Publications (2007)

  • GB

    A day in the life of a hacker... Things we get up to when nobody is looking, and that keep me awake at night.

    In this session I will give a roundup of some of the issues I've spoken about over the last year, which include:

    • Magstripes
    • InfraRed
    • RFID
    • ATM Machines

    Whilst I aim to make this reasonably technical, it will be fairly relaxed and informal, with live demonstrations and some room for experimentation if any of the participants are brave enough... :)

    Seville, ES

    June 20, 2007 10:00-10:50, June 20, 2007 11:20-12:20, June 20, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: 1b81aee2cd883c149ebb2600b50ad075

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 9.43 Mb

  • JP

    An Internet Threat Evaluation Method based on Access Graph of Malicious Packets

    Malicious packets generated by Internet worms or port scans can be captured by monitoring ports of IP addresses where any network service is provided. Several methods have been proposed for detecting threats over the Internet by monitoring malicious packets. Most of these methods apply statistical methods to time-series frequencies of malicious packets captured at each port.

    This paper proposes a new method for evaluating threats on the Internet based on an access graph defined by the relation between sources and destinations of malicious packets. The method represents the access relation between sources and destinations of malicious packets as a bipartite graph and defines the relation of threat and vulnerability between those sources and destinations. To evaluate threats on the Internet, we apply a new method to this relation. The method evaluates threats using the spatial structure of the access graph, which traditional methods have not used. We applied our method to working examples monitored during periods of worm outbreaks to show its effectiveness.

    Seville, ES

    June 22, 2007 11:20-12:20

    Hosted by FIRST.Org

    MD5: a41baf56d9d9d35ac7653058b1c502e7

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 115.86 Kb

    MD5: 6add801418802149c78a69851a859a97

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 182.62 Kb

  • DE

    Assessing Incident Severity in a Network and Automatic Defense Mechanisms

    Threat sources for computer networks are diverse and increasingly complex. Attackers usually make use of vulnerabilities or configuration mistakes to break through the external lines of defense into different hosts, or to pry on what should otherwise be a secure/private communication channel.

    Unfortunately, the means to defend from and react to attacks are scarce and work mostly in isolation. Among these we can count firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and honeypots, as well as the possibility of doing penetration tests from within or from outside the network.

    By using all these methods at hand, there is a lot of information available that has to be processed to assess the current situation. Based on this the security policies governing a network can be adjusted. This is by no means trivial and could overwhelm a person trying to do it manually.

    This paper presents a framework that concentrates the input from different sensor types, assesses the situation and decides on the action to take to counter a possible attack. This ranges from (semi-)automatically changing the security policies for the whole network, to reconfiguring a service within a host.

    In particular the processing method to make the assessment will be the core of this article.

    Seville, ES

    June 20, 2007 17:00-18:00

    Hosted by FIRST.Org

    MD5: 2f1973e703815fe3f3abf4425ae7be44

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 492.37 Kb

    MD5: 63d8eadbf8fd347a0ee6abc48fed1055

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.69 Mb

  • PL

    Beyond the CPU: Defeating Hardware Based RAM Acquisition Tools

    Many people believe that using a hardware based acquisition method, such as a PCI card or a FireWire bus, is the most reliable and secure way to obtain an image of the volatile memory (RAM) for forensic purposes.

    This presentation is aimed at changing this belief by demonstrating how to cheat such hardware based solutions, so that the image obtained using e.g. a FireWire connection can be made different from the real contents of the physical memory as seen by the CPU. The attack does not require system reboot.

    The presented technique has been designed and implemented to work against AMD64 based systems, but it does not rely on hardware virtualization extensions.

    Seville, ES

    June 20, 2007 17:00-18:00

    Hosted by FIRST.Org

    MD5: 8985173b09a874569517b67208c22482

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 722.81 Kb

  • ES BR

    Botnet: Creation, usage, detection and eradication

    Francisco Monserrat

    Francisco "Paco" Monserrat is the Security Coordinator of RedIRIS (the Spanish Academic and Research Network) and has been a FIRST member since 1997. During the last few years, he has worked actively on the TF-CSIRT, promoting the cooperation among CSIRTs in Europe.

    Paco has spoken at various conferences and his activities focus on forensic analysis, cryptography and Computer Security Incident Response Teams.

    Guilherme Vênere has a BSc in Computer Science from Universidade Federal de São Carlos. With 11 years of experience in system administration and security, he has been a security analyst at CAIS/RNP (Brazilian Research Network Security and Incident Response Team) for the last 3 years. He is also a FIRST member, and an instructor of computer forensics classes at Brazilian and international conferences. He holds GCFA and BS-7799 certifications. He is currently working on an attack and infection detection system for the RNP backbone.

    Jacomo Dimmit Boca Piccolini has an Engineer degree in Industrial Engineering from Universidade Federal de Sao Carlos - UFSCar, with two post-graduate degrees, one obtained at the Computer Science Institute and the other at the Economics Institute of Universidade de Campinas - Unicamp. He is GCIA, GIAC Certified Intrusion Analyst, and GCFA, GIAC Certified Forensics Analyst, working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field, he is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of the RNP backbone infrastructure by hackers.

    Seville, ES

    June 21, 2007 10:00-10:50, June 21, 2007 11:20-12:20, June 21, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: 28a48e639689e585c1e68751deb286da

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 2.41 Mb

  • US

    Common Vulnerability Scoring System (CVSS-SIG)

    Gavin Reid is VP of Threat Intelligence for HUMAN, a cybersecurity company that protects enterprises from bot attacks to keep digital experiences human. Previous to this, he was the CSO for Recorded Future, which delivers advanced security intelligence to disrupt adversaries, empower defenders, and protect organizations. Reid had global responsibility for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. Gavin has 20 years of experience in managing all aspects of security for large enterprises. He was the creator of Cisco's Security Incident Response Team (CSIRT), Cisco's Threat Research and Communications (TRAC), and Fidelity's Cyber Information Group (CIG). Gavin started doing information security at NASA's Johnson Space Centre.

    Seville, ES

    June 19, 2007 11:20-13:10

    Hosted by FIRST.Org

    MD5: 459d9c5e7ffb3da6942c54c013ab7f32

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 332.53 Kb

  • US

    Phishing Trojan horse programs are not traditional bots, but sophisticated and original pieces of malicious code. Since iDefense began tracking this technique in May 2006, attackers have quietly seeded dozens of variants into the wild to target at least 30 specific banking institutions. These attackers had intimate knowledge of each targeted bank’s Web infrastructure and built a sophisticated command-and-control system that completely automated the attacks. The authors believe that criminal organizations are using these phishing Trojans to compromise millions of bank accounts across the globe. These Phishing Trojan attacks can defeat sophisticated authentication schemes that security experts previously thought rock solid.

    This presentation discusses mitigation techniques that work and fail in light of these new malicious code attacks. The audience will be given an overview on malicious code attacks against the financial infrastructure and an introduction to banking authentication schemes. The presentation also includes cyber fraud detection and mitigation strategies.

    Seville, ES

    June 20, 2007 17:00-18:00

    Hosted by FIRST.Org

    MD5: b37e11e6b30f2dc8dcd07d9977b43e72

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 281.68 Kb

    MD5: 2ad0b4e932dc299928170039769ad253

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.38 Mb

  • US

    Data on Data Breaches: Past, Present, and Future

    A number of high-profile data loss incidents have focused attention on questions surrounding the collection, storage, and protection of personal information.

    Measures aimed at protecting those whose personal information has been put at risk through such incidents have become widespread in the U.S., with increasing calls for similar regulation in the EU, Canada, and elsewhere.

    We examine past and present security breaches to illustrate the thesis that to understand, we must discuss. Effective measures to address security breaches can only be developed through empirical research. We can learn what contributes to such breaches, and their impact on those whose information is revealed and on the breached entity.

    We conclude by discussing future steps that can be taken legislatively and by the research community to facilitate greater understanding in this area.

    Seville, ES

    June 20, 2007 10:00-10:50

    Hosted by FIRST.Org

    MD5: 7fcd44d846f585f8dee0253947a0e96d

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 2.65 Mb

  • DE

    Dealing with Unreliable Software: Exile, Jail, and other Sentences

    In terms of security, web browsers are most unreliable fellows: during the past few years, no other application type has been as error prone, inviting a plethora of attacks. Yet, modern business cannot do without web browsers any more. Other application types handling data accessed via the Internet such as messaging applications, document viewers, peer-to-peer applications, etc., are also increasingly under attack, but at least some of them cannot be done without. What is one to do?

    This talk discusses the possibilities of mitigating risk by separating unreliable software from production systems. We provide an overview of various methods of separation (exile on a dedicated system, jail in virtual or change-root-like environments, ...), discuss the security gain that can be achieved, and highlight the challenges in integrating such separated systems with the production environment so as to achieve satisfactory usability.

    Seville, ES

    June 21, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: eacf5933f665b2b18fbc14201ac9b355

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 6.67 Mb

  • GR

    Developing a trusted partnership to prepare a framework for the collection of information security data

    Public and private decision makers need accurate statistical and economic data on information security. They need information about trends and volumes of security problems, but also about the level of confidence that clients and citizens put in information processing resources. Various public and private sources of such data exist, within an organisation, within a country and beyond borders. However, in most cases such data is kept in silos, not compared with data from other sources. This happens for technical reasons, but also because every incident is embarrassing for the owner of the technical infrastructure and most think that such information is best kept secret.

    ENISA, the European Network and Information Security Agency, has received the task to evaluate whether a trusted partnership can be developed and to prepare a framework for collection of such data. This could include Managed Security Service Providers, Electronic Communication Service Providers, vendors, users, government entities and others. The goal is not to actually share data - that would be too ambitious, given the sensitive nature of the information - but rather to discuss under which circumstances sharing of such sensitive data can be possible. In June 2007, first results of this relationship-building will be visible. The goal of this session is to present them to the public.

    Seville, ES

    June 22, 2007 15:40-16:30

    Hosted by FIRST.Org

    MD5: b357d0f78c479b7341bab27a6aca0e06

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 28.13 Kb

    MD5: 81dd12dfb06c4567486235a74ad1e415

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 100.53 Kb

  • NZ

    Electronic Forensics: a Case for First Responders

    Almost every aspect of our lives is touched or somehow controlled by technology driven processes, procedures and devices. It is therefore important to understand that because of this pervasive electronic influence, there is a high probability that a successful criminal or unacceptable incident will occur within the perimeter of an organization’s information and/or computer and network infrastructure. The difference between conducting a successful investigation resulting in a potential prosecution or failing these will often lie squarely in the lap of the electronic forensic investigator. If potential evidence is compromised at any point in the investigation, it will be unacceptable in a court of law. The highest risk of compromise occurs at the point prior to evidentiary acquisition. The first responder’s primary responsibility is to protect and preserve potential evidence and to see to it that suspect electronic devices and storage media are not tampered with by anyone until such time as the professional electronic forensics investigator (law enforcement or private) takes full control of the scene. This paper will explore electronic forensics demonstrating the need and making the case for the appointment and training of a first responder to incidents where electronic devices may have been used.

    Seville, ES

    June 22, 2007 10:00-10:50

    Hosted by FIRST.Org

    MD5: db28284bde10f46a26487c4c5fea9cc8

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 73 Kb

  • DE

    Experiences with Building, Deploying and Running remote-controlled easily installable Network Sensors

    A remotely manageable network sensor on a live CD may allow a CERT with little or no direct control over its networks to achieve improved situation awareness: because installation of such a sensor requires very little effort on the part of local system administrators, the barrier to deploying IDS sensors is significantly lowered. Furthermore, an easily installable network sensor is a valuable tool for fast response to ongoing incidents in which network data must be collected.

    This talk reports on the experiences collected by Siemens CERT in creating an easily installable IDS sensor, deploying it within the company and running the sensor network: we describe the design of the sensor and sensor management console and report on lessons learned in interacting with local system administrators and operating the sensors. We also describe experiences with using remote sensors as honeypots rather than IDS sensors.

    Building on our experiences, other CERTs should be able to get up to speed fast with creating and rolling out network sensors in their network.

    Seville, ES

    June 22, 2007 15:40-16:30

    Hosted by FIRST.Org

    MD5: fdccc303d2e434738b7c3722e4d01db4

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 2.44 Mb

  • First Team Members Update Panel

    Francisco "Paco" Monserrat is the Security Coordinator of RedIRIS (the Spanish Academic and Research Network) and has been a FIRST member since 1997. During the last few years, he has worked actively on the TF-CSIRT, promoting the cooperation among CSIRTs in Europe.

    Paco has spoken at various conferences and his activities focus on forensic analysis, cryptography and Computer Security Incident Response Teams.

    Seville, ES

    June 22, 2007 11:20-12:20, June 22, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: 9f3634203b5ca259cc8666572e5e41e4

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 324.18 Kb

  • IT

    Flaws and frauds in the evaluation of IDS/IPS technologies

    One of the things that amazes me on mailing lists and in conferences regarding intrusion detection is the symmetric presence of two concurrent issues:

    • customers asking "what is the better IDS for my architecture, or for this specific requirement?"
    • vendors and scientists claiming "my IDS is better than that", all the time

    Both are very reasonable stances, per se. Trouble is, we don't have answers for those customers, and we don't have benchmarks to actually measure if one IDS is better than another. Since a key issue in developing technologies is measuring how well they compare with earlier attempts, it is an unsurprising result that we don't have really good IDS yet, just a very wide bunch of (often unconvincing) suggestions on how an IDS should be made.

    So, I'd like to help fellow practitioners and researchers by debunking claimed "performances" of current IDS systems, by demolishing current "testing methodologies" and by showing how practical testing architectures can be created to compare systems.

    The key points to take away from this lecture are:

    • how to easily debunk most current literature on the subject, in particular marketing material, and
    • how to devise tests that can efficiently help us choose among different technologies when implementing an IDS solution

    Seville, ES

    June 21, 2007 11:20-12:20

    Hosted by FIRST.Org

    MD5: 12dc791d266caad8025bbff410b68be4

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 199.96 Kb

    MD5: 5773048c6d9e9867f68a7b3b47f87226

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 483.9 Kb

  • US

    Forensic Discovery

    Wietse presents lessons learned about the persistence of information in file systems and in main memory of modern computers - not only how long information persists, but also why this happens, and what the limitations of that information are.

    After an introduction to the basic concepts of volatility and persistence, Wietse presents examples of how to recover time line information from a variety of network and host-based sources, including a walk-through of a post-mortem file system analysis.

    The presentation ends with results from file and memory persistence measurements. The results are based on measurements of a variety of UNIX and Linux systems, with some results for Windows/XP, including how to recover encrypted files without knowing the key.

    This presentation includes content from the "Forensic Discovery" book that was co-authored with Dan Farmer.

    Seville, ES

    June 18, 2007 09:00-10:50, June 18, 2007 11:20-13:10

    Hosted by FIRST.Org

    MD5: 19f054efea2a154eee50762bcac04666

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 381.66 Kb

  • US

    Forensics for Managers – Presenting and understanding forensics from the MBA point of view

    This presentation delivers a basic understanding of forensics from an MBA's point of view. What is forensics? Why do we need it? Who wants our information? Why would someone attack us? Why do these tools cost so much? These questions and more will be answered from an easy to understand point of view. This class was designed to help mid-level and upper management understand and appreciate the cost, payback, and time needed to conduct an investigation, but is ideal for anyone desiring to understand exactly what is involved in digital media exploitation. This will not be an in-depth class, nor a vendor specific class, but common industry specific tools will be mentioned for their pros and cons as used in a real-world environment.

    Seville, ES

    June 21, 2007 10:00-10:50

    Hosted by FIRST.Org

    MD5: ce696a25ae2482ff3749d0ede49110de

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.8 Mb

  • SG

    Handling Less-Than-Zero-Day Attack – A Case Study

    While some people are still suspicious about the existence and significance of zero-day threats and attacks, less-than-zero-day attacks have come onto the scene. Less-than-zero-day attacks refer to those targeting vulnerabilities that haven't been publicly disclosed. With the trend in recent years of hackers targeting financial gain rather than fame, less-than-zero-day attacks are expected to pose greater risk to organizations. However, they are very difficult to defend against because the vulnerabilities are unknown.

    In this presentation, I will share our experience in dealing with such attacks. Monitoring and alerting of the incident will be introduced first, followed by containment of the damage, analysis of the compromised system, and identification of the less-than-zero-day attack. After that, I will talk about the process of reporting the unpublished vulnerability to the CERT Coordination Centre and the relevant vendor, as well as assisting the vendor to fix it, so that organizations using this software can be protected. At the end, I will talk about the lessons learnt and the security measures we find useful in dealing with such kinds of attacks.

    I hope by sharing our experience, more people will join in the efforts to combat against less-than-zero-day attacks, report unpublished attacks, and help the vendors to fix them, so that organizations globally are protected and the internet security as a whole can be improved.

    Seville, ES

    June 22, 2007 11:20-12:20

    Hosted by FIRST.Org

    MD5: 9fea983c204bb6b28372bfd3b6d0cc06

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 157.37 Kb

  • ZA

    I know what you (and your company) did last summer...

    In recent times a lot of emphasis has been placed on the interaction and collaboration between individuals on the Internet – the old asymmetrical nature of the web has changed from a data producer/consumer model to a model where everyone is a producer and a consumer at the same time. This change has been very rapid, without set guidelines or policies – it's best described as a phenomenon rather than a well thought out process – and it is indeed one that is driven by the community rather than an RFC. The challenges faced by the traditional producers of yesterday are now on the doorstep of individuals – with the difference that the environment and role players are a lot less defined. The high level of interaction and connections between produced information, the vague identity of the producer and the abundance of distribution channels make the Internet of today the ideal breeding ground for those with less-than-honest intentions who utilize trickery such as personal (online) identity theft, public opinion manipulation, viral campaigns or simply discovering valuable or restricted information by means of extensive data mining. These types of attacks could be performed by individuals with minimal technical knowledge and infrastructure.

    In this presentation I will look at how the abundance of information available on the Internet, combined with a generation of less-questioning, more trusting Internet users, can lead to vulnerabilities that are hard to delineate, hard to anticipate, hard to protect against, and, as will be shown in the presentation, a disturbing reality. The presentation will further look at possible ways to defend against these types of attacks, as well as discussing and demonstrating a framework for generic information gathering that could be used in both a defensive and an attacking role.

    Seville, ES

    June 21, 2007 10:00-10:50, June 21, 2007 11:20-12:20, June 21, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: 1079eb9b439b28171c6f0ce376b292b5

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.34 Mb

  • GB

    Identity Management Systems: the forensic dimension

    An identity management system consists of an enabling technology, a means of managing that technology, and a framework of policies, law and regulations. If all works out well we achieve a balance of reliability in authentication and appropriate levels of confidentiality for those taking part.

    But over a period of time the quality of the enabling technology and its management may become eroded. The technology may be less robust than first appeared, or advances may make compromise easier. A management system may show unexpected defects.

    We need to study these eroding factors in identity management systems as we do more widely in computer security systems.

    One of the least understood is the role of specialists in digital forensics. These people are constantly reverse-engineering hardware and software in order to identify digital footprints of activities which can then be used in legal proceedings. Their aims are often of the highest - to bring wrong-doers to justice. But in so doing in relation to identity management systems, they create the means by which people become prematurely de-anonymised and/or personal data is revealed in circumstances not originally envisioned.

    I propose to examine the dilemmas, produce some examples and suggest some remedies.

    Seville, ES

    June 20, 2007 10:00-10:50

    Hosted by FIRST.Org

    MD5: 2f83a365a11dec32eda79e3372e0c025

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.4 Mb

  • GB

    Identity theft in the corporate environment – demonstration and hands-on

    Identity theft and fraud are an important and growing problem. They affect individuals, government departments and private sector organisations, and often form part of more serious criminal operations such as people trafficking and drug smuggling. It is estimated that more than 120,000 people are affected by identity theft in the UK each year. The latest estimate is that identity fraud costs the UK economy $1.7 billion.

    In the words of Fox Mulder, 'trust no-one.' If someone steals your password at work, it is a significant step towards stealing your identity. It won't just impact your employer but your personal life too. In fact it could easily leave you with a reputation for enjoying illegal pornography, a large credit card bill and an even larger overdraft.

    Peter Wood has developed a set of methodologies to simulate corporate identity theft attacks, both external and internal. He shares his experiences in perpetrating licensed attacks against a variety of clients over the last year, as well as the results of criminal investigations. His methods and recommendations should prove invaluable to any business.

    Seville, ES

    June 22, 2007 15:40-16:30, June 22, 2007 17:00-17:45, June 22, 2007 17:45-18:00

    Hosted by FIRST.Org

    MD5: d1a43120a785c45746e187a402009705

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 17.5 Kb

    MD5: bee1fe6e571543ffef1365bfbc14b52b

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.71 Mb

  • US

    Inside the Perimeter: 6 Steps to Improve Your Security Monitoring

    Most attacks from the Internet are not actionable. They're automated, noisy distractions from the real problems your enterprise is facing. The threat has driven deeper into your enterprise; infected hosts are remote-controlled and attacking your naked infrastructure.

    For this reason, Cisco's Computer Security Incident Response Team (CSIRT) has begun orienting its security monitoring toward internal threats. CSIRT engineers will describe their approach, topology, challenges, and lessons learned in the process. This highly practical session will illustrate security monitoring with CS-IPS version 5 and 6, CS-MARS 4, Netflow v7, and syslog. CSIRT engineers will describe how the global solution was deployed and tuned, and the lessons learned along the way. Participants should expect to leave with practical insights and best practices in deploying internal monitoring for incident response.

    Seville, ES

    June 20, 2007 11:20-12:20

    Hosted by FIRST.Org

    MD5: d6344b1aa3d6c8220886ee0485e02ced

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 9.84 Mb

  • US

    Insider Threat – The Visual Conviction

    Insider threat has increasingly been discussed in recent months. Information leaks, sabotage, and fraud have been reported across big institutions. One way to address the insider threat problem is to analyze log files and find suspicious behavior before it results in direct or indirect financial loss for the company.

    Signs of suspicious behavior or users lend themselves very well to visualization techniques. Visualization of data has proven to be the approach generating the best return on investment when it comes to complex data analysis problems. This workshop takes a step-by-step approach to analyzing signs of insider threat. I will use a few open source tools to process the information and generate visual representations. Among them is a tool called AfterGlow (afterglow.sourceforge.net) which was written by the presenter. It is a very simple tool to visualize preprocessed information. The analysis I will go through in the workshop will show how early warning signs of insider activity manifest themselves in the log files, making it possible to prevent further damage and assess the impact of the activities.

    The goal of the talk is to leave the audience with the knowledge and tools to do visual log analysis on their own data.

    Seville, ES

    June 20, 2007 15:40-16:30, June 20, 2007 17:00-18:00, June 20, 2007 18:00-18:50

    Hosted by FIRST.Org

    MD5: 8fdca647ddf36fe8f1b2b00a9cf1668c

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 6.08 Mb

  • GB

    Keynote Speakers 01

    Prioritising Information Security

    Information security is not given a high enough priority by individuals, the corporate sector and by Government. There are a variety of reasons for this – emotional, cultural, financial and cynical. Is information security user-friendly enough? Whose responsibility is it anyway? What should the service providers be doing? What should Governments be doing? Does the global nature of the internet make solutions impossible? Is Microsoft’s Vista the answer? Is self-regulation sufficient or does there have to be legislation? Are market pressures a help or a hindrance? Who is going to clear the mess up when it all ends in tears?

    Seville, ES

    June 20, 2007 09:20-10:00

    Hosted by FIRST.Org

    MD5: 0a53ae74b7164f34b2757e70d6954eac

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 102.71 Kb

  • EU

    Keynote Speakers 02

    The speech will present the security strategy of the European Commission in the framework of the EU security policy as outlined by the European Council in 2004.

    After introducing the European Commission and its role in the EU institutional framework, the presentation will describe the EC's IT organisation and governance and will highlight the role of security in the "Roadmap towards an Integrated eCommission", the internal eGovernment initiative of the EC launched in the context of the i2010 initiative.

    The presentation will outline the principles inspiring the security policy, "a secure Europe in a better world", and will describe the EC strategy for Network and Information Security, explaining the dimensions of the problem, from technical to social and ethical. Then the Research Security Policy will be introduced, describing all the efforts and preparatory actions that led to the allocation of 1.4 M€ for security research in FP 7.

    It will also describe the initiatives regarding Safer Internet and those in the area of Justice, Freedom and Security.

    Finally, the EC internal security policy will be outlined and the implementation efforts regarding the policy will be presented, including a description of the peripheral security infrastructure, the security of IT configurations and information systems, as well as the measures put in place to fight viruses and spam.

    Seville, ES

    June 21, 2007 09:10-10:00

    Hosted by FIRST.Org

    MD5: 927d1fbdd8007be76434f50418ad50b9

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 7.71 Mb

  • US

    Keynote Speakers 04

    Securing the Brave New World

    The increasing reliance of organizations on information technology makes IT the backbone for much of critical infrastructure. At the same time, IT infrastructure has morphed from a model of well-defended castles of information to multiple "tents" housing disparate data, with, in some cases, a "welcome" mat in front of each tent. How can the security landscape evolve to effect a correct balance between openness and secrecy? How can the security community itself evolve – including users, guardians, and "police" of information – to ensure that cybercommunities continue to be inhabitable and hospitable, instead of "The Wild West?"

    MD5: aa988e9e67c650fd64b130ac25b355d0

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 256.07 Kb

  • US

    Keynote Speakers 05

    • General History of MS security efforts
    • Current situation in the ecosystem
    • Microsoft’s strategy
    • Call to action

    Seville, ES

    June 21, 2007 14:40-15:40

    Hosted by FIRST.Org

    MD5: 1fd30f54c71b737f1a1ea7f65e3246b8

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 6.15 Mb

  • GB

    Keynote Speakers 06

    You Haven't Seen Anything Yet!......

    The human race has always been fascinated by numbers and computing. Recently I have been challenged that Moore's Law (created by Gordon Moore in 1968 that predicted that the number of transistors on a chip would double every two years and the price would halve in the same time) will not only cease being true but will saturate and flatten off. I do not believe this to be the case – I see in the next few years greater and greater computing power being available.

    The advent of Broadband connections, originally by ADSL, and new networks like BT’s 21CN will bring an era of AORTA (Always On Real Time Access). The human will be abstracted from the complexity of searching for information. Artificial Intelligent Agents will wander around this new information maze looking for information that might be of interest to you and push it towards you. These agents will have faces, voices, will hear and understand what you say, and might even have personalities! The whole process will get very conversational.

    But we will go further than just artificial people, we will start immersing ourselves in virtual environments. Imagine a virtual High Street where you can wander and visit the shops of your choice. These establishments will be "peopled" by avatars which look and behave just like the real people in the real shops – but there will be no queues.

    With the advent of the SmartCard we will be carrying enormous amounts of personal information and exchanging it in public places. One SmartCard could carry all your personal details from your ID card and passport to driving licence and medical history. I see everything having SmartCard readers (computers, phones, mobiles, TVs) and the appropriate information will be exchanged without the extreme efforts that are required of the human today – re-typing the same details on every web-page. I also see the security hologram on the card still being a visual security device, but also becoming a thumb print reader. The SmartCard becomes a "This is me – honestly it really is me" security token. With the advent of Web Services on the AORTA network, I could be at an electronic point-of-sale machine and the insertion of the token automatically brings all my relevant data (including current picture) to that point in the network.

    In the near future everything is going mobile. We will all have personal communicators (yes just like Star Trek!) which will connect us to voice communications and information. You will start asking your mobile phone questions and receive information that is pertinent to you at this time and at this location. Soon, with 3G type systems, we will be able to send and receive moving pictures. In fact in the very near future we will as carelessly pass images and moving images over these devices as we just talk to them today.

    And as we enter this new information age, we must look at how we will trade with our customers. It is vitally important that we target each individual customer and personalise our communication with him or her. Gone are the days when a simple advertisement was good enough, and we expected our customers to come and find us. Now we have to build a bridge and an interactive, proactive experience for our customers.

    Technology is changing very fast indeed. I predict that you will see more change in the next 10 years than has been experienced in the past 150 years. Technology is changing – the question is "Are you changing as fast?" because if you do not, you and your organisation might not be trading in the next few years!

    Seville, ES

    June 22, 2007 14:40-15:40

    Hosted by FIRST.Org

    MD5: 6e5a512d398ddec8375e4f64341d63f2

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 17.06 Mb

  • Law Enforcement / CSIRT Cooperation SIG

    At last year's FIRST Conference, the 1st "CSIRTs meet LEs, LEs meet CSIRTs" workshop was held. The workshop bridged the gap between two different communities by introducing their mission, policy and culture with regard to responding to cyber incidents and information handling. The case studies also demonstrated the value of the partnership and collaboration between CSIRTs and Law Enforcement.

    With the success and overwhelming response to the 1st workshop, this year FIRST and the G8 High Tech Crime Subgroup plan to hold the 2nd "CSIRTs meet LEs, LEs meet CSIRTs" workshop. This year's theme is "Forensics": identifying what data is most useful for Incident Response teams to gather and present so that legal action can succeed, and how to work with LEs. Forensics techniques, tools and best practices from both communities will be introduced.


    View the workshop schedule in the conference schedule in PDF format.

    Seville, ES

    June 18, 2007 09:00-10:50, June 18, 2007 11:20-13:10

    Hosted by FIRST.Org

    MD5: f5f3e76f5c09c0de6cf8327f2ac0f897

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 164.62 Kb

  • NO DE

    Long term instability of high priority incident response – A system dynamics simulation approach

    Effective incident response is dependent on detection. A CSIRT typically relies on detection via intrusion detection techniques, or on reports from various sites. In this paper we focus only on high priority incidents reported from sites. If a CSIRT depends on its constituency as the primary source for incident detection and reporting, especially for incidents of higher priority, then the service it provides itself depends on these reports. One major factor is the pool of sites inside and outside the constituency that accept the CSIRT as the point of contact and hence report such incidents. Due to this dependency, the relationship between the CSIRT and the reporting sites within the constituency, as well as with other cooperating sites and other CSIRTs, is very important to maintain.

    However, empirical data we have found indicates that this relationship is very unstable over time. Viewed over a time frame of years, the number of reporting sites and the high priority workload seem to show an oscillatory behaviour pattern independent of the resources available to handle this workload. This is a problem, because such instability means that the effect, quality and efficiency of the incident response service are also unstable over time.

    This article therefore tries to address the following questions:

    1. What factors cause this instability and how does this influence the effectiveness of high priority incident response?
    2. What can be done to dampen this instability and make high priority incident response more effective?

    This research problem has been studied as part of a larger PhD research project investigating the effectiveness of incident response in the well known context of a coordinating CSIRT. A System Dynamics simulation model has been developed to serve as a controlled environment in which to identify the main causal relationships creating the instability between certain key variables of interest:

    • The number of reporting sites
    • The number of high priority incidents
    • Quality of service

    The results from the simulation model indicate that the instability in these key variables is caused by long time delays in the interaction between the CSIRT and reporting sites. Attraction of reporting sites depends very much on the past quality of service provided by the CSIRT. Building reputation takes time, and so does losing it. At the same time, attracting new reporting sites takes time. There is a tendency for a good quality of service (and thereby reputation) to attract new reporting sites. This increases the workload, driving down the quality. However, the impact of lower quality on future attraction is delayed. Hence, there is a risk of overshoot in the workload before the perception of quality starts to decline. Conversely, the same delays can lead to undershoot in reporting and in the workload despite improving quality. The behaviour pattern over time will thereby be oscillatory for the number of reporting sites, the number of high priority incidents reported, and the quality of service. However, it is very hard to identify because the delay times are so long that the pattern is only visible over several years.

    Through the model, the following policies of interest were tested:

    1. Decrease delay times to close the gap between perceived and actual quality of service among reporting sites.
    2. Add more people to the IRT staff.

    The model showed that alternative 2 tended to dampen the oscillatory behaviour. Alternative 2 only gave a temporary solution, before the instability came back over the course of time.

    Seville, ES

    June 20, 2007 10:00-10:50

    Hosted by FIRST.Org

    MD5: b9be99607d25530bbdae32a8d53f858e

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.23 Mb

  • BR

    Malware distribution through software piracy: a case study

    Trust no one or you will be assimilated! This is the current scenario inside the software cracking and piracy community. This paper focuses on the study of the usage of pirate software to infect systems and their abuse by miscreants. Statistics from collected malware related to software piracy will be presented.

    The author believes software piracy will always exist, including pirated operating systems, applications and games. The problem is directly related to the customer’s compulsive appetite for new features and releases, which leads the user to consume any product, even beta versions (sometimes faked versions) and pirated products.

    To deal with this demand, some specialized piracy groups have, for a long time, supplied this market with diverse products. Among these we emphasize keygens, which are applications that can generate a registration key to allow software installation, and cracks, which are modifications to files of the target software that allow its execution or remove existing protections.

    With the advance of software protection techniques, new forms of circumventing these protections and making this content available are being offered, such as installation packages, cracked versions ready to run and CD emulators. The piracy community is always developing new ways to meet the demand and to circumvent the protections that are implemented.

    The universe of software piracy possesses multiple distribution mechanisms: sites specializing in cracks, keygens and emulators (CD-ROMs), FTP servers, CDs sold in the streets or offered on sites, and mainly P2P applications.

    The process of malware distribution uses any of these mechanisms, with only small differences. We must understand that miscreants are very creative and their main goal is to infect as many systems as possible. Files that are accessible through web pages are hosted on sites that exploit vulnerabilities in browsers. Why wait for the user to download and execute if the system can be infected and controlled through browser vulnerabilities?

    Even the malware files available as keygens and cracks possess different forms of infection; the great majority of analyzed specimens infect a system in a second stage, after installation and decompression. This technique is used only to make it harder to identify the file as malware. The main functionality of this type of malware also varies, from simple downloaders and adware to botnets. From the miscreant’s point of view this is the perfect scenario: the end user is downloading and executing malicious code with their consent and without any restrictions.

    In 2006 one of the main sources of malware propagation through software piracy was the creation of dozens of crackers for Windows Genuine Advantage. The constant updates of the WGA tool made users of counterfeit versions of Windows search frequently for new versions of crackers and, when they did not succeed, they simply started to install all available crackers. Of the WGA cracking files collected, almost 70% were classified as downloaders and bots with a high degree of sophistication and a difficult removal process.

    The same issue occurred at the end of 2006 with the launch of the new version of Internet Explorer, whose installation only succeeds after the operating system has been authenticated as legitimate.

    This kind of exploitation and propagation is not restricted to Microsoft products; any popular software with some installation restriction is being used as an attack vector.

    The consumer of pirated software is at this moment being heavily targeted by the piracy community, which aims only to infect and control their system for illicit purposes and to feed the piracy industry, normally by stealing all serial numbers of software installed on the user's system and later distributing them on web sites, without forgetting the traditional use of the systems as part of botnets.

    The message here is simple: there is no crack or keygen or other tool related to software piracy that can be considered safe to use, or even to download. Users must be discouraged from consuming any kind of pirated software in order to avoid their personal information and systems being used by miscreants.

    Seville, ES

    June 22, 2007 15:40-16:30

    Hosted by FIRST.Org

    MD5: 4934fe7ea27b2361068ff9ac92924537

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 12.92 Kb

    MD5: 3a068303aba453e3e5d736f024c97590

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 491.79 Kb

  • GB

    Managing Privacy in Network Operations: Learning from the Law

    System and Network Managers and Incident Response Teams can represent a serious threat to the privacy of individual users. To ensure smooth operation of their systems and ensure they are not a threat to others, administrators may need to be able to read, modify or block any file or communication, or to pass it to their Incident Response colleagues for investigation. However those same powers, if misused either accidentally or misguidedly, can cause serious harm to individuals and organisations. Lacking written guidance on how to exercise their considerable powers, many administrators are left to rely on their own consciences to find the balance between protecting the individual and protecting the wider community: this is not a comfortable position for the administrator, their organisation or their users.

    The European legal system has at least half a century of experience of protecting individual privacy, formalised in 1950 in Article 8 of the European Convention on Human Rights, which established the "right of respect for private and family life, home and correspondence". This talk will suggest how principles established in the Convention and in subsequent European and national legislation to protect personal data and communications can be applied to network operations and incident response. The focus will be on developing good practice based on fundamental principles, so should benefit those from other legislative traditions as well as those who have to ensure that their practices comply with their particular local privacy law.

    Seville, ES

    June 22, 2007 17:00-17:45

    Hosted by FIRST.Org

    MD5: 95dcbaf0ef2928176c0cb15481c30742

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 399.83 Kb

  • SG

    NUS IT Security Landscape

    Universities have the dual challenge of creating an environment that fosters experimentation and learning while protecting users against unauthorized access and other internet threats. In a large enterprise network like NUS, where there are more than 30 000 online nodes, this challenge is more acute. Universities are unlike corporations because they cannot impose overly restrictive policies that could hamper research and sharing. In corporate environments, network users are primarily rule-abiding employees. However, in university environments, the majority of the network users are students.

    I will present the enterprise-wide security framework adopted by NUS. This framework is built on the PPT Methodology (i.e. People, Process and Technology). The People element is the most important element and, as the saying goes, "Human is the weakest link in the security chain". Under the People element, I will detail the strategy to address upper management, user buy-in, staff morale, user awareness and training requirements. Under the Process element, I will discuss the process framework we adopt to track progress and success. Processes include vulnerability management, threat management, incident management, audits, penetration testing, etc. On the Technology aspect, NUS has looked beyond the traditional firewall, intrusion detection and prevention system, antivirus, anti-spyware and anti-spam implementations. Many systems are developed in-house, as many off-the-shelf systems are not effective in a unique environment like NUS. Our blackholing mechanism, honeynet implementation and vulnerability management system are some examples of our innovative security implementations.

    I hope that sharing our experience with the strategy that helped us and the pitfalls to avoid can prove valuable to both universities and similar organizations that do not already have a similar strategy in place but are facing enterprise-level threat mitigation issues and inhibiting cost factors.

    Seville, ES

    June 21, 2007 11:20-12:20

    Hosted by FIRST.Org

    MD5: 9c4fbf66e9837585803acc319610e722

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 182.9 Kb

  • GB

    Our Own Worst Enemies

    In his address to the 18th FIRST annual conference in Baltimore, guru Bruce Schneier asked and answered a critical question: "How do you compel the home user to secure a PC against Trojans and worms? You don’t. You can’t."

    Twelve months later, the theme of the 19th FIRST conference in Seville is digital privacy, in the wake of a year in which millions of items of personal data were lost or stolen from corporates with disastrous consequences for the reputation of e-commerce.

    These are the starting points for Frank Wintle’s presentation to Conference 19. Why don’t home users care and why don’t they act? Why, in the UK, did more than half a million people walk away from Internet banking in 2006? Why are phishers still able to pose as financial institutions, sucker innocents and detach them from $millions? What’s the root cause of corporate carelessness?

    Could one reason be that the Internet security industry has a huge communications problem?

    Wintle thinks that it is, and in this presentation he will argue that the "I’m-a-geek-and-I’m-proud-to-speak-geekspeak" attitude betrays the kind of pride which almost always goes before a big fall – if the fall isn’t happening already.

    He then goes on to set out the principles of a communications approach which can make even the most arcane subject lucid and engaging for non-specialist audiences, and illustrates how effective communications can change attitudes and actions.

    Lastly, he discusses strategies and evaluation, exploring ways in which CERTs within nations or organisations can define the communications targets they want to reach and the behaviours they want to change, and then use appropriate PR techniques to reach their objectives.

    Seville, ES

    June 21, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: 183732536546a4a7e7a5d3f5e7178714

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.69 Mb

  • ES

    Privacy matters in directories

    Modern institutional directory services are confronting a clear conflict of interests. On the one hand, there is the need of members of an institution to find other members in the same or a different institution. On the other hand, there are the privacy rights of the individuals.

    This has led us to develop a mechanism to resolve this conflict using information access controls that can be managed both by the institutions and by the individuals.

    This presentation will discuss our implementation of such a mechanism, based on LDAP classes and attributes and on OpenLDAP Access Control Lists.

    We will also present information on the adoption of the privacy control attributes in other institutions after more than a year of promoting them. This research is being carried out during the first quarter of 2007.

    The possibility of using the Access Controls in Red Hat Directory Server is also being assessed during the first quarter of 2007, and we will also present how to do it if the results are positive, as expected.

    Seville, ES

    June 21, 2007 11:20-12:20

    Hosted by FIRST.Org

    MD5: 7761b9f34815e86fe936fd14c26b6e7b

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 136.84 Kb

    MD5: b6db52565f427e73391d415926c55fbd

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 2.99 Mb

  • GB

    Reviewing the VoIP Threat Landscape

    Voice over IP (VoIP) services are, as the name suggests, a method of running voice telephony over IP networks. The protocols used for VoIP, and specifically the Session Initiation Protocol (SIP), also provide a number of other real-time communication services including video conferencing, instant messaging and presence services. The latter provide intelligent call routing, improving communications services.

    VoIP offers many business benefits, but in the rush to realise these benefits it is easy to forget that VoIP is an IP service and is subject to all the IP network level vulnerabilities and threats that other IP applications such as web and email have faced for the past 10 years or more. In addition, the real-time requirements of VoIP and video conferencing and the position of these services as a keystone of business communication make VoIP applications uniquely vulnerable to application and content vulnerabilities.

    This session reviews the VoIP threat landscape, highlighting the risks posed by these threats and outlining the security requirements for an effective and robust VoIP implementation.

    Seville, ES

    June 20, 2007 15:40-16:30

    Hosted by FIRST.Org

    MD5: 4dda1e4e97cab6aa8661f2a75fca3711

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 30.09 Kb

    MD5: 3a0558a04d08202c4773201d83ef484b

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 379.06 Kb

  • US

    Security Risk Management: breaking through technology and market barriers – a real life story

    Modern enterprise networks have many thousands of vulnerabilities, only a few of which are usually exposed to attack. Finding those exposures manually has proven to be a daunting task, especially in light of daily publishing of new vulnerabilities and constant network changes. Attack simulation is a new technology that helps security professionals prioritize vulnerabilities and focus on actual exposures. In addition to the technology challenges involved in security and network modelling, the creation of a new market category in the security space is a challenge in itself. This is an overview of the technology and its evolution from idea to a running business.

    Seville, ES

    June 20, 2007 15:40-16:30

    Hosted by FIRST.Org

    MD5: d7ecf1822a76a1291c4c7c9b6691bfd1

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.08 Mb

  • ES

    Setting up a governmental CERT: The CCN-CERT case study

    The CCN-CERT is the Spanish National Information Security Incident Response Team, established in late 2006 with the mission of being the support and coordination centre for security incidents that affect public organizations, helping government bodies to respond efficiently before security threats affect their information systems.

    Beyond the standard basic steps involved in setting up a CERT, the creation and development of a CERT with a national government constituency entails some key problems and challenges.

    Seville, ES

    June 22, 2007 17:00-17:45, June 22, 2007 17:45-18:00

    Hosted by FIRST.Org

    MD5: 99f26772e326c0c3cb564bdf27fc7640

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.5 Mb

  • DE

    Setting up a Grid-CERT – Experiences of an academic CSIRT

    Introduction and Motivation

    Grid Computing has often been heralded as the next logical step after the World Wide Web. Instead of only accessing static content (i.e. web pages) users of Grids can access dynamic resources such as computer storage (for any sort of data) and use the computing resources (i.e. the CPU) of computers under the umbrella of a virtual organisation. Although Grid Computing is often compared to the World Wide Web, it is vastly more complex both in organisational and technical areas. This also extends into the area of security and incident response, where established academic CSIRTs face new challenges arising from Grids.

    The German ministry of education and research (BMBF) started a strategic initiative, D-Grid, in 2005 to further Grid computing and usage within the German scientific community. This initiative is similar in many ways to those of other countries around the world. Part of that initiative is the establishment of CSIRT services for Grids.

    Cormack, et al. have argued in "that CSIRT activities for a Grid are not fundamentally different from those performed by a traditional CSIRT." In practice, there are many challenges to be overcome to establish a CSIRT for the specific needs of Grids and Grid users. The following two sections will give an overview of the challenges and experiences DFN-CERT has encountered while setting up a CSIRT for the D-Grid communities.

    Organisational Challenges

    One of the first lessons learned is that there is no such thing as "the Grid", unlike "the Web" or "the Usenet". In the case of the D-Grid project there are, even at the beginning, no less than six Grid communities: high-energy physics, climate research, astrophysics, engineering and medicine. There is even a text-Grid for use in the humanities. Each has its own unique set of requirements that extend to the field of security. Researchers in physics, for example, have few requirements about the protection of intellectual property from the participants in their Grids, whereas engineers place high emphasis on this particular area. Participants in a medical Grid have high requirements about the protection of patient data. Grids with practically no personal data, like climate research, place no emphasis on this area. An academic CSIRT thus has to learn about the specific requirements of each and every Grid community within its constituency.

    One could argue that the Grid communities are already part of the CSIRT's constituency and thus this would be a simple matter of asking the CSIRTs of the local organisations. In practice, the local teams are often not aware of Grid activities and vice versa. Besides that, there are sometimes teams for the whole Grid that are not directly affiliated with one site. Also, many groups use the same terminology, but with different meaning and emphasis.

    A different approach is needed that circumvents the problems of local groups. The D-Grid initiative provides an excellent forum because it establishes an exchange platform for the Grid communities in Germany. Making DFN-CERT known to the Grid communities is thus a simple matter of introducing it in these forums.

    Experience with CSIRT operation has shown that international cooperation is imperative to the successful establishment of CSIRTs. In the field of Grids, this means that an international web of cooperation has to be established as well. On one side, this extends into the CSIRT community, where organisations such as FIRST and TERENA's TF-CSIRT are to be engaged; on the other side, the Grid communities and organisations like the Global Grid Forum (GGF). As a result of these activities, "Incident handling and security guidelines of NREN Grids" have become part of TERENA's TF-CSIRT terms of reference.

    Technical Challenges

    To handle the technical part of Grid incidents, as well as to proactively help sites secure their Grid infrastructure, a CSIRT has to develop an understanding of the software used in the Grids of its constituency. With this understanding, more advanced services like Grid honeypots may be built in the future.

    The underlying operating systems are common ones, like Linux, and these are well understood by CSIRTs. The next layer, the Grid middleware, consists of large software packages like UNICORE, the Globus Toolkit or gLite, which provide access to storage and computing resources as well as monitoring, directory services and authentication across virtual organisations.

    These software packages are poorly understood by CSIRTs. Exacerbating this problem, only a few people in the academic community itself fully understand this software. Also, setting up test installations of the large and complex Grid middleware requires far more resources than setting up ordinary software, like a workstation or a web server. To gain experience in this area, cooperation with existing test installations is the way to go.

    Although the basic procedures for handling vulnerabilities are the same whether for ordinary software or for Grid software, the concrete task of obtaining the information poses some challenges. While Grid software is open source and developed along the same lines as standard open source packages, the standard security practices, like open mailing lists for security advisories or signed software packages, are often not followed.

    Seville, ES

    June 22, 2007 11:20-12:20

    Hosted by FIRST.Org

    MD5: 8b9fe22bba10d36475ec9d8e8c5fde1f

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 155.64 Kb

    MD5: 94ca83c390a68d4c0a48dc9ee73038e8

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 282.04 Kb

  • Software Security: Integrating Security Tools Into a Secure Software Development Process

    Automated security tools are often used in software development, from static source code analysis tools to penetration testing tools. Unfortunately, for a variety of reasons, many development organizations fail to get the maximum benefit from these tools. Worse, the way many organizations use security tools may actually hamper effective development work. Penetration testing tools, for example, are commonly used for late life cycle "black box" testing. At best, this forces knee-jerk reactions to remediate any defects found, quite often at the expense of the application's original design; it also likely fails to find a great many security defects. To make matters worse, forced integration of tool technologies into existing workflows can be disruptive and counterproductive.

    This talk delves into the automated tools associated with secure software development, and how they can be successfully integrated into a development workflow.

    Tool categories are first surveyed, and their utility and applicability to secure development reviewed. These include traditional information security tools such as network vulnerability scanners and application vulnerability scanners, as well as more focused development-only tools such as static source code analyzers. The pros and cons of each tool set are described in plain detail, with particular attention to how software developers can benefit from them.

    Next, individual tool categories are discussed with regard to how they can be integrated into a secure software development workflow. This portion of the session starts by examining the pitfalls in how the tools are often put to use by software developers, and then provides a clear set of recommendations on how to make the best use of them.

    Penetration testing tools (and processes), for example, are often used in a late life cycle approach that "verifies" an application's security level shortly before its deployment into production. This approach is inherently a "black box" one, in which the application is assessed from an outside-in perspective. This talk recommends an alternative: using penetration testing tools inside-out, optimizing staff time and effort by prioritizing work according to identified business risks. That is, "white box" penetration testing can focus on the aspects of an application that were identified as weak during architectural risk analysis.

    Similarly, static source code analysis tools are often used late in the life cycle, leaving little time to remediate the coding defects they identify. In this talk, we explore methods of integrating static source code analysis tools throughout the coding process in a way that greatly improves their likelihood of success and reduces the effort necessary.

    Outline

    1. Overview of software security process "touchpoints"

      • Security activities that can be applied to various artifacts produced during software dev
    2. Survey of existing tools

      • Tools associated with Information Security

        • Network scanners
        • Vulnerability scanners
        • Application scanners
        • Strengths and weaknesses with regard to software security
      • Tools associated with Software Security

        • Static source code analysis tools
        • Testing tools
        • Strengths and weaknesses with regard to software security
    3. Integration into development workflow

      • Penetration testing

        • Inside-out process
        • Business risk prioritization of test activities
      • Code review

        • Iterative review vs. all-at-once review
        • Incorporation of code review in nightly builds
        • IDE plug-ins for easier workflow
        • Management features available in most commercial tools
          • Tracking and trending
          • Policy centralization
      • Application testing

        • Security testing tools for QA testers
        • Effective test scenario design
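    The "iterative review" and "tracking and trending" items above hinge on one mechanism: a nightly static-analysis run must be able to tell findings that are new since the last run from findings that were already known, or the team drowns in the same backlog every night. The block below is an added example written for this page (not the talk's material and not any particular tool's output format): findings are fingerprinted without their line number, diffed against a stored baseline, gated by a central severity policy, and counted for trending. The finding records, the CWE rule names used in them and the `triage`/`gate`/`trend` helpers are constructed for illustration.

```python
"""Added example: baseline-driven triage so that a nightly static-analysis run
blocks only on new findings and turns everything else into a trend line."""
import hashlib
import re
from collections import Counter


def fingerprint(finding: dict) -> str:
    """Identity of a finding independent of its line number: rule, file, enclosing
    function and the whitespace-normalised source line. Edits elsewhere in the
    file then do not turn an old finding into a 'new' one on the next run."""
    snippet = re.sub(r"\s+", " ", finding["snippet"].strip())
    key = "|".join((finding["rule"], finding["file"], finding["function"], snippet))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(baseline: list, current: list) -> dict:
    """Split tonight's findings into new, fixed (in the baseline, gone now) and carried."""
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}
    return {
        "new": [cur[k] for k in sorted(cur.keys() - base.keys())],
        "fixed": [base[k] for k in sorted(base.keys() - cur.keys())],
        "carried": [cur[k] for k in sorted(cur.keys() & base.keys())],
    }


def gate(triaged: dict, block_on=("high", "critical")) -> tuple:
    """Centralised policy: the build fails only on new findings at blocking severities.
    Returns (passed, blocking_findings)."""
    blocking = [f for f in triaged["new"] if f["severity"] in block_on]
    return (not blocking, blocking)


def trend(snapshots: list) -> list:
    """Per-run severity counts, the raw material for tracking and trending."""
    return [dict(Counter(f["severity"] for f in snap)) for snap in snapshots]


# Constructed findings in a tool-neutral shape (what a SARIF or CSV export would be mapped to).
BASELINE = [
    {"rule": "CWE-120", "severity": "high", "file": "src/auth.c", "function": "check_login",
     "line": 42, "snippet": "strcpy(buf, username);"},
    {"rule": "CWE-327", "severity": "medium", "file": "src/token.c", "function": "make_token",
     "line": 17, "snippet": "MD5(data, len, digest);"},
]
TONIGHT = [
    # the same strcpy, 12 lines further down after an unrelated edit above it
    {"rule": "CWE-120", "severity": "high", "file": "src/auth.c", "function": "check_login",
     "line": 54, "snippet": "strcpy(buf,  username);"},
    # new since the baseline was taken
    {"rule": "CWE-134", "severity": "high", "file": "src/upload.c", "function": "log_name",
     "line": 88, "snippet": "syslog(LOG_INFO, name);"},
]

if __name__ == "__main__":
    result = triage(BASELINE, TONIGHT)
    passed, blocking = gate(result)
    print("new:", len(result["new"]), "fixed:", len(result["fixed"]),
          "carried:", len(result["carried"]), "build passes:", passed)
    print("trend:", trend([BASELINE, TONIGHT]))
```

    The baseline is whatever the team accepted when the tool was first switched on; it shrinks as carried findings get fixed, and the nightly job only ever asks developers about what they changed today. That is the difference between an all-at-once review that produces a thousand-item report nobody reads and an iterative one that fits in a normal work day.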

    Benefits

    • Students will learn about the benefits and pitfalls of the tools that can be used during secure software development. These pros and cons are spelled out in a vendor-neutral manner.
    • Students will gain insight into how tools can best be integrated into their own software development processes. Clear, practical, and easy to understand lists of recommendations are provided for each tool type discussed that will help the student succeed with it.

    Seville, ES

    June 21, 2007 10:00-10:50

    Hosted by FIRST.Org

    MD5: 3faef556df3ceb93ca93ee2b33d852c4

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 179.38 Kb

    MD5: 9e9749e710298c5c81fba60f307add30

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.17 Mb

  • US

    Taming Packets: The Network Expect Framework for Building Network Tools

    Network Expect is a framework that makes it easy to build tools that interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on the network traffic received. An interpreted language provides branching and high-level control structures to direct the interaction with the network.

    Network Expect was heavily influenced and inspired by the "Expect" program written by Don Libes, which allows one to "talk" to interactive programs in a scripted fashion. Because of this, there are many similarities between commands in Network Expect and commands in Expect.

    A Network Expect script can send traffic to the network and then take decisions based on the traffic it receives. The things Network Expect does are usually very low-level network operations that would otherwise require writing a custom program in a language like C.

    Network Expect’s philosophy is based on the observation that network applications always operate on an action-reaction principle in which something is sent over the network to an application running on a remote host and a response is then received.

    Network Expect can generate arbitrary network traffic and inject it into a network at layer 2 or layer 3. A wide range of protocols is supported, including IP version 6, as well as protocol options such as IPv4 options, IPv6 extension headers and TCP options. Network Expect can also listen for network traffic, decode it, and take decisions based on the type of traffic received.

    These capabilities make it very easy to emulate network protocols for vulnerability testing and auditing, penetration testing, network protocol research, etc.
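    To make the action-reaction principle concrete, here is an added example written for this page in Python; it is not Network Expect code and does not use its script syntax. The "action" half builds a layer-3 TCP SYN probe from raw bytes, including an IPv4 option and a TCP option with the checksums computed by hand, and the "reaction" half decodes a captured reply, validates both checksums, and decides whether the probed port is open. The reply is constructed inline with the same builder, so nothing is put on the wire; the addresses, ports and the `syn_probe`/`classify_reply` helpers are assumptions for illustration. Injecting the bytes would require a raw socket and privileges, which this example deliberately leaves out.

```python
"""Added example: the action/reaction pattern over hand-built IPv4/TCP packets.
Not Network Expect code; addresses, ports and helper names are illustrative."""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pad_options(options: bytes) -> bytes:
    """IPv4 and TCP option lists must end on a 32-bit boundary; pad with EOL (0x00)."""
    return options + b"\x00" * (-len(options) % 4)


def build_ipv4(src, dst, proto, payload, options=b"", ttl=64, ident=0):
    """Layer-3 header with optional IPv4 options, header checksum filled in."""
    opts = pad_options(options)
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + opts
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_tcp(src, dst, sport, dport, flags, seq=0, ack=0, options=b"", payload=b""):
    """TCP segment with optional TCP options; the checksum covers the pseudo-header."""
    opts = pad_options(options)
    doff = 5 + len(opts) // 4
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags,
                      65535, 0, 0) + opts + payload
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, IPPROTO_TCP, len(seg))
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode a layer-3 packet; reject anything malformed or with a bad checksum."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = vihl & 0x0F
    if vihl >> 4 != 4 or ihl < 5 or len(pkt) < ihl * 4 or total > len(pkt):
        raise ValueError("malformed IPv4 header")
    if checksum(pkt[:ihl * 4]) != 0:   # a valid header sums to 0xFFFF, complement 0
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "options": pkt[20:ihl * 4], "payload": pkt[ihl * 4:total]}


def parse_tcp(seg: bytes, src: str, dst: str) -> dict:
    """Decode a TCP segment; src/dst come from the enclosing IP header (pseudo-header)."""
    if len(seg) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", seg[:20])
    doff = off >> 4
    if doff < 5 or len(seg) < doff * 4:
        raise ValueError("malformed TCP header")
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, IPPROTO_TCP, len(seg))
    if checksum(pseudo + seg) != 0:
        raise ValueError("bad TCP checksum")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "options": seg[20:doff * 4], "payload": seg[doff * 4:]}


def syn_probe(src, dst, sport, dport):
    """The 'action': a SYN carrying an IPv4 Router Alert option and a TCP MSS option."""
    seg = build_tcp(src, dst, sport, dport, TCP_SYN, seq=1, options=b"\x02\x04\x05\xb4")
    return build_ipv4(src, dst, IPPROTO_TCP, seg, options=b"\x94\x04\x00\x00")


def classify_reply(pkt, probe_src, probe_sport, probe_dport):
    """The 'reaction': what does a captured packet say about the probed port?"""
    try:
        ip = parse_ipv4(pkt)
        if ip["dst"] != probe_src or ip["proto"] != IPPROTO_TCP:
            return "ignore"
        tcp = parse_tcp(ip["payload"], ip["src"], ip["dst"])
    except ValueError:
        return "ignore"          # not ours, or damaged: never decide on garbage
    if tcp["sport"] != probe_dport or tcp["dport"] != probe_sport:
        return "ignore"
    if tcp["flags"] & TCP_SYN and tcp["flags"] & TCP_ACK:
        return "open"
    if tcp["flags"] & TCP_RST:
        return "closed"
    return "ignore"


if __name__ == "__main__":
    probe = syn_probe("10.0.0.1", "10.0.0.2", 40000, 80)
    # Constructed reply, as the remote host would answer; nothing is sent here.
    reply = build_ipv4("10.0.0.2", "10.0.0.1", IPPROTO_TCP,
                       build_tcp("10.0.0.2", "10.0.0.1", 80, 40000,
                                 TCP_SYN | TCP_ACK, seq=7, ack=2))
    print(len(probe), "byte probe; port is", classify_reply(reply, "10.0.0.1", 40000, 80))
```

    The point of verifying both checksums before deciding anything is that a listener on a busy segment sees traffic that is not a reply to its probe at all; a decision procedure that branches on flags alone will happily classify a stray or corrupted segment.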

    The presentation "Taming Packets: The Network Expect Framework for Building Network Tools" will give an introduction to the Network Expect framework and provide examples of how Network Expect has been used to solve real-life problems.

    Network Expect is Open Source Software that was developed by Eloy Paris from Cisco Systems.

    Seville, ES

    June 20, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: 5f8572e5bced818537eb139e27d7d487

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 110.95 Kb

  • Technical Evolution of Cybercrime

    Cybercrime is becoming more and more widespread, due to the flexibility and risk-free use of modern Trojans and other malware.

    When talking about Trojans and worms, most people think about phishing threats. Phishing and Pharming ARE major threats to all online users. Besides the immediate commercial damage, one of the most displeasing side effects of Phishing and Pharming is the destruction of TRUST in the quickly growing internet business.

    But phishing is not the only threat targeting the end user. There are others, like industrial espionage or spear phishing, which are not well known to the public but pose a real and more serious threat. In the past, we discussed the future potential of what used to be Remote Access Trojans (RATs); today this threat is represented by IP (intellectual property) worms, cryptoviral extortion schemes, or zero-day exploits used for industrial espionage.

    Malware can also have national security implications, but discussions on these are again rare in public. For instance, in June 2005, Japanese nuclear data was leaked on the Internet through a virus on a personal computer. It exposed interiors, details of regular inspections of repair works, and names of workers.

    Other incidents in Israel and UK were reported only briefly in the news.

    This paper will change the focus of Trojans from online fraud to more serious threats - like industrial espionage and terrorism.

    Terrorism and phishing have one thing in common: information gathering, manipulation, and money. Looking at a typical drop zone of a Trojan, you'll find all kinds of information, like passwords, IDs, credit card details, etc.

    This information alone is not interesting, but in combination it can create a major threat, e.g. to assemble a false ID. But who is collecting all this information? Who has access to it? Who is using it? This paper will show how all of these interact in today's world.

    Using a typical "latest design" worm, we will analyze the behavior, the communication and the impact of such malware. We will show how to use trigger-based systems to collect data in an intranet, and how actual malware can be turned into designer worms, undetectable by antivirus scanners, for personal spying. We will discuss pattern-based detection versus anomaly-based behavior detection, and will close with a forecast on next-generation malware.

    Seville, ES

    June 22, 2007 10:00-10:50

    Hosted by FIRST.Org

    MD5: e5dfdec5a1abb30dfc8691e02cbaab2b

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.74 Mb

  • NL

    The Art of RFID Exploitation

    Radio Frequency Identification (RFID) malware, first introduced in my paper 'Is Your Cat Infected with a Computer Virus?', has raised a great deal of controversy since it was first presented at the IEEE PerCom conference on March 15, 2006. The subject received an avalanche of (often overzealous) press coverage, which triggered a flurry of both positive and negative reactions from the RFID industry and consumers. This presentation will serve as a forum to explain RFID malware, from a hacker's perspective. I will start by explaining the fundamental concepts behind RFID malware, and then offer some qualifications and clarifications, separating out the facts vs. the myth regarding the real-world implications.

    Seville, ES

    June 20, 2007 15:40-16:30

    Hosted by FIRST.Org

    MD5: 6655484eb8cb2c6b1c3e02046cc0844d

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.8 Mb

  • GB

    The Benefits of FIRST: How to sell FIRST to your Upper Management

    Mr. Stanton's presentation is intended to give FIRST members an appreciation of the common market challenges that we all face: what forces are driving investment decisions, the competition for investment, and executive requirements and needs. This summary includes an analysis of specific member issues and an overview of competing organisations. Finally, Mr. Stanton will suggest ways to demonstrate value to senior management, and how to protect investment for future and ongoing activities.

    Seville, ES

    June 21, 2007 15:40-16:30

    Hosted by FIRST.Org

    MD5: 89da5e1dca7a6823f697b3602f2e4121

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.17 Mb

  • GB

    The Security needs of the State versus the rights of the individual

    The spectre of international terrorism has changed the traditional balance between the citizen's right to freedom and privacy and the Nation State's need to provide security for the population. In the United Kingdom, surveillance technology is already extensively deployed, monitoring many aspects of the daily life of the population, with even more intrusive programmes planned or under way. Is the loss of privacy the price we must pay for security and safety in the 21st century? What are the future consequences of this increasing loss of individual freedom and privacy?

    Seville, ES

    June 21, 2007 11:20-12:20

    Hosted by FIRST.Org

    MD5: d11b954e7aceb8c779de2c8aeb2ef152

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 222.39 Kb

  • GB

    Tools and techniques to automate the discovery of zero day vulnerabilities

    This half day session will explore the software testing technique of fuzzing and how it can be used to find security defects. It will cover the advantages and disadvantages of fuzz testing and will give some practical insight into the current free tools and techniques available to security testers. During the session several demonstrations will be given showing how fuzzing may have been used in the past to discover some well publicised security vulnerabilities. The attendees will also be encouraged to gain some hands on experience.
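    As an added illustration of the technique the session covers, written for this page rather than taken from the session's tools: a small mutation fuzzer driving a constructed parser. The target format, the planted bug and the oracle are mine; in C the bug would be a copy of an attacker-supplied length into a fixed-size stack buffer, and here an IndexError stands in for that out-of-bounds write, while the parser's own ValueErrors are treated as expected rejections rather than findings. The seed inputs, the mutation operators, the random seed and the iteration budget are likewise choices made for the example.

```python
"""Added example: a mutation fuzzer against a constructed parser with a planted bug.
Not one of the session's tools; seeds, mutators and budget are choices made for this page."""
import random

BUF_SIZE = 16
INTERESTING = (0x00, 0x01, 0x0F, 0x10, 0x11, 0x20, 0x7F, 0x80, 0xFF)


def parse_record(data: bytes) -> bytes:
    """Constructed target: <tag:1><len:1><body...>, trailing bytes ignored.
    Planted bug: 'len' is validated against the input but not against the
    fixed-size buffer it is copied into."""
    if len(data) < 2:
        raise ValueError("short header")
    tag, length = data[0], data[1]
    if tag not in (1, 2):
        raise ValueError("unknown tag")
    body = data[2:]
    if length > len(body):
        raise ValueError("truncated body")
    buf = bytearray(BUF_SIZE)
    for i in range(length):                 # BUG: no check that length <= BUF_SIZE
        buf[i] = body[i]                    # IndexError here = the C stack overwrite
    return bytes(buf[:length])


def run_target(data: bytes) -> str:
    """Oracle: the parser's own ValueErrors are expected; anything else is a crash."""
    try:
        parse_record(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception:
        return "crash"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Stack one to three random mutations onto a parent input."""
    data = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(7)
        if op == 0 and data:                                    # flip a bit
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == 1 and data:                                  # random byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 2 and data:                                  # boundary value
            data[rng.randrange(len(data))] = rng.choice(INTERESTING)
        elif op == 3:                                           # insert a byte
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif op == 4 and len(data) > 1:                         # delete a byte
            del data[rng.randrange(len(data))]
        elif op == 5:                                           # append junk
            data += bytes(rng.randrange(256) for _ in range(rng.randint(1, 32)))
        elif op == 6 and data:                                  # duplicate a slice
            a = rng.randrange(len(data))
            b = rng.randint(a, len(data))
            data[b:b] = data[a:b]
    return bytes(data)


def fuzz(seeds, max_iters=50000, seed=1):
    """Return (iteration, crashing_input) or None. Inputs the target accepts are
    kept as new parents, a cheap stand-in for coverage feedback."""
    rng = random.Random(seed)
    corpus = list(seeds)
    for n in range(max_iters):
        candidate = mutate(rng.choice(corpus), rng)
        verdict = run_target(candidate)
        if verdict == "crash":
            return n, candidate
        if verdict == "ok" and len(candidate) <= 1024 and len(corpus) < 256:
            corpus.append(candidate)
    return None


def minimize(data: bytes) -> bytes:
    """Greedy reducer: drop any single byte whose removal still reproduces the crash."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            trial = data[:i] + data[i + 1:]
            if run_target(trial) == "crash":
                data, shrunk = trial, True
                break
    return data


if __name__ == "__main__":
    hit = fuzz([b"\x01\x05hello", b"\x02\x10" + bytes(range(16))])
    if hit:
        n, crash = hit
        print("crash after", n, "iterations; minimized:", minimize(crash).hex())
```

    Two design points carry over to real fuzzing: the oracle has to separate the target's deliberate rejections from genuine faults (without that, every malformed input looks like a finding), and the reducer is what turns a few hundred bytes of junk into a case a developer can read; the minimized input here always ends up with a length byte above 16 and a body exactly that long, which is the bug in two bytes.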

    Seville, ES

    June 22, 2007 10:00-10:50, June 22, 2007 11:20-12:20, June 22, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: ce4659bbecdaf8d37ab764119b9fbeb2

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.21 Mb

  • TN

    Tunisia's experience in establishing the first public CSIRT in Africa, as a case example for developing countries, and some guidelines and schemes for International cooperation

    As a case example for developing countries, we will first give a brief overview of the actions of the Tunisian strategy in ICT security which led to the launch of the Tunisian CERT, the promulgation of an "original" law related to IT security (mandatory security audits, mandatory declaration of attacks, ...) and the launch of an agency specialised in ICT security.

    We will then focus on the activities of the public Tunisian CERT, the CERT-TCC (Computer Emergency Response Team - Tunisian Coordination Center), by giving an overview of:

    • The awareness and information actions carried out by the CERT-TCC, and the specific actions carried out in the awareness field for parents, youth and ordinary ICT users (besides ICT professionals), due to our position as a public CERT.
    • The launch of a CSIRT and the accompanying legal measures ("mandatory declaration of incidents that can affect other information systems", according to law N°5-2204).
    • The establishment of a watch and alert centre: the ISAC system "Saher" and the reaction plan "Amen".
    • Professional training and education actions, based on the launch of training sessions for trainers and on the launch of Master's programmes in IT security.
    • Research and development strategy and actions, based on the open-source approach, for the rapid and efficient emergence of national R&D activities.
    • The role of NGOs in consolidating the effort of the CERT-TCC, and actions carried out with NGO associations.

    We will conclude with an overview of the urgent needs of developing countries and the value of a regional approach, and close with a set of guidelines and key issues to consider when building efficient plans and strategies in IT security, drawn from the Tunisian experience in that field, which is partially based on the launch of the CERT-TCC.

    Seville, ES

    June 22, 2007 17:00-17:45, June 22, 2007 17:45-18:00

    Hosted by FIRST.Org

    MD5: 61c7db17bf6b3f90f37c7e5a94e96c4c

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.1 Mb

    MD5: 453e1570158605f8c71fc3e9440a88f1

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 2.74 Mb

  • US

    Unique Challenges for Incident Response in a Grid Environment

    Incident response within an organization can often be a challenging task. There are usually multiple levels within an organization, as well as multiple departments, that you may have to work with when responding to an incident. What are the challenges when you have a grid environment in which thousands of users may be using resources within your organization over which you have no control? And when an incident does happen (that's not an "if"), how do the organizations within the grid work together to respond to an incident that can usually spill over to many sites within the grid? This work addresses the challenges of incident handling and response in the more complex environment of grid computing, where there is a distributed user base and multiple physical entities composing a virtual organization. We will cover how the TeraGrid sites deal with coordinated incident response and give some real-world examples of actual incidents.

    Seville, ES

    June 22, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: 7e99a9c059b3a5af76e96049bd3e57a0

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 417.06 Kb

  • US

    UNIX/C Programming traps and pitfalls

    Neither the UNIX system nor the C programming language was built with security as a primary goal. Consequently, building a secure program can be like building a house on quicksand. The challenge for the implementor is to avoid the mechanisms that are weak, and to carefully build on the few mechanisms that remain. This tutorial focuses on implementation errors, why these errors happen, and how an implementor can avoid making such errors.

    Security problems happen when system behavior does not match the user's expectation. Wietse illustrates this with a very small and obviously correct file shredder program that does not work at all, and for more reasons than most people can think of. This is followed by a segment that illustrates several flaws that were found in real applications that used the UNIX file system in an exploitable manner.

    The set-uid feature is unique to UNIX, and deserves its own segment. Wietse demonstrates why it is fundamentally impossible to write set-uid software without creating a security hole.

    Finally, Wietse presents the open source Postfix mail system, and how its partitioned design not only helped to build a secure mail system, but also helped to avoid code degeneration as the system expanded in size by more than four times.
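    The page does not say which file system flaws the second segment shows, so the block below is an added example of one well-known member of that class (not the tutorial's own material): a program that checks a file name and then opens it, leaving a window in which another process can plant a symbolic link so that the open lands on a file the program never intended to touch. The attacker's move is simulated by a callback so the race reproduces deterministically; the scenario, file names and the `unsafe_create`/`safe_create`/`demo` helpers are constructed for illustration. It is written in Python over the POSIX `os.open` flags, which is the same system-call interface a C program would use.

```python
"""Added example: the check-then-open pitfall on a UNIX file system, with the
attacker's move simulated by a callback so the race is reproducible."""
import os
import tempfile


def unsafe_create(path: str, data: bytes, between=lambda: None) -> None:
    """Typical pattern: check that the name is free, then open it by name.
    Between the two steps another process can plant a symlink at 'path'; the
    later open() follows it and truncates whatever the link points to."""
    if os.path.lexists(path):
        raise FileExistsError(path)          # the check
    between()                                # the window another process gets
    with open(path, "wb") as f:              # the use: follows a planted symlink
        f.write(data)


def safe_create(path: str, data: bytes, between=lambda: None) -> None:
    """Let the kernel do check and create atomically: O_EXCL refuses an existing
    name (a symlink included), O_NOFOLLOW refuses to follow one, and the mode is
    restrictive from the first instant the file exists."""
    between()                                # same window, but no earlier check to invalidate
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Run both variants against a planted symlink; constructed scenario in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")           # a file the program must never write
        with open(victim, "wb") as f:
            f.write(b"important data")

        out1 = os.path.join(d, "out1")
        unsafe_create(out1, b"attacker-controlled", between=lambda: os.symlink(victim, out1))
        with open(victim, "rb") as f:
            results["victim_after_unsafe"] = f.read()

        with open(victim, "wb") as f:                # reset the victim
            f.write(b"important data")
        out2 = os.path.join(d, "out2")
        try:
            safe_create(out2, b"attacker-controlled", between=lambda: os.symlink(victim, out2))
            results["safe_refused"] = False
        except OSError:                              # EEXIST (or ELOOP): create refused
            results["safe_refused"] = True
        with open(victim, "rb") as f:
            results["victim_after_safe"] = f.read()

        fresh = os.path.join(d, "out3")              # no attacker: the safe path still works
        safe_create(fresh, b"ok")
        with open(fresh, "rb") as f:
            results["fresh_content"] = f.read()
        results["fresh_mode"] = os.stat(fresh).st_mode & 0o777
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

    The lesson generalises beyond symlinks: any decision taken on a path name is stale by the time the name is used, so the only reliable place to combine the check and the operation is the kernel, via the flags on the open itself (and, in a set-uid program, also via the real-versus-effective identity the kernel applies to that open, which is the subject of the next segment).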

    Seville, ES

    June 18, 2007 14:40-16:30, June 18, 2007 17:00-18:50

    Hosted by FIRST.Org

    MD5: 35da697fd09295de5578e1e6f47d9487

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 998.37 Kb

  • DE

    Using instrumented browser instances for detecting 0-day exploits and filtering web traffic

    In the past three years the main infection vectors of malware have shifted from network-scanning worms targeting server software, and social-engineering attacks such as email worms, to attacks targeting vulnerabilities in client software. The most popular target of these attacks is Microsoft's Internet Explorer. One idea that has been employed in the past to deal with scanning worms also proves useful in these new scenarios: honeypots.

    In the talk the idea of using a client honeypot to protect a small workgroup environment is explored. We present an architecture for integrating an automated instance of Internet Explorer into a web proxy to transparently filter malicious web sites. We provide implementation details, report on problems encountered and give measurements of run-time metrics such as latency.

    Seville, ES

    June 21, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: 62b5372864dfdd179a97f27fb11d83f7

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 4.52 Mb

  • US JP

    Vulnerability Remediation Decision Assistance system

    Art Manion is the Vulnerability Analysis Team Lead at the CERT Coordination Center (CERT/CC). The Vulnerability Analysis Team works with vendors, reporters, researchers, and other parties on vulnerability coordination, response, and disclosure. In addition, the team researches new ways to manage vulnerability information and improve software security. CERT/CC is a Federally Funded Research and Development Center (FFRDC) operated by the Software Engineering Institute at Carnegie Mellon University.

    Hal Burch is a member of technical staff at the CERT Coordination Center (CERT/CC). Hal's responsibilities at CERT/CC include the Secure Coding Initiative and development of tools for vulnerability handling at CERT/CC. CERT/CC is a Federally Funded Research and Development Center (FFRDC) operated by the Software Engineering Institute at Carnegie Mellon University.

    Yurie Ito is Director of Technical Operations at JPCERT/CC. Yurie is responsible for the overall JPCERT/CC technical operation, including incident response, vulnerability handling, watch and warning, and the situation awareness program. She has been a Director and Steering Committee member of FIRST from 2005 to 2007, and is a Steering Committee member of APCERT.

    Seville, ES

    June 21, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: 6d7ef14251924977e561cf0cfee0df92

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 168.76 Kb

    MD5: 6daea9ec14a5432259cba62c2cb274f2

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1001.66 Kb

  • DE

    Why Protection against Viruses, Bots, and Worms is so hard – Malware seen as Mobile Agents

    Viruses, bots, worms, etc. are nothing but mobile agents. Mobile agents in turn have been a subject of research in computer science for quite some years. Recently, research on the security side of mobile agents has received increased attention, too.

    Perfectly securing mobile agents is generally impossible. While this is cumbersome for legitimate scenarios, it is good news when trying to protect IT infrastructure. On the other hand, there are quite powerful protection methods for mobile agents, so securing computers is far from trivial.

    In order to explain this simple truth, the paper relates current as well as well-established findings from (theoretical) computer science to the IT security world of practitioners.

    It is shown what methods are available to protect mobile agents, i.e. viruses, bots and worms, from their environments, i.e. the computers they run on. The limits of these protection methods are also explored.

    Seville, ES

    June 20, 2007 12:20-13:10

    Hosted by FIRST.Org

    MD5: c44081f3365fa794f409c80b28b97ab4

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 141.34 Kb

    MD5: 49729ccda2df172cdaa3a694077ed9be

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 673.13 Kb

  • FR

    WiMAX: Security Analysis and Experience Return

    WiMAX (Worldwide Interoperability for Microwave Access) is the new, much-hyped broadband wireless access technology. Basically, WiMAX is a radio technology that promises two-way data access at several megabits per second with ranges of several miles, in either line-of-sight (LOS) or non-line-of-sight (NLOS) situations.

    The IEEE 802.16-2004 standard will be analysed in terms of security; a critical analysis will be performed and fully described. Authentication, confidentiality and integrity on the radio side will be discussed. Some issues will be pinpointed, and the presentation will focus on how they are addressed in the IEEE 802.16e-2005 standard.

    Finally, we will describe some experimental deployments led by France Telecom, and how they succeeded in bringing broadband wireless access to residential and enterprise architectures.

    Seville, ES

    June 22, 2007 15:40-16:30

    Hosted by FIRST.Org

    MD5: e1924c764ffa2b8adcd9a703becb4e31

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 674.11 Kb
