, CNCERT/CC prepared for and participated in it for nearly a year, and eventually accumulated much valuable experience in emergency response for network security at large events. This experience is not only of guiding significance for the future work of CNCERT/CC, I think, but would also be a good reference for our colleagues around the world. Therefore, at the FIRST Conference, a global network security event, I would like to share, on behalf of CNCERT/CC, our experience in participating in the Beijing Olympic Games network security defense with our colleagues from CERTs all over the world.
Prior to the 2008 Beijing Olympic Games, we had already done a lot of preparatory work. First of all, we tried to collect all types of data, information and intelligence, analyze the situation we were faced with, assess all possible threats against the Beijing Olympic Games, and classify and prioritize the various types of network incidents potentially targeting the Beijing Olympic Games. After that, we developed a multi-sectoral emergency response coordination plan, re-adjusted the internal work processes and carried out a number of drills based on the multi-sectoral emergency response plan; the APCERT incident drill 2007 is just one of them. Furthermore, we also sent out our call for cooperation on information sharing and incident handling to CERT organizations abroad via the FIRST network and the APCERT network, and received a positive response from the international CERT community.
During the whole of the Olympic Games and Paralympic Games, by means of a variety of monitoring tools, we implemented extensive monitoring of domain name hijacking, abnormal network traffic, important websites, Trojan horses, botnets, etc., and responded rapidly to threats against the information systems of the Olympic Games. In particular, on the eve of and midway through the Beijing Olympic Games, in order to dramatically reduce the risk of large-scale DDoS attacks, we launched two sudden strikes against botnet zombie servers and Trojan-horse C&C servers. The statistics show the excellent results of those actions.
The Beijing 2008 Olympic Games was a great and peaceful event, and that peace did not come easily. Much valuable experience deserves to be reviewed and shared. We hope our presentation benefits the whole CSIRT community.
MD5: f2482e608c447deee99515d82bf7b369
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.17 Mb
Although information security is my life-work, after spending five years doing my part to build Skype as the company's CSO, it was time to take a break, one that would help me put my career as well as my field of work into perspective. So I came to Japan to study Japanese full-time for a while.
The Japanese language is ideographic: the system of kanji, or Chinese writing, literally paints ideas. The connection between kanji and Japanese culture is palpable and complex, and the writing is extremely difficult to learn. But once I started picking apart how the characters are put together, I learned that there are many hidden and interesting concepts that are relevant to security and incident response.
MD5: d69325c4c353e728d19f33426f4be49d
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.5 Mb
The purpose of this presentation is to analyze the factors, and the interactions among them, that explain the differences between national and regional information security environments. It tackles such questions as: why did cyber crime take hold more quickly in some environments, and why does it evolve in different ways in each? Which indicators can help security professionals and policymakers understand how social and economic changes are expressed in subsequent changes in cyber crime and cyber security provision?
The presentation addresses these challenges by offering a comparative analysis of the development and current dynamics of malicious hacking activity in several of the world's major national/regional information security environments (exact choices to be determined, although Brazil, Russia, China and the US will be among them). Four sets of variables (socio-economic, technical, hacking community, and official response) will be defined and configured to provide a model of correlates of malicious hacking applicable to each environment. Because a dearth of sufficient data across the different national environments currently prevents sound large-n analyses, the second stage of the analysis will consist of a hypothesized causal chain intended to transform a correlative model into an explanatory one, using the methods of structured comparison and process-tracing, each drawing upon existing sociological and economic models of decision and collective action. Essentially, the model consists of two sets of environmental variables (the socio-economic and the technical) and two sets of actor-based variables (those pertaining to the hacking community itself and to the official and private-sector communities which resist it), which intersect to produce the characteristics and dynamics of each specific environment. The analysis will conclude by examining the extent to which the model also succeeds in explaining the current trend of growing integration among the different national/regional information security environments. Expected results include the extent to which the expanse and sophistication of different cyber crime environments can be explained by the creation and perpetuation of mechanisms which solve collective action problems, including the distribution of risk and the facilitation of anonymous trust through reciprocity.
MD5: 93d1e07f315791f1292c38a90e90f6c5
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.02 Mb
Created in 1923, INTERPOL is the world's largest international police organization. Its mission is to assist law enforcement agencies in its 187 member countries to combat all forms of transnational crime.
INTERPOL provides a high-end infrastructure of technical and operational support to enable police forces around the world to meet the growing challenges of crime in the 21st century.
Vincent's presentation will focus on INTERPOL's core functions and unique role in supporting its member countries in the fight for a safer world, including in cyberspace.
MD5: 355757570260acf864500eeae49bd0e2
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.76 Mb
IT security analysts in CERTs or situation centers need detailed information and extensive technical data for their work. The Internet-Analysis-System (IAS) is a distributed monitoring system for collecting statistical, anonymized network data with the goal of automatically finding anomalies in network operation and security.
Sensors are therefore located at internet gateways of companies, universities and public offices to examine network data passively and transmit status information to an analysis station. Profiles for normal behavior in various network layers and protocols are calculated and stored periodically. As a result the data which is currently monitored can be automatically compared to normal behavior, generating a warning if an anomaly occurs.
This paper describes the concept and implementation of the IAS briefly and explains how data is analyzed in the BSI situation center. Being used as a module of the German IT early warning system, the IAS has a larger monitoring scope than most monitoring systems and is a valuable extension to them.
MD5: 4c6e73fd40dc9a4d5233614c7c06487f
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.06 Mb
Chia-Mei Chen (National Sun Yat-Sen University, TW)
As Internet services increasingly prevail, more and more applications are put into web sites that can be accessed directly via web browsers over the network. However, most websites are developed with limited security consideration. Hackers have taken advantage of the vulnerabilities to inject malicious JavaScript into compromised web pages, and a victim who visits the site will be compromised. Based on our observation, malicious web pages exhibit unusual behavior in order to evade detection, which makes them different from normal ones. Therefore, we propose a client-side malicious web page detection method based on anomalous behavior analysis. By tracing and analyzing the target web page, our method can identify malicious web pages and alert website visitors efficiently.
MD5: d2d9e486fdfd1b844ea410316de8a874
Format: application/pdf
Last Update: June 7th, 2024
Size: 360.69 Kb
Mashups are the latest trend leveraging the proliferation of APIs (application programming interfaces) on the Internet. As developers migrate from seeking "killer apps" to "killer platforms" integrated applications created in the mashup style present unique security challenges as well as new opportunities for the incident response team. This talk will present the defining characteristics of Web 2.0 and Mashups and provide detailed analysis of security features unique to the mashup environment as well as opportunities and pitfalls for performing incident response for mashup applications on the Internet and within the Enterprise.
mcdermottrossman-2-sliders.pdf
MD5: cd20e84a2e4ac84bcb3f08c9ae7c299c
Format: application/pdf
Last Update: June 7th, 2024
Size: 317.41 Kb
This talk will provide insights into how measurement can be incorporated into after-the-fact analysis of the root causes of incidents to reduce the likelihood of future incidents. The talk will include an overview of the major measurement classes of vulnerabilities, such as software flaws, configuration settings, and trust relationship abuse. It will also discuss in detail the characteristics of vulnerabilities that can be measured using CVSS and other related specifications, as well as measurements not currently included in these specifications. Attendees will gain a better understanding of how they can incorporate measurements into their post-incident analysis processes, analyze these measurements, and draw conclusions as to what changes should be made to the organization's security posture.
MD5: f1734342b9ba2684dfb35bc2556b8671
Format: application/pdf
Last Update: June 7th, 2024
Size: 38.66 Kb
Security events such as user activity logs, network intrusion detection system (NIDS) alerts, server logs, and network device records are indispensable footprints that allow security investigators to trace activity and monitor problems. Without reliable event sources, monitoring is a futile exercise-there is no way to discern between the lack of activity and unrecorded activity. Security professionals must monitor interruptions in event sources to help ensure reliable and accurate metrics, preserve investigative integrity, and provide assurance that attackers cannot hide in event gaps.
The presenters will detail how the Cisco Computer Security Incident Response Team (CSIRT) uses open-source tools to improve integrity in its security monitoring. The presenters will introduce tools and processes to keep security events continually recorded, including how to maintain proper device configurations, how to maintain agreements with support staff, and how to monitor event feeds for gaps.
nystromschwartzburg-sliders.pdf
MD5: d465721c393dc89aa49d0d53f2192469
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.24 Mb
Hacker techniques continue to evolve. Are the "good guys" keeping up? This sequel to the book entitled "What Hackers Don't Want You to Know" updates some of the more recent myths and misconceptions which pervade the IT industry and create vulnerabilities in critical infrastructures. Problems with passwords and biometrics, bluetooth hacking, Web 2.0 vulnerabilities, RFID exposures and other issues will be discussed along with ways to avoid some of the pitfalls.
MD5: 013e1f3e1a8b847a7a7b684ba48963de
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.6 Mb
Jacomo Piccolini (ESR/RNP, BR)
Brazilian phishing gangs are well known for their skills and widespread usage of malware. According to the Brazilian Banking Authority, over U$ 200,000,000 was lost to Internet fraud in 2007. This presentation intends to show the new developments in Brazilian phishing malware, such as ransomware techniques, but will also demonstrate some of the techniques used, such as screen grabbing, mouse-click tapping, frame overlapping, browser simulation (where the browser is simulated to act as the original), and how this information is packed and sent to the attacker. This will be a live demonstration of malware activity and phishing kits. Since this presentation will cover the latest developments, the final material will be given only at the conference.
MD5: 67c361384133e50a7b82859510c4888e
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.33 Mb
Ronaldo Castro de Vasconcellos (BR)
vasconcellos-ronaldo-sliders.pdf
MD5: f6b25120c39f9ffa580e712cc98989ed
Format: application/pdf
Last Update: June 7th, 2024
Size: 656.26 Kb
Successful malware attacks are always backed by sophisticated, hard-to-track infrastructure. An increasing number of cyber-criminal groups are relying on sophisticated Fast-Flux networks, making it hard to stop the attack.
This presentation will focus on how to track Fast-Flux networks using multiple sources and proactively block all associated domains and IP addresses. Most successful Fast-Flux attacks stay alive by constantly adding new domains and IPs to their botnet. The presentation will show how to keep up with a Fast-Flux network as it registers new domains to be used in the attack.
MD5: 93d6718481e3384432e2fb41a5554fc4
Format: application/pdf
Last Update: June 7th, 2024
Size: 627.86 Kb
Proprietary data leaks can be particularly challenging incidents to manage. The very foundation of the business may be at stake. Determining the scope of the incident is critical and can be quite tricky, because data leaks can occur through physical media, such as mobile phones and USB drives, or via covert network channels. These breaches can be further complicated when proprietary data includes personally identifying information (PII), protected health information (PHI) or payment card industry (PCI) data.
This presentation will provide security team managers with practical guidelines for responding to proprietary data leaks (PDL). We will discuss state-of-the-art technology for smuggling data, methods for efficiently determining the scope of PDL incidents, and strategies for navigating potential regulatory concerns during response.
Employees often have physical access to sensitive data while carrying cell phones, PDAs, cameras, iPods, and thumb drives. Network access is ubiquitous. As a result, in many organizations, both the risk and potential impact of a PDL is extremely high.
The single most critical step in managing PDL incidents is to accurately determine the scope of the leak as early as possible. This can be challenging because of the vast array of exfiltration vectors available to attackers and the ease of hiding information. We will review the latest mobile storage devices and the ways that attackers can use them to smuggle data undetected out of organizations and across borders. This will include a live demonstration using an ordinary cell phone as an encrypted file transfer device. We will then discuss ways that attackers can set up and use covert network channels to export proprietary data. Based on this overview, we will discuss strategies for accurately determining the full scope of a PDL as quickly as possible.
Once the scope of a PDL incident has been determined, the security team can follow normal response procedures for notifying business units, law enforcement, and customers. Special care must be taken to maintain internal communication and organization, since often many different internal groups are involved and are highly concerned. When PDL cases involve PII or other regulated data, the company's response may be dictated by law. The response team must be trained in advance to recognize regulated data and escalate cases appropriately.
In the aftermath of a PDL incident, security team managers can find themselves overwhelmed by the complexity and uncertainty of the response. This presentation will provide managers with a detailed understanding of the current technology used for data smuggling, as well as practical, prioritized guidelines for managing PDL response and recovery.
davidoff-sherri-ham-jonathan-sliders.pdf
MD5: f9c21e0d135d96a0489507c451dc041d
Format: application/pdf
Last Update: June 7th, 2024
Size: 620.01 Kb
Frank Wintle (PanMedia Ltd, GB)
"Only the fool," wrote T. S. Eliot in his 1935 play Murder in the Cathedral, "may think he can turn the wheel on which he turns." That's a truth Nassim Nicholas Taleb rediscovered for us this year in his best-seller The Black Swan: The Impact of the Highly Improbable, where he shows how, in business as well as in life, our predictive powers are delusive and we should expect not just the unexpected, but the unexpected catastrophe.
When the wheel we think we're turning flies off its axle and hits us in the face, you can be sure the media will be quick to the scene, pushing cameras and microphones into our dazed faces to get the best shots of our wounds and asking "How do you feel? How did this happen? Who's responsible? What are you going to do about it?"...
Internet security practitioners are particularly exposed when a media firestorm breaks. Users are aware it's imperative to keep communications and transactions secure, but their technical expertise usually ranges from scant to zero. Low levels of understanding promote high levels of blind trust and dependency, which quickly convert to outrage and recrimination when their web-worlds turn upside down. Worse, in a crisis the specialist correspondent is supplanted by the general news reporter, whose knowledge is also limited, and whose priority is to name and shame the guilty parties.
So the lure is to bolt the doors, shutter the windows, and try to get on with the business of recovery in what is an attempt at a media black-out.
Only you can't. Because in today's media, if you leave a vacuum, someone else (one of an army of analysts, or a politician, or your competitor, or delegates from all three) will be swept onto the empty stage and start talking on your behalf, saying things you might not like to hear.
At this turning point in your corporate lifecycle, how you handle the media, and the image you therefore project, will have a profound effect on your reputation. If you're part of a quoted company, according to research from the University of Oxford, England, the way you behave publicly in a crisis will directly impact your stock price: do well and your shares can actually end up worth more than they were before disaster struck.
The author and international award-winning documentary film-maker Frank Wintle now advises major corporations on their media strategies and helps them prepare for, rehearse, and execute media crisis management. He is also FIRST's communications consultant.
In "Recapturing the Wheel: Media Perspectives on Crisis and Recovery" he will be sharing these strategies with the FIRST Kyoto audience.
MD5: eee46422f0e077b5b7d963bbbfaa6700
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.7 Mb
Bruce Schneier (Counterpane Internet Security, Inc., US)
Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. We tend to discount the feeling in favor of the reality, but they're both important. The divergence between the two explains why we have so much security theater, and why so many smart security solutions go unimplemented. Several different fields -- behavioral economics, the psychology of decision making, evolutionary biology -- shed light on how we perceive security, risk, and cost. It's only when the feeling and reality of security converge that we have real security.
Recently malicious Internet activity has finally been getting the attention it needs. People are finally starting to realize the potential dangers they face while working, playing, shopping and banking online. But how big is the problem, really? Utilizing observations of life in the underground economy and metadata collected from Team Cymru's extensive network of darknet sensors and other methods, Dave will paint a colorful picture of how prevalent, international and businesslike Internet crime is today. You will never view your broadband link the same way again.
MD5: 8abdda8795b3f5dd516b2f995cf2bce5
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.4 Mb
David Tabatadze (CERT-GE, GE)
MD5: 8e841bfc99eb598afbdcf86b2bd8ed58
Format: application/pdf
Last Update: June 7th, 2024
Size: 174.13 Kb
Jorge Chinea López (INTECO, ES)
MD5: 95eb2190bbf16c7cf1098d338c018e6b
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.17 Mb
Ronaldo Castro de Vasconcellos (BR)
Cell phones are not ordinary talking devices anymore. Complex operating systems (Android, iPhone OS, Symbian, Windows Mobile), third-party applications, full-time connectivity (3G, Wi-Fi, Bluetooth) and GPS receivers make the so-called smartphone a formidable attack platform with new possibilities. The presenter will give an overview of known attack strategies, a look at what happened at recent hacker conferences regarding mobile attacks, and some possible and realistic future scenarios.
vasconcellos-ronaldo-sliders2.pdf
MD5: eaaeab70d4f41049452a7efac96a67b6
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.25 Mb
Kenneth R. van Wyk (KRvW Associates, LLC, US)
Incident response as we know it has come a long way since its inception in the late 1980s. In today's environment, it is vital that incident response teams are able to rise to increasing demands, which range from ensuring regulatory compliance to working with software development teams to help adequately build security into our business software. In his talk, Ken will discuss the changing incident response environment and what sorts of technical skill sets it will take for a CSIRT to be able to succeed in the future.
MD5: 6816e3929b4d45525ea4d121d0528574
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.49 Mb
Information and communications networks, especially the Internet, have developed dramatically, contribute to improving people's daily lives, and now function as fundamental social and economic infrastructure. At the same time, cyber-attacks and cyber-crime are increasing, and the threat to information security has been growing.
In order to take effective measures against this concern, incident response carried out in cooperation with the police is expected at every organization. Related themes are as follows:
CFC is the only law enforcement member of FIRST. We would like to contribute to the improvement of information security measures in every organization through our presentation.
MD5: 694f86c209edbb481c55baa4fd21168e
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.37 Mb
Foy Shiver (The Anti Phishing Working Group, US)
Internet crime continues to evolve and the miscreants are ever industrious in their attacks. This session will look at how phishing and electronic crime continue to change as seen across the APWG's broad member base. The progress of APWG's policy and best-practice efforts working with ICANN, the registries, registrars, industry and law enforcement will be reviewed. In addition, new initiatives toward accelerated take-downs of criminal sites, new education projects and ongoing research efforts will be presented.
A few of the areas to be covered:
MD5: 83813f9b475fcb255e4a3da683e80566
Format: application/pdf
Last Update: June 7th, 2024
Size: 1022.24 Kb
Marc Vilanova (Netflix, US)
During his 30-min. presentation, the speaker will stress the importance of analyzing all Trojan incidents with computer forensics techniques and will describe some of the methods used by banks to detect Trojan-infected customers in order to raise timely alerts. He will also present a real case of a banking Trojan to the audience.
MD5: 3027409c3652d73ba34a77c0288b2c7f
Format: application/pdf
Last Update: June 7th, 2024
Size: 825.42 Kb
It seems that for every security issue there are at least ten, if not more, solutions, and in many instances the correct solution may differ across the diverse scope of a business. How do we combine business risk with security knowledge and expertise to ensure the first response is the right response, relevant to the business risk profile, the characteristics of the threat and the tools at our disposal, when seconds and minutes do make a difference? How do we ensure we are ready for the next challenge to our specific business's IT security? We need an approach that truly combines countermeasures and business risk awareness with industry threat expertise in today's diverse security vendor landscape.
MD5: 5f877d810652d9c7b9cfff51b20a1e78
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.3 Mb
The National University of Singapore campus network is a multi-gigabit, high-speed network which hosts many machines. On average, there are around 20,000 systems online during office hours. There are close to 3000 servers on the network, providing vital services to academic research and university administration. These servers are administered by some 500 IT professionals, administrative officers, researchers and students scattered around various schools, faculties, research centers, hostels and departments.
Despite the layers of defenses sheltering the network from constant attacks, IT security incidents happen from time to time, caused by outside and inside attackers, due to the openness of the network and the freedom of research inherent in an academic environment. NUSCERT has thus gained considerable hands-on experience in incident handling and computer forensics. Incident recovery is part of day-to-day life in such an environment.
The presentation will first explain the "priority based" incident handling framework established by NUSCERT over the years, emphasizing the incident recovery strategies and tactics.
As a case study, real-life examples selected from the university's incident database will be analyzed to demonstrate the workings of the incident recovery tactics in an academic environment.
Key success factors will be shared and the decision-making processes will be recreated to benefit other similar large organizations.
MD5: d8c76bca0eedf6ae3d9b490d3a0199af
Format: application/pdf
Last Update: June 7th, 2024
Size: 93.78 Kb
Michael La Pilla (iDefense, US)
Incident responders are often charged with analyzing data and performing forensics and cleanup for major incidents. Oftentimes, during both targeted attacks and generic malware incidents, the intention of the attack is incorrectly assessed.
This presentation will highlight both major and unreported incidents from the past year, primarily focusing on malware. Attackers often use certain tools or traits for intentional misinformation campaigns to mask who is behind attacks and what data is actually taken. It will attempt to show the most common false assumptions made in attack analysis and show real-world examples of misinformation campaigns.
MD5: b05f2075dcc5ef82a19e61aa4a8b3976
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.03 Mb
Jose Nazario (Arbor Networks, US)
This talk will provide a technical update on the latest types of infrastructure attacks that Arbor Networks is seeing in the wild. Specifically, it will delve into three categories of attack: denial-of-service attacks, DNS attacks, and routing attacks. It will provide both an overview of recent empirical attacks as well as a summary of carrier survey data.
MD5: c0287680ff610a7e7d62a004c2ef2311
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.18 Mb
Francisco (Paco) Monserrat (RedIRIS)
Francisco "Paco" Monserrat is the Security Coordinator of RedIRIS (the Spanish Academic and Research Network) and has been a FIRST member since 1997. During the last few years, he has worked actively in the TF-CSIRT, promoting cooperation among CSIRTs in Europe.
Paco has spoken at various conferences and his activities focus on forensic analysis, cryptography and Computer Security Incident Response Teams.
MD5: 6b49034551b0a7b270eb287f02d8e2ec
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.55 Mb
Andreas Schuster (Deutsche Telekom AG, DE)
The analysis of main memory can provide valuable help in incident response and forensic investigations. One of the most promising tools in this field is the Volatility framework. This free and open-source software provides analysts with a comprehensive set of commands to enumerate processes, drivers, network connections, and much more. For experienced users, Volatility becomes a programming framework that allows custom analysis modules to be built in little time.
This tutorial will provide the attendees with the fundamentals of memory management on the Microsoft Windows platform. Attendees will learn how to leverage Volatility to uncover malicious system activity. A mapping will be drawn between key concepts of memory management and the core modules of Volatility. Advanced users will create their first plug-in during the course.
MD5: ab67cbe1c8561233166f425e0d48918f
Format: application/pdf
Last Update: June 7th, 2024
Size: 292.63 Kb