We just arrived back from Panama City, Panama, where we attended LACNIC XII, the annual conference of the Internet Registry for Latin America and the Caribbean, LACNIC.
As expected, it was a great experience. Below is the report I wrote for the "seguridad@lacnic.net" mailing list.
4th Network Security Event for Latin America and the Caribbean
Panama City, 27 May 2009 – Report by: Carlos M. Martínez
The Fourth Network Security Event for Latin America and the Caribbean was held on Wednesday 27 May 2009. As usual, this event was held within the framework of the LACNIC (Latin American and Caribbean Internet Address Registry) annual event, LACNIC XII.
The event’s program was marked by top-level presentations. Wednesday 27 began with a brief welcome and summary of activities presented by the chair of the event, who highlighted the growing interest that this event has generated within the community, which can be seen not only in the number of papers submitted but also in the additional time allocated to the event.
Then the proposal evaluation process was explained. In cooperation with the community, the chair of the event prepares a CFP (Call for Proposals) containing some guidelines on topics of interest for the event and a deadline for proposal submission. An evaluation committee made up of elected members of the community is then in charge of evaluating these proposals and accepting or rejecting each one of them individually.
During this fourth edition fourteen (14) proposals were received, eight (8) of which were accepted. This is evidence of how much the event has grown, both in terms of the quantity as well as the quality of the proposals that were received.
The first presentation of the morning was made by Nelson Murillo (Brazil), who demonstrated a software tool called “Beholder” which he himself has developed together with his team and that is used, among other applications, for monitoring wireless network security and performing ethical hacking on these networks.
Next, a new experience in the use of honeypots to proactively defend user communities within a CSIRT environment was presented. Although unable to attend the meeting, the authors of this work - Gonzalo Stillo and Natascha Martínez of Antel Uruguay's CSIRT - entrusted the presentation to the chair of the event, Carlos Martínez, and followed the event remotely through the streaming video that was available during the entire event.
The presentation of the CSIRT Banelco (Argentina) case study by Pablo Carretino described the creation of a CSIRT in an environment where its owners (in this case banking institutions based in Argentina) are all competing companies. They nevertheless reached an agreement to create a computer incident response team in order to mutually defend themselves against the growing threats currently faced by the online banking business.
The Banelco case is very well documented and is therefore an excellent case study on the creation of incident response teams.
LACNIC's Executive Director, Raúl Echeberría, launched a new LACNIC project at continent level called “Strengthening of the regional security incident response capability in Latin America and the Caribbean”. Among others, the goals of this project are to create an environment for the development of training materials that will be open to use, and to promote the creation of CSIRTs both at national level as well as at the level of major organizations.
Fernando Gont of the National Technological University of Argentina (Universidad Tecnológica Nacional de Argentina) made two presentations about his work for the IETF. Fernando has been analyzing security issues in the most popular Internet protocol specifications such as IP, TCP and ICMP. In the case of TCP, Fernando spoke of the need to improve the randomization of TCP ephemeral ports (those ports used as source ports in outgoing TCP connections), as well as the survey they carried out to determine the current state of TCP header options.
Daniel Araújo Melo, of the Brazilian Ministry of Finance's SERPRO, presented his work titled “Intrusion Detection Systems and Antivirus Data Mining”, which details the application of data mining techniques to alert data reported by antivirus software installed on user workstations.
The presentation “Current BGP Security Issues” by Danny McPherson of Arbor Networks introduced the audience to the current security problems the BGP protocol (Border Gateway Protocol) is facing. BGP is the protocol that Internet providers (ISPs) and major clients use among themselves to exchange information on the routes that allow reaching destinations throughout the Internet. BGP is a little-known but essential component for the proper operation of the Internet as we know it today.
The “DNS.Ar” system, presented by Marcela Pallero on behalf of the ArCERT team, showed how an incident response team (in this case ArCERT of Argentina) implemented a security audit system for domain name servers (DNS), which gives ArCERT tools to defend its community against potential problems at DNS level, such as open recursive servers or other configuration problems.
The final presentation of the event was made by Carlos Martínez-Cagnazzo, who made an introduction to the techniques known as “Fast Flux” or Fast Flux Networks, which are currently being used by those attempting to conduct Internet fraud in order to provide phishing pages with greater resilience against network administrators' attempts to remove them from service.
The final item on the LACSEC program was the Panel on CSIRT Creation and Management, which included the participation of members of different incident response teams from our region:
* CSIRT ANTEL - Carlos Martínez-Cagnazzo
* ArCERT - Marcela Pallero
* CERTbr - Klaus Steding-Jessen / Cristine Hoepers
* GSIRT - Alexis Rodríguez
* GSeTI USP - André Gerhard / Marta Cilento
* CSIRT Banelco - Pablo Carretino
Panel members shared their experiences on three key issues: creation of the team, including the definition of its structural model and target community; financing model (completely funded by a parent organization vs. funded by the contribution of the target community); and the experience gathered in their day-to-day operations.
At the close of the event, a special thank you was extended to the evaluation committee for the work it carried out. This evaluation committee was made up of José Miguel Parrella (Venezuela), Mónica Ábalo (Argentina), Leonardo Vidal (Uruguay), Fernando Gont (Argentina) and Cristine Hoepers (Brazil). During the closing it was also announced that elections will be held during the next few months in order to renew the position of security forum chair.