Collaborative Data-Driven Security for High Performance Networks

Questions/Comments to ddcsw@internet2.edu

AGENDA / PRESENTATIONS

Tuesday, August 17th
7:15-8:25 Registration and Breakfast

8:30-8:55 Welcome, Housekeeping Items and Background/Introduction

  • Terms of engagement
  • Wireless access
  • Coffee and snack availability
  • Bathroom locations
  • Lightning talk proposals for tomorrow
  • Evening BoFs

WUSTL representative welcome and brief remarks

Background on The Data Driven Collaborative Security Approach, including a brief recap of the first DDCSW

9:00-9:25 Presentation #1: Stefan Frei, Secunia
The security of end-user PCs -- an empirical analysis

In this presentation we look at the evolution of the security threat posed by vulnerabilities in the programs of typical end-user PCs over the last five years, and provide an outlook for 2010 based on the data of the first six months of this year. The study is based on data from more than 2.6 million private users of the Secunia Personal Software Inspector (PSI), which provides unique insights into the distribution and types of programs typically present on end-user PCs. Further data analysis shows an alarming development - vulnerabilities affecting the portfolio of the Top-50 programs typically present on end-user PCs almost doubled from 2005 to 2009; and an almost four-fold increase is expected to the end of this year. A breakdown of the vulnerability contributions by operating system, Microsoft programs, and 3rd party programs (non-Microsoft) clearly identifies the primary source of the increased trend, and quantifies the complexity of keeping an average PC secure.

9:30-9:55 Presentation #2: Manos Antonakakis, Damballa
Building a Dynamic Reputation System for DNS

The Domain Name System (DNS) is an essential protocol used by both legitimate Internet applications and cyber attacks. For example, botnets rely on DNS to support agile command and control infrastructures. An effective way to disrupt these attacks is to place malicious domains on a "blocklist" (or "blacklist") or to add a filtering rule in a firewall or network intrusion detection system. To evade such security countermeasures, attackers have used DNS agility, e.g., by using new domains daily to evade static blacklists and firewalls. In this paper we propose Notos, a dynamic reputation system for DNS. The premise of this system is that malicious, agile use of DNS has unique characteristics and can be distinguished from legitimate, professionally provisioned DNS services. Notos uses passive DNS query data and analyzes the network and zone features of domains. It builds models of known legitimate domains and malicious domains, and uses these models to compute a reputation score for a new domain indicative of whether the domain is malicious or legitimate. We have evaluated Notos in a large ISP's network with DNS traffic from 1.4 million users. Our results show that Notos can identify malicious domains with high accuracy (true positive rate of 96.8%) and low false positive rate (0.38%), and can identify these domains weeks or even months before they appear in public blacklists.

10:00-10:25 Presentation #3: John S. Quarterman, Quarterman Creations
Data, Reputation, and Certification Against Spam

Incentives are needed for collective action to counter the illicit economy of spammers and bot herders. Email providers (from ISPs to universities) care about their reputation: nobody wants to be branded a spam haven. A reputation system showing how providers rank daily can convert outbound spam from an economic externality to an internal incentive.

Just as John Moody began by collecting, aggregating, and interpreting huge amounts of data on a variety of companies, the IIAR project at the McCombs Business School of UT Austin has been collecting, reducing, and analysing spam blocklist data for more than a year, working up elements of such a reputation system.

This talk is about the scope (the entire Internet as viewed by half a dozen blocklists), consistency (daily), variety (hosts, volume, botnets, selected by registrar, country, or ASN, ranked raw or normalized by size, etc.), and applicability of this data, with graphical depictions of rankings and example events.

Deployment will involve establishing organization structures, which may separate the daily publication of high level rankings (the RS) from a certification authority (CA) to certify providers in classes analogous to bond ratings. Sources of income in production may range from subscriptions for more detailed rankings to custom drilldowns and analyses.

At the business level, the project is studying how to use certification to turn cheap talk (as in a provider says it's doing good security, but how does a customer know whether to believe that) into effective communication between providers and customers, thus producing a more effective market. Or as Scott Adams puts it, turning a confusopoly into a transparent market.

10:30-10:45 Morning Coffee Break and Sign Up For Evening BoFs
10:50-11:55 Breakout Session #1 (choose option A or B)

  • OPTION A: Department of Commerce's "Cybersecurity, Innovation and the Internet Economy"
    Facilitator: Brian Allen

    Participants choosing option A will work on developing comments to be submitted in response to the following Department of Commerce request from the Federal Register:

    "The Department of Commerce's Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy. The Department seeks comments from all stakeholders, including the commercial, academic and civil society sectors, on measures to improve cybersecurity while sustaining innovation. Preserving innovation, as well as private sector and consumer confidence in the security of the Internet economy, are important for promoting economic prosperity and social well-being overall. In particular, the Department seeks to develop an up-to-date understanding of the current public policy and operational challenges affecting cybersecurity, as those challenges may shape the future direction of the Internet and its commercial use, both domestically and globally. After analyzing comments on this Notice, the Department intends to issue a report that will contribute to the Administration's domestic and international policies and activities in advancing both cybersecurity and the Internet economy."

    See http://www.ntia.doc.gov/frnotices/2010/FR_CybersecurityNOI_07282010.pdf
    Federal Register, Vol. 75, Number 144, pp. 44216-44223
    28 July 2010 (comments due on or before 13 September 2010)

    The Federal Register announcement does a nice job of framing the issue, including offering a discussion of our current situation, and then mentioning at least eight themes (among others) that may be comment-worthy (each of these themes has multiple paragraphs of background and context information, and often specific subtopics or questions, which participants should review individually):
    • Quantifying Economic Impacts
    • Raising Awareness
    • Web Site and Component Security
    • Authentication/Identity Management
    • Global Engagement
    • Product Assurance
    • Research and Development
    • An Incentives Framework for Evolving Cyber-Risk Options and Cybersecurity Best Practices

    What advice should we give the Department of Commerce on their inquiry and these topics? How can we ensure that policies are driven by data and meet the Internet's needs?

  • OPTION B: Welcome to the Hotel California: Your Data Can Check In, But They Can Never Leave
    Facilitator: John Kristoff

    We all generally have a pretty good intuitive sense of how IP addresses and domain names get added to block lists -- we observe spam from network sources, or we see sites dropping malware, scanning our hosts, attempting to brute force logins, being used as botnet C&Cs, contributing to DDoSes, etc. In a nutshell, bad behaviors result in IPs getting listed and traffic getting blocked.

    But how do (or how *should*) IP addresses and domain names get taken *OFF* of block lists, particularly block lists that may be silently blackholing traffic? Or are we implicitly in a world where once an IP or domain name is flagged as bad, it can never be "cleaned"/usefully "rehabilitated?"

    This longstanding issue is becoming more pressing as old (and sometimes widely abused) IPv4 netblocks, now reclaimed, may end up being reassigned or reallocated to innocent customers, customers who may find that they've received "damaged goods," and worse yet, that there are no pristine IPv4 IPs even available any longer.

    Should blocklists be run as FIFO queues of fixed size, with newly observed abuse automatically popping the oldest observed abused IP from the queue? Should an IP or domain that hasn't been seen engaged in abuse for a period of time, perhaps a year or so, be automatically presumed to have been cleaned up? Should anyone be able to request delisting of any IP for any reason? (After all, if an IP is still being abused, and automated means are used to list abusive IPs, any IP that still has problems would just quickly end up getting relisted.)

    Or has the time come for a central clearinghouse which can accept and distribute IP and domain name delisting requests, perhaps keeping a public history of all such requests?

12:00-12:20 Data Flea Market
Facilitator: Jose Nazario

This session is meant to provide an opportunity for attendees to introduce themselves to the other attendees and to take no more than 3 minutes each to talk about:

  • Data they have that may be of interest: "I have data about X, which we collect via Y and deliver to users via Z"
  • The collaboration they'd like to encourage: "We're looking for more data of this sort" or "We'd like to invite additional people to use this data" or whatever.

Participants making a 3 minute announcement during the Data Flea Market may wish to continue discussions during lunch or during an evening BoF.

12:25-1:45 Lunch (and chance for breakout session leaders to prep for their report-out session after lunch)
1:50-2:10 Reports from the Morning Breakout Sessions
(brief 10 minute summaries from each breakout leader)
2:15-2:45 Panel: Data Driven Security and IPv6
Participants: Bill Darte, John Kristoff, Joe St Sauver

Current best estimates are that IANA will exhaust its pool of unallocated IPv4 addresses on 17-Jun-2011, just ten months from now, with the RIRs running out some eight months after that. Are we ready for a data collection and analysis environment that will continually have more and more reliance on IPv6 (and IPv4 address-conserving strategies such as NAT)? Are our tools and databases ready for a dual stack environment? What will we do when techniques we used in IPv4 (such as block lists) don't port well to IPv6? How will we attribute abuse in an environment where stateless autoconfiguration, RFC3041 privacy addresses and poorly instrumented networks frustrate attempts at accountability?

2:50-3:15 Presentation #4: Ken Klingenstein, Internet2
Update on Internet identity and access controls

This talk will fly through current developments in Internet identity and trust, including federated identity, OpenId and NSTIC, etc. It will then fly through expected developments in integration of federated identity to non-web apps, user privacy and consent, etc. It will then spend more time challenging the audience to think of ways to leverage this emerging infrastructure in their work and their approaches to security.

3:20-3:35 Afternoon Break
3:40-4:15 Presentation #5: Eric Ziegast, ISC
NMSG

NMSG (ftp://ftp.isc.org/isc/nmsg) is a flexible, extensible, open source, high-performance, scalable data transport used at ISC's Security Information Exchange (SIE). During this presentation we will learn the reasons for its creation, understand its concepts and methods, and see examples of how it is used in production.

4:20-4:35 Presentation #6: Eric Ziegast, ISC
DNS RPZ

Eric Ziegast from ISC will touch upon the recently released DNS Response Policy Zones (RPZ) - what they are, how the technology works, and may even have some examples to share. The policy considerations surrounding this new technology are similar to sharing analysis feeds and may be worthy of discussion in that context.

4:40-5:05 Presentation #7: Wes Young, REN-ISAC
Collective Intelligence, security intel is living, social data.

Collective Intelligence is a social problem. Ultimately data comes from people, whether it's from an IDS sensor with a particular ruleset that a person chose or a forensics investigation. At some point along the way, someone within a particular context found something worth sharing from within their particular bias. They see, present and store their data from a specific point of view based on everything from their sociological perspective to their field expertise. The Collective Intelligence Framework ("CI-Framework") is geared to normalize higher level security intelligence (malware, infrastructure, URLs, etc.). This framework provides an open-source foundation for translating both public and private intelligence into a native perspective using a "schema-less data" theory. This allows analysts to focus on the analytics and applications (the 'real value') of the data rather than the mechanics of collection and storage. It's also geared to standardize the mechanics of knowledge transfer within large heterogeneous federations, lowering the barrier to sharing.

Last year we showed how the Security Event System "SES" normalized and correlated machine driven security event messages. In this next phase we will show how to normalize machine driven correlations with public and private data regardless of data structure in an effort to rapidly deploy mitigation and reputation analysis based on multiple intelligence sources.

http://code.google.com/p/collective-intelligence-framework/

5:10-5:30 PGP Key Signing Event
Coordinator: John Kristoff

Immediately before dinner with colleagues on your own, there will be a PGP key signing. To join in, prepare the following in advance:

  1. upload your public key to http://biglumber.com/x/web?keyring=1082,
  2. bring a government-issued ID with your picture, preferably at least 2 IDs if possible,
  3. bring plenty of business cards,
  4. print out your own PGP info cards that include your name, email address and PGP fingerprint if not already present on your business card.

For more information about the key signing event, please contact John Kristoff <jtk@cymru.com>.

5:30-9:00 Dinner with colleagues on your own
7:00-9:00 Evening BoFs (optional)

  • ISC BoF (8pm-9pm)

    Quasi-public information regarding: SIE, DNSDB, DNS RPZ, NMSG, SNS, DLV, F-Root
    Private conferences and demos are available after 9pm.

  • Other BoFs as arranged onsite during today's breaks

Wednesday, August 18th
7:15-8:25 Registration (for anyone joining us on the 2nd day)

Breakfast

8:30-8:55 Presentation #8: Beth Young, MOREnet
BHDNS at MOREnet

Way back when, MOREnet Security was using null routes to block members from going to the bad places on the Internet but our null routes were both too aggressive and not aggressive enough. We were blocking legitimate sites but people were still getting infected. We decided that with the advances of malware and fast-flux that the better way to protect users was to set up a Blackhole DNS server. Originally, we were using the zone file from Malwaredomains.com but they were not fast enough with their updates and weren't as thorough as we would have liked them to be. In January 2010, we started generating our own zone file with malicious domains. We still use the feed from malwaredomains but it isn't our primary feed anymore. This presentation will talk about how our list is put together and maintained. It will also discuss our efforts to proactively block new malware domains as they are registered instead of waiting until they are actively serving malware.

9:00-9:25 Presentation #9: Seth Hall, Paul Tatarsky, John Kristoff
The Dragon Research Group (DRG) Volunteers Development Update

The DRG will present a brief overview and update of the all new volunteer organization before covering some of the major projects underway including the DRG Distro, a UNIX-based custom insight & analysis platform that is being deployed throughout the world. We will highlight some of the technical capabilities and challenges in deploying and managing the distro as well as highlight some of the recent insight such as SSH password authentication attacks, HTTP probes and DNS lame delegations. We will also briefly enumerate some other ongoing and future work such as SQL injection attack monitoring, IPv6 monitoring and the next major release of the DRG Distro.

9:30-9:55 Presentation #10: Nick Byers/Pat Finn, NCFTA
Internet Fraud Alert (IFA)

After compromised data is found, what is normally done with the information? If you give it to the proper organization, did it make it to the right person? Did the person get the data quickly enough to mitigate the risk? It is the intention of the IFA project to become an international clearinghouse and alerting mechanism to solve these issues and more. We will cover in this talk the goals of IFA, the process flow for data, the work flow for the IFA system and some of the current hurdles facing the young project.

We hope that this will bring more people to the table, if not to submit data, at least to express opinions and ideas on a problem that has vexed a large number of people.

10:00-10:25 Presentation #11: Tom Grasso, FBI
Botnet Threat Focus Cell

The FBI has made the investigation of botnets one of its top priorities. Botnet activities have been linked by FBI investigations to numerous illegal Internet operations, such as distributed denial of service attacks (DDoS), spam campaigns, extortion, propagation of malware, clickfraud, and identity theft schemes. Damages from botnet activities are well in the billions of dollars from reported losses. To address the threat botnets pose to the United States, the FBI has formed the Botnet Threat Focus Cell (BTFC). The BTFC is a working group comprised of law enforcement, other government agencies, and private sector participants whose mission is to identify and neutralize priority botnet threats. The cell has developed a list of fifteen priority/high-threat botnets based on the threat they pose to the U.S. telecommunications infrastructure and economy.

10:30-10:45 Coffee Break
10:50-11:55 Breakout Session #2 (Choose option C or D)

  • OPTION C:
    Facilitator: Joe St Sauver

    BTOP, the Broadband Technology Opportunities Program administered by the NTIA, recently funded the United States Unified Community Anchor Network (U.S. UCAN), a project which will provide a nationwide, coast-to-coast advanced network infrastructure that, together with state and regional network partners, will enable the connection of America's community anchor institutions -- schools, libraries, community colleges, health centers and public safety organizations -- to support advanced applications not possible with today's typical Internet service. (see http://www.usucan.org/ )

    It is anticipated that U.S. UCAN will deploy a 100 Gbps national backbone dedicated to supporting an estimated 200,000 community anchor institutions through U.S. UCAN's regional partners; this network will be able to easily scale in multiples of 100 Gbps to ensure that there will always be sufficient capacity for innovative applications.

    Participants in this breakout group will first spend some time becoming familiar with the new U.S. UCAN project based on publicly available materials, and then work on developing an analysis of potential security considerations which may merit further study or analysis as this project moves forward.

  • OPTION D: User Data Reporting and Commercial Data Dissemination
    Facilitator: John Kristoff

    Participants in this breakout session will consider two broad topics:

    1) How Can We Help Users Give Us Incident Data We Can Actually Use, and 2) How Can We Ensure That the Data We Collect Gets Broadly Used, Including By Commercial Entities?

    Part 1: Non-technical users are often interested in providing reports about the network abuse (spam, malware, network scans, etc.) they encounter.

    Unfortunately, often their attempted reports:
    • lack critical information (such as Received: headers in spam samples), or are
    • forwarded weeks or months after the fact, or are
    • misdirected, or
    • report phenomena that represent normal network activity rather than an attack (e.g., a report may describe how "someone is trying to hack my firewall with port 53/UDP packets whenever I go anywhere on the network!").

    If users operate within a captive web framework, such as a proprietary webmail interface, it may be possible to integrate a "report abuse" button to automatically handle the mechanics of abuse report submission, including screening for timeliness, properly structuring the report, and delivering it to the right entity, but obviously not all sites, users or types of abuse incidents are covered by that sort of approach. Are there other things we should be doing to ensure that we can easily get timely and correctly formatted incident reports from all our users? For example, should we be promoting browser toolbars/add-ins to tackle detection and reporting of web-based malware and phishing?

    Part 2: Collection of information security-related data can be painful and expensive, and is often done by those of us in academia or non-profits without any explicit plan to commercialize that intellectual property.

    Yet security data, particularly data about system and network security incidents, is most powerful when it is broadly shared, including with commercial entities doing for-fee information security work and incident remediation.

    How, then, are we to appropriately share system and network security data with commercial entities, considering issues such as:

    • scalability and sustainability of self-funded data collection initiatives
    • management of false positives/data quality issues (including monetary indemnification)
    • the pros and cons of exclusive commercial usage rights vs. non-exclusive commercial licensing

12:00-12:55 Lunch (and chance for breakout session leaders to prep for report out after lunch)
1:00-1:20 Report Back From Breakout Session #2 (10 minutes per breakout session)
1:25-1:50 Presentation #12: Brian Allen, Washington University
FastNMAP Scanning, a Case Study at Washington University

Nmap has gained many additions and improvements in the last few years and is quickly becoming an excellent tool for vulnerability and application scanning in addition to its exceptional port scanning ability. Unlike vulnerability scanners and IDS/IPS systems, Nmap is also excellent as a post-intrusion-detection tool when other security layers let a compromise slip through.

Nmap scanning can be hard to scale for large networks but with fastnmap.pl and npwn.pl the process of scanning and analysis is mostly automated.

This presentation will cover a brief review of nmap, then discuss how fastnmap.pl works and how to scan an entire large network with it, and finally look at a case study of using fastnmap.pl at Washington University in St. Louis.

1:55-2:25 Lightning Talks

Lightning talks are a tradition we've co-opted from the Internet2/ESNet Joint Techs meetings (see http://jointtechs.es.net/ if you're not familiar with Joint Techs). Lightning talks last five minutes, and are delivered by interested participants on a topic relevant to this workshop.

If you would like to give a lightning talk at DDCSW, please send your proposal to ddcsw@internet2.edu by close of business Tuesday.

2:30-3:00 Day 2 and Workshop As a Whole Wrapup
3:00 Workshop Ends

QUESTIONS? Please contact us at ddcsw@internet2.edu or feel free to get in touch with Joe St Sauver, Internet2 Security Programs Manager at 541-346-1720 or joe@oregon.uoregon.edu or joe@internet2.edu.