Talks and Presentations

These are descriptions, slides and notes for the monthly OSU SECWOG meetings and for other talks that members of the group have given. In some cases you'll find slides (web, Adobe Acrobat (pdf), postscript...) and in others we just have notes available.

Most of these talks were presented at our monthly SECWOG meetings. Locations for the other talks are given where we know.

2003

March 6, 2003 - SECWOG
No meeting

February 6, 2003 - SECWOG
Patching,
Steve Romig
Rough notes are available.

The topic of discussion at this month's meeting will be patching - why, how, and when. This is pretty timely, given our recent experiences with the SQL Slammer worm.

We'll start with a short presentation (by me) that covers some of the issues - the threat that we're facing, why you need to patch, and where patching fits into the retinue of security tools. We'll also talk about some of the challenges with keeping up with patches. I'll demonstrate Windows Update, the Microsoft Baseline Security Analyzer, hfnetchk (from shavlik.com) and the Redhat Alert Notification Tool and up2date.

However, that's just the beginning. We have assembled a great group of seasoned administrators (the, er, "Patch Panel"*) who will talk briefly about how they deal with patches in their different domains (Windows, Solaris, AIX, IRIX and Redhat) and who will answer any and all questions that you present to them.

January 2, 2003 - SECWOG
No meeting

2002

December 5, 2002 - SECWOG
State of the Hack,
Steve Romig
Slides: web, power point

At our December meeting I will give my "State of the Hack" talk - this is the same talk that I gave at the Columbus ITEC meeting last month, and an updated version of the talk that I gave at the local Infragard meeting not long ago. The talk summarizes some of the presentations from the Blackhat Briefings from Las Vegas this summer and other interesting malware.

November 14, 2002 - CIO's Wireless Summit
The Draft OSU Wireless Policy,
Steve Romig
Slides: web, power point,

A short presentation about the draft OSU policy on wireless networks.

November 7, 2002 - SECWOG
Thinking About Security,
Steve Romig
Slides: web, power point

At our November meeting, I will talk about "How to Think About (Computer) Security". This won't be an especially technical talk - I plan to talk about the threats that we face and the solutions that counter those threats in a fairly general way. Most of the talk will focus on security principles, and I'll take a stab at debunking some security related myths that we frequently run into.

October 30, 2002 - Columbus ITEC Meeting
State of the Hack,
Steve Romig
Slides: web, power point

This is another "state of the hack" talk, summarizing current "advances" in malware and abusive behavior. I drew heavily from the presentations from the Blackhat Briefings from the USA 2002 conference in Las Vegas.

October 3, 2002 - SECWOG
Logging and Monitoring,
Steve Romig
Slides: web, power point,

At our October meeting we will discuss logging and monitoring, including:

August 28, 2002 Twiki Overview,
Steve Romig

At the August meeting I gave a very informal overview of Twiki, a web based collaboration tool for people participating in our security best practices effort.

July 24, 2002 - SECWOG
Best Practices,
Steve Romig
Notes: plain text

Main topic of discussion: how to go about creating and maintaining a list of "best practices" in areas relating to security and systems administration in a fluid and dynamic world. I'll briefly introduce what I have in mind and outline a proposal for how to work on this (in a nutshell: divide and conquer, top down where possible, referring to or borrowing from existing work where it exists). I'll also talk about some of what I've found so far in my research in this area.

For the non-OSU people: although the effort to create a list of best practices for OSU is (by definition) OSU centric, I think the conversation and general discussion will be of general interest (best practices for OSU in the area of, say, firewalls aren't likely to be very different from what they'd be for a private company). Plus we'd welcome input from non-OSU people who have thought about best practices.

June, 2002 - SECWOG
No meeting?

May, 2002 - SECWOG
No meeting.

April, 2002 - OIT Leader's Advance
The OSU Incident Response Team,
Steve Romig
Slides: web, power point

A brief description of the OSU Incident Response Team, for the April 2002 OIT Leader's Advance meeting.

April, 2002 - SECWOG
No meeting.

March 27, 2002 - SECWOG
Network Security Recommendations,
Mowgli Assor

Mowgli Assor will talk for a bit about network security recommendations for OSU network administrators, mostly centered on firewalls, wireless networking and DHCP.

February 28, 2002 - SECWOG
Stuff,
Steve Romig

We'll cover a variety of mostly OSU related issues, including vulnerability scanning (ISS scanning will be resuming shortly, I need testers!), firewalls, TCT testing, best practices and security policies.

January, 2002 - SECWOG
No meeting.

2001

December 2001 - SECWOG
No meeting.

November 28, 2001 - SECWOG
I don't have a speaker lined up this month. So I'm thinking instead we'll do a combination of things:

And of course, if you have questions about security related issues, you're welcome to bring them and we'll try to answer them.

October 24, 2001 - SECWOG
Wireless access on Campus,
Brian Moeller
Slides: power point

This month, Brian Moeller talks about some of the risks of wireless on campus, and reviews a project where a freely available tool was used to map some of the wireless networks on campus.

October, 2001
Forensic Computer Investigations,
Steve Romig
Slides: various formats: pdf, ppt

August 22, 2001 - SECWOG
Tripwire
Tammy Bedinghaus, Mark Ermence

This month's guest speakers are Tammy Bedinghaus and Mark Ermence from Tripwire. They will be speaking on intrusion detection systems and tripwire. In addition, Steve will give a general introduction on intrusion detection, and will probably also discuss the ongoing Code Red outbreak.

August 13, 2001 - USENIX Security Symposium
Forensic Computer Investigations,
Steve Romig
Slides: various formats: pdf, ppt

Think of this as a "forensics for the systems administrator" sort of tutorial. System administrators are often on the front-line of computer investigations, for better or worse. Unfortunately, the natural instinct of most admins is to "fix first, ask questions later", which leads to destruction of what might have been critical evidence.

July 25, 2001 - SECWOG
Code Red,
Steve Romig, Ken Eichman

We'll be talking mostly about the Code Red worm. Ken Eichman from Chemical Abstracts Service (CAS) will be here to talk about his observations, and we'll be on hand to add an OSU perspective.

June 27, 2001 - SECWOG
ISS (and Other Security Tools),
Brian Moeller

Our speaker this month should be Brian Moeller, covering various security tools. With specific emphasis on the ISS system.

June, 2001 - USENIX Annual Conference
Forensic Computer Investigations,
Steve Romig
Slides: various formats: pdf, ppt

Think of this as a "forensics for the systems administrator" sort of tutorial. System administrators are often on the front-line of computer investigations, for better or worse. Unfortunately, the natural instinct of most admins is to "fix first, ask questions later", which leads to destruction of what might have been critical evidence.

There is a heavy emphasis on principles, rather than a specific set of rigid procedures, since in my view the whole essence of computer investigations is to adapt one's methods (procedures, tools) to the situation at hand, paying due regard to certain basic principles.

May 23, 2001 - SECWOG
Generic Computer Security Q&A,
Steve Romig

We're going to do another "Generic Computer Security Q&A" meeting (read: Steve failed to find a speaker and didn't have time to come up with a presentation on his own :-) Bring your questions (and answers), try to stump us :-)

April 25, 2001 - SECWOG
Network Security Vulnerabilities, Dsniff, Ettercap and etc.,
Albert School
Slides: power point

Albert will be talking about various network security vulnerabilities, including session hijacking, man in the middle attacks, ARP spoofing, DNS games, TCP sequence number guessing and so on. As an added bonus, he will demonstrate and discuss some of the packages (dsniff, ettercap) that have been developed recently to exploit these vulnerabilities.

James Corder also gave a brief presentation on Venturing Crew 369, which (among other things) trains young people in UNIX systems administration (and does a fine job of it). Visit their web site at http://369.columbus.oh.us for more information.

March 28, 2001 - SECWOG
Forensics Tools,
Steve Romig
Sorry, no notes or slides available!

Our speaker this month is me. I will talk about several tools that are useful for forensic computer investigations, including HashKeeper, parts of The Coroner's Toolkit, Encase, and EMT (Emergency Medical Technician) and F*** (both from Dan Farmer, and yes, the name is socially unacceptable).

I'll give demos/screen shots where I'm legally allowed to do so. I may show crayon representations of screen shots for programs that I'm not allowed to demonstrate, just to spite them :-)

We will probably also talk about recent security bugs and exploits, including the Lion worm.

Oh, I will probably give a brief review of my recent trip to the CERIAS group at Purdue. Much fun!

February 28, 2001 - SECWOG
Legal Issues, Question and Answer Session,
Steve McDonald
Email Steve at mcdonald.108@osu.edu to request copies of his slides.

Our speaker this month is Steve McDonald. Steve will be on the hot seat for a "legal issues" Q&A session. I imagine that many of the issues (and especially the answers) will be highly specific to OSU, but the general issues explored will probably be of interest to a much wider audience.

If you have questions in mind already, send them to me so that I can forward them to Steve so he can think about them in advance. It's always fun to try to trip him up with unexpected questions, but hey, let's give him a break :-)

January 24, 2001 - SECWOG
Privacy on the Web,
Matt Curtin
Notes (by Steve, with comments from Matt)

Our speaker this month is Matt Curtin. He'll be talking about privacy on the web:

This is a talk-in-progress that discusses key privacy issues as they relate specifically to the Internet and the World Wide Web. Privacy ramifications of various pieces of the architectural puzzle are considered along with several actual examples of privacy problems that arose from failing to account for the nature of the system. The philosophy of privacy-by-policy is compared with privacy-by-technology. Both approaches are considered in the context of secure systems design principles. Finally, the speaker concludes with consideration of the issue of the use of "opt-opt" systems to protect privacy online.

2000

December 27, 2000 - SECWOG
We had a very small meeting with some holiday refreshments. Steve presented a small part of the material from his invited talk at the recent LISA conference.

December 7, 2000 - Usenix LISA Conference
Experiences with Incident Response at OSU,
Steve Romig
Slides: web, power point, notes (pdf), 6up slides (pdf), more notes (pdf), more notes (rtf), quake demo

December 6, 2000 - Usenix LISA Conference
Cisco NetFlows and the OSU Flow Tools Package,
Steve Romig, Mark Fullmer
Slides: web, power point, pdf (notes), pdf (6up), paper - pdf
Software: Available at www.net.ohio-state.edu/software.

This is a brief description of the OSU flow-tools package, a set of tools that facilitates the collection and analysis of Cisco NetFlow records.

December 5, 2000 - Usenix LISA Conference
Forensic Computer Investigations,
Steve Romig
Slides: web, power point, slides - notes (pdf), slides - 6up (pdf), handouts (rtf), handouts (pdf), handouts (original text and postscript)

This is an updated version of my forensics tutorial from the fall of 1999. I'm estimating that it's a bit over two days' worth of material.

Think of this as a "forensics for the systems administrator" sort of tutorial. System administrators are often on the front-line of computer investigations, for better or worse. Unfortunately, the natural instinct of most admins is to "fix first, ask questions later", which leads to destruction of what might have been critical evidence.

There is a heavy emphasis on principles, rather than a specific set of rigid procedures, since in my view the whole essence of computer investigations is to adapt one's methods (procedures, tools) to the situation at hand, paying due regard to certain basic principles.

November 29, 2000 - SECWOG
Note that this is NOT the 4th Wednesday - we rescheduled due to the Thanksgiving holiday. The meeting will be on Wednesday, November 29 from 3-5 PM in Baker Systems 120. We haven't settled on a topic yet.

October 25, 2000 - SECWOG
CERIAS Tools for Vulnerability Management and Incident Response,
Pascal Meunier

Risk minimization is a race between crackers and IT professionals. It is the role of IT professionals to minimize the window of exposure. However, reading Bugtraq, related newsgroups and polling other sources of information is time-consuming. The expense of verifying the up-to-date status of systems is significant and may involve audits. One approach is to use automated vulnerability scanning tools. Another is to deduce the applicable vulnerabilities from the list of applications and services present on a host (a profile), without possibly objectionable active scanning. We present a profiling tool (currently with manual entry) that automates vulnerability database searches and currently works with NIST's ICAT. This tool also reports by email the appearance of new vulnerabilities that match profiles, thus trading the delay necessary for the vulnerability to appear in the database for convenience, reduced manpower and manageability.

The second tool that we are developing is a web-based cooperative vulnerability database, designed for the sharing of sensitive vulnerability information. The database sports an enhanced scientific classification system that also helps research.

Information about the incidence of security breaches is difficult to obtain. Emergency situations are not favorable to the maintenance of records, the security breaches are embarrassing and possibly damaging, and disclosing information about the incidents may reveal some sensitive information. Moreover, the nature of the incident and its cause are not always fully known. Because of this, the frequency and cost is difficult to assess by type of incident.

The CIRDB (CERIAS Incident Response DataBase) project attempts to provide a framework to record incident information and duration. Domains provide confidentiality to match areas of responsibility, with multi-level access. Information about the incident can be shared on a case-by-case basis with outsiders (e.g., CERT). Email support provides a time-stamped log of the incident. A classification system used with profiles will attempt to provide lists of vulnerabilities relevant to specific incidents by doing queries of the ICAT database. With this system, we hope that 1) organizations using the same type classification can directly share data; 2) organizations not using the same type classification can translate data based on the properties of the types formalized in the CIRDB; 3) statistical data from many different organizations can be assembled to present a coherent picture of incident costs and frequencies on a national scale.

September 27, 2000 - SECWOG
The Law Of The Jungle,
Mowgli Assor
Slides: web

August 23, 2000 - SECWOG
Correlating Evidence in Incident Investigations,
Steve Romig
Slides: web, pdf

Steve Romig will talk about how to correlate evidence from different sources together when you are conducting an investigation into various sorts of computer related misdeeds (crimes, performance problems, etc. - the techniques and challenges are much the same). Here's a teaser from an article I've written on the subject for the USENIX ;Login: magazine:

One common goal in these sorts of investigations is to reconstruct a chronological record of events and a list of other facts. ... Obviously, how well we can construct the record of events and fit the pieces together has great bearing on the outcome of the investigation.

There are several issues that we need to consider. First, we need to be proficient at finding the evidence. If you can't find the evidence in the first place, you'll have a hard time fitting it into your reconstructed chain of events :-) We also need to understand what the evidence actually means. If we misunderstand the evidence, then either our reconstruction will be wrong or we'll create faulty theories that explain the evidence. Finally, we need to understand how to piece evidence from different sources together to create a cohesive reconstruction. If we know where the evidence can be found, what it means, and how it fits together then we'll be well on our way to reconstructing the chain of events. Note that I am totally ignoring issues concerning preservation of evidence for use in a civil or criminal trial. Sorry!

My talk will mostly focus on the third issue, that of correlating the pieces together into a coherent whole.

July 26, 2000 - SECWOG
Security for OSU's ResNet (dorm networks),
LC Boros
Slides: web

LC Boros (ResNet Manager) will be talking about security in the ResNet community at OSU. ResNet is the network environment in the dorms at OSU. Here's the abstract for this talk:

Students tend to do bad things with their computers, which means administrators need to act as recess monitor, detective, and den-mother, which in turn means adopting a wide variety of tools. Using Statscout, Cisco Netflow and other software has allowed ResNet@osu.edu to create an effective incident response team that both partners and works separately with the university's central IRT.

June 2000 - SECWOG
Canceled,

Is canceled. I forgot to finalize arrangements for it before leaving for vacation, and don't have things ready! Sorry!

May 24, 2000 - SECWOG
Shibboleth: a private mailing list manager,
Matt Curtin
Slides: pdf

According to Matt: We describe Shibboleth, a program to manage private Internet mailing lists. Differing from other mailing list managers, Shibboleth manages lists or groups of lists which are closed, or have membership by invitation only. So instead of focusing on automating the processes of subscribing and unsubscribing readers, we include features like SMTP forgery detection, prevention of outsiders' ability to harvest usable email addresses from mailing list archives, and support for cryptographic strength user authentication and nonrepudiation.

May 29, 2000 - Central Ohio Technical College/OSU Newark
Digital Evidence,
Brian Moeller
Slides: web

Brian Moeller of the OSU Network Security Team talks about digital evidence and where to find evidence of computer-based crimes. Evidence can be in places you might not have suspected. Even if the suspect's system isn't available for inspection, you may still be able to find out what happened. Slides available here, but multimedia case studies are not.

April 26, 2000 - SECWOG
SITAR and IDB - Building An Incident Tracking System,
Mowgli Assor
Slides: web

Mowgli Assor of the OSU Incident Response Team will talk about and demonstrate SITAR and IDB. SITAR is an incident tracking system, which we use in the OSU team for day to day work. IDB is the intrusion detection database, which records the events recorded for each day.

As Mowgli describes them:

When looking at incident tracking systems early on, we found that the current set either weren't specific to security incident tracking, or were somewhat cumbersome to use. We decided to develop our own, so that they would be platform-independent, and yet as cheap (economically) as possible. To this end, we are using free (at least for educational institutions) software.

We came up with two separate projects, called IDB and SITAR. IDB is a fairly generic incident database, which simply contains the fact that an incident occurred, and what source we received it from. This database is designed to be shared with other entities (including some external to the university). It contains data we don't consider secret.

SITAR is a much deeper incident tracking system, designed to handle the various issues we deal with in tracking an incident - E-mail, files/tarballs, notes, etc. As such, this data is secret, and is designed to only allow access to members of the incident response team.

Both systems work together to allow us to track an incident, and to see general trends in attacks or perceived attacks at the Ohio State University.

April 14, 2000 - HECC Meeting
Computer Crime,
Det. Rick Amweg (OSU Police), Steve Romig,
Slides: web, pdf

This is the same Computer Crime talk that Rick and I have given before, though we had a bit more time for general discussion of crackers and their activities.

April 12, 2000 - OSU Web Interest Group
Security for Webmasters,
Steve Romig,
Slides: web, pdf

A general talk about computer security, discussing the need for firewalls and host level security practices such as applying patches, turning off unnecessary services, and so on.

April 10, 2000 - CIC Security Working Group Meeting, Columbus
Use of CISCO Netflow Logs at OSU,
Steve Romig,
Slides: web, pdf

We covered parts of a previous talk on OSU's tools for processing CISCO Netflow logs, and then moved on to recent updates, including tools for sorting flow logs and a discussion of future hardware plans for storing and processing these logs at OSU.

April 6, 2000 - Columbus OHECC Meeting
State of the Hack (2000),
Steve Romig,
Slides: web, pdf

A brief survey of relatively recent twists in the world of crackers. We'll talk about the use of remote file systems, loadable kernel module rootkits, the increase in exploit automation, and distributed scans, intrusions and denial of service attacks.

March 22, 2000 - SECWOG
Demo of the ISS System Scanner,
Steve Romig,
Slides: web, pdf

March 8, 2000 - OEDSA Meeting
Computer Crime,
Det. Rick Amweg (OSU Police), Steve Romig,
Slides: web, pdf

February 23, 2000 - a local business meeting
The OSU Incident Response Team,
Steve Romig,
Slides: web, pdf

February 23, 2000 - SECWOG Bull Session,

I had been planning on giving a demo of the ISS System Scanner, and a presentation of how to install/use it. I'm postponing that till March - I haven't had time to put much together.

The meeting is still on for Feb 23, but we won't have a presentation per se - we'll shoot the breeze, answer questions, ask questions, etc.

February 9, 2000 - Columbus OarTech Conference
Distributed Denial of Service Attacks and CISCO Netflow Logs,
Steve Romig,
Slides: web, pdf

January 26, 2000 - SECWOG
Distributed Denial of Service Attacks,
Steve Romig,
OSU News slides: web, pdf,
DDOS slides: web, pdf

Steve will talk about (in roughly this order :-)

Distributed attack and denial of service tools. We'll talk about Tribe Flood Network (TFN), TFN2k, Trinoo and Stacheldraht and probably EggDrop. Possibly others, depending on how much more research I get done between now and then.

The most common mode of attack we're seeing these days is highly automated attacks where probes are done from one set of hosts, the results are shared through some mechanism with tools on another set of hosts which commit the initial intrusion on the vulnerable hosts, and a third set of hosts is used to enter through back doors that the 2nd set of hosts left behind and do their dirty work.

Attackers are now often leaving behind sophisticated agents (like Stacheldraht) on hundreds or thousands of hosts, which they can then "command" through "master" programs to commit various denial of services attacks with devastating results.

Time permitting, we'll also talk a bit about how we're progressing with our various intrusion detection and scanning efforts.

1999

December 1999 - SECWOG
Canceled,

Is canceled, due to Christmas. I had originally planned to have the meeting anyway, but just realized that Thursday and Friday are vacation days for OSU, so I suspect that many people will want to get home earlier Wednesday.

November 1999 - SECWOG
Canceled,

Is canceled, due to Thanksgiving. We'll meet in December, though I don't know when yet.

Sorry about the late notice - this snuck up on me.

Note that we *always* see an increase in intruder activity in the Thanksgiving-Christmas time frame - be alert! Watch your logs for unusual activity!

October 27, 1999 - SECWOG
Topics in Forensic Computing,
Steve Romig,
See Steve's longer forensic computing workshop (next).

We'll talk about a variety of topics, including computer forensics (I'll go through some of the material for a half day tutorial I'm working on), recent security issues, and security plans/projects for OSU.

October 1999 - various locations, including OSU
Forensic Computing,
Steve Romig,
Slides: web, pdf,
handouts

Slides from a roughly 6 hour presentation on Forensic Computing, initially presented at the University of Michigan. Parts of this have also been presented at other sites, including OSU.

October 22, 1999 - Dayton OHECC Conference
Use of CISCO Netflow Logs at OSU,
Steve Romig,
Slides: web, pdf

October 22, 1999 - FIRST Technical Colloquium
Building An Incident Tracking System,
Mowgli Assor,
Slides: web

September 9, 1999 - SECWOG
Bull Session,

No planned presentation this month. If you're interested, stop on by to BS, ask questions, etc. I'm sure some of us will be there (I will be).

September 1999 - OSU ResNet consultants meeting
ResNet Ethics,
Steve Romig,
Slides: web, pdf

August 31, 1999 - Ohio Business Privacy Forum
Miscellania,
Steve Romig,
No slides, handouts, or notes available.

August 25, 1999 - SECWOG
Using PGP,

PGP stands for "Pretty Good Privacy" - it's a program that allows you to use public key cryptography to send and receive encrypted messages and to digitally sign messages.

We'll talk about what all that means, why you'd be interested in using it, and I'll give demonstrations of its use under both Unix and Windows.

July 28, 1999 - SECWOG
Mowgli Down Under,
Mowgli Assor (OSU),

Mowgli recently returned from a trip to Australia where he attended the annual FIRST (Forum of Incident Response and Security Teams) general meeting. He'll tell us about his trip and the meeting.

Jeff Schmidt from OSU will also be there to tell us about the ntbugtraq meeting that he attended recently (in Toronto?)

And I imagine that we'll spend some time talking about the events from the July 4 weekend and the effects it has had at OSU.

June 23, 1999 - SECWOG
Canceled,

Is canceled (would have been June 23rd). I'll be out of town. We will be meeting as usual in July.

May 26, 1999 - SECWOG
Bull Session,

I have no planned topic for this month. I had been hoping to go through incident statistics and scan statistics, but haven't been able to compile the data. So, we'll just leave it open and talk, answer questions, order pizza, I don't know :-)

April 28, 1999 - SECWOG
Highlights of Usenix Intrusion Detection Workshop; Security Best Practices (from the audience),

We've got a couple of different things for the agenda. I'll start with a brief summary of the Usenix Intrusion Detection Workshop from a few weeks ago, and we'll talk briefly about the state of various software site license projects at OSU (particularly S2 and ssh).

I'd like to spend the rest of the time running around the room and talking about security practices that people have attempted - what worked, what didn't work, what they'd like to do, what they wish they had done. I'll start the ball rolling with a brief recap of some recent security problems at OSU, touching both on what worked well, and what I wish we had done instead/in addition.

I realize that some security people are not comfortable with sharing their companies' security practices or shortcomings (or aren't legally able to) - that's fine, come listen!

March 24, 1999 - SECWOG
Security Q&A,

I couldn't think of a special topic of discussion, but didn't want to just cancel the meeting, so we'll call it "generic q&a" and see what happens... :-)

March 16, 1999 - ASIS (Columbus Chapter)
Internet Security,
Steve Romig,
Slides: postscript

February 24, 1999 - SECWOG
Risk Assessment,
Greg Adams, Brian Moeller,

Greg and Brian will be talking about risk assessment.

At most of our past meetings we've talked about security vulnerabilities (what the risks are) or about security tools (which help identify the vulnerabilities or to fix them in some way). This month we'll look at the process of risk assessment.

Brian will start by discussing "Information Security Risk Assessment Method", which is an attempt to quantify exactly what a vulnerability means to you. It allows one to take more factors into consideration than just the vulnerability. These factors are the value of the information and access to it, the safeguards that are already in place, and the type of threat that would take advantage of the vulnerability.

Greg will then talk about and demonstrate the L-3 Security Expert, which is a tool that helps walk you through this process and which automates many of the tasks.

There's a rumor that we'll be having cookies and milk, also :-)

January 27, 1999 - SECWOG
Firewall Architectures, Packet Filtering (Continued),

I'll finish the discussion of firewall architectures and packet filtering that we started last month.

January ??, 1999 - 2nd Vulnerability Database Workshop
IDB - An Incident Database,
Mowgli Assor (OSU),
Paper: postscript

This is a paper accepted at the 2nd Vulnerability Database Workshop held at Purdue University sometime in January, 1999. The paper describes a small, shareable incident database which was developed and implemented at OSU.

1998

1998 - Northwestern University Security Day
A Security Incident at OSU,
Slides: postscript

1998 - FIRST Workshop Panel?
Working With Law Enforcement,
Steve Romig,
Notes: text

December 16, 1998 - SECWOG
Firewall Architectures, Packet Filtering,
Notes: text

I'll talk about firewall architectures and packet filtering; recent security (or insecurity :-) activities at OSU; and give updates on various things.

We probably won't have time to finish the firewall/packet filtering talk - if not, we'll finish it in January. I had planned to go through a summary of 1998's incidents, but we'll defer that to January as well.

I've moved the meeting up - it will be on Wednesday Dec 16, from 4-6 PM.

November 1998 - SECWOG
Canceled,

Is canceled, due to Thanksgiving. I plan to schedule something in early December, but I don't have a date yet. I'll post something ASAP.

Sorry, and happy thanksgiving!

October 28, 1998 - SECWOG
SSH Talk and Demo,
Steve Romig,
Notes: text

September 1998 - ResNet consultants meeting
ResNet Ethics,
Steve Romig,
Slides: web, pdf

September 1998 - ISSA (Columbus Chapter)
Intrusion Detection,
Slides: postscript

Brief discussion of intrusion detection methods, followed by an overview of how we tested one system (NetRanger) using packet logs containing recorded cracker activity.

September 23, 1998 - SECWOG
Canceled

There won't be a meeting this month. I couldn't think of a topic to cover, and Wednesday is the first day of classes at OSU, which sounds like 2 great reasons for not meeting. I'm sure it will be near chaos here, especially with regard to parking. Sorry!

I'm sure we'll be meeting in October. I'll send details about the topic and speakers when I have them. That meeting would be on October 28th, 4-6 PM.

August 1998 - SECWOG
Secure access to email through SSH tunnels,
Bill Yang (Columbus Free-Net),
Notes and references: web

In today's anti-spam-relaying and packet-filtering environment, roving users are difficult to manage -- it seems like every one of them wants an exception to be made to the local security policy because "e-mail is a vital business resource." When senior management -- who do not want to understand the technical implications of relaxing security restrictions -- are among the roving users, some solution needs to be put into place to resolve their needs without making systems unreasonably vulnerable.

Using the Secure Shell (SSH) tunneling protocol, it is possible to permit authenticated access to e-mail and news following a one-time configuration of standard mail and news clients, with only minimal re-education of users. This can resolve many of the security risks associated with "open" access to the Internet messaging services (password sniffing, exploits against vulnerable services, and weak authentication protections) with packet filtering and the addition of application-level encryption in an almost completely transparent manner.

This presentation will include demonstrations of free and commercial SSH tunneling packages for modern Windows platforms in combination with host-level security measures on UNIX (Solaris), protecting Internet messaging protocols including IMAP, POP, SMTP, and NNTP.

Mowgli Assor will also be on hand to answer questions, and possibly give a surprise demo.

July 22, 1998 - SECWOG
AUSCERT UNIX Security Checklist, Highlights of the FIRST Workshop,
Steve Romig,
No slides or notes available, see the AUSCERT web site for their list of papers. Look for something called the Unix Security Checklist.

June 1998 - SECWOG
Canceled (I think),

May 27, 1998 - SECWOG
ISS' Real Secure, System Scanner,
Allan Bergen (ISS), Brent Huston (MicroSolved),

Allan Bergen of ISS and Brent Huston of Microsolved will be talking about RealSecure and System Security Scanner (S3), two ISS products.

Though we don't often invite vendors to do dog-and-pony shows, I thought it was appropriate in this case since I am hoping to set up some sort of site licensing for both products at OSU, and thought this would be a good way to introduce them to people here.

RealSecure is a network intrusion detection system - it watches the packets on the net and would normally be configured to alert you in the event of an intrusion attempt. It can also be used to log the contents of these network sessions.

S3 is a host-based security checking program - it has some of the same features as COPS, Tiger and Tripwire, rolled into one system. It's currently available for UNIX; an NT version is coming soon. This is a great complement to their network security scanner (which we already have a license for).

Allan and Brent will talk about the products and give a demo. I will also talk a little about how things have gone with the network scanning so far. I am hoping that by Wednesday we'll have the schedule nailed down for campus wide network scanning - we're ready (finally) to move ahead with that.

April 22, 1998 - SECWOG
Bull Session - Random Holes, Recent Incidents,

The unknown topic. :-)

Actually, I thought we might talk about some random security holes, recent incidents at the University, and discuss the possible uses of packet filters and firewalls at OSU.

I'm also hoping that we'll have some people on hand who have had real experience setting up or administering firewalls and packet filters, who can share their experiences and maybe answer some questions for the rest of us.

March 25, 1998 - SECWOG
Draft OSU Acceptable Use Policy,
Steve McDonald (OSU),

Steve McDonald of OSU Legal Affairs will join us to answer questions about the draft OSU computer acceptable use policy and other related issues.

We'll have copies of the draft policy on hand, but you might want to retrieve a copy from ftp.net.ohio-state.edu in /users/romig/policy/osu-draft.doc.

February 28, 1998 - Columbus School for Girls
Internet Safety,
Steve Romig,
Slides: postscript

February 25, 1998 - SECWOG
Meet the OSU-IRT Staff; OSU Security Projects,

This will be a fairly informal meeting, and hopefully fairly short.

I'd like to introduce the newest members of the OSU security group. Mowgli Assor will be joining our group in a full time position starting in March, assisting me with incident response and the various projects we have going on. We've also hired Eric Stewart as a student programmer, who will also work on incidents and various other things.

I'd also like to spend part of the meeting brainstorming about security projects for the OSU campus, and talk in particular about training and educational needs relating to security.

February 05, 1998 - SECWOG
USENIX Security Symposium Highlights; Intrusion Detection; NFR,
Notes: text

Steve McDonald can't make it this month, so we'll discuss the OSU draft policy at some future meeting.

So, at this meeting, we will talk about:

January 1998 - SECWOG
Unknown - canceled?,

1997

Winter 1997 - ITC
Incident Response,
Steve Romig,
Slides: postscript

December 1997 - SECWOG
Canceled,

November 1997 - SECWOG
Logging and Monitoring,
Peter Honeyman, Joe Saul (University of Michigan),

"Logging and Monitoring: Technical and Legal Aspects"

Dr. Peter Honeyman and Joseph M. Saul, of the University of Michigan.

Sponsored by the Network Security Business Unit (in Dublin, Ohio) of Ascend Communications, Inc. and The Ohio State University (see below).

Peter and Joe will give a lively presentation covering the technical and legal issues involved with logging and monitoring computer activity of all sorts. I have given them copies of some of OSU's policies, practices and guidelines regarding these issues so that they can inject some local flavor into the talk. Although we will be talking to some degree about OSU specific issues, I think that the discussion will be of interest to everyone since they'll be using us as examples (both good and bad, I'm sure), not as primary source material.

Peter and Joe prepared this talk for the Committee on Institutional Cooperation (CIC) Security Education Consortium. The CIC Security Education Consortium is a unique, cooperative arrangement among the CIC member institutions to make available low-cost, high quality training and educational opportunities in the security aspects of system and network administration. The Logging and Monitoring seminar will be the first of these to be held at OSU.

Peter and Joe gave a condensed version of this talk as an Invited Talk at the 1997 LISA conference last week which was well received.

October 22, 1997 - SECWOG
Review: a package for viewing the contents of tcpdump logs,
Steve Romig,
Slides: web, pdf,
paper: web, postscript

This month we will be talking about tools for analyzing the contents of network traffic for computer security investigations.

It is sometimes useful to record the network traffic pertaining to security incidents so that you can go back and try to discern exactly what the crooks were trying to do and how they did it. We do this at times at OSU when we investigate security intrusions on our systems. In some investigations from the last year we accumulated over 20 gigabytes of log files. The complexity of these logs, as well as the overwhelming amount of information this represents encouraged us to write better tools for viewing and summarizing logs of packet contents. We call this software system "review", since we use it for reviewing our packet log files.

Steve will talk about these logs and the review software. At the very least we will cover some "screen shots" showing how the software works and what it can do; with luck we will also have a live demo.

Fall 1997 - FIRST Technical Colloquium
Incident handling at OSU,
Steve Romig,
Slides: web, pdf,

September 24, 1997 - SECWOG
Survey of this year's incidents at OSU. News: ISS is here!,
Steve Romig,
Notes: text

This month, Steve will dissect several recent security incidents from Ohio State University, detailing the impact, aftermath, and good and bad aspects of the investigation and response. The discussion will touch on issues concerning law enforcement, international investigations, software piracy, and resource allocation. I will also present a summary gleaned from our records of incidents from the last few years, which might prove interesting.

The discussion will not involve flaky laptop demos or access to protected web pages, so it might actually run smoothly this time :-)

August 27, 1997 - SECWOG
Setting Up Secure Hosts With Read-Only Disks,
Mowgli Assor (Infinet),

Oops.

Before I left for vacation, I thought I had posted an announcement about this month's meeting. I apparently forgot.

One of the things on the list of things to do when I got back was to repost the announcement. I forgot to look at the list of things to do.

We are still (probably) having a security meeting this month, today, August 27, 4-6 PM in Baker 120.

Assuming that a reasonable number of people show up, Mowgli will give what should be a wonderful presentation about setting up secure systems.

July 23, 1997 - SECWOG
Myths, Scams, Hoaxes and Spam: a standards-based attempt to control the cost of unsolicited electronic mail at the Greater Columbus Free-Net,
Bill Yang (Columbus Free-Net),
Notes and references: web

This month's meeting features Bill Yang and Mowgli Assor.

Bill will present "Myths, Scams, Hoaxes, and Spam: a standards-based attempt to control the cost of unsolicited electronic mail at the Greater Columbus Free-Net"

With the explosion in the number of Internet-connected hosts and the unprecedented growth of the number of people using the Internet, there is a serious erosion problem on the 'Information Super Bike-Path.' One of the most visible problems for the Internet is the issue of 'spam' -- unsolicited electronic mail which is generally of a commercial nature. It is possible to define patterns with which we can identify spam and thus put into place measures which will reduce the volume (and cost) of running electronic mail services without undermining legitimate use of such systems.

Mowgli will kibitz and fill in with comments about his own experiences.

July 02, 1997 - SECWOG
Better Incident Response - mistakes I've made (and how to avoid them)
Steve Romig,
Notes: text

I will be the speaker (so it is especially important that I attend). I'll run through the highlights of the FIRST workshop (which I will be attending next week), and give a short talk about what I wish I had done better in the incident response world in the last year or so.

Also: all about FIRST, review of the FIRST Workshop. News on local hackers - microman was busted. OSU news - ISS, account security issues.

June 1997 - FIRST Annual Conference
Review: a Tool for Reviewing Tcpdump Logs,
Steve Romig,
Slides: web, pdf,
Paper: web, postscript

The Ohio State University uses tcpdump to log the network traffic of crackers who use our modem pool or other computer resources so that we can identify them and monitor their activities and targets. Reading through the logs is tedious and time consuming, due in part to the quantity of information, and because some of the network traffic is hard to decipher. Picking text out from among terminal escape sequences is painful, and deciphering traffic to or from X Windows servers is very difficult to do without special tools.

We have written some tools to make it easier to read through our tcpdump logs. The main program, which we call Review, allows one to view various summaries of the logs and to view the packet contents. The program also allows the user to replay remote login and X Windows sessions at a controlled rate, so the user can reconstruct what would have appeared on the cracker's screen.

This talk describes the inner workings of the Review system and its uses. We also discuss some of what we have learned from reading our logs, and we list some of our future plans.

May 28, 1997 - SECWOG
Canceled,

199x - Penn State University, University of Michigan, OSU
State of the Hack,
Steve Romig,

This is a roughly half day lecture Steve gave on crackers - who they are, what they do, how they do it, the tools they use.

Slides: web, pdf,
handouts (text)

April 23, 1997 - SECWOG
NT Security,
Jeff Schmidt

The speaker this month is Jeff Schmidt, the topic is NT security.

Jeff says: I expect many non-NT people so I'll gear the talk appropriately.

March 24, 1997 - SECWOG
Scheduled Speaker Canceled - Informal Meeting. Recent security news - INN security problems and Internet Explorer bugs,
Steve Romig,

We'll have a very informal (and probably short!) meeting this month. The speaker I had been hoping for had to cancel, and I haven't been able to find a replacement on such short notice. I thought it would be useful to meet anyway and talk about some of the recent security news, like the INN security holes and Internet Explorer problems.

February 20, 1997 - OSU Marion Campus, Criminal Justice Fellows Program
Internet Security,
Slides: postscript

February 20, 1997 - SECWOG
The Crypto Snake Oil FAQ and the RSA Key Cracking Challenges,
Matt Curtin (MegaSoft),

Matt will be our speaker this month. He will tell us about the Snake Oil FAQ, which gives useful advice about evaluating encryption and other security products. He will also tell us about the RSA Key Cracking Challenges, and about the group he's working with, which is working on cracking the 56-bit DES challenge.

January 22, 1997 - SECWOG
Scanning, ISS, Phf probe detection and response, TCP probe response, news on "our" hackers, Dan Farmer's survey, crypto news, packet filtering at OSU, OSU guidelines review
Steve Romig,
Notes: text

This month I'll talk about miscellaneous unrelated topics. I'm planning to talk a bit about some recent security problems that have cropped up; I'd like to have a free-form discussion about disclosure and dissemination of security information; and I'd like to talk a little about packet filtering and security policies for campus.

1996

December 18, 1996 - SECWOG
Miscellania,
Steve Romig,
Notes: text

We'll have an informal (well, more informal than usual) security meeting this month. I'll talk briefly about the last year's worth of incidents that we've seen, share some things I learned from the Information Security Day at Northwestern University that I recently attended, and we can talk about anything else that comes to mind. I may demonstrate some tools I've been working on.

Since the 4th Wednesday this month falls on Christmas day, I've rescheduled the meeting for 4:30 PM (NOT 4:00 pm!) on Wednesday, December 18th, in Baker 120. Note that this meeting starts 30 minutes later than usual.

November 27, 1996 - SECWOG
Canceled

We'd normally have an OSU network security meeting this next Wednesday (November 27), but since I (a) don't have a speaker lined up and (b) expect a lot of people might be leaving early to go places, I'm canceling the meeting instead.

October 1996 - COLUG (Columbus Linux User's Group)
TCP/IP Security Issues,
Steve Romig,
Slides: web

October 23, 1996 - SECWOG
Miscellania - ISS, OSU News, Email Spam,
Steve Romig,
Notes: text

It's that time of year again. The leaves are red and gold, the air is crisp. Sniff, sniff - what's that I smell? Cinnamon, cloves...ah, it's potpourri!

Yes, we're going to talk about potpourri. Well, not the stinky stuff - I mean that we're going to talk about a variety of topics.

We can also just generally talk about things, discuss questions that people might have, talk about some of the proposed fixes for the TCP SYN attacks, etc.

September 25, 1996 - SECWOG
Incident Response, TCP SYN Attacks,
Steve Romig,
Notes: text

The next OSU Network Security meeting will be this next Wednesday, September 25th from 4-6 PM in Baker Systems Engineering room 120 on the Ohio State University main campus.

I'll be speaking this time. We'll talk a bit about the TCP SYN attacks that are plaguing the Internet these days, and I'll talk a lot about incident response. I'll be referring back to recent experience, as we've had several significant incidents on campus lately and so I've had recent experience in how to respond to security problems (and how not to :-)

August 1996 - Aegis
Security Through Comfort Foods,
Steve Romig,
Notes: text

August 1996 - COQA (Central Ohio Quality Assurance)
Internet Security,
Steve Romig,
Notes: text

August 28, 1996 - SECWOG
Battelle's Security Group,
Neal Owens, Kirk Reilly (Battelle),
USENIX Security Symposium Trip Report,
FIRST Workshop Trip Report,
Steve Romig,

July 24, 1996 - SECWOG
Canceled,

June 26, 1996 - SECWOG
Meet the Cypherpunks,
Notes: text

May 22, 1996 - SECWOG
Intrusion Detection and Handling,
Steve Romig,
Notes: text

April 1996 - OSU Meeting
OSU-IRT Roll out,
Slides: postscript

April 24, 1996 - SECWOG
Media Law 101 and the Internet,
Steve McDonald (OSU),

March 27, 1996 - SECWOG
Viruses,
Steve Romig,
Slides: postscript

February 28, 1996 - SECWOG
Host and Port Probing and Probe Detection,
Matt Blaze's Cryptographic File system,
PGP Key Servers,
PGP Key Signing Party,
Steve Romig,
Slides: postscript

January 24, 1996 - SECWOG
Recent Trends,
Moira West (CERT),

1995

December 20, 1995 - SECWOG
Critter Talk,
Steve Romig,
Notes: text

November 1995 - ISSA (Columbus chapter)
Internet Security,
Steve Romig,
Notes: text

November 30, 1995 - SECWOG
IP-watcher and SSH demo,
Net Security '99 trip report,
Steve Romig,
Notes: text

October 25, 1995 - SECWOG
Penn State University CERT,
Kathy Kimball (PSU),

September 20, 1995 - SECWOG
Syslog, SSL and Loadmodule,
Steve Romig,
Intro slides: postscript
Syslog slides: postscript
SSL slides: postscript
Loadmodule slides: postscript

August 1995 - SECWOG
Firewalls,
Brent Chapman (Greatcircle Associates),

July 26, 1995 - SECWOG
Security Web Pages,
Jim Ebright (OSU),
Karlbridge News,
Doug Karl (OSU),

June 28, 1995 - SECWOG
Public Records Laws,
Steve McDonald (OSU),
FBI and Computer Crimes,
Roger Wilson (FBI),

May 24, 1995 - SECWOG
SATAN,
Dan Farmer,
Slides: postscript

April 26, 1995 - SECWOG
COPS, Tiger and Tripwire,
Steve Romig,
Notes: text

March 22, 1995 - SECWOG
SecureConnect demo,
Morningstar,
Trip report,
Fred Crowner (OSU),
SATAN demo,
Steve Romig,

February 22, 1995 - SECWOG
PGP,
Jim Ebright (OSU),

January 25, 1995 - SECWOG Kickoff
IP Sequence Number Guessing Attacks and the Tap kernel module,
Steve Romig,
Notes: text

1994

1994 - OSU (I think)
ATM at OSU/CIS,
Steve Romig,
Slides: postscript

1994 - Bay-LISA
ATM at OSU/CIS,
Steve Romig,
Slides: postscript

1991

1991 - USENIX LISA Conference
Some Useful Changes to Boot RC Files,
Steve Romig,
Slides: postscript

1991 - USENIX LISA Conference
Customizing Cloned Hosts,
Steve Romig,
Slides: postscript

Unknown 199x

Sorry, we couldn't determine when or where these talks were given.

1980's