Abstracts

10 New Year's Resolutions for 2005 - A Mid-Year Review --- How are we doing? By William Pelgrin, Director, NYS Office of Cyber Security and Critical Infrastructure Director Pelgrin will provide a dynamic, multi-media presentation discussing the current cyber threat environment and what we can do about it. Questions like "Are You the Weakest Link?" and "Am I safe?" will be explored. Additionally, Director Pelgrin will highlight the cyber security initiatives underway through the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC). Since its creation in 2002, CSCIC has moved forward quickly in addressing the needs of state government, with the establishment of a 7 x 24 cyber center, distribution of cyber advisories, policy implementation and a number of other programs. This Office also focuses on building strong relationships between and among the public (federal, state, and local) and private sectors to best ensure our State's cyber readiness. In 2003 the MS-ISAC was officially recognized by the US Government as the public sector ISAC. Director Pelgrin's presentation will highlight the successes and pitfalls in his effort to be cyber prepared.
2005 Australian Computer Crime and Security Survey By Jamie Gillespie, Senior Security Analyst, AusCERT and Kevin Zuccato, Director, Australian High Tech Crime Centre The survey builds on the format of the well-known annual CSI/FBI Computer Crime and Security Survey and includes new lines of enquiry designed to better understand the particular factors which contribute to computer security incidents. The survey provides the most up-to-date and authoritative analysis of computer network attack and computer misuse trends in Australia over the last 12 months. As before, the survey includes a number of real case studies and expert commentary from Australian law enforcement, AusCERT and other Australian experts. Above all, the survey aims to raise awareness of the complex nature of computer security issues, identify areas of concern and, where appropriate, motivate organisations to take a more active role in protecting their systems.
A novel application of PKI smartcards to anonymise Health Identifiers By Stephen Wilson, Director, Lockstep Consulting Electronic Health Record (EHR) systems are emerging as one of the community's key pieces of information technology. A critical building block of all EHR systems is the Unique Health Identifier (UHID). Default thinking about UHIDs has settled on a national numbering scheme, despite the fact that patient privacy can be seriously jeopardised if given UHIDs ever become linked to individuals' names. A spectrum of generic risk mitigation strategies is envisaged, including access controls, conservative consent provisions around secondary usage, and limiting the personal details recorded. Yet none of these measures does anything to control the underlying linkage of UHIDs and names, and so a serious gap persists in EHR strategy and architecture. This paper presents a new way to fundamentally anonymise UHIDs through a novel use of public key certificates and smartcards. Smartcards have to date been seen as passive carriers of UHIDs. This simple view underestimates their abilities, but deeper analysis has been inhibited by the desire to remain "technology neutral" and to admit as many forms of UHID as possible. Our design secretes each identifier within an anonymous digital certificate, and links one or more certificates to a smartcard. If an EHR entry is digitally signed via such a certificate, then that entry is directly linked to the numerical identifier, but cannot be linked to the individual's name without access to the smartcard and the private key it contains. This approach brings several unique benefits. It strengthens consumer consent controls, provides off-line identity resolution, and radically reduces the need for centralised, mission-critical identity servers. It seamlessly supports multiple identifiers and legacy EHRs. And it is compatible not only with the imminent Medicare smartcard, but also with a range of other choices available to consumers in the near future, such as smart driver's licences and EMV credit/debit cards. We strongly recommend that more sophisticated use of the new Medicare smartcard be made, lest public policy in e-health security be seen by the community to lag behind the banking sector, where two-factor authentication and smartcards are rapidly entering the mainstream.
A 'Standards' approach to the development of system security plans By Dr Sue Dudley, Information Security Group Manager, Victoria Police This half-day tutorial, which is mainly intended for those delegates who have either:
The relationship between an organisation's Information Security Policy, a System Security Policy and an SSP will be briefly examined; then, using small group activities, delegates attending this tutorial will learn how to structure, and identify the required content for, an SSP applicable to any specific system. Delegates will also learn how this approach to SSP development can be used, with very minor modifications, as a practical guide for monitoring/auditing the implementation and management of system security controls, and for the upgrading of system security. As the following two standards:
This tutorial is of a basic level.
Advances in stopping email viruses, phishing attacks and spam By Mike Bessey, IronPort Systems Bot networks have greatly increased the challenges around securing email. In this session we cover some of the newest techniques for stopping virus outbreaks, phishing attacks, spam, port 25 DoS attacks and other email nasties. There are no completely effective solutions available today, but we review what practical techniques and products can help you improve email security. You can profit from others' misfortune! This presentation will reveal how other email users have been impacted by vulnerabilities in their email systems, and show you ways to batten down your hatches. IronPort Systems is the world's fastest-growing email gateway technology company, and supplier to many of Australia's largest ISPs, Government and Corporate customers.
AFP Case Studies - Absent Security By Darrell Betts, Computer Examiner, Australian Federal Police and Matthew Thomson, Computer Examiner, Australian Federal Police The Computer Forensic Team of the Australian Federal Police is the organisation's primary team for the acquisition and recovery of electronic evidence. The team has the opportunities, and is well placed, to observe, record and analyse diverse computer systems. We often observe good practices, and not-so-good practices. This presentation will highlight some of these practices using 'case studies' such as:
Application Security - Why conventional firewalls, IPS, HIDS and antivirus are not enough By Mark Verbloot, F5 Networks As businesses place more applications on the Web, they expose more of their sensitive customer data to hackers. Browser-based applications tunnel through the entire security perimeter of an organisation, giving users unprecedented access to internal systems. For most organisations, the Web application has itself become the security perimeter, and the only way to ensure the security of those applications is to deploy an Application Firewall. Beyond HTTP protocol inspection, an application firewall understands how a user can navigate the site and what they can provide to the application as input - it provides a layer of security that ensures people are only able to interact with a web application in the way it was intended to be used. This session will discuss F5's Application Firewall, TrafficShield. It is a new class of security device using a full proxy architecture and a positive security model (white listing) to permit only those requests known to be good.
Architecting a Secure Future? By Stephen MacDonald, Check Point Software Technologies, Australia Creating a secure computing environment for business takes planning and careful consideration. Australian businesses have traditionally taken a point solution approach to addressing the information security requirements of their business. As new applications have been added or new security threats have emerged, point solutions have been implemented to address that specific requirement. The Internet has become the lifeblood of many businesses, and applications that leverage the Internet, such as VoIP, have begun to reach maturity. This continued rapid growth in the Internet has brought with it an array of new security threats. A traditional point solution approach shackles businesses as it restricts their ability to quickly implement new and secure applications, to respond to newly identified threats and to expand their network beyond traditional boundaries to encompass remote workers and third party contractors in a safe manner. Australian businesses should be taking an architectural approach to their security infrastructure in order to lay the foundations for secure computing. An architectural approach allows security solutions to scale across different people, locations and environments, and encompasses everything from remote users in cyber cafes up to the largest corporate network. It means that every change in your business no longer necessitates huge technical changes. Stephen MacDonald, Security Solutions Architect at Check Point, has spent the past nine years in information security and will outline why an architectural approach to security is a necessity if you want a secure future for your business.
Are your valuable data assets secure? By Nicko van Someren, nCipher, Australia Stringent control over who can see sensitive information, wherever it is stored, is fundamental to compliance and is the cornerstone of effective security. In today's world this means robust access control, widespread encryption and a comprehensive audit capability. This presentation examines how critical data can be protected from external and internal threats and yet can still be accessible to authorized people and applications.
Artifact Analysis - Methodologies and Trends By Kevin J. Houle, Artifact Analysis Team Leader, CERT Coordination Center In order to understand the nature of the evolving threats in Internet security, it is important to understand the tools used to execute attacks. Malicious code developed and deployed on the Internet continues to evolve to enable more organized and sophisticated attacks. Defending systems and networks today extends beyond just leveraging technology into a need to understand attacker capability. Artifact analysis is the study of Internet attack tools and malicious code. This presentation will examine the role artifact analysis plays in Internet security, the goals of artifact analysis, and common components of an artifact analysis capability. Topics will include a discussion of the differences between artifact analysis and forensics, an overview of artifact analysis methodologies and tools, and some observations regarding trends in malicious code evolution.
Artifact Analysis Tutorial By Kevin J. Houle, Artifact Analysis Team Leader, CERT Coordination Center In order to understand the nature of the evolving threats in Internet security, it is important to understand the tools used to execute attacks. Malicious code developed and deployed on the Internet continues to evolve to enable more organized and sophisticated attacks. Defending systems and networks today extends beyond just leveraging technology into a need to understand attacker capability. Artifact analysis is the study of Internet attack tools and malicious code. This tutorial provides a deeper view into artifact analysis based on the information discussed in "Artifact Analysis - Methodologies and Trends". Topics include safe recovery and handling of malicious code, an in-depth discussion of the tools and techniques used to perform artifact analysis, and case studies of several examples of malicious code from the Internet.
Aspects of a secure and assured infrastructure using a 'layered' approach to security By Greg Bunt, Juniper Networks, Australia Greg Bunt, Senior Systems Engineer from Juniper Networks, will discuss aspects of a secure and assured infrastructure using a 'layered' approach to security. This session will cover dynamic threat mitigation including end-to-end protection, intrusion and viral detection and effective neutralization. It also looks at providing customer feedback loops for self help.
AusCERT member only session By AusCERT This is an informal session, hosted by AusCERT staff in which we discuss with our members existing and proposed AusCERT services. This includes the introduction of new AusCERT team members, discussion of proposed new services and current projects as well as training opportunities. It is a chance for our members to voice their opinions or raise questions about any aspects of AusCERT. We warmly welcome all AusCERT members to join us for a chat and some refreshments.
Australian Launch of the Business Application Security Assurance Program (BASAP) By Oliver Binz, General Manager, b-sec This presentation will represent the official launch of the Business Application Security Assurance Program (BASAP). Attendees will be given a detailed description of the program and how it meets current requirements to ensure critical business applications meet best security practices. Unlike existing certification programs, such as Common Criteria, BASAP is designed to be cost effective and provide fast turn-around. The evaluation criteria are published, enabling businesses to pre-qualify applications before submitting them to BASAP. If your business uses custom-built Web Applications, you should not miss this presentation. All participants will receive a free copy of the BASAP Application Security Assurance Framework. BASAP is proudly supported by b-sec Consulting, Microsoft and Avanade.
Borderless Security By Andrew Younger, Senior Engineer, SafeNet Australia Widely distributed, heterogeneous computing environments are challenging to secure. Perimeter-based solutions and security point products from multiple vendors all present management issues. SafeNet's Borderless Security Platform, which was launched at the RSA Conference in San Francisco in February 2005, is a new approach which combines authentication, authorization, and confidentiality wrapped in a robust management system. Based on open standards and designed to co-exist with existing technologies, it enables rapid deployment of:
- Policy-based authorization
- Strong authentication
- VPN-based confidentiality and integrity of data
- Enterprise-wide Single Sign On
- Automatic enforcement of remote user security policies
- Central system management to create, manage and revoke user credentials.
This session will look at the philosophy behind Borderless Security and its practical application - and explore the technologies underpinning this innovative new platform for securing enterprise IT systems.
Bots and Botnets - The Automation of Computer Network Attack By David Dittrich, Senior Security Engineer, Washington University Bot networks aggregate computers that have been compromised with trojans, allowing them to be remotely controlled by hackers. In the past year, the proliferation of e-mail borne viruses and auto-downloading trojans has dramatically increased the number and size of botnets, which now have economic value as Spam engines and tools in DDoS blackmail schemes. Compromised "zombie" machines were recently found on the networks of the U.S. Defense Department and Senate. IRC (Internet Relay Chat) is a live chat system that allows users to create private discussion rooms. While IRC has a lengthy history of legitimate use, it is also a medium for discreet communication between hackers. In February the FBI shut down a large IRC provider, Ohio-based CIT/Foonet, saying it was operating a DDoS-for-hire scam. CIT operator Jay Echouafni is now a fugitive, charged with paying hackers to use botnets of between 5,000 and 10,000 hosts to launch crippling digital attacks on the websites of business rivals. The CIT case demonstrates the difficulty of defending against DDoS attacks from huge botnets. One of the victims, WeaKnees.com, shifted its hosting to Rackspace, which has touted its ability to defend against DDoS attacks. The attackers subsequently changed tactics and launched an attack that kept WeaKnees offline for two weeks, according to affidavits filed with the court case. This presentation explores the history of IRC "bots" and bot networks, their development, and current feature set. Dave will discuss how botnets are set up and used in computer network attack, illustrating the concepts from news articles, contents of compromised hosts, and samples of real network traffic.
Building an Enterprise E-mail Filtering Gateway By Bojan Zdrnja, The University of Auckland Recent events have suggested that spam and malware authors are working together on improving their methods of distribution. This places an additional burden on servers, based largely on the volume of messages. In addition, users are increasingly demanding of spam detection technology and expect a reduced number of false positive incidents. As the cost of spam detection increases, organisations face the challenge of how to deliver clean and safe e-mail. This presentation will demonstrate the architecture and implementation of an enterprise e-mail system at the University of Auckland. Security policies for dealing with infected e-mails will be discussed, as well as an overview of the latest anti-spam techniques. This presentation is aimed at an intermediate level audience.
Challenges we face in today's cyber world By Eugene Kaspersky, Kaspersky Labs The threat to business and personal information assets is radically changing. And with that change comes a growing risk to businesses of every size. The threat began with hooligans seeking notoriety or simply creating havoc wherever they could. But these threats are moving into a totally new realm. It has become a for-profit endeavor that ranges from personal identity theft to corporate espionage. The threat in its mildest forms results in disruption of day-to-day business, taking a significant toll on the profitability of companies of all sizes. By 2002, email and digital transactions had become as common in businesses as the telephone. The Internet allowed a whole new class of transactions to take place using e-mail and digital money. Digital financial transactions were not new to financial institutions. However, the increasing use of the "wide-open" Internet as the transport, coupled with the growing popularity of digital transactions with businesses and individuals, represented a major change. Digital threats can originate from any point on the globe and come in seemingly infinite forms, many of which are not widely understood. While the Internet enabled a new era in online convenience and efficiency, it also increased the threat to the financial assets of both businesses and individuals. Today, trade secrets are often stolen digitally. Databases can be hacked, or computer spyware can be used to siphon off information created or accessed by any employee. Physically destroying a building is one way to cripple a business; a denial of service (DoS) attack is a digital equivalent that can bring a business to its knees in short order. The operatives behind the threats are no longer just pranksters. Digital exploits have become a real business, run by real professionals, with potentially staggering payoffs. How and why has the threat evolved? What can be done to ward off this increasingly dangerous threat? The presentation by Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab, a well-known player in the global anti-virus market, will describe the main trends in modern IT threats and potential ways of combating them.
Combining the best in antispam with the best in antivirus By Saeed Hagh, Symantec Australia Symantec Brightmail, the antispam market leader, invites you to join an exclusive product demonstration that will provide an in-depth look at the new Symantec Mail Security appliances. Our antispam expert will address technical aspects of these appliances with a product demonstration and share the latest methods to combat the ever-increasing threat and burden of spam in your environment.
Corporation Patterns, Best Practices & Standards for Deploying Federated Identity Management Solutions in a Web Services world By Venkat Raghavan, IBM, USA In the real world, seemingly simple things like managing identities and accounts for partner companies' users (identity management) result in significant administrative overhead and are the main reason why companies cannot pursue automation of business processes. The issues related to identity management and security administration in today's environment are primarily due to a single reason: each application or platform internalises the notion of an identity that needs to be provisioned with that platform or service. These issues are exacerbated when companies begin to embrace Service Oriented Architecture (SOA) to simplify service integration across company, business and trust boundaries, as security credentials cannot be easily shared between application domains. Federated Identity Management has emerged as a critical process component of SOA: a process that simplifies identity and security for cross-enterprise or intra-enterprise collaboration, built on a foundation of trust, integrity and privacy. The approach recognises that administration of users and programs can be simplified if companies can apply relationship-based trust with their partner organisations to improve their security posture, governance and user experience. While federated identity deals with user administration and user entitlements, federated security management on the other hand addresses the issue of security management for programs or services that need to be secured across heterogeneous application platforms and security domains. Built on the WS-Security family, federated security leverages policy-based security to secure cross-enterprise, cross-platform, cross-vendor Web Services. This session will articulate best practices and provide a standards-based approach for deploying Federated Identity Management, multi-company provisioning and SOAP Web Services security for B2B interactions. The focus will be on best practices for integrated identity management, federated identity interoperability between J2EE and MS .NET, and the use of specifications such as Liberty ID-FF 1.1/1.2, WS-Security, WS-Federation and WS-Trust to deliver federated security management. You will learn the conceptual, technical and standards-based framework needed to deploy federated identity management solutions using a trusted Web Services foundation.
Cost effective defence-in-depth, providing application and content security By Christo Simeonoff, Blue Sky Industries Pty Ltd This session will illustrate the 'whole-of-life' cost savings obtainable by using an integrated approach to meeting Best Practice security targets.
Detecting Intrusion Attacks By Eric Krieger, Secure Computing Corporation I will be discussing topics associated with detecting intrusion attacks and how to fight back against them. My materials will cover three main areas:
- Network layer attacks - which are (speaking in terms of the TCP/IP protocol stack) a layer 3 problem
- Application layer attacks - which are a layer 7 problem
- Recommended solutions to these attacks, in particular advice on dealing with layer 7 attacks, because they are the main problem we are all struggling with today
I will be discussing perimeter security in terms of layers in the TCP/IP protocol stack, associating four specific kinds of gateway security technologies with the 7-layer OSI model. Background: The most common firewall technology today is stateful inspection. The vast majority of networks today are presently protected by this approach. This is layer 3 technology, and here is an essential point to be remembered about the stateful inspection process. Once any packets pass the 'state table check', they are always streamed directly through the firewall at layer 3, just like packets are streamed through routers, with little or no additional security filtering. Moving up the OSI stack, we see that a number of stateful inspection firewall manufacturers are extending stateful inspection a bit into the application layer, and augmenting it with some application filtering, which is good. Some of them refer to their approach as deep inspection. But these solutions remain primarily router- and switch-level technologies in their core architecture; they are not built for terminating traffic at layer 7, the application layer. Moving further up the OSI stack to layer 7 itself - again, this is referred to as the application layer - we see that some systems are actually capable of assembling complete layer 7 application objects (mail messages, web pages and of course the nasty worms, trojans and viruses that come along with these applications). This class of security gateway can also include IPS capabilities to stop emerging application-specific attacks. Secure Computing Corporation's Sidewinder G2 Security Appliance is such a system. Finally, there is a new class of security gateways that I have artificially stacked on top of layer 7 in the OSI model, as these gateways are application-specific, like the recently so-named Web firewalls. These application-specific firewalls typically focus on only one protocol, HTTP in this case, and they are configured to learn the actual content hosted on the systems that they protect. They are all manufactured by venture capital funded start-up companies and are still not well known or well tested in the mainstream market.
Detecting Network-based Obfuscated Code Injection Attacks Using Sandboxing By Stig Andersson, Queensland University of Technology Intrusion detection systems (IDSs) are widely recognised as the last line of defence, often used to enable incident response when a system's prevention mechanisms are ineffective or have been compromised. A signature-based network IDS (NIDS), which operates by comparing network traffic to a database of suspicious activity patterns (known as signatures), is a popular solution due to its ease of deployment and relatively low false positive (incorrect alert) rate. Lately attack developers have focused on developing stealthy attacks designed to evade NIDS. One technique used to accomplish this is to obfuscate the shellcode (the executable component of an attack) so that it does not resemble the signatures the IDS uses to identify the attacks but is still logically equivalent to the clear-text attack when executed. We present an approach to detect obfuscated code injection attacks, an approach which compensates for efforts to evade IDSs. This is achieved by executing those network traffic segments that are judged potentially to contain executable code and monitoring the execution to detect operating system calls, which are a necessary component of any such code. This detection method is based not on how the injected code is represented but rather on the actions it performs. Correct configuration of the IDS at deployment time is crucial for correct operation when this approach is taken; in particular, the examined executable code must be executed on a system identical to the system the IDS is monitoring with regard to both operating system and architecture. We have implemented a prototype detector that is capable of detecting obfuscated shellcodes in a Linux environment, and demonstrate how it can be used to detect new or previously unseen code injection attacks and obfuscated attacks as well as well-known attacks.
Enabling Automated Policy Enforcement with Real-time Network Discovery By William Young, Sourcefire Join Sourcefire's Security Engineer, William Young, to hear about Enabling Automated Policy Enforcement with Real-time Network Discovery. William will focus on the value of passive asset detection in the context of NIDS/NIPS, as well as discussing the flexibility of the latest Snort rules language in identifying morphing exploits. The new and emerging threats and the role of monitoring in identifying these exploits as they occur will also be addressed.
Experience in fighting DDoS attacks By Nicolas Fischbach, Senior Manager, Network Engineering Security, COLT Telecom Service providers have to deal with large and distributed denial of service attacks multiple times a day. We will present state-of-the-art detection and mitigation techniques and how, when combined with router/network hardening, DDoS attacks can be "survived".
Exploits -- The past, the present and the future By Paul Ducklin, Head of Technology, Asia Pacific, Sophos ANZ Software security is regularly in the news these days, so you might reasonably expect modern software to be resilient to attacks made possible by poor design or by incorrect programming. But a wide range of old-fashioned errors continue to turn up in today's code, with the result that the internet seems to be as vulnerable in 2005 (e.g. Sasser) as it was in 1988 (e.g. the Morris worm). This paper examines the history and the likely future of remotely-exploitable vulnerabilities, showing how problems in design and implementation lead to a range of widely-repeated bugs. These include buffer overflows, signed/unsigned errors, canonicalisation flaws and privilege mismanagement. The paper also looks at the techniques we can use -- in hardware, in the operating system kernel, in run-time libraries and even in choice of implementation language -- to help us produce systems in which exploits are prevented, rather than cured. Though technical in nature, this paper is intended for a basic-to-intermediate audience. One or two examples will dip into low-level detail, so familiarity with compilers (e.g. MSVC, gcc), assemblers (e.g. MASM, gas) and architecture (e.g. i386 memory paging) would be an advantage.
Fighting Internet diseases: DDoS, worms and miscreants By Nicolas Fischbach, Senior Manager, Network Engineering Security, COLT Telecom Denial of service attacks are nothing new. During this tutorial we will look at the history of DoS and DDoS and present measures that should be taken to make the infrastructure more resistant. Detecting and understanding what is going on is a major step in the right direction towards effective mitigation. We will look at different ways to achieve both goals while keeping CAPEX and OPEX reasonable. Less technical things like the history and motives of the bad guys will also be looked into, and we will discuss what the future may look like.
Forensics, Privacy and ISP Liability - Weaving and Dodging Risk By Phillip Hourigan, Partner, Deacons This presentation will focus on current issues in law relevant to IT Security. Topics to be covered include legal issues in undertaking or acquiring forensics services and proposed amendments relating to ISP liability. In the area of forensics, service providers routinely provide these services with little or no formal arrangements with customers. From a provider's perspective the risks include significant assumed liability for damage to IT infrastructure as a result of any forensic activity, and for security breaches or other compromises to security not uncovered as part of the forensic services. Forensics also raises a range of privacy compliance issues for both the customer (in relation to its data subjects) and the service provider. This leads to a general consideration of current issues in privacy compliance in the area of IT Security. Proposed amendments to the Copyright Act in Australia, introduced as part of Australia's obligations under the implementation of the US Free Trade Agreement, are aimed at significantly increasing the exposure of ISPs in relation to copyright infringement. Having regard to the prevalence of threat propagation via ISPs, there is significant risk that ISPs will not qualify for the limited 'safe harbour' exceptions in relation to the authorisation of copyright infringement. Apart from identifying current problems in the areas outlined, this session will also look at strategies for mitigating legal risk.
From Chaos to Control: Assuring Service by Securing the Enterprise By Chris Pick, Vice-President Security Management, NetIQ Join Chris Pick for an executive discussion on the challenges of Enterprise Security and why traditional approaches to security fail. During this presentation Chris will provide a comprehensive overview of today's biggest IT security concerns, and will address specific drivers such as risk & vulnerability management and compliance with regulations and standards. In addition he will illustrate the need to take a process-based approach to security management and will introduce you to NetIQ's closed-loop approach to enterprise Security Management. You will gain valuable insight into: - Building best practices that will provide your organisation with a strong security foundation - How to minimise the flood of security event data - Identifying the critical risks to your IT infrastructure - How to reduce the complexity of securing your IT infrastructure as well as your exposure to risks and non-compliance issues.
Future Security of VoIP and SCADA By Robert Graham, Chief Scientist, Internet Security Systems (ISS) VoIP and SCADA are both network technologies that offer multiple business benefits to companies and individuals... and substantial cyber security risks as well. This 'no holds barred' presentation will outline the potential areas of vulnerability inherent within SCADA and VoIP, where the sources of threat are likely to come from, and the possible impacts that a cyber attack could have on businesses that utilise these technologies. Real-life examples of security breaches and attack scenarios will be highlighted as well. If delegates are looking for invaluable practical advice for pre-emptive security planning for VoIP and SCADA, then this is a must-see session. Audience: Executive management as well as network and security administrators.
Getting Clear About Information Security Roles & Responsibilities By Charles Cresson Wood, (CISA, CISM, CISSP) Independent Information Security Consultant, Sausalito, California Far too many organizations have been dealing with information security as though it were a one-time project. To the contrary, information security is an on-going organizational function and needs to be recognized as such. This presentation will explore the reasons why information security roles and responsibilities need to be explicitly incorporated into departmental mission statements, job descriptions, and outsourcing documents. The impediments to establishing information security as an accepted and full-fledged organizational unit will additionally be explored. Various recommended reporting relationships for an information security unit will also be described in this presentation.
Honeynets By Lance Spitzner, President, Honeynet Project This will be a highly technical overview of what honeynets are, their value, the different types and how they work. We will focus on the Data Control, Data Capture, and Data Analysis mechanisms of GenII technologies. We will also cover some different deployment options, such as honeynet farms and virtual honeynets. Last, we will cover several examples of honeynet captures and what we have learned. The class will include a hands-on demonstration showing all the different elements of a honeynet at work, including a demo of the latest Honeywall CDROM.
How to securely deliver Access to your organisation, why Access is Strategic to Security and your Success By Phil Montgomery, Citrix Systems This session explains how organisations need to expand their thinking about ACCESS. Access has always been a challenge between security, functionality and productivity. By implementing an Access Strategy, you can deliver a system that enables universal secure access, without the traditional limitations or security implications.
I am not a target By Ron Brandis, Principal Information Security Consultant, Electronic Warfare Associates-Australia The common belief that many organisations are not a target for hackers, since they have nothing of value to steal or destroy, is false. For the attacker the real motivation may not be to steal or destroy an organisation's assets; it is often to control them so that they can conduct further attacks on other organisations. Demonstrations within a simulated network show how an attacker, using current exploit methods, searches for soft targets in order to direct attacks at a more secure second target. The first target in most cases may be a normal home user, whilst the second is the valued target for the attacker. The attacks performed are walked through their various stages, including:
This presentation is of an introductory level.
Identifying Weak Applications By Justin Derry, Senior Security Consultant, b-sec Application-focused attacks are becoming more common and are likely to become the next "big thing" for security managers to have to address. A motivated attacker targeting a specific system will often find it simpler and more effective to use a weak application or web site to compromise a system than to attempt to break into a network through a firewall or other connected network devices. This tutorial aims to give Security Managers, System Administrators and IT professionals an understanding of the technical risks associated with applications and how to identify and possibly mitigate common weaknesses. The tutorial will cover some of the common methods that attackers use to exploit and compromise weak applications, as well as the styles of common attacks launched against applications, including: - Types of attack surfaces such as Web Services, XML and Applications - SQL & Command Injection - Cross Site Scripting - Authentication & Authorisation failures - Failure to handle errors correctly, exposing system information - Manipulating application parameters The presentation will include a number of demonstrations of how to identify these weaknesses in an application, the risks associated with each attack, and how the attack could lead to the compromise of corporate systems. At the conclusion of this session you will have gained a solid understanding of the risks associated with weak applications, as well as skills in how to test for and identify common problems.
IEEE 802.11i WLAN Security Protocol - A Software Engineer's Model By Elanker Sithirasenan, Griffith University Wireless local area networks (WLANs) based on the IEEE 802.11 standards are one of today's fastest growing technologies in businesses, schools, and homes, for good reasons. As WLAN deployments increase, so does the challenge of providing these networks with security. Security risks can originate either from technical lapses in the security mechanisms or from defects in software implementations. Standards bodies and researchers have mainly used UML state machines to address the implementation issues. In this paper we propose the use of the GSE methodology to analyse the incompleteness and uncertainties in specifications. The IEEE 802.11i security protocol is used as an example to compare the effectiveness of the GSE and UML models. The GSE methodology was found to be more effective in identifying ambiguities in specifications and inconsistencies between the specification and the state machines. Resolving all issues, we represent the robust security network (RSN) proposed in the IEEE 802.11i standard using different GSE models.
Information Security Governance By Rupert Dodds, Director of information risk management team, KPMG The presentation aims to explain how information security integrates into the corporate governance framework. Security alignment with corporate strategy is examined, with security presented as an issue with twin goals - business enablement and asset protection. People, process and technology elements of security are examined in this context, and roles, responsibilities and accountabilities discussed. The presentation will make reference to a number of real life examples from the presenter's personal experience, and conclude with a case study in which the presenter was involved. The case study covers a business process transformation project, in which information security was a key component to enabling the business strategy. This presentation is of a Basic level.
Integrate or bust: Why spyware isn't the only internet security threat By Charles Heunemann, SurfControl Today, 80 percent of Internet-connected computers have some type of spyware on them. While many IT Managers consider spyware a greater problem than viruses (Source: WatchGuard Survey January 2005), nine out of 10 computer users can't identify what spyware is - an indicator of the organisational challenges in combating this malicious software. (Source: US National Cyber Security Alliance AOL/NCSA Online Safety Study 2004.) For enterprises, the greatest security risk stems from a failure to protect all facets of a company network and from employees who think spyware is IT's problem. Escalating in sophistication and fraudulence, spyware and other online threats such as phishing use multiple attack vectors to propagate within organisations. Spyware's threat lies in its ability to track online activity, stealing personal or corporate data for sale to anyone who will pay. In this presentation, find out how innovative anti-spyware technologies integrated with SurfControl's world-class Internet security offerings are reducing network vulnerabilities. The leading Internet security company, SurfControl is the only provider with multi-layered technologies that manage spyware attacks executed through Web and email, wireless and mobile users, Message Sticks, Instant Messaging and Peer 2 Peer applications. Learn how SurfControl is harnessing the power of its globally deployed team of threat detection experts to continuously identify emerging Internet threats. By the end of the presentation, participants will have an understanding of: - The explosion and increasing sophistication of malicious spyware - The importance of securing network boundaries at multiple levels - Managing organisational challenges in combating spyware
Intelligent proactive network monitoring By Jacques Schuurman, Chair, SURFnet-CERT Network attacks on or via the Internet are a growing concern for operators of fast, high-bandwidth backbones with many connected but heterogeneous sites. Miscreant use of the underlying resources is becoming more common, and the effectiveness of malicious traffic increases as the time between a massive outbreak and its impact (disruption of services, compromised workstations, etc.) becomes too short to rely on slow human analysis and response. In the European context of National Research Networks, an initiative was started to design and develop a highly intelligent, automated tool for network monitoring and alerting. This project combines all initiatives that have been undertaken so far, and promises to deliver a fully operational monitoring and alerting tool by the end of the project in 2008. The first pilot version is expected by Spring 2005, and consecutive iterations of development will gradually add more intelligence and functionality to the toolset. This presentation will briefly address the history behind intelligent network monitoring, go into extensive detail on the current version, and present the roadmap towards the final envisaged deliverable of the project.
Introducing Next Generation Prevention Technologies that Keep YOU Ahead of the Threat By Steve Reddock, Internet Security Systems Most conventional Internet security solutions are still largely reliant on reactive 'attack-based' methods that respond to known threats - leaving you vulnerable to new ones. Pre-emptive security is becoming the emerging requirement for all types of organisations to stay ahead of any threats. So what pre-emptive security technologies are available, and how effective are they? In this presentation, Steve will address: - How Virtual Patch technology can pre-emptively protect from known and unknown threats (including case studies to demonstrate this) and - The latest pre-emptive security solutions that are available, including the recent launch of a ground-breaking desktop prevention technology that: - Is an industry FIRST - Does NOT require a signature update - Can stop threats at the source and - Offers multi-layered protection.
IPv6 security threats By Darrin J. Miller, Technical Leader, Security Technology Group, Cisco Systems, Inc. Much of the security discussion around IPv6 has focused on its inclusion of IP Security (IPSec). While the confidentiality, integrity, and authentication features of IPSec are clearly useful, IPSec deployment with IPv6 will feature many of the same deployment challenges currently seen in IPv4 (identity, key management, and configuration issues). This session presents IPv6 security as contrasted with IPv4 from a threats perspective. Threats that are familiar in IPv4 are compared to how those threats may evolve in IPv6, and advice is offered on what new considerations or best practices are necessary to mitigate them. In addition, the session covers advanced IPv6 security topics such as transition options and deploying IPv6 security mechanisms in a dual-stack IPv6/IPv4 environment. This session requires a working knowledge of the IPv6 and IPSec protocols as well as IPv4 security best practices.
ISSPCS certification workshop "ISSPCS: What's in it for me?" By Mark McPherson, Training and Education Manager, AusCERT Intended audience: IT/IS professionals seeking certification Duration: 2 hours (with coffee break) Presenter: Mark McPherson, Training Manager, AusCERT Cost: FREE (Please get your tickets at the Registration desk) Overview: This workshop details the history of the ISSPCS project, its goals and evolution. Mark will explain how ISSPCS certification integrates with your development as an IS professional and a member of the global community through real-world business processes setting a new industry standard in IS professional assessment.
Key Guidelines in Determining Which Systems to Address First in the Battle Against Risks, Vulnerabilities & Regulatory Non-Compliance By Chris Pick, Vice-President Security Management, NetIQ Today, in the face of increased corporate accountability, organizations are being mandated to proactively develop a comprehensive security architecture that protects shareholder integrity and customer privacy. As a result, new, comprehensive, and practical guidelines have been developed, often confusing those who wish to develop a practical security program from a single best-practice source. In this presentation, the presenters will compare and contrast key security guidelines from NIST, BSI, ISACA, and ITIL. They will also discuss the emergence of automated risk management infrastructures which balance business risk with the need for, and cost of, adequate protection.
Malware trends By AusCERT Viruses, worms, trojans, spyware, adware, backdoors, rootkits: where will it all end? The differences between the various types of malware are slowly disappearing as they adopt functions from each other. In addition, as more appliances become network-capable and network-aware, the possibilities for the spread of malware are increasing rapidly. This is a chance to ask our panel of experts about current and future malware threats and what can be done to address these threats.
Next Generation Application Firewalls: IPS Replacing Current Firewalls. By Amir Peles, Radware Australia Pty Ltd The number and severity of application vulnerabilities is growing, leaving networks exposed to downtime and administrative maintenance costs. This session will explore the next-generation application firewalls needed to prevent and mitigate attacks. Various methods will be presented, including deep packet inspection, anomaly detection, anti-scanning prevention, denial of service protection, attack isolation and traffic shaping.
Online ID theft - the next revolution in military affairs By Graham Ingram, General Manager, AusCERT Over the past few years, a range of political, social, economic and technological changes have occurred that combine to create an environment in which organised crime is flourishing. The crime is online identity theft. This presentation examines some of the factors that have led to this situation, and examines the surprising level of sophistication and development of trojan malware that is occurring for the purpose of illicit financial gain. A revolution in military affairs has occurred which has enabled online ID theft to flourish. Another revolution in military affairs needs to occur to effectively address the threat.
Passive Techniques for Detecting Session Hijacking Attacks in IEEE 802.11 Wireless Networks By Rupinder Gill, Queensland University of Technology Wireless networking technologies based on the IEEE 802.11 series of standards are evolving to address many of the security issues that plagued earlier wireless standards. Unfortunately the current standards fail to authenticate management frames and network card addresses, and rely on loosely coupled state machines. This results in serious vulnerabilities that may lead to denial of service, session hijacking, and address masquerading attacks. Until the standards are updated to redress these problems, wireless network deployments must be supported by wireless intrusion detection systems - a challenging and under-researched area. This paper presents techniques for improving detection of session hijacking attacks that are passive, computationally inexpensive, reliable, and have minimal impact on network performance. Experimental results are presented to give confidence in the utility of the techniques.
Preparing for Tomorrow's Threats, Today By Vincent Gullotto, McAfee The threats keep changing: spim, spit, bot networks, pharming, spyware, adware, mobile, and attackers also use old techniques in new clothing. As the head of McAfee AVERT, the Anti-Virus and Vulnerability Emergency Response Team, Vincent Gullotto is at security's 'Front Line'. During this session, he will share his experience and discuss the current and future threats organisations will face. Gullotto will also discuss the techniques customers can use today to protect themselves proactively against these threats.
Presenting IT evidence in the Courtroom By Ajoy Ghosh, Consultant This half-day workshop is for system administrators, security engineers, security managers and other IT experts who may need to present IT evidence in the courtroom. The workshop focuses on a technician's role as a witness and assumes he/she is comfortable with their role as an investigator. The presenter shares his experiences as an expert witness in a variety of civil and criminal cases in Australian jurisdictions. This is a practical workshop and participants will have the opportunity to prepare and present an expert report. Content
Professional Association; why is it relevant for me? How can it assist me with my professional challenges and career in Australia-New Zealand? By Guy Lupo, ISSA Target Audience: Security professionals, executives, business representatives, vendors, government, certified professionals, and anyone with any kind of interest or opinion about what the professional associations should be focused on in 2005. Overview: With the growth and expansion of Information security and its relevance to business, Security professionals are facing more challenges in their careers and in keeping up with their organization's business objectives and professionalism. It is the Professional associations' task to provide the tools and platform that are relevant to the dynamic security market space for security professionals to maintain their level of knowledge, share best practices and provide business and career opportunities for their members. The professional associations are also important to the security industry, and must act to represent the voice of security professionals in Australia-New Zealand. Purpose: Share with delegates the importance of being a member of an association, and show how membership can personally benefit them and their organization. Agenda: We start by explaining the importance of a professional association to the security professional, with ISC2 CEO Mr. Rolf Moulton as guest, then proceed to an open feedback session to hear how people think the association can provide value in the following four most relevant issues in the Australia-New Zealand market: - Identity Management - Threat Management - Risk Management - Professional certification We close with several important ISSA Australia-New Zealand and International announcements. Guests: ISC2 CEO Mr. Rolf Moulton, Mr. Clayton Jones ISC2 Business Development Asia-Pac, More Guests Hosted by ISSA with contributions from other professional associations
Professional Certification; Who Wants It, Who Needs It? By Mark Ames, ISIG Purpose: As the number of IT Security 'certificates' on offer continues to increase, employers are confused, the government has commissioned a study, and some security folks are questioning the value of any certification program. Come along to discuss and debate the role of certification programs in the industry, who really wants them, and why we need or don't need them. Target Audience: Everyone with any kind of interest or opinion on professional certification of information security people. Hosted by ISIG with contributions from other professional associations Agenda: We'll start with four or five three-minute opinion pieces from our surprise guests and other surprising speakers. Then it's an open debate on the issues. ISIG will report on the outcomes to the IT Security Skills Accreditation in Australia project and share the results with our colleague organisations.
Protecting Networks against Content Based Attacks By Philip Kwan, Fortinet, Inc Viruses, Trojans, Worms, Spyware, Adware and Network Intrusions are transmitted over networks in a variety of ways today. Transmission can occur through peer-2-peer File Sharing, Email, Sneaker Net and common Web site access. Critical systems can no longer be fully protected against these attacks by traditional firewalls, and as a result a new breed of security devices has evolved. This discussion will cover the most common attacks affecting networks today and how to protect against them. The discussion will also talk about the problem from a broad perspective, cover the solutions that exist today, and specifically how Fortinet solves many of these problems.
Protecting Windows from the Next Worm -- Reactive Security Solutions Are No Longer Enough By Thor Larholm, PivX Solutions A discussion of the vulnerability/exploit timelines of the most dangerous worms of 2004 and how to protect your computers from the new threats that are inevitably coming.
Protecting Your Network Perimeter Through Effective Patch & Vulnerability Management By Neal Gemassmer, PatchLink Asia Pacific Feature-rich patch and vulnerability management gives organisations the advantage of significantly reducing the probability of attacks by enforcing corporate-wide policies to thoroughly scan, block, patch and fix machines before they are exploited on the network, infect other computers, and disrupt traffic. Devices such as laptops and handheld computers are required to attach to and detach from the central network, resulting in the potential for infectious code to spread quickly through the entire environment, impacting the bottom line and reputation of the organisation. This session will overview how automated, cross-platform patch and vulnerability management technologies drastically strengthen network end-point security through proactive scan-and-block and remediation capabilities. Attendees will learn: - How end-point security eliminates network threats such as worms and viruses - About the latest developments in patch and vulnerability management technologies and program strategies - How enterprise users are saving time and money by proactively controlling network access through automated quarantining technology and remediation - How implementing perimeter control devices/products in conjunction with automated patch and vulnerability management technology reduces network risk and exposure to a myriad of vulnerabilities.
Return on Investment for Information Security By David Lynas, President, David Lynas Consulting Group Security exists to support our business. If it is not doing so, and seen to be doing so, we can be perceived as a Business Prevention Department, a mere cost centre that contributes little and is therefore given little back in terms of resource allocation and budget, without which we can achieve even less. Security has no meaning, no intrinsic value, without context. So what does security mean to us? What does it look like? Do we have enough of it? How do we measure it and the purpose it is serving? How do we know if it is succeeding and if our program has value? This innovative and participative tutorial presents the issues and actively works through a structured and detailed step-by-step process to define the answers. Along the way we will examine case studies and our own environments, and incorporate an appropriate benchmarking system into our process, resulting in a clear picture of our investment in security and the value our business gains from it, and learn to set on-going performance targets. We will create an action plan for on-going improvement, learn how to measure and manage it, and learn how to assess our program against standards, relevant directives and legislation. Contents include:
Reverse Engineering of Network Signatures By Darren Mutz, University of California, Santa Barbara Network-based intrusion detection systems analyze network traffic looking for evidence of attacks. The analysis is usually performed using signatures, which are rules that describe what traffic should be considered as malicious. If the signatures are known, it is possible to either craft an attack to avoid detection or to send synthetic traffic that will match the signature to over-stimulate the network sensor causing a denial of service attack. To prevent these attacks, commercial systems usually do not publish their signature sets and their analysis algorithms. This paper describes a reverse engineering process and a reverse engineering tool that are used to analyze the way signatures are matched by network-based intrusion detection systems. The results of the analysis are used to either generate variations of attacks that evade detection or produce non-malicious traffic that over-stimulates the sensor. This shows that security through obscurity does not work. That is, keeping the signatures secret does not necessarily increase the resistance of a system to evasion and over-stimulation attacks.
Running a high-tech investigation: it ain't just forensics... By Steven Branigan, President of Cyanline, LLC, a wireless network security company. Running a high-tech investigation requires skill, preparation, excellent tools, and luck. Hopefully, this session will help with all four! Most network and systems managers are not ready to handle the intricacies of a high-tech investigation, and that is a shame. While they are certainly smart enough, most have not been exposed to the issues surrounding proper investigative methods or evidence handling. Consider that this is a necessary skill, since the front-line people in most high-tech investigations are the system and network managers. This tutorial will cover some basic techniques for conducting a high-tech investigation. I will focus on, and discuss, freeware tools that exist to help with investigations. During the tutorial, I will cover some actual case investigations and draw out lessons on what works and what doesn't to further illustrate the key concepts. You will leave with a checklist of actions to take when investigating a case.
Security contracts: The devil is in the detail By Gretchen Golik, Security Architect, QANTAS Airways There is a business focus on increasing the use of external providers to deliver services to organisations where IT is not their core business. This model enables an organisation to drive cost efficiencies and enhance the customer experience. Qantas IT has been providing information technology services to Qantas Airways for over 40 years. Airlines have been pioneers in the utilisation of technology to support the business processes involved in providing passenger, freight, catering and other ancillary services to customers. Qantas IT is going through a significant period of change; it is moving from an organisation that provided all services internally to an organisation that is providing a mix of internally and externally provided services. By placing such a heavy reliance on external providers, dependencies exist on securing the confidentiality, integrity and availability of the information assets. To counter these dependencies, appropriate security obligations need to be negotiated with the provider and settled before finalising the contract. This presentation will provide techniques for designing security contracts aligned to international standards to protect your information assets. This presentation is of an Intermediate level.
Security Design: What Works, What Doesn't, and Why By Bruce Schneier, CTO, Counterpane Internet Security The strangest thing about security is how little it has to do with security. Why did firewalls succeed in the marketplace when e-mail encryption failed? Why don't companies regularly install patches? Why is software of such poor quality? The reasons have little to do with security, and everything to do with the incentives of the players involved. Economics, politics, laws, even social constraints matter much more than security concerns. This talk attempts to peel back the security talk and explain what really goes on when someone makes a security decision. The results might surprise you.
Security Management: How to implement? By Joo Soo Lim, Security Consultant, Telstra Corporation This is a hypothetical business case study. A large IT service provider wants to consolidate its IT service management to improve the end-to-end management of customer service requirements, standardise processes for service management across business units, rationalise the legacy systems and support toolsets, and ensure that adequate security has been considered. This presentation will detail the use of the Six Sigma approach together with the ITIL model to achieve the goals from a security perspective. Because every aspect of the IT service management process has security management considerations, important security issues and recommendations will be discussed. This presentation is of an Intermediate level.
Security Myths By Jesper Johansson, Microsoft Corporation Far too much of what we do in security does not have any real impact on security, not to mention that it does not map to any realistic threats that you have decided to mitigate as part of your overall risk management strategy. In this session, we cover the top ten things that security professionals do that do not have any real impact on security. In some cases, these steps actually have exactly the opposite effect, as they compromise confidentiality, integrity, and/or availability instead of improving it.
Security's quantum future - quantum cryptography and quantum computation By Geoff Pryde, Research Fellow, Centre for Quantum Computer Technology and Physics Department, The University of Queensland The 21st century will see the advent of quantum technology - devices and processes that use the laws of quantum physics to gain an advantage over what is possible in principle with current technologies. It has already been shown theoretically that quantum computers, if they can be practically built, could efficiently crack RSA encryption, whose security lies in the fact that no efficient non-quantum algorithm is known for factoring the product of two large prime numbers. Would this be the end for information security? It turns out that the very principles of quantum physics which make quantum computers powerful also allow for a range of cryptographic schemes, collectively called quantum cryptography, that are guaranteed secure by the laws of physics. This talk will cover the basics of quantum information technologies, the present state of the art, and the future for information security in a quantum world.
Seeing is Believing By Paul Ducklin, Head of Technology, Asia Pacific, Sophos ANZ Watch how spyware, phishware, banker trojans, keyloggers, botnets and similar malicious code work. See the tricks that malware authors use to make their code hard to detect, identify and remove. Learn how to fight back. This presentation is for the practically-minded, and includes a live (but safe and self-contained!) demo of the latest malware in action. (Suitable for techies and non-techies alike.)
Should you outsource your messaging? Managed messaging and security in a hosted environment By Greg Dickason, WebCentral Managing the security of your organisation's email is a significant undertaking. As in-house IT departments face the challenges of doing more with less, strategically sourcing all or a key element of your organisation's security to a specialist outsourced hosting provider is becoming more prevalent. In this session, Greg Dickason will outline WebCentral's experience with making Microsoft Exchange 2003 operate in a fully-managed, multi-tenancy environment, incorporating full anti-virus, anti-spam and hosting-specific Exchange system configuration lockdown. WebCentral was one of the first companies globally to successfully offer Microsoft Exchange in a hosted environment to its corporate and enterprise clients.
Single Sign-On: Fact or Fiction? By Geoff Noble, RSA Security, Australia Effective password management is more critical and costly than ever before. Password proliferation depletes IT dollars, frustrates end-users and compromises enterprise security. Organisations are desperate for a true single sign-on solution that can: • Reduce help desk calls and password management costs • Ease the burden of regulatory compliance • Enhance enterprise security while extending the value of current investments • Empower end users. This session will discuss the various natures and differences of SSO, including Enterprise-, Web- and Identity Federation- or SAML-based SSO, how they are maturing and beginning to play an important role in addressing identity management requirements. We will also explore the 'Keys to the Kingdom' issues and the role of authentication from passwords to tokens and certificates. As SSO is often considered a usability solution and not a security feature, this session aims to show how the developments in technology around SSO concepts, such as SAML, Liberty ID-FF and Kerberos integration, have evolved to provide an SSO solution that is both easy and consistent for end-users, as well as providing rich and powerful security and policy enforcement functionality.
Spamware, Spyware, Malware, Grayware: Do you want to 'wear' the high costs? By Michael Grace, Imagineering Security Services (ISSP) The technology developments in the last 10 years have clearly demonstrated a natural product cycle from software application creation, followed by dedicated application servers, through to the final appliance platform. The appliance platforms themselves have grown in power, manageability and flexibility whilst driving costs down. This whole process reaches critical mass when a manufacturer delivers the appliances with world standard functionality yet freed of the onerous per-user based licensing. Barracuda Networks is one such success case in the areas of Spam & Spyware protection, combining the strengths of Open Source & proprietary technologies to deliver astounding results, whilst convinced that the days of expensive per-user licensing are already past.
Spyware - a Microsoft perspective By Jason Garms, Anti-Malware Product Team, Microsoft In this session, Jason will discuss the current state of the Internet with regard to spyware, adware and other potentially unwanted software. He will present a taxonomy for categorizing these types of software, and how it continues to evolve. He will review how Microsoft is working to provide users more visibility and control over their computers, including efforts around the Windows AntiSpyware software, which is currently available in beta.
Spyware - is it here to stay? By David Ahmad, Development, Symantec Corporation There has been a lot of media publicity around spyware. Many ask if spyware is the latest form of malware, causing as much havoc as its cousins: viruses, worms, trojans and spam. Some ask if its use should be regulated. This presentation will attempt to answer some of these questions while guiding you through spyware's history, the threats it poses to organisations and individuals, its impact and how we can deal with it. We'll discuss some of its legal implications and future developments.
Spyware, The Rising Impact By Adam Biviano, Trend Micro A Multi-layered Defence against Spyware - Spyware enters networks from the Web, which makes the Internet gateway your first line of defence against spyware. Trend Micro, the global market share leader in gateway, mail server, and file server security, was the first vendor to detect and block spyware at the gateway in May 2004. Trend Micro's multi-layer anti-spyware solution integrates spyware prevention and clean-up at the gateway, server, and enterprise client.
Strong Authentication for the Internet By Nicolas Popp, VeriSign, California The rapid rise of online identity theft, the dark spectrum of phishing attacks and looming governmental regulations all point towards the need for stronger authentication on the Internet. Around the world, ISPs such as AOL and numerous financial institutions are beginning to offer two-factor authentication to their end-users. Nevertheless, the deployment of One Time Password tokens and smart cards on the Internet still remains fragmented and very challenging. Today's Internet users are still more concerned about convenience than security. So, the prospect of carrying a single-function security device that only works on one Internet site does not provide an attractive solution. To truly scale to millions of Internet users, the industry will need to come together and address the key challenges of usability, deployment costs, and interoperability. This talk identifies the key requirements for successfully deploying strong authentication to online consumers. It also offers some insight into emerging solutions that leverage open standards, shared infrastructures and new business models that can truly support the deployment of stronger authentication at Internet scale.
Technology to Support Incident Management & Response By Scott Mann, Dimension Data Many organisations have well-defined security procedures in place, but the technology tools and security staff to support these procedures are often not able to keep pace with the requirements of incident response and computer forensics. In addition to reactive processes, a managed approach also has the potential to proactively identify incident precursors and in some cases avert their occurrence. This session will demonstrate enterprise-wide incident management models and technologies, including demonstrations of remote investigations and proactive scanning for malicious code.
The Active Response Continuum to Cyber Attacks By David Dittrich, Senior Security Engineer, Washington University Abstract not available
The Cracking of the Cipher Challenge By Simon Singh, Author, Journalist and TV Producer In "The Code Book", a history of cryptography, the author Simon Singh included ten encrypted messages with a prize of $20,000 for the first person or team to decipher all of them. Thousands of amateur and professional codebreakers took up the Cipher Challenge, but it took over a year before the messages were cracked. Simon Singh will be talking about how he constructed the Cipher Challenge and how the winners eventually cracked it. He will also be using the Cipher Challenge to give an introduction to the history of cryptography. In particular, he will discuss what the Cipher Challenge can teach us about information security.
The DNA of IT Security By Oscar Marquez, VP of Product Management, Tier-3 Oscar Marquez takes a look at the DNA of the IT security industry and how faulty genetics mean that it has singularly failed to achieve its end goal: to resist the growing onslaught of virus, worm and Trojan Horse attacks. He will also discuss how the industry handles increasingly complex security threats and IT misuse, in order to maintain the viability of the IT organism. The IT security industry has become a chaotic muddle of offerings that seeks to address only specific elements or groups of the IT threatscape, working on the basis that if the threat is known it can be addressed. So, what happens when the nature of the threat is unknown or unseen? Organisations are constantly being exposed to threats that they can't see or measure. Consequently, how can they manage these threats? If they can't be seen, they can't be managed! Therefore, a gap exists in the ability of security systems based on existing DNA to manage anything other than known security threats. The Security Management concept is genetically flawed! How has the Black Hat industry fooled us for so long? This is not just an intellectual exercise. Enterprises are being impacted economically. The fact is that the Universe of IT Threats simply cannot be defined. As members of the IT security community, the integrity of the IT infrastructure sits firmly within our remit. However, it is easy to lose the trust of our peers and so hard to restore it once it has been lost. Oscar will outline why we've been misled and where we should look for a solution to re-engineer our faulty DNA!
The Importance of End Point Security in a Remote Access Environment By Chris Hopen, Aventail Corporation You trust your secure access users. Can you trust their environment? Today's end users expect access to the corporate network from more places. Increasingly, they're on wireless and broadband networks and using a wide range of devices. The productivity benefit of providing users with anywhere remote access is clear. The risk is also clear: IT must now manage and protect access to critical network resources from the most dangerous places on the Internet: public kiosks, employee-owned PCs, and unmanaged PDAs - places and devices IT cannot possibly control. Attend this session and you'll learn: • What are the end point threats IT must protect against? • What are the critical criteria for a comprehensive end point protection solution? • How can an SSL VPN solution protect you from these threats? • How to enforce endpoint security policy while optimising end-user ease of use?
The Internet - 10 years from now - Utopia or dystopia? By AusCERT Over the last 10 years we have seen the expansion of the Internet and associated technologies create new opportunities in, and often change, the way we live our lives in areas such as business, recreation, social and political activities. What awaits us 10 years from now? Journey with our experts as they gaze into the future and speculate about what the Internet 2015 will look like and how it will influence the world around us - from the perfect ideals of what they might want the Internet to be like to their worst nightmares of what might evolve.
The New Reality in Security Management: Effective Security means Business Alignment By Malcolm Lister, Computer Associates The role of security is evolving! The greatest challenge facing security today is defining its role and contribution to the business outcomes of the organisation. Security has changed from technical defence to strategic business partner. Security has typically been managed by IT, and the key measures of success have been based on the extent to which the enterprise's information assets have been protected - an inward defensive focus. Rapidly changing business drivers are conflicting with this inward-focused view as external customers are provided with access to internal systems and information. Security must be an integral part of any successful e-commerce initiative, and must be a foundation stone for business growth. ROI from security, moreover, is driven by enabling business initiatives. The real value of security is only unlocked by a comprehensive framework that links business priorities to IT processes. The source of such a framework is the organisation's business objectives. An effective security strategy must be built around a clear understanding of the key drivers, which include: market-facing business objectives, operational IT objectives and standards, service delivery, as well as risk, regulatory compliance and corporate governance objectives. The rapid evolution of eBusiness demands that software security solutions must be not only constructed around business objectives, but that ongoing product development also incorporates business strategy. Malcolm will use specific examples and case studies of how a paradigm shift in our perceptions of Security can enable an organisation to deliver its business and strategic outcomes.
Netegrity, recently acquired by Computer Associates, has provided a capability that positions CA at the forefront of the market in such key business areas as WebServices and Federated Identity, now increasingly used in both government and private sectors.
The Security of Wireless Computing Technologies By David Ross, Queensland University of Technology The massive public take-up of pervasive computing technologies and preparedness to accept the ubiquitous wireless communication channels is occurring with little or no regard for the failings and inherent risks associated with these new technologies. Australia has one of the highest rates of mobile telephone take-up in the world. Digital cordless telephone handsets, which also communicate with their base stations in the microwave spectrum, are also popular for both residential and commercial use. BlackBerrys are making their presence felt in corporate Australia. Bluetooth headsets are gaining popularity in Australia's young adult market, while phones, PDAs and personal computers, which commonly used IrDA for data transfer, are now increasingly offering Bluetooth, Wi-Fi, or all three, not only for data transfer, but for access to wired-infrastructure networks, including the Internet. This paper gives an overview of the current state of the art of wireless networking in general and IEEE 802.11 WLANs in particular, including the current technologies and their inherent problems. The paper concludes with the current mitigation strategies and some future directions in the industry.
The Threat of Internet Worms By Vern Paxson, Senior Scientist, International Computer Science Institute (ICSI) in Berkeley and Lawrence Berkeley National Laboratory Recent years have seen repeated releases of Internet-scale "worms" - programs that self-propagate across the network by exploiting security vulnerabilities in open Internet servers. The speed and size of the infections pose great challenges for defending against them. We will look at the measured behaviour of significant worms, the likely evolution of "better" worms as attackers incorporate additional techniques, the state of the art in terms of defence mechanisms, and the challenging research problems that lie ahead.
The Tipping Point - E-mail Threat Convergence By Mark Sunner, MessageLabs The methods by which viruses proliferate are changing dramatically, spam volumes are sky-rocketing, and phishing attacks are increasing in sophistication and anonymity. As virus and spam landscapes continue to change, both are now taking advantage of methods used by the other and are converging. How do both conspire to assist each other? What is the impact of regulations and why are legal frameworks only part of the overall solution? The presentation will address the future of messaging security.
The Zen of Network Security: Seeing Mountains, Moving Mountains By Richard Thieme, Professional speaking, writing, consulting, ThiemeWorks The network in your head is not the network. But what is the network in the heads of your adversaries? Knowing how the adversary thinks is tantamount to getting inside their behaviours. Then quickness of response determines the winner. To paraphrase a zen koan: at first, networks are networks. Then, after enlightenment, networks are no longer networks. Then, networks are networks again. Seeing how this is true enables real masters of information security to live vibrantly in a world without walls, to defend effectively a network that ... isn't really there. What are your assumptions? What are you missing? How can you fill in some of those blanks?
Threats to the Net: an overview of the U.S. perspective of the changing nature of computer crime illustrated by selected case studies By Christopher M.E. Painter, Deputy Chief, Computer Crime and Intellectual Property Section at the Department of Justice USA This presentation will discuss the changing nature and threat of computer crime, both from the US Department of Justice and an international perspective, and discuss some of the things law enforcement is doing to meet that threat in investigations, in building international law enforcement collaborative networks, and in building partnerships with the private sector and the CERT and technical community. The talk will be illustrated with case examples from those involving notorious lone hackers to those involving organized criminal groups.
Top problems of the Internet and what can be done to help By Kc Claffy, Director, Cooperative Association for Internet Data Analysis Drawing on 15 years of investment in analyzing various types of Internet data (workload, topology, routing, and performance), kc describes her vision of the current state of the Internet and the most acute problems it faces now and in the future. She will cover background on the historical context of funding for Internet research and development, and articulate the set of most paramount and pervasive weaknesses in the current infrastructure. She will also argue that technological forces will inevitably demand a re-evaluation of the fundamental aspects of Internet architecture, engineering, and governance. Audience participation will be encouraged.
Unix Security Audit & Control By Gary Gaskell, Security Architect, Infosec Services Pty Ltd and ISI, QUT The tutorial will assist attendees in the audit planning and testing of the security of Unix (& Linux) systems. Unix security controls will be described in detail. Attendees will learn the Unix security model, how the key security controls work, how to inspect the configuration of security parameters and how to test the effectiveness of security controls. The tutorial will also cover important topics including audit planning and report development. This tutorial will primarily assist Information Systems auditors to understand and audit Unix security. Other professionals will also be provided with security related skills for Unix systems. This tutorial is of a basic level.
User Centric Identity Management By Simon Pope, DSTC Identity management is traditionally seen from the service providers' point of view, meaning that it is an activity undertaken by the service provider to manage service user identities. Traditional identity management systems are designed to be cost effective and scalable primarily for the service providers, but not necessarily for the users, which often results in poor usability. Users are, for example, often required to memorise multiple passwords for accessing different services. This only represents a minor inconvenience when users access only a few online services. However, with the rapid increase in the uptake of online services, the traditional approach to identity management is already having a serious negative effect on the user experience. The industry has responded by proposing new identity management models to improve the user experience, but in our view these proposals give little relief to users at the cost of a relatively high increase in server system complexity. This paper takes a new look at identity management, and proposes solutions that are designed to be cost effective and scalable from the users' perspective, and that are compatible with and can work together with traditional identity management systems.
VoIP Security: What are the real issues? By Phillip Yialeloglou, Cisco Systems, Australia This session on VoIP security examines the issues of eavesdropping, impersonation, toll fraud and denial of service. These risks will be examined both in isolation and as part of an end to end risk mitigation design.
WarBussing: The State of Wireless Security in a cross section of a major Australian City By David Conran, Security Specialist, WebCentral This paper endeavours to analyse wireless network traffic data which was passively collected whilst traveling the same route over an 18 month period. The data collected allowed analysis of the type, number and level of wireless (802.11*) network security of the devices found. It highlights the growth and penetration of wireless networking into the community, includes some trend analysis and some of the implications of cheap wireless networking, the potential for abuse and the probable exposure of organisations to inappropriate risk.
Web Application Security - The next BIG challenge By Oliver Binz, General Manager, b-sec The odds are that your organisation has the majority of security challenges under control. Your anti-virus and spam systems function well, your firewalls do their job, your servers are hardened to within an inch of their CPUs shutting down altogether. Maybe even your users are becoming more security aware - or maybe not. All in all life is good, and the daily security challenges are being met. This presentation may change that perception. While not designed to scare people into spending money on more equipment, it is intended to highlight a high-risk, easily exploitable security hole affecting most businesses. Web based applications are the key ingredient for e-commerce and e-government. They are used by almost every organisation on the globe that is doing business over the internet. However, very few of these organisations have ever performed a detailed risk analysis or security review on the applications that make it all happen. Those that have, have had their share of surprises. This presentation will provide insight into the nature of the problem as well as management and mitigation strategies. Case studies will be used to give added depth and value.
Why do hackers hack? By Steven Branigan, President of Cyanline, LLC, a wireless network security company. Why do some people hack computers while other equally talented people do not? Why are some hackers looking merely to explore while others are intent on causing damage? During this session, I will examine some basic hacker motivations. I will draw upon real world cases to help illustrate how these motivations affected the severity of the hacking attack. Then, using this background information, I propose that we tailor our limited security resources more effectively to combat the most damaging hackers first. Key takeaways from this session: a better understanding of what drives hackers, and focusing of limited security resources for maximum advantage. Audience: network and security administrators, as well as executive management.
Writing Practical Information Security Policies By Charles Cresson Wood, (CISA, CISM, CISSP) Independent Information Security Consultant, Sausalito, California Clear, up-to-date, and relevant policies form the backbone for every successful information security effort. This presentation will explore real-world situations where policies made a big difference, as well as the reasons why policies are now an essential component of every successful information security effort. Focusing on the management and technical issues of policy development, the presentation will also explore the best ways to develop policies, the best ways to get management buy-in, and the best ways to tailor policies for different audiences. Also covered will be several modern automated tools for delivering policies and measuring user understanding of policies.
X-posing Emerging Internet Security Threats and Protecting the Enterprise By Graham Connolly, Websense Many organisations believe they are well protected from external security threats such as hacking and web based virus attacks. With workplace use of instant messaging, interactive games and streaming sports events on the rise, the office has become an instant door opener for invasive and potentially damaging enemies such as spyware, phishing scams, keyloggers, malicious code and Web based viruses. Providing access to the Internet without protection opens the floodgates of potentially dangerous online threats into the organisation. The Websense presentation will examine an array of strategies to combat the most dangerous emerging online security threats.
© AusCERT 2005
Email: webmaster@auscert.org.au
Web URL: http://www.auscert.org.au
Maintained by: ITS - University of Queensland
Last Updated - 6th May 2005