Overview | Monday | Tuesday | By Instructor

Monday, July 31, 2006

M1 TCP/IP Weapons School (Day 1 of 2) NEW! Richard Bejtlich, TaoSecurity.com 9:00 a.m.–5:00 p.m. Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents. TWS is the right way for junior and intermediate security personnel to learn the fundamentals of TCP/IP networking. Students learn how to interpret network traffic by analyzing packets generated by network security tools. Examples of normal, suspicious, and malicious traffic teach analysts how to identify security events on the wire. Students will generate traffic in a virtual machine and analyze that traffic using open source tools. TCP/IP Weapons School will be as interactive as the student wishes. The instructor will provide one FreeBSD VMware image loaded with the tools he will discuss in class. He will also provide a Linux target VM. Students can run both images on a student-provided laptop, provided the free VMware Server product is installed. The point of the class is to teach TCP/IP by looking at nontraditional TCP/IP traffic. I will make comparisons to normal TCP/IP traffic for reference purposes. The name of the course is related to the US Air Force Weapons School, which is the "Top Gun" of the Air Force. Course plan: This is a condensed and intensive two-day version of a four-day course. The class will concentrate on the protocols and services most likely to be encountered when performing system administration and security work. Students will create traffic would be seen by various malicious security events. I plan to teach TCP/IP using a layered approach. For example: Day one, part one: Layer 1: Ethernet and 802.11; show frame formats; contrast with IP over Firewire; Tools to create fake wireless access points Layer 2: ARP traffic; 802.1q trunking and VLANS; Cisco Discovery Protocol; demonstrate tools which perform ARP poisoning and related layer 2 attacks (Yerseni, Ettercap) Day one, part two: Layer 3: IP: demonstrate IP spoofing, IP fragmentation, and routing attacks (IRPAS, RPAK); address DHCP as a protocol that assigns IP addresses; basic routing protocols; ICMP reconnaissance (Xprobe2) and ICMP attacks against TCP (Gont) Richard Bejtlich (M1, T1) is founder of TaoSecurity LLC, a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. He was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001, Richard defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission. Formally trained as an intelligence officer, he holds degrees from Harvard University and the United States Air Force Academy. Richard wrote The Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics. He also wrote original material for Hacking Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular Web log resides at https://taosecurity.blogspot.com. M2 DDoS for Fun and Profit Sven Dietrich, CERT Research, Carnegie Mellon University; David Dittrich, University of Washington 9:00 a.m.–5:00 p.m. Who should attend: System administrators, network administrators, and computer security practitioners. A basic understanding of IP networking, network protocols, and routing as well as an understanding of computer security fundamentals is required. The tutorial will trace the development of denial of service attacks from early, machine-crashing exploits to the present day distributed denial of service (DDoS) attacks. A substantial portion of the tutorial will be devoted to understanding DDoS attacks and developing appropriate responses. Among the issues to be addressed are preparing for a DDoS attack, recognizing the attack type and probable attack pattern, designing appropriate filter rules to mitigate the attack, and working with upstream providers. We will also survey current research that may lead to ways of thwarting such attacks in the future. Topics include: Fundamentals: Basic networking and routing protocols Denial of Service: Basic concepts Vulnerabilities and pathologies OS support The jump from DoS to DDoS Evolution of attack tools Classes of DDoS tools: What they do Choices in the attack space How they work Currently available tools and bots Diagnosis of the problem: How do you know you are under attack? Symptoms in your own operational and system monitoring data Differentiating between flash crowds and attacks Advances in research Inspecting a compromised system Building a monitoring/traffic capture facility Mitigation: Recognition of the attack Attack signatures and attack tool identification DoS vs. DDoS Indications of single and multiple sources Creating countermeasures Techniques for limiting the damage Characterizing the attacked resources Infrastructure changes Traceback Filtering Active response Strikeback Political hurdles: Dealing with your ISP Dealing with management The bright road ahead DDoS and beyond Prospects for future advances in attacker tools Technical, legal, and political mitigation strategies Sven Dietrich (M2) is a senior member of the technical staff at CERT Research at Carnegie Mellon University and also holds an appointment at the Carnegie Mellon University CyLab, a university-wide cybersecurity research and education initiative. Previously he was a senior security architect at the NASA Goddard Space Flight Center, where he observed and analyzed the first distributed denial-of-service attacks aainst the University of Minnesota in 1999. He taught Mathematics and Computer Science as adjunct faculty at Adelphi University, his alma mater, from 1991 to 1997. His research interests include survivability, computer and network security, anonymity, cryptoraphic protocols, and cryptography. His previous work has included a formal analysis of the secure sockets layer protocol (SSL), intrusion detection, analysis of distributed denial-of-service tools, and the security of IP communications in space. His publications include the recent book Internet Denial of Service: Attack and Defense Mechanisms (Prentice Hall, 2004), as well as the articles "Analyzing Distributed Denial of Service Tools: The Shaft Case" (2000) and "The 'mstream' Distributed Denial of Service Tool" (2000), and others on Active Network Defense, DDoS tool analysis, and survivability. David Dittrich (M2) is a Senior Security Engineer and Researcher for the UW Center for Information Assurance and Cybersecurity and the Information School at the University of Washington, where he has worked since 1990. Dave is also a member of the Honeynet Project and Seattle's "Agora" security group. He is most widely known for his research into Distributed Denial of Service (DDoS) attack tools and host & network forensics. He has presented talks and courses at dozens of computer security conferences, workshops, and government/private organizations worldwide. He has been a prolific self-publisher of white papers, FAQs, and malware tool analyses, all intended to make his (and everyone else's) life easier in dealing with computer intrusions. Dave has contributed to the books Know Your Enemy, by the Honeynet Project (Addison-Wesley, 2001), The Hacker's Challenge, edited by Mike Schiffman (McGraw Hill, 2001), and two articles in the Handbook of Information Security, edited by Hossein Bidoli (John Wiley & Sons, 2005), and was another co-author of Internet Denial of Service: Attack and Defense Mechanisms (Prentice Hall, 2004). Dave was recently named one of Information Security Magazine's "Security Seven" (representing the education sector) in 2006. His home page can be found here. M3 Measuring Security NEW! Dan Geer, Geer Risk Services 9:00 a.m.–5:00 p.m. Who should attend: Operations and security managers who need to design or interpret a metric structure for security risk management. "You cannot manage what you cannot measure": every business school says this, so it must be true. "Cyber security is about risk management": almost everyone believes this, and for good reason. The sum of the two says that with respect to computer-related security we are hosed if we don't get on the ball and design some decent security metrics. So far, so good, but what in tarnation is that? "Ay, there's the rub," as Hamlet would say. This tutorial makes a healthy stab in the direction of security metrics and hopes that its students soon surpass their teacher, which may not be all that hard, as security metrics design is somewhere between infancy and toddlerhood. Topics include: Where You Stand Depends on Where You Sit: What management texts/schools mean when they say, "Measure what you manage" Good Artists Create, Great Artists Steal: Styles and methods of measurements used in other fields that are applicable to security risk, and how to steal them Modeling: Is there any point in lifecycle or other models of how security works; is there any unifying abstraction worth using? Large Numbers: The state of the world and how to compare yourself to it Information Sharing: Data fusion is dangerously powerful but essential (with a sidebar on de-identification as a pre-sharing safety mechanism) Where to Begin: How to roll your own, and a few pitfalls to avoid, assuming that decision support is your real deliverable How to Communicate What You Find: Being simple without being simplistic Topics do not include: Secure coding standards, disaster recovery planning, firewall log analysis, or anything else that is already a solved problem or a side effect of low/no discipline Dan Geer (M3)—Milestones: The X Window System and Kerberos (1988), the first information security consulting firm on Wall Street (1992), convenor of the first academic conference on electronic commerce (1995), the "Risk Management Is Where the Money Is" speech that changed the focus of security (1998), the presidency of the USENIX Association (2000), the first call for the eclipse of authentication by accountability (2002), principal author of and spokesman for Cyberinsecurity: The Cost of Monopoly (2003), and co-founder of SecurityMetrics.Org (2004). M4 Introduction to Practical Cryptography NEW! Steven M. Bellovin, Columbia University 9:00 a.m.–5:00 p.m. Who should attend: Programmers and managers who use or procure (or should use) cryptographic software or hardware. No previous background in cryptography or math is required, nor are any particular programming languages assumed. This tutorial provides an introduction to (a bit of) cryptographic theory; it concentrates on how cryptography can actually be used. After completing this course, participants will understand how to apply cryptographic mechanisms and how to integrate such protocols as SSL and S/MIME into application systems. More importantly, they'll understand what not to do themselves. They'll also be much more able to understand and evaluate cryptographic products. Topics include: What is cryptography; history of cryptography? Cryptographic primitives (block ciphers, hash functions, etc.) Cryptographic combinations and protocols Cryptography and the Internet: the design and use of major protocols, such as IPsec, SSL, and S/MIME Integrating standard mechanisms into your applications Threats References Steven M. Bellovin (M4) is a professor of computer science at Columbia University, where he does research on networks, security, and especially why the two don't get along. He joined the faculty in 2005 after many years at Bell Labs and AT&T Labs Research, where he was an AT&T Fellow. He received a BA degree from Columbia University, and an MS and PhD in Computer Science from the University of North Carolina at Chapel Hill. While a graduate student, he helped create Netnews; for this, he and the other perpetrators were award the 1995 USENIX Lifetime Achievement Award. He is a member of the National Academy of Engineering and the Department of Homeland Security's Science and Technology Advisory Board. Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs; he was also a member of the information technology subcommittee of an NRC study group on science versus terrorism. He was a member of the Internet Architecture Board from 1996–2002; he was co-director of the Security Area of the IETF from 2002 through 2004.

Tuesday, August 1, 2006

T1 TCP/IP Weapons School (Day 2 of 2) NEW! Richard Bejtlich, TaoSecurity.com 9:00 a.m.–5:00 p.m. See Part 1, M1, for the description of the first day of this tutorial. Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents. TWS is the right way for junior and intermediate security personnel to learn the fundamentals of TCP/IP networking. Students learn how to interpret network traffic by analyzing packets generated by network security tools. Examples of normal, suspicious, and malicious traffic teach analysts how to identify security events on the wire. Students will generate traffic in a virtual machine and analyze that traffic using open source tools. TCP/IP Weapons School will be as interactive as the student wishes. The instructor will provide one FreeBSD VMware image loaded with the tools he will discuss in class. He will also provide a Linux target VM. Students can run both images on a student-provided laptop, provided the free VMware Server product is installed. The point of the class is to teach TCP/IP by looking at nontraditional TCP/IP traffic. I will make comparisons to normal TCP/IP traffic for reference purposes. The name of the course is related to the US Air Force Weapons School, which is the "Top Gun" of the Air Force. Course plan: This is a condensed and intensive two-day version of a four-day course. The class will concentrate on the protocols and services most likely to be encountered when performing system administration and security work. Students will create traffic would be seen by various malicious security events. I plan to teach TCP/IP using a layered approach. For example: Day two, part one: Layer 4: TCP, UDP; many packet crafting tools operate at this layer (Hping, Scapy); Port scanning (NMAP, Scanrand) Day two, part two: Layers 5-7: demonstrate tools which pretend to be various applications (Honeyd, Nepenthes); Cover HTTP, FTP, SMB, DNS, TFTP (time-permitting); Also show exploitation of services using Metasploit Richard Bejtlich (M1, T1) is founder of TaoSecurity LLC, a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. He was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001, Richard defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission. Formally trained as an intelligence officer, he holds degrees from Harvard University and the United States Air Force Academy. Richard wrote The Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics. He also wrote original material for Hacking Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular Web log resides at https://taosecurity.blogspot.com. T2 Understanding and Addressing the Threat of Internet Worms NEW! Vern Paxson, ICSI/LBNL; Stefan Savage and Geoff Voelker, University of California, San Diego; Nicholas Weaver, ICSI 9:00 a.m.–5:00 p.m. Who should attend: Researchers, Ph.D. students, and practitioners interested in the magnitude of the threat of, and the range of possible defenses against, large-scale "worms" that self-propagate across the global Internet. Participants should have a solid knowledge of TCP/IP networking. For researchers, this tutorial is particularly aimed at those new to the problem domain. In the past five years, large-scale Internet epidemics have profoundly demonstrated the threat posed by self-propagating programs ("worms"). The combination of widespread software homogeneity and the Internet's unrestricted communication model creates an ideal climate for infectious pathogens. Worse, each new generation of outbreaks demonstrates increasing speed, virulence, and sophistication. Much has been done in recent years to understand and address this threat; and much remains to be done. This tutorial provides a detailed technical overview for researchers and network security practitioners looking to immerse themselves in the state of the art. Topics include: Using "network telescopes" to observe Internet-scale behavior Measurements and forensic analysis of outbreaks Scan detection Content-sifting Host-based detection Behavior-based detection Honeyfarms Botnets Future worms Vern Paxson, Stefan Savage, Geoff Voelker, and Nicholas Weaver (T2) are all principle investigators of the 5-year, NSF-sponsored Collaborative Center for Internet Epidemiology and Defenses. Dr. Vern Paxson is a senior scientist at the International Computer Science Institute (ICSI) and a staff scientist at the Lawrence Berkeley National Laboratory. His main active research projects are network intrusion detection in the context of Bro, a high-performance network intrusion detection system he developed; large-scale network measurement and analysis; and Internet-scale attacks. Profs. Stefan Savage and Geoff Voelker serve on the faculty of the Computer Science and Engineering Department at the University of California, San Diego. They have published extensively on the characterization of and defense against large-scale denial-of-service and worm attacks on the Internet. Prof. Voelker likes to surf. Dr. Nicholas Weaver is a researcher at ICSI, specializing in automated detection and response systems, with a particular interest in hardware-friendly algorithms and implementations.     T3 RFID Security & Privacy NEW! Kevin Fu, University of Massachusetts; Adam Stubblefield, JHU Information Security Institute and Independent Security Evaluators; Ari Juels, RSA Laboratories 9:00 a.m.–5:00 p.m. Who should attend: (1) Engineers and researchers looking for a technical background on academic and industrial aspects of RFID security, and (2) technically savvy managers who seek to understand the risks and benefits of RFID technology. People who need to deploy an RFID system will learn about potential threats and pitfalls in RFID security and privacy. Purveyors of Radio Frequency IDentification (RFID) technology conceive of a new world of automation and consumer convenience. Indeed, RFID surrounds us in many forms: supply chains, car keys, credit cards, subway fare passes, and even blood bags. Yet these new applications can result in unintentional privacy risks and security pitfalls. In this tutorial, participants will gain an understanding of (1) applications of secure RFID systems in public transportation, electronic payments, and access control; (2) cutting-edge cryptographic attacks on deployed RFID security systems; (3) and defenses to avoid security and privacy risks. Participants will also learn the basic properties of how RFID works from the perspective of someone who uses RFID products. After completing this tutorial, participants will better understand how to quantify and reduce the security and privacy risks of deploying RFID-based systems. Kevin Fu (T3) is an assistant professor in Computer Science at UMass Amherst where he develops privacy-preserving RFID tickets for public transportation. He has a PhD from MIT.     Adam Stubblefield (T3) is a research professor at the JHU Information Security Institute and a partner at Independent Security Evaluators. Adam specializes in evaluating the security of devices ranging from RFID payment systems to electronic voting and wireless security. He has a PhD from Johns Hopkins University. Ari Juels (T3) is presently the research manager and principal research scientist at RSA Laboratories, where he has worked for nearly a decade. He has a PhD from UC Berkeley.     T4 Security Without Firewalls NEW! Abe Singer, San Diego Supercomputer Center; Paul Robertson, Consultant 9:00 a.m.–5:00 p.m. Who should attend: Administrators, security personnel, and anyone responsible for administering a network. This talk is technical (and not purely conceptual), and requires practical technical knowledge or expertise. Effective network security is not about blocking traffic at a perimeter. If the hosts themselves are not managed and secured, securing the network can be a waste of time. The San Diego Supercomputer Center does not use firewalls, yet managed to go almost 4 years without an intrusion (and a firewall would not have helped against the one intrusion we have had). The approach defies some common beliefs, but it seems to work, and scales well. "Use a firewall" is the common mantra of much security documentation, and is the primary security "solution" in most networks. However, firewalls don't protect against activity by insiders, nor do firewalls provide protection for activity that is allowed through the firewall. Equally with external threats, you can build an effective, scalable host-based security model. The keys parts to that model are: knowing your environment centralized configuration management regular and frequent patching strong authentication (no plain-text passwords) This tutorial will approach securing a networked computer environment by taking a comprehensive, center-out approach. While network-layer security will be discussed, it will be a small part of the overall presentation. Topics include: The Security Approach Understanding and evaluating trust Relationships The threat perspective—protecting data The ongoing process of managing your environment Policy realism —effective approach to policies that allow you to do your job, and allow others to do theirs Building/fixing your environment Simple approach to auditing the configuration of UNIX hosts, networks, and services Auditing Windows systems Building reference systems and maintaining consistency using cfengine Recapturing control of your Windows desktops from your users System Administration Trusted systems and the real world: Configuration, administration, and challenges dealing with SELinux, RSBac, Trusted Solars, etc. Managing user accounts and credentials Securely configuring and managing core network services, such as NFS, DNS, SSH Patching strategy Good system administration practices Security from physical attacks Disk encryption: The good, the bad and the ugly of encryption options, recovery, backup, etc. DeviceLock and other 3rd party device access control tools Miscellaneous bits S/MIME implementations, encrypting and signing emails, Centralized logging. Real-world examples of catching bad things going in and out of your environment. Burglar alarms. Reponse plans and Forensics-Friendly environments. Network-layer security Firewalling and its uses Layer 2 fun—Network-level configurations, how effective they are, when and when not to use them, and what threats they address Overview of network tunneling and encryption Abe Singer (T4) is a Computer Security Researcher in the Security Technologies Group at the San Diego Supercomputer Center. In his operational security responsibilities, he participates in incident response and forensics and in improving the SDSC logging infrastructure. His research is in pattern analysis of syslog data for data mining. He is co-author of of the SAGE booklet Building a Logging Infrastructure and author of a forthcoming O'Reilly book on log analysis. Paul Robertson (T4) has over 22 years of experience. Currently he is an independent consultant providing IT, security, computer forensics, training, telecom, and RFID services. He moderates the Firewall-Wizards mailing list and is the editor of the Network Firewalls FAQ. Mr. Robertson was Director of Risk Assessment for TruSecure (now CyberTrust,) where he founded their computer forensics, and ISAC programs, and assisted ICSA Labs in its IDS and firewall testing programs. Prior to TruSecure, he worked at Gannett Company, putting USAToday.com on the Internet, providing corporate-wide Internet and information security expertise, investment analysis, and network design. Mr. Robertson spent a number of years as a mainframe assembly language programmer for an ISV writing DBMS software. Mr. Robertson started his career in the U.S. Army, including a tenure at The White House during the Reagan administration providing computer and telecommunications support to the President of the United States, Vice President, National Security Advisor, National Security Council, and others as directed.