10th USENIX Security Symposium, August 13-17, 2001, Washington, D.C.

Tutorial Descriptions

Monday, August 13, 2001

M1 Practical Wireless IP Security and Connectivity: How to Use It Safely  NEW
Philip Cox, SystemExperts Corporation

Who should attend: Users, administrators, managers, and anyone who is interested in learning about some of the fundamental security and usage issues that we all must come to grips with in purchasing, setting up, and using wireless IP services. This course assumes some knowledge of TCP/IP networking and client/server computing, the ability or willingness to use administrative GUIs to set up a device, and a general knowledge of common laptop environments. It does not assume that the attendee is intimately familiar with the physics of signals, the various wireless protocols, or the details of various emerging wireless standards (e.g., WML, Bluetooth, 802.11, CDPD, WTLS).

The primary focus of this tutorial is on wireless IP services for laptops, although we'll glance at some popular mobile devices such as handheld systems and cell-phones with Internet access.

Whether you like it or not, wireless services are popping up everywhere. As time goes on, more of your personal and corporate data communications will be done over various types of wireless devices. We're faced with a proliferation of business and technical choices concerning security, hardware, software, protocols, and administration.

The good news is that generally somebody else will handle these complicated issues for users (of course, that "someone else" may be you!). However, since for most wireless services you're carrying the device everywhere you go, you and your organization will still be responsible for understanding and managing them. Since the purpose of wireless is to share data when you aren't directly attached to a wired resource, you need to understand the fundamental security and usage options.

In this course we will cover a number of topics that affect you in managing and using wireless services. Some of the topics will be demonstrated live using popular wireless devices.

Topics include:

  • Wireless practicals
    • Transmission networks: packet and cellular
    • Who's using what?
    • What really matters?
  • Popular access points
    • Cisco Aironet
    • Apple Airport
    • Lucent ORiNOCO
    • 3Com Airconnect
  • Configuration issues
    • Setting up an access point
    • Using an access point
    • Setting up your laptop
  • Threats
    • Eavesdropping
    • Transitive trust
    • Denial of service
  • Practical uses
    • At home
    • At a conference
    • At work
    • At a university
  • Miscellaneous wireless topics

Phil Cox is a consultant for SystemExperts Corporation. Phil frequently writes and lectures on issues of UNIX and Windows NT integration and on information security. He is the lead author of Windows 2000 Security Handbook, 2nd Edition, and a featured columnist in ;login: The Magazine of USENIX & SAGE. He has served on numerous USENIX program committees. Phil holds a B.S. in computer science from the College of Charleston, South Carolina.



M2 Network Security Profiles: A Collection (Hodgepodge) of Stuff Hackers Know About You
Brad Johnson, SystemExperts Corporation

Who should attend: Network, system, and firewall administrators; security auditors and those who are audited; people involved with responding to intrusions or responsible for network-based applications or systems that might be targets for crackers (determined intruders). Participants should understand the basics of TCP/IP networking. Examples will use actual tools and will also include small amounts of HTML, JavaScript, and Tcl.

Network-based host intrusions, whether they come from the Internet, an extranet, or an intranet, typically follow a common methodology: reconnaissance, vulnerability research, and exploitation. This tutorial will review the ways crackers perform these activities. You will learn what types of protocols and tools they use, and you will become familiar with a number of current methods and exploits. The course will show how you can generate vulnerability profiles of your systems. Additionally, it will review some important management policies and issues related to these network-based probes.

The course will focus primarily on tools that exploit many of the common TCP/IP–based protocols, such as WWW, SSL, DNS, ICMP, and SNMP, which underlie virtually all Internet applications, including Web technologies, network management, and remote file systems. Some topics will be addressed at a detailed technical level. This course will concentrate on examples drawn from public-domain tools that are widely available and commonly used by crackers.

Topics include:

  • Profiles: what can an intruder determine about your site remotely?
  • Review of profiling methodologies: different "viewpoints" generate different types of profiling information
  • Techniques: scanning, on-line research, TCP/IP protocol "mis"uses, denial of service, cracking clubs
  • Important intrusion areas: discovery techniques, SSL, SNMP, WWW, DNS
  • Tools: scotty, strobe, netcat, SATAN, SAINT, ISS, mscan, sscan, queso, curl, Nmap, SSLeay/upget
  • Defining management policies to minimize intrusion risk

Topics not covered:

  • Social engineering
  • Buffer overflow exploits
  • Browser (frame) exploits
  • Shell privilege escalation

Brad Johnson is vice president of SystemExperts Corporation. He has participated in the Open Software Foundation, X/Open, and the IETF, and has often published about open systems. Brad has served as a security advisor to organizations such as Dateline NBC and CNN. He is a frequent tutorial instructor and conference speaker on network security, penetration analysis, middleware, and distributed systems. He has a B.A. in computer science from Rutgers University and an M.S. in applied management from Lesley University.



M3 Secure Networking: An Introduction to VPN Architecture and Implementation
Tina Bird, Counterpane Internet Security

Who should attend: System administrators and network managers responsible for remote access and wide area networks within their organization. Participants should be familiar with TCP/IP networking and fundamental network security, although some review is provided.

The purpose of this tutorial is to provide a step-by-step guide to evaluating an organization's VPN requirements, selecting the appropriate VPN architecture, and implementing it within a pre-existing security infrastructure.

Virtual private networking technology provides a flexible mechanism for addressing connectivity needs within many organizations. This class focuses on assessing business and technical requirements for remote access and extranet connections; evaluating VPN technology; integrating VPNs within an existing network infrastructure; common implementation difficulties; and VPN security issues.

Topics include:

  • VPN security features (encryption, access control, NAT) and how they protect against common Internet threats
  • Assessing your organization's needs for remote access
  • IPSec, PPTP, application layer VPNs, and where they fit
  • A brief review of commercial VPN products
  • Implementing VPN technology within your organization's network
  • Common VPN difficulties
  • VPN security issues

After completing this course, students will be ready to evaluate their requirements for remote access and begin testing commercial VPNs.

Tina Bird is a network security architect at Counterpane Internet Security. She has implemented and managed a variety of wide-area-network security technologies and has developed, implemented, and enforced corporate IS security policies. She is the moderator of the VPN mailing list and the owner of "VPN Resources on the World Wide Web." Tina has a B.S. in physics from Notre Dame and an M.S. and Ph.D. in astrophysics from the University of Minnesota.



M4 Computer Crime: Investigating Computer-Based Evidence  NEW
Steve Romig, Ohio State

Who should attend: People who investigate computer crimes, who are somewhat familiar with systems and network administration, and who have at least a basic understanding of what the Internet is and what people commonly use it for.

This tutorial covers many aspects of computer crime investigations. After quickly blazing through basic definitions and legal concerns, we will dive into an examination of where to find evidence, how to collect evidence safely using a variety of tools, and how to correlate evidence to build a picture of the digital crime scene. We will end by discussing the specific details of various types of evidence, including examples from both host-based investigations and evidence gleaned from network devices. Specific examples are drawn from UNIX, Windows NT, and various pieces of telecommunications hardware.

Topics include:

  • Basic forensic science overview
    • what evidence is
    • how evidence is used in an investigation
    • the investigation "game plan"
    • principles of collecting and processing evidence
  • Where the evidence is (overview)
    • understanding how computers and networks work
    • examples of incidents and where evidence might be found
  • Correlating evidence
  • Host-based investigations
    • memory, swap
    • processes
    • network activity
    • files and file systems
    • discussion, demonstration, and comparison of tools for processing host-based evidence
  • Network-based investigations
    • host-based network service logs
    • network activity logs
    • authentication logs
    • telco logs, including pen registers, phone traces, and caller ID
    • discussion, demonstration, and comparison of tools for processing network-based evidence

Steve Romig is in charge of the Ohio State University Incident Response Team and is working with a group of Central Ohio businesses to improve Internet security practices. Steve has also worked as lead UNIX system administrator at one site with 40,000 users and 12 hosts and another with 3,000 users and over 500 hosts. Steve received his B.S. in mathematics (computer science track) from Carnegie Mellon University.



Tuesday, August 14, 2001

T1 Intrusion Detection and Network Forensics
Phil Cox, SystemExperts Corporation

Who should attend: Network and system managers, security managers, and auditors. This tutorial will assume some knowledge of TCP/IP networking and client/server computing.

What can intrusion detection do for you? Intrusion detection systems are designed to alert network managers to the presence of unusual or possibly hostile events within the network. Once you've found traces of a hacker, what should you do? What kind of tools can you deploy to determine what happened, how they got in, and how to keep them out? This tutorial provides a highly technical overview of the state of intrusion detection software and the types of products that are available, as well as the basic principles to apply for building your own intrusion detection alarms. Methods of recording events during an intrusion are also covered.

Topics include:

  • What is IDS?
    • Principles
    • Prior art
  • Can IDS help?
    • What IDS can and can't do for you
    • IDS and the Web
    • IDS and firewalls
    • IDS and VPNs
  • Types and trends in IDS design
    • Anomaly detection
    • Misuse detection
    • Traps
    • Future avenues of research
  • Concepts for building your IDS
    • What you need to know first
    • Performance issues
  • Tools for building your IDS
    • Sniffers and suckers
    • Host logging tools
    • Log recorders
  • Reporting and recording
    • Managing alerts
    • What to throw away
    • What to keep
  • Network forensics
    • So you've been hacked
    • Forensic tools
    • Brief overview of evidence handling
    • Who can help you
  • Resources and references

Phil Cox's biography appears with tutorial M1 above.



T2 Hacking Exposed: LIVE!  NEW
George Kurtz and Stuart McClure, Foundstone, Inc.

Who should attend: Network and system administrators, security administrators, and technical auditors who want to secure their UNIX/NT–based networks.

Is your UNIX/NT–based network infrastructure up to meeting the challenge of malicious marauders? In this tutorial we'll present the methodologies used by today's hackers to gain access to your networks and critical data.

We'll demonstrate a typical attack exploiting both well-known and little-known NT-based vulnerabilities. We'll show how NT attackers can leverage UNIX vulnerabilities to circumvent traditional security mechanisms. And we'll identify opportunities to better secure the host and networks against more esoteric attacks.

All examples will be demonstrated on a live network of machines.

Topics include:

  • Footprinting your e-commerce site
    • Port scanning
    • Banner grabbing
  • Exploiting common configuration and design weaknesses in NT networks
    • Enumerating user and system information from NT 4 and Windows 2000 hosts
    • Exploiting Web services
    • Logging on to NT using only the password hash
    • Routing through IPX and NetBEUI networks
    • Grabbing remote shells on NT
    • Hijacking the GUI
    • Hidden trojans: executing streamed files
  • Bypassing routers and firewall filtering
    • Using source ports
    • Leveraging port redirection
    • 101 uses for Netcat
  • Linking NT and UNIX vulnerabilities for maximum exploitation
  • Securing NT systems to prevent attacks

George Kurtz has performed hundreds of firewall, network, and e-commerce–related security assessments throughout his security consulting career. He is a regular speaker at many security conferences and is frequently quoted in The Wall Street Journal, InfoWorld, USA Today, and the Associated Press, and is a co-author of the widely acclaimed Hacking Exposed: Network Security Secrets & Solutions.

Stuart McClure specializes in security assessments, firewall reviews, e-commerce application testing, host reviews, PKI technologies, intrusion detection, and incident response. For the past two years Stuart has co-authored a weekly column on security for InfoWorld magazine. For the past four years, he has worked both with Big 5 security consulting and the InfoWorld Test Center. Before InfoWorld, Mr. McClure managed and secured a wide variety of corporate, academic, and government networks and systems.



T3 Panning for Gold: What System Logs Tell You About Your Network Security  NEW
Tina Bird, Counterpane Internet Security

Who should attend: System administrators and network managers responsible for monitoring and maintaining the health and well-being of computers and network devices in an enterprise environment. Participants should be familiar with the UNIX operating system and basic network security, although some review is provided.

The purpose of this tutorial is to illustrate the importance of a network-wide centralized logging infrastructure, to introduce several approaches to monitoring audit logs, and to explain the types of information and forensics that can be obtained with well-managed logging systems.

Every device on your network--routers, servers, firewalls, application software--spits out millions of lines of audit information each day. Hidden within the data that indicates normal day-to-day operation (and known problems) are the first clues that an attacker is starting to probe and penetrate your network. If you can sift through the audit data and find those clues, you can learn a lot about your present state of security and maybe even catch attackers in the act.

Topics include:

  • The extent of the audit problem: how much data are you generating every day, and how useful is it?
  • Logfile content
  • Logfile generation: syslog and its relatives
  • Log management: centralization, parsing, and storage
  • Log analysis: methods for reconstruction of an attack

This class won't teach you how to write Perl scripts to simplify your logfiles. It will teach you how to build a log management infrastructure, how to figure out what your log data means, and what in the world you do with it once you've acquired it.

Tina Bird's biography appears with tutorial M3 above.



T4 Cryptographic Algorithms Revealed  UPDATED
Greg Rose, Qualcomm

Who should attend: Anyone interested in a fairly detailed overview of what makes cryptographic algorithms work, and, when they don't work, how they are broken. Some of the Advanced Encryption Standard finalists are covered to provide lessons in block ciphers, with the winner, Rijndael, treated in depth.

Some mathematical background is required--at the very least, familiarity with common mathematical notation and polynomials, and some elementary statistical knowledge. You've been warned.

Topics include (unless time runs out):

  • Brief history
    • Substitution and transposition
    • Development of DES
    • Public-key cryptography
  • Symmetric block ciphers
    • Feistel ciphers in general
    • DES
    • Other AES candidates (Twofish, RC6, Serpent)
    • Rijndael (AES) in depth
    • Block-cipher modes of operation
  • Symmetric stream ciphers
    • Linear feedback shift registers
    • A5, SOBER, and other LFSR-based constructions
  • Cryptanalysis
    • Differential & linear cryptanalysis
    • Attack assumptions and threat models
    • Attacks on stream ciphers
  • Public-key systems
    • Group and finite field theory
    • Discrete log systems (El Gamal, Diffie-Hellman, DSS)
    • RSA
    • Elliptic curves
  • Other stuff
    • Hash functions, SHA-1, SHA-256

Greg Rose is a Principal Engineer for QUALCOMM International, based in Australia, where he works on cryptographic security and authentication for third-generation mobile phones and other technologies. He holds a number of patents for cryptographic methods and has successfully cryptanalyzed widely deployed ciphers.


Last changed: 21 May 2001 becca