Network Security Training Conference: March 28-30 2001
Vancouver, B.C. Canada.
Conference UPDATES: March 10 2001
Ron Gula of Enterasys writes….
As I feared, I cannot make the conference this year. I am sending two of my guys to attend and hopefully demo the latest versions of Dragon in the demo area. I would like to offer the skills of Gary Golumb to speak in my place. Gary has been working with Dragon for some time now. He has recently done some work with Greg Hougland where he did a rather thourough analysis of the NT Rootkit. Gary would like to present a talk along the lines of “Stateless TCP connectections and their effect on network IDS”. It turns out that tools like NT Rootkit and a lot of the DDOS clients don’t need a full three way handshake to establish a session. This mucks with NIDS to no end …..
Gary Golumb of Enterasys writes….
As Ron said, I would like to share some information/thoughts on traits exhibited by Rootkit and other tools. I would like to focus on how these tools affect network protection and detection mechanisms. Also, the placement of these new tools (on NT in Kernel Mode as opposed to traditional User Mode) is something else I find fascinating. The potential for these “next-generation” tools is extraordinary, so I would like to discuss those issues and the issues of what it means for security professionals.
The very nature of this subject keeps it vendor-nonspecific (to a great degree). I know I enjoy seeing presentations without all the banner waiving, so I am trying to keep the format of this along the same lines.
New Talk: Win32 Format String Exploits
by Andrew Reiter and Chris Abad
Andrew Reiter, R&D Engineer with Foundstone, Inc., is an experienced computer and network security researcher with a great interest in discovering new methodologies for exploitation and protection of systems, reverse engineering, protocol development, and FreeBSD kernel programming. He has worked in doing security research and development with numerous groups including the BindView RAZOR team and multiple well-known, non-profit security research groups. Andrew has developed new talks and presented on numerous occasions for New Dimensions, Inc., where he has spoke on hacking and security to major government and military personnel, and also has spoke in front of various technical groups at meetings and conferences on topics ranging from FreeBSD kernel development to security. Andrew is currently working at Foundstone, Inc. where he is part of a security research and development team. firstname.lastname@example.org
Christopher Abad, an R&D Engineer with Foundstone, Inc., is currently studying mathematics at UCLA and has also done considerable research in the security industry including pioneering work in the concepts of passive network mapping. He has given various presentations on this subject at security conferences including Defcon. email@example.com
Also Frank Heidt will be unable to present and will be replaced by another speaker from @Stake.
The current conference speaker lineup includes:
Renaud Deraison – Author of Nessus, speaking about the Nessus attack scanner, giving an overview of scanner operations and a tutorial on Nessus Attack Scripting Language (NASL). [http://www.nessus.org]
Martin Roesch – Author of the popular Snort Intrusion Detection System (IDS), speaking about new developments in IDSes. [http://www.snort.org]
Dug Song of Arbor Networks – Author of many famous networking tools. Speaking about monkey in the middle attacks on encrypted protocols such as SSH and SSL. [http://www.monkey.org/~dugsong]
Rain Forest Puppy – Will be speaking about assessing the web, with demonstrations of several new (previously unreleased) rfp.labs web tools including the release of Whisker 2.0 and other surprises in his inimitable style. [http://www.wiretrip.net]
Mixter of 2XS – Author of several widely used distributed tools and some popular security whitepapers will give a talk about “The future of distributed applications” explaining the key elements of peer-to-peer networks, discussing a few examples/possibilities of distributed technology, and related security problems in distributed networks. [http://mixter.void.ru]
K2 of w00w00 – Will present his new ADMutate, a multi-platform, polymorphic shell-code toolkit and libraries for detection evasion. [http://www.ktwo.ca] (Early reviews say it’s scary good. –dr)
Matthew Franz of Cisco — Author of Trinux: A Linux Security Security Toolkit, will discuss a comprehensive security model (including tools and techniques) for conducting security evaluations of firewalls, VPNs, and other networked devices. [http://www.trinux.org]
Lance Spitzner of Sun – Will present more of the HoneyNet group’s honeypot findings, including watching Romanian hackers on their own web cam while they were hacking one of his honeypots for their botnet. [http://project.honeynet.org]
Theo DeRaadt of OpenBSD – Paper Title TBA [http://www.openbsd.org]
Fyodor of insecure.org – Author of the popular nmap network scanner, will talk about new mapping and scanning tools and techniques. [http://www.insecure.org]
HD Moore of Digital Defense – Will give a surely popular talk about his more esoteric NT/Win2k penetration test tricks in apresentation called “Making NT Bleed.” where he will cover some of the procedures he has had to develop during the course of cracking multiple systems for customers daily. [http://www.digitaldefense.net]
Jay Beale of MandrakeSoft – Author the the Linux Bastille scripts and Security Team Director at MandrakeSoft, will talk about securing Linux. [http://www.bastille-linux.org]
Kurt Seifried of SecurityPortal.com – Will moderate a panel debate about cryptography… a “two edged sword” including PKI, SSH and SSL. [http://www.securityportal.com]
Dave Dittrich of The University of Washington – Author of many famous Forensic Analyses and UW Senior Security Engineer, will give a talk about finding intruders, then tracing their actions through the trails they leave on penetrated systems. [http://www.washington.edu/People/dad/]
Robert Graham of NetworkICE – CTO of NetworkICE, will discuss IDS operations and decoding technology, illustrating with exploits including his new “sidestep” utility during live demonstrations of the BlackICE Sentry IDS system and other IDSes like Snort. [http://www.networkice.com]
Sebastien Lacoste-Seris & Nicolas Fischbach of COLT Telecom AG – Editors of the French Securite.Org site, will discuss the rollout of Kerberos across their company and hosting center using Kerberized SSH and Kerberos V5 across Unix/Cisco/Win2k platforms to provide strong authentication with SSO capabilities, their experiences, and what potential problems and limitations they faced. [http://www.securite.org]
Afternoon (1-6), Wed Mar 28.
All Day (9-6:30) (and night :-), Thurs Mar 29,
Morning (10-2/3) Fri 30.
There will be some Birds of a Feather sessions held at 6:30 on Thursday – these will be announced at the conference.
The venue will be the Pacific Palisades Hotel Conference Center on Robson Street.
The hotel web site can be found at www.pacificpallisadeshotel.com I’m told that all suites (but not all of the regular rooms) now feature in room high speed network access. Please mention that you are with the CanSecWest conference to the hotel reservation agent when booking rooms.
The conference this year will be held in the hotel itself in their meeting facility, and will feature a catering room, as well as a a vendor display area and a place to set up your computer to check e-mail. There will be a wireless 802.11 network and a number of demonstrations and challenges over the wireless net, on-going throughout the presentations. There will be a display in the speaker room during the talks with the attack target web page where the current “owner” of the of the target servers will be able to put up their advert, logo, pithy quote, or whatever. If you are bringing a PC with a wireless card, please ensure your firewalls are in good working order, as we assume no liability for what kind of traffic may be seen. (:-) A small number of loaner wireless cards will also be available for attendees to use to check their mail.
This year, we will have a permanent coffee stand (after feedback from last year’s sessions). Seating is limited and the venue is slightly smaller than last year so please book early to ensure a spot.