T1 TCP/IP Weapons School, Layers 47 (Day 2 of 2) NEW!
Richard Bejtlich, TaoSecurity.com
9:00 a.m.5:00 p.m.
Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents.
TWS is the right way for junior and intermediate security personnel to learn
the fundamentals of TCP/IP networking. Students learn how to interpret network
traffic by analyzing packets generated by network security tools. Examples of
normal, suspicious, and malicious traffic teach analysts how to identify
security events on the wire. Students will analyze traffic using open source
The point of the class is to teach TCP/IP by looking at nontraditional TCP/IP
traffic. I will make comparisons to normal TCP/IP traffic for reference
purposes. The name of the course is related to the U.S. Air Force Weapons School,
which is the "Top Gun" of the Air Force.
The class will concentrate on the protocols and services most
likely to be encountered when performing system administration and security
work. Students will inspect traffic such as would be seen in various malicious
Topics for Day 2 include:
- Decoding SSL: Ssldump and Wireshark
- Decoding HTTP and Gzip
- HTTP Chunked Encoding: Metasploit
- ASN.1 Encoding: Metasploit
- WMF: Metasploit
- Application Fingerprinting: NTP, DNS, HTTP, PADS, Fl0p
- Covert Channel: HTTP, DNS
- Nmap vs. Nepenthes
- Amap vs. Nepenthes
- Httprint vs. Nepenthes
- Metasploit vs. Nepenthes
- Fuzzing: SNMP
Richard Bejtlich (M1, T1) is founder of TaoSecurity LLC (https://www.taosecurity.com). He was
previously a principal consultant at Foundstone. Richard created network
security monitoring operations for ManTech and Ball Corporations. From 1998 to
2001 then-Captain Bejtlich defended global American information assets in the
Air Force Computer Emergency Response Team (AFCERT). Formally trained as an
intelligence officer, Richard is a graduate of Harvard University and the
United States Air Force Academy. He wrote The Tao of Network Security
Monitoring and Extrusion Detection, and co-authored Real Digital
Forensics. He also writes for his Web log (taosecurity.blogspot.com).
T2 They Really Are Out to Get You:
How to Think About Computer Security NEW!
Marcus Ranum, Tenable Network Security
9:00 a.m.5:00 p.m.
Who should attend: Programmers and managers involved in the design, specification, deployment, or maintenance of computer-based applications.
Does that sound perhaps
overly broad? Well, it isbecause virtually any software will, eventually,
be security-critical whether you like it or not. Participants do not need
any specific knowledge, though a basic understanding of computer security
will help. People who attend this tutorial should come away with a
high-level view of the pressure points in the development/deployment
cycle where they can best stop the bleeding, along with a collection
of mental tools that they can employ, and a framework for using them.
This tutorial is a high-level mental toolkit for thinking about security in
applications and administration. It's aimed not at the tactical level of
security (where most of us spend our time) but at the strategic level, and
how to think about security as a problem, overall, rather than getting
mired in the details.
After completing this tutorial, participants will either feel much better
about their ability to cope with security, or they will be terrified into
- The natural laws of security
- Blocking and carrying
- Whitelisting and blacklisting
- Security in the design process
- Touchpoints for adding security to development cycles
- Data security
- Dealing with security data
- The insider threat and counter-intelligence problem
- Thinking about risk rationally
- Mental tricks
Marcus Ranum (T2) has been building and designing security and security
systems since 1989. He is the author of several books on security,
and has been, variously: network manager, C programmer, development
team leader, VP of engineering, CSO, CEO, and consultant. He is
currently the CSO of Tenable Network Security.
T3 Remote Testing for Common Web Application Security Threats NEW!
David Rhoades, Maven Security Consulting
9:00 a.m.5:00 p.m.
Who should attend: People who are auditing Web application security or developing Web applications.
The proliferation of Web-based applications has increased the
enterprise's exposure to a variety of threats. There are overarching
steps that can and should be taken at various steps in the application's
lifecycle to prevent or mitigate these threats, such as implementing
secure design and coding practices, performing source code audits,
and maintaining proper audit trails to detect unauthorized use.
This workshop will focus on testing the security of Web-based
applications from the perspective of the end user. Security testing,
or auditing, helps to fulfill industry best practices, as well as
legal requirements. Security testing is especially useful since
it can be done at various phases within the application's lifecycle
(e.g., before deployment), or can be used when the application's
source code is not available for review.
The workshop will explain the threats and their potential impact
on the security of the application. Demonstrations will be given
showing the tools and techniques needed to remotely detect and
validate the presence of these threats. The course material will
contain references to suitable resources and documentation for
fixing and preventing the weaknesses discussed.
By taking this class the student will:
- Understand the security threats facing Web applications
- Learn the tools and techniques to remotely validate a Web application's security.
- Enhance secure programming practices by raising awareness and giving programmers the tools need to audit their code from the user's perspective
David Rhoades (M3, T3) is a principal consultant with Maven Security
Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the U.S. and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and has taught for the SANS Institute, the MIS Training Institute, and ISACA.
T4 Live Forensics NEW!
Frank Adelstein, ATC-NY; Golden G. Richard, University of New Orleans
9:00 a.m.5:00 p.m.
Who should attend: Security professionals, CERT members, and security-aware users who would like to know more about live digital forensics
Traditional digital forensics focuses on analyzing a copy (an
"image") of a disk to extract information—e.g., deleted files,
file fragments, Web browsing history—and to build a timeline that
provides a partial view of what has been done on the computer. Live
forensics, an emerging area in which information is gathered on
running systems, offers some distinct advantages over traditional
forensics. Live forensics can
provide information, such as running processes, memory
dumps, open network connections, and unencrypted versions of encrypted
files, that cannot
be gathered by static methods. This information can both serve as digital evidence and
help direct or focus traditional analysis methods. Despite the
usefulness of live forensics, however, it offers significant
challenges, many of which are related to malware.
This tutorial will discuss the types
of information that can be gathered, how the evidence can be analyzed,
and how it can work in conjunction with traditional methods to satisfy forensic requirements. We will spend approximately 25% of the time on static disk analysis techniques and then move on to
gathering and analyzing live data. We will give examples and demonstrations
of some techniques and tools. At the end, students should understand
what live state information is available on a computer, some of the methods for gathering the information, how this information
can be used to build up the picture of what happened, and issues
that might affect the integrity of captured evidence.
The tutorial does not assume that students have a background in forensics.
Students are assumed to have a reasonably mature knowledge of
systems. Familiarity with operating systems structure, disk layouts,
and the basic interactions between operating systems and hardware
will be beneficial but is not required. Note that the course
emphasizes what types of information are available and how this
information can be extracted, rather than providing a 10-step
checklist of how to investigate cases. Those familiar with
traditional forensic analysis will benefit from the course. This course will not cover
Frank Adelstein (T4) is the technical director of computer security at
ATC-NY in Ithaca, NY. He is the principal designer of a live forensic
investigation product (marketed as Online Digital Forensic Suite™ and
LiveWire Investigator™) and has worked in the area of live investigation
for the last 5 years. He has also been the principal investigator on
numerous research and development projects including security, wireless
networking, intrusion detection, and training.
Golden G. Richard III (T4) is an Associate Professor at the University
of New Orleans, where he developed the Information Assurance curriculum and
coordinated the effort to have the University of New Orleans certified by
the National Science Foundation as a Center of Academic Excellence. He
teaches courses in digital forensics, computer security, and operating
systems internals. He is a co-founder of Digital Forensic Solutions,
LLC and is the author of the digital forensics tool "Scalpel."
Richard and Adelstein are the chair and vice-chair of the Digital
Forensic Research Workshop, the premier workshop on research advances
in the area of digital forensics. They have co-authored the book
Fundamentals of Mobile and Pervasive Computing (for McGraw-Hill).