OARtech Talks and Presentations Archive

Most of these talks were presented at our monthly SECWOG meetings. Locations for the other talks are given where we know them.

2003

No meeting


February 6, 2003 - SECWOG
Patching,
Steve Romig
Rough notes are available.

The topic of discussion at this month's meeting will be patching - why, how, and when. This is pretty timely, given our recent experiences with the SQL Slammer worm.

We'll start with a short presentation (by me) that covers some of the issues - the threat that we're facing, why you need to patch, and where patching fits into the retinue of security tools. We'll also talk about some of the challenges of keeping up with patches. I'll demonstrate Windows Update, the Microsoft Baseline Security Analyzer, hfnetchk (from shavlik.com), and the Red Hat Alert Notification Tool and up2date.

However, that's just the beginning. We have assembled a great group of seasoned administrators (the, er, "Patch Panel"*) who will talk briefly about how they deal with patches in their different domains (Windows, Solaris, AIX, IRIX and Red Hat) and who will answer any and all questions that you present to them.

January 2, 2003 - SECWOG
No meeting

2002

December 5, 2002 - SECWOG
State of the Hack,
Steve Romig
Slides: web, power point

At our December meeting I will give my "State of the Hack" talk - this is the same talk that I gave at the Columbus ITEC meeting last month, and an updated version of the talk that I gave at the local Infragard meeting not long ago. The talk summarizes some of the presentations from the Blackhat Briefings from Las Vegas this summer and other interesting malware.

November 14, 2002 - CIO's Wireless Summit
The Draft OSU Wireless Policy,
Steve Romig
Slides: web, power point

A short presentation about the draft OSU policy on wireless networks.

November 7, 2002 - SECWOG
Thinking About Security,
Steve Romig
Slides: web, power point

At our November meeting, I will talk about "How to Think About (Computer) Security". This won't be an especially technical talk - I plan to talk about the threats that we face and the solutions that counter those threats in a fairly general way. Most of the talk will focus on security principles, and I'll take a stab at debunking some security related myths that we frequently run into.

October 30, 2002 - Columbus ITEC Meeting
State of the Hack,
Steve Romig
Slides: web, power point

This is another "state of the hack" talk, summarizing current "advances" in malware and abusive behavior. I drew heavily from the presentations from the Blackhat Briefings from the USA 2002 conference in Las Vegas.

October 3, 2002 - SECWOG
Logging and Monitoring,
Steve Romig
Slides: web, power point

At our October meeting we will discuss logging and monitoring, including:

  • Why, what, and how to log information about security and other events on your computers.
  • How to monitor your logs.
  • Why you might want a central log server, and how to do that. We'll include a discussion of shipping Windows event logs to Unix syslog, and vice versa, and we'll discuss syslog replacements.
  • How to interpret and read your logs.
  • Why you might want to send the OIT network security group some of your logs, and how.

August 28, 2002
Twiki Overview,
Steve Romig

At the August meeting I gave a very informal overview of Twiki, a web-based collaboration tool for people participating in our security best practices effort.

July 24, 2002 - SECWOG
Best Practices,
Steve Romig
Notes: plain text

Main topic of discussion: how to go about creating and maintaining a list of "best practices" in areas relating to security and systems administration in a fluid and dynamic world. I'll briefly introduce what I have in mind and outline a proposal for how to work on this (in a nutshell: divide and conquer, top down where possible, referring to or borrowing from existing work where it exists). I'll also talk about some of what I've found so far in my research in this area.

For the non-OSU people: although the effort to create a list of best practices for OSU is (by definition) OSU centric, I think the conversation and general discussion will be of general interest (best practices for OSU in the area of, say, firewalls aren't likely to be very different from what they'd be for a private company). Plus we'd welcome input from non-OSU people who have thought about best practices.

June, 2002 - SECWOG
No meeting?

May, 2002 - SECWOG
No meeting.

April, 2002 - OIT Leader's Advance
The OSU Incident Response Team,
Steve Romig
Slides: web, power point

A brief description of the OSU Incident Response Team, for the April 2002 OIT Leader's Advance meeting.

April, 2002 - SECWOG
No meeting.

March 27, 2002 - SECWOG
Network Security Recommendations,
Mowgli Assor

Mowgli Assor will talk for a bit about network security recommendations for OSU network administrators, mostly centered on firewalls, wireless networking and DHCP.

February 28, 2002 - SECWOG
Stuff,
Steve Romig

We'll cover a variety of mostly OSU related issues, including vulnerability scanning (ISS scanning will be resuming shortly, I need testers!), firewalls, TCT testing, best practices and security policies.

January, 2002 - SECWOG
No meeting.

2001

December 2001 - SECWOG
No meeting.

November 28, 2001 - SECWOG
I don't have a speaker lined up this month. So I'm thinking instead we'll do a combination of things:

  • I have a bunch of books that we've added to our library in recent months. I'll bring them and talk about them briefly and pass them around.
  • We'll talk about online information resources that are useful (mailing lists, web sites, etc.). Bring your own favorites to share!
  • We'll talk about recent security problems (SSH and Microsoft SQL bugs, etc.).
  • And we'll talk informally about "first response" issues. How do you approach a computer that's to be investigated? Log in, look around? Halt it? Reboot it? Power it off? Unplug it from the network?

October 24, 2001 - SECWOG
Wireless access on Campus,
Brian Moeller
Slides: power point

This month, Brian Moeller talks about some of the risks of wireless on campus, and reviews a project where a freely available tool was used to map some of the wireless networks on campus.

October, 2001
Forensic Computer Investigations,
Steve Romig
Slides: various formats: pdf, ppt

August 22, 2001 - SECWOG
Tripwire
Tammy Bedinghaus, Mark Ermence

This month's guest speakers are Tammy Bedinghaus and Mark Ermence from Tripwire. They will be speaking on intrusion detection systems and tripwire. In addition, Steve will give a general introduction on intrusion detection, and will probably also discuss the ongoing Code Red outbreak.

August 13, 2001 - USENIX Security Symposium
Forensic Computer Investigations,
Steve Romig
Slides: various formats: pdf, ppt

Think of this as a "forensics for the systems administrator" sort of tutorial. System administrators are often on the front line of computer investigations, for better or worse. Unfortunately, the natural instinct of most admins is to "fix first, ask questions later", which leads to destruction of what might have been critical evidence.

July 25, 2001 - SECWOG
Code Red,
Steve Romig, Ken Eichman

We'll be talking mostly about the Code Red worm. Ken Eichman from Chemical Abstracts Service (CAS) will be here to talk about his observations, and we'll be on hand to add an OSU perspective.

June 27, 2001 - SECWOG
ISS (and Other Security Tools),
Brian Moeller

Our speaker this month should be Brian Moeller, covering various security tools, with specific emphasis on the ISS system.

June, 2001 - USENIX Annual Conference
Forensic Computer Investigations,
Steve Romig
Slides: various formats: pdf, ppt

Think of this as a "forensics for the systems administrator" sort of tutorial. System administrators are often on the front line of computer investigations, for better or worse. Unfortunately, the natural instinct of most admins is to "fix first, ask questions later", which leads to destruction of what might have been critical evidence.

There is a heavy emphasis on principles, rather than a specific set of rigid procedures, since in my view the whole essence of computer investigations is to adapt one's methods (procedures, tools) to the situation at hand, paying due regard to certain basic principles.

May 23, 2001 - SECWOG
Generic Computer Security Q&A,
Steve Romig

We're going to do another "Generic Computer Security Q&A" meeting (read: Steve failed to find a speaker and didn't have time to come up with a presentation on his own :-) Bring your questions (and answers), try to stump us :-)

April 25, 2001 - SECWOG
Network Security Vulnerabilities, Dsniff, Ettercap, etc.,
Albert School
Slides: power point

Albert will be talking about various network security vulnerabilities, including session hijacking, man in the middle attacks, ARP spoofing, DNS games, TCP sequence number guessing and so on. As an added bonus, he will demonstrate and discuss some of the packages (dsniff, ettercap) that have been developed recently to exploit these vulnerabilities.

James Corder also gave a brief presentation on Venturing Crew 369, which (among other things) trains young people in UNIX systems administration (and does a fine job of it). Visit their web site at http://369.columbus.oh.us for more information.

March 28, 2001 - SECWOG
Forensics Tools,
Steve Romig
Sorry, no notes or slides available!

Our speaker this month is me. I will talk about several tools that are useful for forensic computer investigations, including HashKeeper, parts of The Coroner's Toolkit, Encase, and EMT (Emergency Medical Technician) and F*** (both from Dan Farmer, and yes, the name is socially unacceptable).

I'll give demos/screen shots where I'm legally allowed to do so. I may show crayon representations of screen shots for programs that I'm not allowed to demonstrate, just to spite them :-)

We will probably also talk about recent security bugs and exploits, including the Lion worm.

Oh, I will probably give a brief review of my recent trip to the CERIAS group at Purdue. Much fun!

February 28, 2001 - SECWOG
Legal Issues, Question and Answer Session,
Steve McDonald
Email Steve at mcdonald.108@osu.edu to request copies of his slides.

Our speaker this month is Steve McDonald. Steve will be on the hot seat for a "legal issues" Q&A session. I imagine that many of the issues (and especially the answers) will be highly specific to OSU, but the general issues explored will probably be of interest to a much wider audience.

If you have questions in mind already, send them to me so that I can forward them to Steve so he can think about them in advance. It's always fun to try to trip him up with unexpected questions, but hey, let's give him a break :-)

January 24, 2001 - SECWOG
Privacy on the Web,
Matt Curtin
Notes (by Steve, with comments from Matt)

Our speaker this month is Matt Curtin. He'll be talking about privacy on the web:

This is a talk-in-progress that discusses key privacy issues as they relate specifically to the Internet and the World Wide Web. Privacy ramifications of various pieces of the architectural puzzle are considered along with several actual examples of privacy problems that arose from failing to account for the nature of the system. The philosophy of privacy-by-policy is compared with privacy-by-technology. Both approaches are considered in the context of secure systems design principles. Finally, the speaker concludes with consideration of the issue of the use of "opt-opt" systems to protect privacy online.

2000

December 27, 2000 - SECWOG
We had a very small meeting with some holiday refreshments. Steve presented a small part of the material from his invited talk at the recent LISA conference.

December 7, 2000 - Usenix LISA Conference
Experiences with Incident Response at OSU,
Steve Romig
Slides: web, power point, notes (pdf), 6up slides (pdf), more notes (pdf), more notes (rtf), quake demo

This is a "tour" of incident response, drawn from several investigations at OSU from the last few years. I attempted here to tell some stories that illustrated why incident response is hard, to show both how to and how not to pursue it, and to have some fun.

You definitely want to download the quake demo. Get a copy of quake (the first one), copy quake.dem to the "id1" directory, start quake, go to the console, and type "playdemo quake.dem".

The "more notes" document (stuff-text) contains a more verbose description of some of the events.

December 6, 2000 - Usenix LISA Conference
Cisco NetFlows and the OSU Flow Tools Package,
Steve Romig, Mark Fullmer
Slides: web, power point, pdf (notes), pdf (6up), paper - pdf
Software: Available at www.net.ohio-state.edu/software.

This is a brief description of the OSU flow-tools package, a set of tools that facilitates the collection and analysis of Cisco NetFlow records.

December 5, 2000 - Usenix LISA Conference
Forensic Computer Investigations,
Steve Romig
Slides: web, power point, slides - notes (pdf), slides - 6up (pdf), handouts (rtf), handouts (pdf), handouts (original text and postscript)

This is an updated version of my forensics tutorial from the fall of 1999. I'm estimating that it's a bit over two days' worth of material.

Think of this as a "forensics for the systems administrator" sort of tutorial. System administrators are often on the front line of computer investigations, for better or worse. Unfortunately, the natural instinct of most admins is to "fix first, ask questions later", which leads to destruction of what might have been critical evidence.

There is a heavy emphasis on principles, rather than a specific set of rigid procedures, since in my view the whole essence of computer investigations is to adapt one's methods (procedures, tools) to the situation at hand, paying due regard to certain basic principles.

November 29, 2000 - SECWOG
Note that this is NOT the 4th Wednesday - we rescheduled due to the Thanksgiving holiday. The meeting will be on Wednesday, November 29 from 3-5 PM in Baker Systems 120. We haven't settled on a topic yet.

October 25, 2000 - SECWOG
CERIAS Tools for Vulnerability Management and Incident Response,
Pascal Meunier

Risk minimization is a race between crackers and IT professionals. It is the role of IT professionals to minimize the window of exposure. However, reading Bugtraq, related newsgroups and polling other sources of information is time-consuming. The expense of verifying the up-to-date status of systems is significant and may involve audits. One approach is to use automated vulnerability scanning tools. Another is to deduce the applicable vulnerabilities from the list of applications and services present on a host (a profile), without possibly objectionable active scanning. We present a profiling tool (currently with manual entry) that automates vulnerability database searches and currently works with NIST's ICAT. This tool also reports by email the appearance of new vulnerabilities that match profiles, thus trading the delay necessary for the vulnerability to appear in the database for convenience, reduced manpower and manageability.

The second tool that we are developing is a web-based cooperative vulnerability database, designed for the sharing of sensitive vulnerability information. The database sports an enhanced scientific classification system that also helps research.

Information about the incidence of security breaches is difficult to obtain. Emergency situations are not favorable to the maintenance of records, the security breaches are embarrassing and possibly damaging, and disclosing information about the incidents may reveal some sensitive information. Moreover, the nature of the incident and its cause are not always fully known. Because of this, the frequency and cost is difficult to assess by type of incident.

The CIRDB (CERIAS Incident Response DataBase) project attempts to provide a framework to record incident information and duration. Domains provide confidentiality to match areas of responsibility, with multi-level access. Information about the incident can be shared on a case-by-case basis with outsiders (e.g., CERT). Email support provides a time-stamped log of the incident. A classification system used with profiles will attempt to provide lists of vulnerabilities relevant to specific incidents by doing queries of the ICAT database. With this system, we hope that 1) organizations using the same type classification can directly share data; 2) organizations not using the same type classification can translate data based on the properties of the types formalized in the CIRDB; 3) statistical data from many different organizations can be assembled to present a coherent picture of incident costs and frequencies on a national scale.

September 27, 2000 - SECWOG
The Law Of The Jungle,
Mowgli Assor
Slides: web

Mowgli Assor of the OSU Incident Response Team will talk about several recent security problems, and do a small hacking demonstration. This will include a demonstration of the Snort intrusion detection tool.

August 23, 2000 - SECWOG
Correlating Evidence in Incident Investigations,
Steve Romig
Slides: web, pdf

Steve Romig will talk about how to correlate evidence from different sources when you are conducting an investigation into various sorts of computer-related misdeeds (crimes, performance problems, etc. - the techniques and challenges are much the same). Here's a teaser from an article I've written on the subject for the USENIX ;Login: magazine:

One common goal in these sorts of investigations is to reconstruct a chronological record of events and a list of other facts. ... Obviously, how well we can construct the record of events and fit the pieces together has great bearing on the outcome of the investigation.

There are several issues that we need to consider. First, we need to be proficient at finding the evidence. If you can't find the evidence in the first place, you'll have a hard time fitting it into your reconstructed chain of events :-) We also need to understand what the evidence actually means. If we misunderstand the evidence, then either our reconstruction will be wrong or we'll create faulty theories that explain the evidence. Finally, we need to understand how to piece evidence from different sources together to create a cohesive reconstruction. If we know where the evidence can be found, what it means, and how it fits together then we'll be well on our way to reconstructing the chain of events. Note that I am totally ignoring issues concerning preservation of evidence for use in a civil or criminal trial. Sorry!

My talk will mostly focus on the third issue, that of correlating the pieces together into a coherent whole.

July 26, 2000 - SECWOG
Security for OSU's ResNet (dorm networks),
LC Boros
Slides: web

LC Boros (ResNet Manager) will be talking about security in the ResNet community at OSU. ResNet is the network environment in the dorms at OSU. Here's the abstract for this talk:

Students tend to do bad things with their computers, which means administrators need to act as recess monitor, detective, and den-mother, which in turn means adopting a wide variety of tools. Using Statscout, Cisco Netflow and other software has allowed ResNet@osu.edu to create an effective incident response team that both partners and works separately with the university's central IRT.

June 2000 - SECWOG
Canceled,

Is canceled. I forgot to finalize arrangements for it before leaving for vacation, and don't have things ready! Sorry!

May 24, 2000 - SECWOG
Shibboleth: a private mailing list manager,
Matt Curtin
Slides: pdf

According to Matt: We describe Shibboleth, a program to manage private Internet mailing lists. Differing from other mailing list managers, Shibboleth manages lists or groups of lists which are closed, or have membership by invitation only. So instead of focusing on automating the processes of subscribing and unsubscribing readers, we include features like SMTP forgery detection, prevention of outsiders' ability to harvest usable email addresses from mailing list archives, and support for cryptographic strength user authentication and nonrepudiation.

May 29, 2000 - Central Ohio Technical College/OSU Newark
Digital Evidence,
Brian Moeller
Slides: web

Brian Moeller of the OSU Network Security Team talks about digital evidence and where to find evidence of computer-based crimes. Evidence can be in places you might not have suspected. Even if the suspect's system isn't available for inspection, you may still be able to find out what happened. Slides available here, but multimedia case studies are not.

April 26, 2000 - SECWOG
SITAR and IDB - Building An Incident Tracking System,
Mowgli Assor
Slides: web

Mowgli Assor of the OSU Incident Response Team will talk about and demonstrate SITAR and IDB. SITAR is an incident tracking system, which we use in the OSU team for day-to-day work. IDB is the intrusion detection database, which records the events logged for each day.

As Mowgli describes them:

When looking at incident tracking systems early on, we found that the current set either weren't specific to security incident tracking, or were somewhat cumbersome to use. We decided to develop our own, so that they would be platform-independent, and yet as cheap (economically) as possible. To this end, we are using free (at least for educational institutions) software.

We came up with two separate projects, called IDB and SITAR. IDB is a fairly generic incident database, which simply contains the fact that an incident occurred, and what source we received it from. This database is designed to be shared with other entities (including some external to the university). It contains data we don't consider secret.

SITAR is a much deeper incident tracking system, designed to handle the various issues we deal with in tracking an incident - E-mail, files/tarballs, notes, etc. As such, this data is secret, and is designed to only allow access to members of the incident response team.

Both systems work together to allow us to track an incident, and to see general trends in attacks or perceived attacks at the Ohio State University.

April 14, 2000 - HECC Meeting
Computer Crime,
Det. Rick Amweg (OSU Police), Steve Romig,
Slides: web, pdf

This is the same Computer Crime talk that Rick and I have given before, though we had a bit more time for general discussion of crackers and their activities.

April 12, 2000 - OSU Web Interest Group
Security for Webmasters,
Steve Romig,
Slides: web, pdf

A general talk about computer security, discussing the need for firewalls and host level security practices such as applying patches, turning off unnecessary services, and so on.

April 10, 2000 - CIC Security Working Group Meeting, Columbus
Use of CISCO Netflow Logs at OSU,
Steve Romig,
Slides: web, pdf

We covered parts of a previous talk on OSU's tools for processing CISCO Netflow logs, and then moved on to recent updates, including tools for sorting flow logs and a discussion of future hardware plans for storing and processing these logs at OSU.

April 6, 2000 - Columbus OHECC Meeting
State of the Hack (2000),
Steve Romig,
Slides: web, pdf

A brief survey of relatively recent twists in the world of crackers. We'll talk about the use of remote file systems, loadable kernel module rootkits, the increase in exploit automation, and distributed scans, intrusions and denial of service attacks.

March 22, 2000 - SECWOG
Demo of the ISS System Scanner,
Steve Romig,
Slides: web, pdf

March 8, 2000 - OEDSA Meeting
Computer Crime,
Det. Rick Amweg (OSU Police), Steve Romig,
Slides: web, pdf

February 23, 2000 - a local business meeting
The OSU Incident Response Team,
Steve Romig,
Slides: web, pdf

February 23, 2000 - SECWOG Bull Session,

I had been planning on giving a demo of the ISS System Scanner, and a presentation of how to install/use it. I'm postponing that till March - I haven't had time to put much together.

The meeting is still on for Feb 23, but we won't have a presentation per se - we'll shoot the breeze, answer questions, ask questions, etc.

February 9, 2000 - Columbus OarTech Conference
Distributed Denial of Service Attacks and CISCO Netflow Logs,
Steve Romig,
Slides: web, pdf

January 26, 2000 - SECWOG
Distributed Denial of Service Attacks,
Steve Romig,
OSU News slides: web, pdf,
DDOS slides: web, pdf

Steve will talk about (in roughly this order :-)

Distributed attack and denial of service tools. We'll talk about Tribe Flood Network (TFN), TFN2k, Trinoo and Stacheldraht and probably EggDrop. Possibly others, depending on how much more research I get done between now and then.

The most common mode of attack we're seeing these days is highly automated attacks where probes are done from one set of hosts, the results are shared through some mechanism with tools on another set of hosts which commit the initial intrusion on the vulnerable hosts, and a third set of hosts is used to enter through back doors that the 2nd set of hosts left behind and do their dirty work.

Attackers are now often leaving behind sophisticated agents (like Stacheldraht) on hundreds or thousands of hosts, which they can then "command" through "master" programs to commit various denial of service attacks with devastating results.

Time permitting, we'll also talk a bit about how we're progressing with our various intrusion detection and scanning efforts.


1999

December 1999 - SECWOG
Canceled,

Is canceled, due to Christmas. I had originally planned to have the meeting anyway, but just realized that Thursday and Friday are vacation days for OSU, so I suspect that many people will want to get home earlier Wednesday.

November 1999 - SECWOG
Canceled,

Is canceled, due to Thanksgiving. We'll meet in December, though I don't know when yet.

Sorry about the late notice - this snuck up on me.

Note that we *always* see an increase in intruder activity in the Thanksgiving-Christmas time frame - be alert! Watch your logs for unusual activity!

October 27, 1999 - SECWOG
Topics in Forensic Computing,
Steve Romig,
See Steve's longer forensic computing workshop (next).

We'll talk about a variety of topics, including computer forensics (I'll go through some of the material for a half day tutorial I'm working on), recent security issues, and security plans/projects for OSU.

October 1999 - various locations, including OSU
Forensic Computing,
Steve Romig,
Slides: web, pdf,
handouts

Slides from a roughly 6 hour presentation on Forensic Computing, initially presented at the University of Michigan. Parts of this have also been presented at other sites, including OSU.

October 22, 1999 - Dayton OHECC Conference
Use of CISCO Netflow Logs at OSU,
Steve Romig,
Slides: web, pdf

October 22, 1999 - FIRST Technical Colloquium
Building An Incident Tracking System,
Mowgli Assor,
Slides: web

September 9, 1999 - SECWOG
Bull Session,

No planned presentation this month. If you're interested, stop on by to BS, ask questions, etc. I'm sure some of us will be there (I will be).

September 1999 - OSU ResNet consultants meeting
ResNet Ethics,
Steve Romig,
Slides: web, pdf

August 31, 1999 - Ohio Business Privacy Forum
Miscellania,
Steve Romig,
No slides, handouts, or notes available.

August 25, 1999 - SECWOG
Using PGP,

PGP stands for "Pretty Good Privacy" - it's a program that allows you to use public key cryptography to send and receive encrypted messages and to digitally sign messages.

We'll talk about what all that means, why you'd be interested in using it, and I'll give demonstrations of its use under both Unix and Windows.

July 28, 1999 - SECWOG
Mowgli Down Under,
Mowgli Assor (OSU),

Mowgli recently returned from a trip to Australia where he attended the annual FIRST (Forum of Incident Response and Security Teams) general meeting. He'll tell us about his trip and the meeting.

Jeff Schmidt from OSU will also be there to tell us about the ntbugtraq meeting that he attended recently (in Toronto?)

And I imagine that we'll spend some time talking about the events from the July 4 weekend and the effects it has had at OSU.

June 23, 1999 - SECWOG
Canceled,

Is canceled (would have been June 23rd). I'll be out of town. We will be meeting as usual in July.