Australia's National Computer Emergency Response Team
 

Presentations:

The PCI Security Standards Council – Standards for Today and Tomorrow
 
Bob Russo - General Manager - PCI Security Standards Council
 

This session will be led by PCI Security Standards Council (PCI SSC) General Manager Bob Russo. As General Manager, Bob Russo drives the organization’s operational policies while also ensuring the Council meets its goals of creating education programs, establishing pools of certified assessors and scanning vendors, and incorporating feedback from all stakeholders across the payment chain into the work of the Council.

In this session, attendees will learn how the PCI SSC works to develop, enhance, disseminate and assist with implementation of security standards for payment card data security. The session will also cover how and where stakeholders globally can impact and influence this development process for standards governing both card data security broadly, along with those focused specifically on certain points in the payment chain such as PIN entry devices and Payment Applications.

The presentation will also address events that have illustrated the tremendous impact that data breaches can have in the financial services space. In this discussion, Mr. Russo will share lessons learned from recent breaches, details on new educational resources launched by the Council and a look ahead in standards development.

There will be a chance to conduct Q&A at the end of the session.

Any attendee involved in PCI compliance efforts at their organization, along with those with a data security, risk, fraud or compliance mandate, may find this presentation useful. In addition to financial institutions, processors, merchants and government audiences, the session will be relevant to PIN entry device manufacturers, payment application vendors and software developers.

 

Security Performance Metric Development
 
Andrew Collins & Matthew Brunckhorst - Australian Customs
 

With continuing budget cuts within the Federal Government, this presentation discusses replacing fear, uncertainty and doubt (or worse, the backdated threat and risk assessment) with rigorous, business-focused security performance metrics aimed at measuring the effectiveness of IT security budgets.

The presentation will discuss approaches and recent developments regarding security metric development, specifically:

Why security metrics are needed: Looking at how security budgets are typically allocated based on a percentage of the total IT budget and how these figures are generated. The presentation will challenge a number of these ‘truths’ and identify where assumptions and guesses have become self-fulfilling ‘facts’. This presentation will identify why this approach is ill-founded and why metrics provide a justifiable case for business expenditure on security.

Defining Metrics: What makes a good metric, definition, capture, and presentation of various metrics. A discussion on their effectiveness and relevance. What makes a bad metric, and what measures are misconstrued as metrics.

Measuring Effectiveness: Measuring security effectiveness against ISM standards and against business objectives.

Identifying Efficiencies: Security metrics need to be aimed at improving the business by identifying where systems can be consolidated, re-deployed or removed or where business processes can be changed to better utilise staff.

NOTE: This presentation is vendor agnostic and discusses metric development in a generic sense.

 

Fight Cyber Crime like we mean it
 
Andy Purdy - Cyber Center at George Mason University & NCFTA
 

A key element of addressing the nation's cyber risk in a strategic fashion is to coordinate across government stovepipes and with the private sector, nationally and internationally, to proactively target the most significant malicious actors, their tools, the vulnerabilities they exploit, and the network weaknesses that enable and embolden them.

 

Information Security Management in difficult Economic Times
 
John Harrison - Queensland Government
 

On occasion, information security professionals working in large organizations feel overwhelmed or unappreciated. This may simply be the result of the increasing challenges inherent in the profession, which have been aggravated further by recent severe financial constraints. However in many cases the root cause of the problem is how the information security team engages the rest of the organization. Improvements in this engagement can result in very significant benefits for both the information security team and the organization.

This presentation aims to assist those who hold technically orientated information security roles by providing them with an effective approach for implementing information security programs with less difficulty and stress. It will also assist them in acquiring resources for information security investment with less organizational resistance. This presentation may also assist those with newly acquired managerial responsibility for information security governance in their efforts towards implementing a risk-based engagement model, which is generally considered “best practice”. The presentation will also include some practical techniques and hazards to avoid.

 

Macintosh Forensics
 
Steve Whalen & Rob Spitler - Forward Discovery
 

This two-day hands-on training covers some of the most important topics found in Forward Discovery’s 5-day Macintosh Forensic Survival Course (MFSC), which has been designed by the top experts and practitioners in the field of Macintosh forensics. Forward Discovery is recognized as a leader in computer forensic and incident response training worldwide. Forward Discovery’s Macintosh Forensic Survival Course is designed knowing that an examiner must be able to successfully testify in a court of law, work within limited budgets and high caseloads, develop comprehensive reports and process cases in a “no nonsense” and timely fashion. Our training was designed for the student to learn what is needed, with a no-one-left-behind attitude in a teamwork atmosphere with hands-on training. Students will walk away with the skills necessary to properly seize, acquire, analyze and document an examination of an Intel-based Macintosh computer in a forensically sound manner. Unlike most instructional environments, our forensic training is conducted without relying on automated forensic tools, allowing the participant to apply what is learned to any tool in their forensic arsenal. The training was built upon a systematic approach for forensic examination of a Macintosh from start to finish, in a way that just makes logical sense.

Topics include:

  1. Forensic Review of Mac OS X.
  2. Configuration of a Mac for Forensic Use.
  3. Mac Security Issues and FileVault.
  4. Obtaining System Information.
  5. Bypassing Open Firmware Passwords.
  6. Collecting Volatile Data.
  7. Safe Acquisition and Imaging Techniques.
  8. Working with Forensic Images.
  9. Identifying Evidence in Macintosh Data Structures.
  10. Locating Evidence within Mac OS X.

All participants will receive copies of Forward Discovery’s Raptor Forensic Acquisition CDs along with training on its use.

 

Inside the biggest of the OWASP Top-10
 
Ken Van Wyk - KRvW Associates, LLC
 

Kenneth R. van Wyk (Ken@krvw.com)

In this full-day tutorial, we start by introducing the tools that will be used in the tutorial. We thoroughly describe each tool and demonstrate how they are installed and used. (These will be essential for each student to be able to perform the hands-on exercises throughout the tutorial.)

Next, we introduce the famed OWASP Top 10 web application vulnerabilities list. For each of the ten vulnerability classes, we provide a detailed description of the problem and examples and case studies of how the associated attacks work.

Then, using the previously installed tools, we describe a hands-on exercise to be performed individually by the class. The exercise specifics and objectives are described thoroughly, but the solutions are not. Students are then instructed to attempt to successfully execute each exercise. Afterwards, the solution is provided and demonstrated by the instructor.

In the next step, we discuss the available remediation techniques that can be considered to avoid each vulnerability, along with Java/J2EE code examples where applicable. Remediation specifics are presented for each aspect of designing, coding, and testing application software.

Lastly, we discuss and consider some of the 'big picture' lessons that can be learned from the OWASP Top 10 issues. These include the importance of positive input validation, strong authentication, session management, and access control.

The Open Web Application Security Project (http://www.owasp.org) is a non-profit organization dedicated to enhancing the security of web application software.

 

IPv6 Security Considerations and Deployment
 
Cecil Goldstein - APNIC
 

This tutorial will discuss security considerations when deploying IPv6 networks. It will discuss features that are available today in shipping products to address security concerns relating to neighbor discovery, routing, filtering and logging. The IPsec protocol will be covered in detail, enumerating how this protocol can effectively be used to protect IPv6 communications. Working configuration examples will be used to show how theoretical considerations can be practically applied. The tutorial will also cover current work in the IETF to address IPv6 security related problems.

This tutorial is presented by APNIC using materials provided courtesy of Merike Kaeo (Double Shot Security, Inc), as an initiative of and in association with APNIC.

 

Assurance 'Hands On' Wireless Services Auditing
 
Neal Wise & Oliver Greiter - Assurance.com.au
 

The intention of the tutorial is to equip attendees with an understanding of conventional wireless technologies (802.11a/b/g/n, Bluetooth), their current risks and how to defend and provision secure wireless services. Attendees will be given familiarity with common wireless security tools and the opportunity to actively and passively “attack” and defend real wireless networks. Attendees will also learn about wireless solution control design. The tutorial will share the experience Assurance has gained over the years in conducting wireless service security audits in critical infrastructure, manufacturing, logistics and education.

The tutorial will be conducted as a “hands on” tutorial. Based on previous experience the presenters have found that attendees gain more from a tutorial when there’s a high degree of participation.

Attendees will need to bring a notebook PC (Intel or Macintosh). Effective wireless assessment requires use of specific technology. Some wireless cards aren’t fit for the purpose of sensitive reception required for assessment. Attendees will either use their existing wireless card in their notebook (if supported) or will be provided with a “loaner” wireless card or USB device. Bluetooth client adapter equipment will also be made available where an attendee’s technology doesn’t suffice.

Attendees will also be provided with Assurance’s custom “run from CDROM” Linux Intel environment containing tools (some from Assurance – some from 3rd parties) for

  • Detecting 802.11 and Bluetooth wireless services
  • Locating the source of those services
  • Passive 802.11 “attack” tools – those which operate solely by capturing wireless traffic “in the air”
  • Active 802.11 “attack” tools – those which operate by interacting with the target wireless network
  • Reporting your results effectively and tools for plotting and mapping your results

 

Collaborative Security and the Internet
 
Paul Twomey : President/CEO - ICANN
 

The Internet's security will be best achieved through multi-stakeholder collaboration in increasing the capacity of those involved in securing Internet systems and those responding to threats. Dr Twomey will address how Internet threats are evolving, how these threats can involve the Domain Name System as target and as enabler, and how ICANN plans to contribute to Internet security, stability and resiliency in responding to emerging challenges.

The presentation will provide an example of proactive collaboration by discussing ICANN’s efforts to build distributed capacity for security and resiliency in the Domain Name System, through cooperation with regional organizations and through training for Top Level Domain operators across the globe. Additionally, Dr Twomey will address how ICANN worked with the security community and the DNS community in ensuring effective collaboration in response to the Conficker worm.

 

Oops - Defending where the Enemy Isn't
 
Peter Gutmann - University of Auckland
 

The computer security industry has sometimes been compared unfavourably to the fashion industry, putting up flamboyant defences where it doesn't make any difference while paying no attention to the open barn door behind the curtain. Why do we allow three retries for passwords instead of two, or four, or thirty-eight? How effective are SSH fingerprints? And how's the ol' PKI doing? This talk will look at some widespread examples of defending where the enemy isn't, including the underlying threat models (or lack thereof), the effectiveness of the defences, and the real-world pressures and externalities that affect them, along with various modest proposals for alternative approaches.

 

Frank Lloyd Wright was Right!
 
Dan Klein
 

AusCERT has been holding conferences for quite a few years, and the CERTCC was founded over two decades ago. Yet in spite of these prominent centers of excellence, we keep seeing new attacks, new exploits, and new vulnerabilities - in simpler terms, 'same stuff, different day'. It's not because there are more bad guys out there (although there are), and it's not because the bad guys are smarter (but they are). In my opinion, it is because we are working with tools and systems that are fundamentally flawed. Our house of bricks is built on a sandy foundation, and we find ourselves at a crossroads - the same crossroads that every technology has faced in our history: start over again and do it right from the start, or keep doing it wrong until it all falls over in a heap.

This talk will try to take a lighthearted look at some really bad news. Either we will have to spend a lot of money redeveloping our basic tools, infrastructure, and operating systems properly, or we will have to spend a lot of money patching bugs and regularly recovering from security disasters (and continually be faced with the same basic problems). One way we have a lot of unhappy people now, the other will have a lot of unhappy people later.

In the 1950s, the architect Frank Lloyd Wright was given a tour of Pittsburgh, which ended atop Mt. Washington. He was asked 'okay, what should we do?'. In his inimitable style, he looked around and said 'raze it and start over'. Having lived in Pittsburgh for 35 years, I can tell you that he was right.

I've worked with computers for as long as I've been in Pittsburgh. Frank's advice is strangely apropos.

 

Thoughts on the Future of Internet Security
 
Steven M. Bellovin - Columbia University
 

Internet security has been a challenge for many years. Unfortunately, the situation is getting worse: there's more to steal, and the attackers are growing ever-more sophisticated. I'll discuss some future trends and will even dare a few predictions, prognostications, and flat-out guesses. I'll also speculate on desirable directions for future research and practice.

 

Speed-debating: Topics in information security
 
Panellists - various organisations
 

First introduced at AusCERT2008, this session comprises a series of fast-paced mini-debates in which mixed teams of 3 panellists per team debate several different topics over the course of the session.

The debates are very short (around a 1 minute speaking slot per team member) and the audience votes on the outcome of each debate before we quickly move on to the next topic.

For each debate topic, the composition of the teams change... so former team members may appear on different teams for each topic!

 

R&D panel chair
 
Professor Paul Bailes (Panel Chair) - Head of School(ITEE) - The University of Queensland
 
 

E&T panel chair
 
Patrick Gray (Panel Chair) - Managing Editor - Risky.biz
 
 

R&D panel
 

Colin Boyd (Research Director, ISI, QUT)

Paul Gampe (VP of Engineering Services and Operations, Red Hat)

Dr Taher Elgamal (Axway)

Dr Andrew White (The University of Queensland)

 

This interactive panel session will address issues concerning Research and Development for Security in the Digital Economy.

 

E&T panel
 

Jeff Tendero (Director, Enterprise Architecture and Strategy, QLD Govt CIO's office)

Mark Phillips (Team Leader, IT Security Policy & Consulting, Suncorp)

Professor Bill Caelli (IISEC, QUT, The University of Qld)

Peter Gutmann (University of Auckland)

 

This interactive panel session will address issues concerning Education and Training for Security in the Digital Economy.

 

R&D session Keynote
 
Professor Eugene Spafford - Purdue University
 

Keynote address

 

Education and Training for Security in the Digital Economy
 
Professor Bill Caelli - IISEC, (ISI) QUT & The University of Queensland
 

Just what is the difference between education and training in relation to information assurance? But, anyway, does either the private or public sector make any real distinction in practice or even care when seeking the professional infosec person? And, just what does education or training in this area entail?

More than systems admin?

Less than forensic analysis?

Deep aspects of secure software coding?

As we enter an era of a so-called “digital economy” do we have in place the necessary education processes to enable that economy to be protected from a hostile and even antagonistic global Internet to which it is now intimately linked with well educated and trained managers and developers?

Yes, or No?

 

Recent Online Crime Case Studies
 
Duncan Taylor & Dan Antonio - Technology Crime Investigations - Western Australia Police
 

This presentation will examine a recent case study involving the investigation into a data compromise of an SQL E-Commerce database containing over 4500 credit card details and personal particulars. The presentation will cover the method of operation, motives and the significant difficulties encountered in the collection and presentation of evidence. The presentation will highlight the need for ongoing law enforcement and private industry partnerships to achieve successful results in the investigation and prosecution of technology enabled crime.

 

Is Disaster Recovery Dead?
 
Alex Serrano : MBCI Business Continuity Manager - Deloitte-Touche
 

Since 2000 there has been a progressive but marked shift away from traditional disaster recovery and towards IT resilience and service continuity solutions. Over the same period, organisations have been under increasing pressure to provide high levels of performance and service in an increasingly turbulent and unpredictable world. Despite this fact, and despite periods of increased focus following the catastrophic events of September 11 and the emergent influenza pandemic threat, real levels of investment in BCM have remained static or gone backwards across organisations in many sectors. Executives are focused as never before on corporate risks, but they are losing faith in traditional approaches to IT disaster recovery and business continuity. However, it is increasingly understood that by creating IT systems and business processes that resist failure more effectively, it is possible to avoid implementing expensive traditional disaster recovery solutions and business resumption planning.

The intended audience for this presentation includes: IT Disaster Recovery and Business Continuity professionals; C-suite executives; technology consultants; business management; risk management professionals.

Key learnings:

  • why Disaster Recovery is transforming into high availability and service continuity
  • what organisational resilience is, why it is increasingly important, and how it is transforming DRP and BCM
  • how organisations can exploit new technologies and approaches to streamline the disaster recovery effort and implement increased resilience while constraining costs
  • how BCM and DR professionals can 'stay relevant' in an increasingly challenging environment and meet the changing expectations of executive leadership

 

Network Traffic Analysis of Point of Sale System Compromises
 
Special Agent Ryan E. Moore - United States Secret Service
 

In response to point of sale system data losses observed nation-wide, an investigation was initiated to determine the method of compromise through log file analysis and link the data compromise to the geographic location of individuals responsible for using the fraudulently obtained data. This presentation is a case study of the U.S. Secret Service investigation of point of sale system compromises. This case study illustrates a successful task force operation that employed high interaction honey-pots and statistical analysis of observed network traffic from point of sale systems to determine a root cause of compromise.

 

Recent developments in DDoS attacks originating in the Russian Internet
 
Ruslan Stoyanov & Dimitry Levashev - RTComm
 

In recent months DDoS attacks originating in the Russian Internet have attracted international attention, but within Russia they have been a more complex issue for some time now. The presentation will provide an overview of how DDoS attacks are used within the ru sphere and focus on recent developments we have observed in DDoS attacks, as well as systems for early alarm and for identifying and tracking botnets.

 

Consumer Safety Online - Whose responsibility is it anyway?
 
Alastair MacGibbon
 

Governments and businesses want consumers to do more online. And consumers have benefited enormously by accessing information and services using internet technologies. But while most internet experiences are good, we hear a lot about the dangers. What is the impact on consumers (and businesses) when things go wrong? Who thinks they are responsible? Who should be responsible? And what more could be done?

 

Security for Multi-Enterprise
 
Taher Elgamal - Axway
 

Multi-enterprise applications are one of the best examples of the most general case in terms of security issues. This covers:

  • Inside and outside boundaries of corporations
  • Sensitive information being handled by multiple parties
  • Time-sensitive transactions and SLA-dependent relationships
  • Large transactions that would potentially attract adversaries

This presentation is aimed at CSOs and CIOs and others whose responsibilities include the protection of corporate IP and business enablement.

 

Identifying Security Risks of Smart Meters and an Advanced Metering Infrastructure
 
Gabriel d'Eustachio - CSC Australia
 

The adoption of Advanced Metering Infrastructure (AMI) will greatly improve the efficiency, functionality and robustness of the Australian electric supply networks. This technology is relatively new and in many aspects does not have the level of maturity that is desired for a key component of critical infrastructure. Implementing an AMI introduces numerous potential security risks to the utility and the power distribution network. These risks must be identified as early as possible, and security controls must be built into the AMI from the very beginning. This presentation will review the inherent security risks of different aspects of an AMI, and will examine potential controls that can mitigate these risks. As an AMI is essentially a large, multi-platform network, the identification and mitigation of security risks is crucial to implementing a secure architecture. This presentation is intended for anyone who is interested in a new, emerging technology that will soon be implemented across Australia. It will be of particular interest to utilities and critical infrastructure providers, but will be presented at a level that is readily approachable for those interested in an interesting new technology.

 

SCADA: Exposed and on the Internet
 
Daniel Grzelak - SIFT
 

SIFT recently conducted research and developed a toolkit for testing SCADA devices that use the Modbus protocol. In doing so, it quickly became apparent that the scope of devices, and their various configurations, available and accessible over the Internet is significant and greatly concerning. This presentation will examine this exposure: what is out there, why people should be concerned, and what can be done to lessen the risks. The presentation will also detail war stories and various anecdotes that will help solidify the reality of the situation.

 

Cybercrime and the Legal Dimension
 
Nigel Phair - Australian Federal Police
 

This presentation will appeal to law enforcement officers, but will be of equal interest to IT Security staff and those whose role it is to protect against intrusion and also be mindful of insiders who may be using system resources for illegal means. The themes to be covered in this presentation include:

  • The current legislative framework
  • Substantive criminal offences
  • Evidentiary issues
  • Forensic examination and expert witnesses
  • Significant Australian court cases

 

Security Activism and Vigilantism
 
Alana Maurushat
 

The role of security activism and vigilantism is not well documented. This presentation will present a summary of the types of activism and vigilantism currently in the field. The presentation will examine a range of legal and ethical issues, as well as unveil a draft of an Ethical Code of Conduct that the presenter is currently working on with a group of security activists (namely members of ISOTF.org).

 

Apple iPhone Forensics
 
Steve Whalen - Forward Discovery
 

The Apple iPhone is one of the fastest selling and most widely used communication devices, and is capable of storing and sending massive amounts of information. What evidence is left behind? What evidence is accessible to an examiner? What is “jailbreaking” and what is its forensic significance? These questions and more will be discussed in this presentation by Steve Whalen, CFCE of Forward Discovery.

 

Australia - We're not that special - A look at the methods, findings and analysis of malicious activity targeting Australia in 2008
 
Shaun Vlassis : Security Analyst - Shadowserver/Honeynet Project
 

A look at the methods and findings of tracking malicious activity targeting Australian Online Interests over 2008. Who is behind it? Why? and more importantly are we seeing Australian specific events?

 

The Building Security In Maturity Model (BSIMM)
 
Ken Van Wyk - KRvW Associates, LLC
 

As a discipline, software security has made great progress over the last decade. There are now at least 25 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework (http://www.informit.com/articles/article.aspx?p=1271382) as our guide. Those companies among the nine who graciously agreed to be identified include: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity, was used to guide the construction of the Building Security In Maturity Model. This talk will describe the maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works: people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Use the software security maturity model to determine where you stand and what kind of software security plan will work best for you.

 

Exercising Information Assurance Education: Testing Security Knowledge at Full Speed
 
Col. Joe Adams - United States Military Academy at West Point
 

Information Assurance (IA) training is widely recognized as important, but most current efforts consist of courses that are not coordinated into a cohesive curriculum. Even when there has been an effort to design a sequence of courses, students are rarely tested on the entire body of knowledge in a hands-on, real-time environment.

This presentation presents the experiences of the United States Military Academy (USMA) in using a Cyber Defense Exercise (CDX) as just such an environment. The CDX requires students to design, construct, and then defend an information system over the course of a four day, real time exercise. The CDX is not a stand-alone element of the IA education program. It is, in many ways, the graduation exercise for students taking the IA curriculum.

A number of elements must come together to make the CDX a realistic training environment. This presentation will discuss the IA curriculum components included in the Computer Science and Information Technology majors at USMA. The next section will describe unique facility and software requirements that are required for the CDX. The final section will show how the composition of the CDX provides the culminating point of the IA curriculum.

 

VoIP fraud: Understanding incident response that costs real money.
 
Scott McIntyre - XS4ALL
 

As the world's telecoms companies shift away from traditional technologies and move towards an all-IP infrastructure, fraudsters and organised criminals have already figured out how best to profit from this new technology. Voice over IP offers potentially massive benefits to consumers and businesses, but the inherent risks the technology brings about have already resulted in massive financial impact for those in a rush to implement without considering the implications. Understanding the trade-off of 'customer friendly' versus 'fraud friendly' is essential before deploying VoIP infrastructure. This talk will cover actual case studies that one provider has worked through in investigating a variety of VoIP abuse and fraud scenarios, the problems dealing with law enforcement, and the impact to the customer and overall business model as they struggle to merge the old world and the new in this emerging technological standard.

Intended audience: law enforcement (might be of interest to the pre-conference conference for LEA), consumers, businesses, ISPs and anyone using VoIP or wanting to use it.

What they can learn: from our mistakes; risk factors; how to begin to detect abuse and misuse of VoIP infrastructure; 'Signs of Evil'. This talk could easily be of interest to law enforcement, to understand the issues that require investigation, as well as to managers and those deploying VoIP within their corporate environments. Consumers are also at huge risk, and anything I can do to help people not feel the pain we've felt would be well worth it.

 

Virtualisation: Pitfalls in Corporate VMware Implementations
 
Jason Edelstein - Sense of Security
 

By introducing a layer of abstraction between the physical hardware and virtualised systems running IT services, virtualisation technology provides a powerful means to deliver cost savings via server consolidation as well as increased operational efficiency and flexibility. However, the added functionality introduces a virtualisation layer that itself becomes a potential avenue of attack for the virtual services being hosted. Because a single host system can house multiple virtual machines, the security of that host and implemented network architecture becomes even more important.

In our experience this immature technology is often poorly understood, and rarely implemented correctly in enterprise environments without jeopardising the organisation's security posture. This presentation will discuss these common pitfalls in VMware implementations (both technical and operational), and propose a set of viable security controls to mitigate the risk.

 

Threats and security control models for centralised wireless solutions
 
Neal Wise & Oliver Greiter - Assurance.com.au
 

Enterprise wireless technology has been shifting to a centralised provisioning and management model. There are good reasons for undertaking this 'consistency of policy and configuration' but the technology introduces new challenges for threat management while providing some new controls which are often underutilised.

 

Mobile Phone Forensics - History and the Future
 
Andrew Rourke - ASI Solutions
 

The presentation covers the history of the development of mobile phones. It leads into how mobile phones have been used to increase efficiency in business and private communications. Regrettably, terrorists and criminals have also used mobile phone technology for nefarious activities. Examples of how criminals and terrorists utilise the technology are included in the presentation. There are many complexities in mobile phones that we do not see in desktop computing. The presentation covers the evidence that can be obtained from a mobile phone and the advanced tools available today for extracting this evidence.

Intended Audience: Managers and technicians with a need or interest in Computer Forensics.

Learning outcomes: History and workings of mobile phones; evidence available on the phones and tools used to extract the evidence.

 

RFID security
 
Dr Melanie Rieback - Vrije Universiteit - Netherlands
 

The RFID Guardian Project is an initiative to put practical open-source HW/SW tools for RFID Security and Privacy into the hands of security consultants and the general public alike. This talk will discuss Radio Frequency Identification, its security and privacy implications, and will provide the newest information about Version 4 of the RFID Guardian, which we intend to launch this summer to the general public.

 

Experiences with Conficker C Sinkhole Operation and Analysis
 
John T Kristoff - Team Cymru
 

The Internet operations and security community has come together like never before to help thwart the threat of the Conficker worm. As revision 'C' of the worm was set to begin upgrading on April 1, 2009 and up to 50,000 domain names per day were due to be contacted by infected hosts, four sinkhole operators were part of the global effort to mitigate the threat. Team Cymru, operating one of these four sinkholes, will share our experiences in running a sinkhole, lessons learned and some analysis of the data captured.

 

P0wning the programmable Web
 
Dan Hubbard & Stephan Chenette - Websense
 

With hundreds of new mashups and web APIs being released weekly, the 'web as a platform' is vastly expanding the threat landscape well beyond the browser. From Gadgets, Widgets, and Mashups, to REST, SOAP, and JavaScript, there are several security principles missing. During the session we will review the weaknesses in the programmable web, and demonstrate some of these weaknesses with proof-of-concept code.

 

Open source intelligence
 
Roelof Temmingh - Paterva
 
 

Evolution of Malware observed on the Customs Gateway
 
Matthew Brunckhorst : Customs IT Security and Compliance Manager - Australian Customs
 

Audience - Technical and IT management. Lessons - Understanding of how malware and attacks are changing and developing on the Internet and how attacks are becoming much more targeted.

 

Manipulating the media and black SEO techniques
 
Patrick Gray : Managing Editor - Risky.biz
 

The brave new world of social media has been lauded as the best thing since sliced toast by every Twittering, Slashdotting Diggiot on the planet.

There are, however, some drawbacks. For example, if enough people blog, Digg, or Twitter something, it's generally accepted as fact, and accepted quickly.

US comedian Stephen Colbert described the phenomenon as wikiality: 'together we can create a reality that we all agree on—the reality we just agreed on,' Colbert explains. 'Any user can change any entry, and if enough users agree with them, it becomes true.'

That quote, somewhat ironically, was sourced from a Wikipedia entry.

A story 'dug' by as few as 1250 accounts on digg.com can translate into millions of page views. But what if those 'Diggs' came from false accounts assembled via a botnet? What if the article it linked to was cobbled together using cross-site scripting? And what if that bogus piece of content falsely claimed your company was facing bankruptcy or under investigation for 'regulatory irregularities'?

During this presentation, technology journalist Patrick Gray argues wikiality can be engineered by those with a bit of know-how. Take one botnet, some cross site scripting vulnerabilities, a few TinyURLs and a hacked Twitter account, and shake. Drizzle over a well-crafted message designed to crash a share price, stir in some well-positioned misinformation and some black-hat SEO, short the stock and serve.

Not only will attendees get a glimpse at what some organised, financially motivated bad guys could do to their company's share price, but they'll learn what they can do to mitigate the damage these theoretical attacks could cause.

 

The Need for Customer-centric Signaling in the Software Market
 
David Rice - The Monterey Group
 

Poorly written, insecure software is no longer a technology issue; it is a public policy issue. The market does not provide significant or compelling incentives for developing secure software, thus current cyber security spending largely deals with the effects of insecure software. In essence, software manufacturers practice unrestrained vulnerability dumping onto downstream market participants. As such, cyber defenders are too busy mopping the floor to turn off the faucet. This situation must end. This presentation argues that reducing the daily flow of new software vulnerabilities into the global stream of commerce is best accomplished through clear, observable, reliable signals made available to software buyers in the form of software assurance labels. To date, the software industry has no labeling regime in widespread use. Buyers and users of software have little more to go on than vague, unprovable assertions by software manufacturers regarding software quality and security. As a result, software resiliency, security, and quality remain undersupplied and inconsistently distributed at great cost to economic and national security.

 

The future (and past) of web application security: how to detect and protect against value attacks
 
Andrew Van Der Stock - OWASP
 

2008 was a bumper year for value attacks. Criminals are finally getting over the sophomoric desire to own large numbers of hosts, turning their attention to getting a lot of money instead. This is bad if you have stuff the criminals want.

Unfortunately, web application scanners (source and dynamic) cannot easily (if at all) detect or scan for this entire class of attack - you need to do the hard work.

In this presentation, you'll learn how to:

* Figure out where the value in your application is

* Identify weaknesses in your processes by identifying all the paths to your assets

* Protect your application against value and process attacks by careful and minor changes to your design

* Identify if folks are trying to do 'interesting' things using ESAPI's intrusion detector classes

 

AusCERT Turbo Talks
 
 

A series of rapid-fire 5 minute presentations by AusCERT2009 delegates.

Sign-ups will open at the start of Monday's conference program and will close at the end of Monday's proceedings. There is no pre-registration available for this session. All proposals must be submitted on Monday, and must be made by existing AusCERT conference delegates or on their behalf.

Topic proposals must be related to information security but can otherwise address any aspect of the field, though the AusCERT program committee reserves the right to disallow a topic or speaker without negotiation or recourse for complaint.

The final speakers list will be posted during the plenary session on Tuesday morning.

During the session, the 5 minute time limit for presenters shall be strictly administered by an independent, third-party chairperson.

 

Expanding the Internet: The IPv4 to IPv6 transition
 
Cecil Goldstein - APNIC
 

The availability of a global IP addressing mechanism with adequate address space is fundamental to the operation and growth of the Internet. As we move closer towards the exhaustion of the free unallocated IPv4 address pool, determining how to meet the challenge of continued address provision is becoming increasingly crucial. This presentation will briefly review the current status of IPv4 address space and also IPv6 deployment. In addition, address policies presently implemented, as well as those being proposed and under discussion, will be examined. The processes for obtaining IPv6 address space will also be briefly considered.

 

Macintosh Forensics
 
Steve Whalen & Rob Spitler - Forward Discovery
 

This two-day hands-on training covers some of the most important topics found in Forward Discovery’s 5-day Macintosh Forensic Survival Course (MFSC), which has been designed by the top experts and practitioners in the field of Macintosh forensics. Forward Discovery is recognized as a leader in computer forensic and incident response training worldwide. Forward Discovery’s Macintosh Forensic Survival Course is designed knowing that an examiner must be able to successfully testify in a court of law, work within limited budgets and high case loads, develop comprehensive reports and process cases in a “no nonsense” and timely fashion. Our training was designed for the student to learn what is needed with a no-one-left-behind attitude in a teamwork atmosphere with hands-on training. Students will walk away with the skills necessary to properly seize, acquire, analyze and document an examination of an Intel-based Macintosh computer in a forensically sound manner. Unlike most instructional environments, our forensic training is conducted without relying on automated forensic tools, allowing the participant to apply what is learned to any tool in their forensic arsenal. The training was built upon a systematic approach for forensic examination of a Macintosh from start to finish, in a way that just makes logical sense.

Topics include:

  1. Forensic Review of Mac OS X.
  2. Configuration of a Mac for Forensic Use.
  3. Mac Security Issues and FileVault.
  4. Obtaining System Information.
  5. Bypassing Open Firmware Passwords.
  6. Collecting Volatile Data.
  7. Safe Acquisition and Imaging Techniques.
  8. Working with Forensic Images.
  9. Identifying Evidence in Macintosh Data Structures.
  10. Locating Evidence within Mac OS X.

All participants will receive copies of Forward Discovery’s Raptor Forensic Acquisition CDs along with training on its use.

 

Bots and BotNets
 
Richard Perlotto & David Watson - Shadowserver
 

Live Botnet Exercise and Honeywall Monitoring:

This class will be a two-in-one offering. A class of up to 40 will be split into two groups. Each group will attend one part of the class, and then after lunch switch into the other section. This way the entire class will have an opportunity to experience malicious behavior and activity in one section, and then the monitoring and capture of that activity in the other section.

The Live Botnet Exercise Section:

This is a live malware demonstration and malicious activity class. We are NOT here to learn about reversing, protection, defense, nor detection. For that seek another class.

We are here to have fun and play the role of the bad guy, the herder and the script kiddie, and see how much fun and how easy it is to participate on the other side of the field.

The Honeywall Monitoring:

Setting up and management of Honeywall. Seeing the results of malicious behavior, and the different tools used to track and extract data about the behavior and actions. This section is about detection, in the role of trying to find out what the criminal element is doing and why.

 

Introduction to malware reverse engineering
 
Andrew Collins & Matthew Brunckhorst - Australian Customs
 

Author(s): Andrew Collins (presenter) & Matthew Brunckhorst (tutor)

A one-day practical tutorial teaching participants the basic skills involved in reverse engineering malware or unidentified binary files. The tutorial will cover four key areas:

  1. Malware behaviour profiling – Setup of a test environment and monitoring of the execution of an unknown binary. The practical work will involve setting up a test environment, observing and analysing the behaviour of a modified malware binary (the binary will be modified so as to not infect, propagate or communicate outside of the local network).
  2. Introduction to Assembly – Overview of Assembly language (Intel) and common high-level programming structures as they appear in Assembly.
  3. Reverse Engineering – Disassembly, analysis and modification of a binary file. The practical work will involve analysing the Microsoft Minesweeper game binary file, identifying where the key game decision points are, and modifying the original binary to make it impossible to lose the game.
  4. Malware Reverse Engineering – Profiling, disassembly and analysis of a modified malware binary file. The practical work will involve setting up a profiling environment, identifying the malware behaviour, identifying the binary packing scheme, followed by the extraction, disassembly and analysis of the binary.
 

A Business Model for Information Security
 
Derek Oliver - ISACA
 

Business Model for Information Security

The University of Southern California's Marshall School of Business created an academic model for systemic security management. ISACA, the Information Systems Audit & Control Association, is developing this academic exercise into a fully commercial model showing the integration and interdependencies of every aspect of business in managing the security of information.

This presentation, by the Chair of the ISACA committee charged with the development, will explain the initial concepts of the model, its relevance to organizations of every size and complexity and how ISACA see its continuing evolution into a globally recognized 'product'.

This tutorial will be of interest not only to information security professionals but to all who have a responsibility for or interest in maintaining the security of an organization's precious information. The Model takes the form of a flexible pyramid, linking key business elements, for example People, Technology and Processes, by Dynamic Interconnections such as Culture, Architecture, Governance and Emergence. It encourages a systemic, holistic approach to Information Security, holding that it is not a specific issue relating to “technology”, as it is so often regarded, but has a multiplicity of dependencies throughout the organization. Information Security is, simply, only as good as the weakest link in all of the dynamic interconnections and business elements.

ISACA’s Committee for the Development of the Security Model, chaired by Dr. Derek J. Oliver of the UK’s Ravenswood Consultants Ltd. and comprising experienced and qualified security experts from all over the world, was set up in July, 2008 by the Association’s Security Management Committee, itself chaired by Jo Stewart-Rattray, Director of Information Security at RSM Bird Cameron in Adelaide.

ISACA has already prepared two initial documents: an Executive Guide and a Practitioner’s Guide to the Model. Both are scheduled for publication in the first quarter of 2009 and will be free downloads to help the Model to take its place in The Security Evolution. They are currently considering the individual concepts of the Model which need to be further developed and taken forward to further, more detailed publications.

Today’s ISACA was founded in 1969 as the EDP Auditors Association. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field.

Today, ISACA’s membership, more than 75,000 strong worldwide, is characterized by its diversity. Members live and work in more than 160 countries and cover a variety of professional IT-related positions including Internal and External Audit and Information Security Management. Since its inception, ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide. Its research pinpoints professional issues challenging its constituents. Its Certified Information Systems Auditor (CISA) certification is recognized globally and has been earned by more than 60,000 professionals since inception. The Certified Information Security Manager (CISM) certification uniquely targets the information security management audience and has been earned by more than 9,000 professionals.

ISACA’s ‘flagship’ product, Control Objectives for Information and Related Technology (CobiT), has become the most highly regarded framework for IT and corporate governance. The development of an integrated, systemic, business model for information security is the latest, and possibly the most exciting, in a long line of successful research projects undertaken by ISACA and its associated Foundation, and promises to become the most recognized international approach to the holistic management of corporate information security.

 

Hacking Citrix
 
Brett Moore - Insomnia Security
 

Citrix Insecurities (or Hacking Citrix, if you prefer). Citrix: the point-and-click remote desktop interface that is often seen but not heard. It is often used as an alternative to RDP as it offers flexible and secure configuration options. Typically, though, a deployment is extremely weak and a compromise is guaranteed. This talk will cover off some standard deployment scenarios and explain a lot of Citrix security issues. The presentation will cover various network layer security weaknesses and other configuration issues that should be addressed when implementing a secure Citrix installation. The presentation will also demonstrate a common scenario where an attacker can exploit vulnerabilities allowing them to take over the server and potentially the entire network. This includes breaking out of a typical Citrix environment, escalating privileges, and stealing domain authentication to access a domain controller.

 

Weaponry 2.0
 
Petko Petkov - GnuCitizen
 

We live in an age of continual and increasingly rapid technological change. Whilst past hacking practices have evolved around knowing the command line inside out, today professionals and hobbyists can employ the advanced functionalities offered by modern web technologies.

 

Ghost Recon: Subverting Local Networks
 
Berne Campbell : Security Professional
 

Networks are a crucial component of information systems and businesses. This presentation demonstrates both passive and active attacks on networks that can cause havoc if they fail to implement comprehensive countermeasures. The security of various networking protocols will be examined, including routing, first-hop redundancy, and Layer 2 management protocols. Attacks discussed include topology discovery, fingerprinting, traffic redirection, man in the middle, and others. Some newly developed and released tools will be demonstrated in this talk. An understanding of networking fundamentals is assumed.

This talk is intended for professionals who want a greater understanding of threats against local networks. They will learn how attacks can be implemented against networks that have inadequate controls, and the importance of these controls will be reinforced. It is hoped that due to this education the security of networks will improve.

 

Malware and Cryptography - Enemies or Bedfellows?
 
Paul Ducklin - Sophos
 

Cryptography can be used as an anti-malware tool, to protect you. Paradoxically, however, it can also be used by the Bad Guys in their malware, to attack you.

(Indeed, the defensive/offensive duality of cryptographic software led some countries to regulate it, at least until recently, more strictly than personal firearms.)

This paper examines the past and present interweaving of cryptography and malware, and tries to predict what offensive uses of crypto we might see in the next few years.

Come and have a chuckle at some of the cryptographic blunders made by malware authors (but be prepared to wipe at least some of the smile off your face at some of the defensive errors clocked up over the years).

And now that crypto is largely deregulated, learn how to use it offensively yourself. For defensive purposes, of course.

 
