
June 8 • MONDAY

Chairs and Moderators Review + Town Hall
Chairs: Michael Adkins (Chairman M3AAWG, Facebook), Len Shneyder (Program Committee, M3AAWG)

All chairs and moderators for the Dublin meeting should attend as a final status check for their sessions this week.  We will also start discussion on what panels, speakers and presenters we want for the Atlanta M3AAWG meeting.

The goal of the town hall is to provide an open forum for committee chairs and others to talk about how we’re doing as an organization: what is going well and what is NOT going well. We will discuss as a group the things we want to do at a high level and how to turn our high-level plans into practical work. We will also cover current challenges facing M3AAWG as an organization and figure out strategies to address them.

What to See & Do around Dublin
Chairs: Udeme Ukutt (Mailjet)

Open to all meeting attendees and their guests: Come hear about the sights, sounds and all that Dublin has to offer. We will allow plenty of time for Q&A. Presented by the local convention and visitors bureau.

Email Authentication & DMARC
Speakers: Steven Jones (DMARC.org)

Email authentication is maturing and becoming more central to the sending and receiving of email. Regulatory and government bodies are joining industry groups in urging the adoption of email authentication – including SPF, DKIM, and now DMARC. This session will provide an overview of the technologies for those who are unfamiliar with them and then will move on to their strengths and weaknesses when used alone and in combination. It will also cover privacy concerns, recent developments in the IETF, and may introduce some implementation details for better understanding and scoping of deployment work efforts.

Securing Your Home Network, Personal Computers and Mobile Devices
Sr. Tech Advisors: April Lorenzen

This training is for the less-technical person with little knowledge about network and device security. Corporations are finding they benefit from training employees about personal devices and home network security. Good security-think starts at home with the individual's assets and grows to help prevent security missteps at work. Participants will come away with a concrete list of better security steps they can carry out at home and a fresh understanding of the significance of man-in-the-middle attacks, sinkholes and password strategies. As a group, we will investigate the pros and cons of BYOD policies, the realities of using a company device on a home network, and widespread employee security training. We aim to be fun and to enlighten non-technical people about why they should care, how the technical issues affect them and what they can do about them.

Maximizing Group Collaboration
Speakers: Michael Goldman (Facilitation First) 

This session will include at least one break, as fits the content. Picture this … you’ve been asked to lead a group discussion for purposes of getting input, brainstorming, defining best practices, building consensus or other needs. And you’re expected to get everyone to participate, come up with some recommendations and build buy-in for the results – all within one hour! Sounds easy, right? NOT. This workshop is therefore geared to train you on techniques for building quick, effective group collaboration that ultimately shapes participant buy-in. Participants will also have a chance to apply their new skills in facilitating a topic group during the Open Round Table sessions. Audience: Committee Chairs, Meeting Session Moderators or Session Leaders or anyone who needs to leverage and maximize group collaboration! This session is required for new committee chairs.

Guide Prep Meeting  
Chairs: Alyssa Nahatis, Vincent Schonau

A brief prep meeting for the Guides before the New Attendee Orientation starts. We'll discuss the goals of the guide program, and some items we hope you will discuss with your guidees. This is not just for Dublin Guides, but also for future potential Guides.

Investigating SMS Spam, Case Studies – A Regulatory Approach
Moderators: Annalivia Ford
Speakers: David Clancy (Information Commissioner’s Office United Kingdom), Peter Merrigan (Department of Internal Affairs New Zealand)

During this session I am planning to cover the following broad topics and present on how the New Zealand regulator works, with ideas and suggestions for participants to consider. All of the broad topics will be underpinned through examples of our enforcement and operational activities.

  • SMS spam in New Zealand: Current situation. Nuisance V Harm?
  • Complaint Reporting to the Regulator: “7726” - GSMA – Cloudmark SRS – analysis – patterns – trends.
  • Domestic Spam V Overseas Spam.
  • The Department of Internal Affairs - A responsive regulatory approach.
  • Legislative Approach and opportunities for International Collaboration.
  • Displacement and Disruption.
  • Internal Affairs and the New Zealand ISPs. What’s happening on my network.
  • CAD analysis.
  • An overview of past and current investigations into SMS spam in New Zealand.
  • General discussion, questions and answers.

 

Pretty Good Privacy (PGP)/GNU Privacy Guard (GPG): Just Enough Training To Make You Dangerous

Sr. Tech Advisors: Joseph St Sauver

PGP/GPG is widely used in the operational security community to protect messages all the way from their origin to their final destination, i.e., "end-to-end." The number of people who actually routinely use PGP/GPG remains small, however, largely due to its perceived complexity. This training session will give you just enough PGP/GPG skills to let you become minimally functional, while skipping esoteric options and more theoretical considerations. You will learn how to create your own keypair, obtain others' public keys, and send and receive PGP/GPG signed and encrypted messages. Suitable for Mac, PC and Unix/Linux attendees. No prior crypto instruction expected.

M³AAWG Growth and Development

Chairs: Michael Adkins

This is a kick-off meeting to streamline a more effective growth and engagement effort: How do we recruit new members? How do we get them involved once they show up?

New Attendees Orientation

Speakers: Alyssa Nahatis 
Chairs: Vincent Schonau

A brief meetup of guides before the New Attendee Orientation starts. We'll discuss the goals of the guide program, and some items we hope you will discuss with your guidees. This is not just for SF Guides, but also for future potential Guides. 

June 9 • TUESDAY

Open Roundtables

Moderators: Jordan Rosenwald (Comcast), Melinda Plemel (ReturnPath), Michael Goldman (Facilitation First), Vincent Schonau

Facilitated round table discussions, open to all M3AAWG members, where new ideas can be incubated and best practices discussed. Day 1 collects input from as many people as possible about three of the topics that interest you. Day 2 builds on the collected input from Day 1 to decide on work that can be carried forward into future content and/or investigations. Be sure to submit any ideas for Dublin ORT topics at /submissions

Chairman opening & Mary Litynski Award

Moderators: Jerry Upton (M3AAWG), Michael Adkins

Welcome by the Chairman followed by an early presentation of the 2016 Mary Litynski award. In 2010 M3AAWG and the Internet industry as a whole lost a great friend and supporter, Mary Litynski. To honor her behind-the-scenes efforts and commitment, we have created an annual award to recognize an individual who has significantly contributed to making the Internet safer for all.

Marketing BoF

Moderators: Jerry Upton (M3AAWG)
Chairs: Linda Marcus

We're looking for all marketing types, bloggers and social media troupers, with or without experience, from anywhere in the world: You’ve seen all the exceptional work that’s being done at M3AAWG and you’d like to be part of getting the word out about it. Join us to brainstorm new ideas in our new Marketing Committee. We'd like your input on new marketing ideas during the BoF and then, hopefully, your continued involvement. Please also invite any marketing, public relations or social media people in your company you think should participate. For information, contact Linda Marcus, M3AAWG public relations, at LMarcus@astra.cc and M3AAWG Executive Director Jerry Upton at jerry.upton@m3aawg.org.

 

Combatting Abuse of At-Risk Groups

Moderators: Jamie Tomasello (Access)
Speakers: James Shank (Team Cymru)

This session provides a perspective on the threats, abuse and security issues that at-risk civil society actors and users, such as activists, journalists and NGOs, are dealing with, and on how platforms and providers of social, email and mobile services are being misused by malicious actors to get to these sensitive groups. The session will explore which features and processes may be causing issues for civil society actors, and opportunities for giving feedback to these platforms and service providers so they learn how their services are used and depended upon by civil society actors.

Why DANE? - One Year of DANE - Tales and Lessons Learned

Moderators: Janet Jones (Microsoft), Alex Brotman
Speakers: Patrick Ben Koetter

The Pervasive Monitoring SIG is working to determine next steps for securing email in transit post Opportunistic TLS deployment in order to mitigate Man-in-the-Middle (MITM) attacks where possible. During this session you will hear lessons learned around DANE post deployment and understand why it is an important standard, along with some common uses for DANE, such as helping secure email and Jabber.

Into the mindset of Volatile Cedar

Moderators: Paul Ferguson (Trend Micro, Inc.)
Speakers: Irena Damsky (Check Point)

Volatile Cedar is a campaign with possible Lebanese origins that has been targeting hosting companies, telecommunications, media, defense contractors and educational institutions worldwide for over 3 years. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques. This talk will try to get into the mindset of the attackers by examining a real use case of an attacked target. We will follow the intelligence data, timelines and other evidence to try to understand what the attacker was trying to achieve and how.

 

Building Bridges with Developing Economies

Moderators: Andre Leduc, Industry Canada
Speakers: Thezi Mabuza, National Consumer Commission, South Africa, Jerry Upton, M3AA Foundation, Robert Ravi, TRAI India, Monica Josi, SAFIS, Switzerland

The Internet has linked the world in ways thought unimaginable 25 years ago. Progress is not even, though, and many economies remain burdened by spam, botnets, inadequate bandwidth and other impediments to a resilient Internet. This panel will explore the challenges faced in different economies, searching for practical solutions to deliver on the promise of a connected and robust global network.

Practical Phishing Defenses for ESPs

“No presentation for posting”
Moderators: Paul Kincaid-Smith
Speakers: Quintin Zuber (SendGrid), Patricia Golden-Andrews, Amanda Jackson, Tim Moore, Ken Simpson

As defenses against spam have grown stronger over time, sophisticated abusers have sought ever softer targets. Attackers are now focusing resources on the theft of credentials from authorized users of ESP accounts and ESP employees, and once compromised, using those accounts to send spam and launch other attacks. Successful attacks not only help the thieves circumvent reputation-based defenses against abuse, but degrade the hard-won reputation of the compromised sender. In this session, our ESP panelists will share their war stories and experiences - successful and otherwise - of their efforts to detect and disarm phishing attacks of ESP customer or employee credentials, and how they were able to recover afterwards.

The Attack of the Killer Tomatoes

Moderators: Paul Ferguson (Trend Micro, Inc.)
Speakers: Gabor Szappanos (Sophos)

The presentation will take a peek inside the development process of an active APT group using a campaign, named Rotten Tomato, that spans several months from August 2014 to March 2015. During this campaign, we were able to observe the sophisticated development of the infamous PlugX backdoor. In parallel to that, we will demystify the APT group by showing their lack of understanding of the exploits they were using to distribute the malware.

PixelVault: Securing Cryptographic Operations Using Graphics Processors

Moderators: Manos Antonakakis
Speakers: Michalis Polychronakis

Protecting the confidentiality of cryptographic keys in the event of partial or full system compromise is crucial for containing the impact of key leakage attacks. The Heartbleed vulnerability of April 2014, which allowed the remote disclosure of secret keys from HTTPS web servers, is an indicative example of such a catastrophic event. In this talk, I will present our recent work on PixelVault, a system for keeping cryptographic keys and carrying out cryptographic operations exclusively on the GPU, which allows it to protect secret keys from leakage even in the event of full system compromise. We have implemented a PixelVault-enabled version of the OpenSSL library that allows the protection of existing applications with minimal modifications. Based on the results of our evaluation, PixelVault not only provides secure key storage using commodity hardware, but also significantly speeds up the processing throughput of cryptographic operations for server applications.

Private Rights of Action Against Spammers: Adding cops to the beat

Speakers: Kelly-Anne Smith (CRTC), Betsy Broder (FTC), Aaron Foss (Nomorobo), John McHugh (Sr Mgr EMEA Investigations, Digital Crimes Unit, Microsoft)

Are private rights of action against spammers effective? Although some strongly support such measures as part of a broader set of tools to fight spam, others are indifferent, citing the unproven effectiveness in deterring spam, while still others oppose them on the grounds that government is better placed to enforce laws against spam. This panel will explore the private right of action tool as defined and/or used in their jurisdiction and discuss its benefits in the fight against spammers.

DMARC: Deployment, Recent Developments, and Domain-based Reputation

Moderators: Severin Walker (Comcast)
Speakers: Marcel Bekker (AOL), Steven Jones (DMARC.org), Ed Tucker (HMRC)

This panel will feature an update on DMARC and the growing importance of domain-based reputation, as well as implementation experiences from senders and receivers. Panel includes speakers from a UK government agency and a global mailbox provider who have successfully implemented DMARC, and the director of DMARC.org.

Security Analysis of Embedded Firmware

Moderators: Manos Antonakakis
Speakers: Davide Balzarotti

As embedded systems are more than ever present in our society, their security is becoming an increasingly important issue. However, with many recent analyses of individual firmware images, embedded systems have acquired a reputation for often being insecure. Despite these isolated examples, we still lack a global understanding of embedded systems security as well as the tools and techniques needed to support such general claims.

In this talk, we present the first public, large-scale analysis of firmware images. In our experiments we unpacked 32K firmware images into 1.7M individual files, which we then statically analyzed. We leverage this large-scale analysis to bring new insights and outline several open challenges when performing such experiments. We also show the main benefits of looking at many different devices at the same time and of linking our results with other large-scale datasets, such as the ZMap SSL collection. We discuss results that would not have been possible to achieve without such a wide-scale analysis.

In summary, without performing sophisticated static analysis, we discovered a total of 38 previously unknown vulnerabilities in over 693 firmware images. Moreover, by correlating similar files inside apparently unrelated firmware images, we were able to extend some of those vulnerabilities to over 123 different products. We also confirmed that some of these vulnerabilities altogether are affecting at least 140K devices accessible on the public Internet.

2020: SESSION MOVED TO HERBERT/PEMBROKE ROOM

THIS SESSION HAS BEEN COMBINED WITH THE ABUSE IN THE DUTCH HOSTING PROVIDER MARKET AT THE REQUEST OF THE PRESENTERS. THE COMBINED SESSION WILL BE IN THE HERBERT/PEMBROKE ROOM.

Abuse in the Dutch Hosting Provider Market AND 2020: Welcome to a Spam-Free World! How did we get here?

Speakers: Michel van Eeten, Pepijn Vissers

We present an approach to develop reputation metrics for the security of hosting providers. The existing security rankings are based on limited sources of abuse data. More importantly, they do not adequately take into account the size of hosting providers.

June 10 • WEDNESDAY

Open Roundtables

Moderators: Jordan Rosenwald (Comcast), Melinda Plemel (ReturnPath), Michael Goldman (Facilitation First), Vincent Schonau

Facilitated round table discussions, open to all M3AAWG members, where new ideas can be incubated and best practices discussed. Day 1 collects input from as many people as possible about three of the topics that interest you. Day 2 builds on the collected input from Day 1 to decide on work that can be carried forward into future content and/or investigations. Be sure to submit any ideas for Dublin ORT topics at /submissions

Keynote: The Economics of Botnet Mitigation

Speakers: Michel van Eeten

The fight against botnets has been going on for over a decade, but they still impose significant cost on society. Internet Service Providers (ISPs) have become increasingly central to the effort, as they can undertake mitigation more economically efficiently than end users. This paper evaluates the role and performance of ISPs in mitigation. We employ three datasets of infected machines and map these to ISPs in 60 countries to measure the number of infections per subscriber. We find that ISPs are indeed control points and that they differ significantly in infection rates, even when operating under the same competitive pressures. We also find that national anti-botnet initiatives have had a positive, albeit limited, impact so far. The differences in performance can partially be explained by measures that reduce the cost of mitigation, partially by institutional factors, and partially by regulatory pressure. We discuss the implications of these lessons for cybersecurity policies.

Collaboration Committee Chairs & Abuse Desk SIG Chairs BoF

Moderators: David Romerstein (Apple), Angela Knox, Sara Roper

Chairs Lunch BoF- Invite Only

BoF- When your lightbulb starts to do morse code… badness and the Internet of Things.

Moderators: Michael O'Reirdan (Comcast)

In all seriousness, let's talk about what the emerging issues are for service providers and other M3AAWG members. Although much hyped, there are and will continue to be real security problems here, and whilst some will be addressable by current techniques, we may need to take new approaches to manage the issues that surface here. This may be a kick-off for some serious work; there are definitely malware and messaging issues to be addressed.

Spamhaus Users BoF

Speakers: Spamhaus Team

Spamhaus users are invited to join Spamhaus team members at lunch for an informal discussion of our current data-sets, methods being used to prevent spam & abuse, and to go over ways in which using Spamhaus in one's environment can be improved or upgraded. There will be time for questions and feedback from attendees.

Training Committee BoF

Moderators: Annalivia Ford, Vincent Schonau, Udeme Ukutt

M3AAWG Training sessions have become an integral part of the value at our meetings. We are looking for additional participation from the M3AAWG membership to continue this momentum and ensure we are providing training on topics of interest to all M3AAWG attendees. Join us during lunch and share your thoughts and ideas.

The Russian Data Protection Law and Other EU updates

Moderators: Bill Wilson (M3AAWG)
Chairs: Dennis Dayman

A new law in Russia goes into effect September 2015 and requires data to be stored inside Russia. Plus other European Union regulatory updates.

Redirector Abuse and Remedies

Moderators: Ryan Harris
Speakers: Jeremy Abraham, Justin Frechette, James Hoddinot

ESPs and their customers rely on redirectors to provide their customers with message performance data. Recently, bad actors have identified and abused a number of redirector vulnerabilities and loopholes that permit them to piggyback onto the target ESP's sending reputation and circumvent domain and content reputation filters in order to send abusive mail. The panel will describe specific vulnerabilities identified during those attacks, how they were corrected, and methods of monitoring to identify and pre-empt new attacks.

Spam and Child Abuse Material: The connection

“Presentation not available for posting”
Speakers: Jean-Christophe Le Toquin (Socogi), Mick Moran
Chairs: Paul Vixie (Farsight Security)

The anti-spam community can play a vital role in stopping the distribution of Child Abuse Material (CAM). This workshop will give you the knowledge to deal with a CAM incident on your network, and will help you understand the impact of your actions, when dealing with an incident, on the child, law enforcement, your fellow professionals and your network.

Designing a Whitehat Platform from the Ground Up

Moderators: Paul Kincaid-Smith
Speakers: Tom Monaghan, Hubspot

Opinionated product decisions become guardrails for your customers. Senders' Committee presents a case study on the planning and build-out of an automated marketing platform from scratch, with anti-abuse requirements as a key design component. Topics to be addressed include:

  • Defining your “email religion” and sticking to it.
  • Not all marketing email is bad. Know the difference to make a difference.
  • Why training has to come first for everyone - all employees (yes, even engineers and execs) and all customers.
  • When firing customers isn't white hat -- and can be wrong for your business and for the industry.

 

Overview of The Equation Group
“Presentation not available for posting”
Moderators: Paul Ferguson (Trend Micro, Inc.)
Speakers: Costin Raiu (Kaspersky)

An overview of the Equation Group, a highly advanced secretive computer espionage group. Because of the group's predilection for strong encryption methods in their operations, the name Equation Group was chosen by Kaspersky Lab, which discovered this operation and also documented 500 malware infections by the group's tools in at least 42 countries.

Sending Email in the European Union

Moderators: Bill Wilson (M3AAWG)
Speakers: Tobias Knecht
Chairs: Dennis Dayman

Email senders who are sending to various countries in the European Union have to deal with 28 different sets of legislation and jurisdictions. Come learn more about the EU opt-in regime and the EU eCommerce and Data Protection Directives.

Quantification of Damages Best Practices Working Session

“No presentation for posting”
Moderators: Neil Schwartzman (CAUCE), Chris Boyer (M3AAWG), Rudy Brioché

A working session on developing a best practices document that quantifies the damages suffered by companies by various types of cyber-attack. There was a kick off meeting in Boston.

Lizard Squad and The Skids who Stole Christmas

“Presentation not available for posting”
Moderators: Paul Ferguson (Trend Micro, Inc.)
Speakers: Allison Nixon (Deloitte), Lance James (Deloitte)

Deloitte's Threat Intelligence group has been conducting research into attention motivated hacking groups. They have also been studying their behaviors and the culture they arise from, and performing attribution on some of the more prominent individuals. In this talk we will discuss Lizard Squad, their high profile attacks against companies and private individuals, and what this means for the future of attention motivated hacking.

Abuse Desk Tools

Moderators: Autumn Tyr-Salvia (Message Systems)
Speakers: Chuck Helstein

What are the necessary tools of the trade to set up a good abuse desk? How do you decide whether to build something internally or to look for an outside product? When do you share tools with other teams, and when does it make sense to get your own? Representatives from different types of abuse teams (sender, ISP, hosting provider) will discuss what types of tools they use, their experiences building and implementing them, and share lessons learned. Same broad subject we discussed in San Francisco, but with new speakers and new information.

SS7 Attacks and Defences – Defending the (mobile) core

“Presentation not available for posting”
Moderators: Edilberto Cajucom
Speakers: Cathal Mc Daid (AdaptiveMobile)

This talk will give an overview of recent reported techniques and attacks over the SS7 protocol, the core signalling network that controls and co-ordinates all mobile operators worldwide. This network is used by more people than the internet, but security in it is known to few. AdaptiveMobile will give an overview of how and why attacks can be executed, and ways in which they can be defended.

M³AAWG/LAP/CAUCE Omnibus Best Practices Update highlights - OPERATION SAFETY-NET

Speakers: Andre Leduc, Industry Canada
Chairs: Neil Schwartzman (CAUCE)

In October 2012, LAP and M³AAWG prepared and submitted to the OECD Consumer Protection Committee a plain language report entitled “Best Practices to Address Online and Mobile Threats.” Often referred to as the OECD Best Practices Report, it was one of the first, and best, global efforts to encourage the adoption of best practices to address a variety of online and mobile challenges. Much has changed in the three intervening years. With the input from more than 100 industry and public sector leaders, the collaborative has produced a revised version, which includes updates to the four original sections, and added discussions of VoIP fraud, Caller ID Spoofing, abuse issues at Hosting and Cloud Services Providers, and a side-bar focused on online harassment. Among the current problems we are addressing are DDoS attacks and data breaches.

June 11 • THURSDAY

Brand SIG Closed Session

Moderators: Kurt Andersen (LinkedIn), Franck Martin

This Brand SIG closed session provides an opportunity to exchange sensitive information related to the current abuse issues participants are experiencing. Typically, participants are focused on abuse rather than delivery issues. M3AAWG members who believe they meet the requirements (an employee of an end-user facing brand that is not an ISP, ESP or vendor) should submit a request to join the Brand SIG through the All Groups page on the M3AAWG members-only website or contact one of the session moderators.

Identity Management SIG Document Working Session

Sr. Tech Advisors: Joseph St Sauver

M3AAWG's Identity Management Special Interest Group has been working on a document around password management practices for providers and for end users. This session will be a final review of the draft document that has been refined over the past year before the document is submitted for publication.

Case Study - Analysis of SSL certs in the SMTP world (Yahoo)

Moderators: Janet Jones (Microsoft), Alex Brotman
Speakers: Binu Ramakrishnan

There has been a push for email providers to implement STARTTLS for MTA transport security over the last few years, but TLS in SMTP is not used the same way as in HTTPS. Self-signed and expired SSL certificates are not uncommon with SMTP. Recently, we scanned over 1 million domains to analyze SSL certificates and determine STARTTLS maturity in the SMTP world. In this session we will share some of our findings on 1) STARTTLS maturity level - domains that support STARTTLS (and not), 2) Domains with self-signed SSL certificates, expired certificates and CA-issued certificates, 3) Domains with 3rd party hosting (ex. Google, Yahoo, etc.), 4) Certificate specifics - CN, SAN, certificate chain validations, negotiated ciphers and key length, and other metrics of interest. This session is in support of the Pervasive Monitoring SIG efforts to improve MTA to MTA transport security and will provide a good baseline in terms of STARTTLS and SSL certificates used in SMTP.

VBA Revived! 

Moderators: Paul Ferguson (Trend Micro, Inc.)
Speakers: Graham Chantry (Sophos)

Back in the 1990s, VBA (Visual Basic for Applications) was a serious player in the malware game in the form of viruses, such as the infamous Melissa virus. Fast-forward to 2013, and macro malware could be considered practically extinct. In recent months, however, VBA has been re-vitalised as the perfect method of delivering malware to endpoint systems. In this talk we will analyse the reasons behind this sudden re-emergence, look at which malware families are utilizing it (such as Dridex), and discuss what measures the AV industry is taking to prevent it.

Hosting SIG

Moderators: Justin Lane (Bluehost), Matthew Stith (Rackspace)

This is an open session for the Hosting SIG. We will be looking at what area we should focus on next in order to keep producing material that will continue moving our mission forward.

The Enduring Challenge of Traffic Analysis

Moderators: Janet Jones (Microsoft), Alex Brotman
Sr. Tech Advisors: Joseph St Sauver

M3AAWG member companies have made huge strides when it comes to improving customer privacy through the use of encryption. For example, over 80% of the email that is emitted from Google is now encrypted, as shown on their Safer Email page. However, to date the M3AAWG community has largely ignored traffic analysis and bulk collection of metadata. When it comes to email or voice traffic, traffic analysis is the analysis of message source and destination, message frequency, message duration, and every other message characteristic *except* for consideration of the message body itself (and the content of the message subject header). Traffic analysis may not sound particularly powerful, but in fact, traffic analysis can be hugely revealing. This talk will describe the traffic analysis problem, explain its importance, and suggest a scalable and easily implemented means by which ISPs can protect customers' email and voice traffic from bulk collection of metadata and traffic analytic attacks.

Public Policy Working Session 
Moderators: Jerry Upton (M3AAWG)

Lansdowne (middle room). Public Policy Committee’s updates on North American regulatory items, the PPC Roadmap, and other items.

Technical Chairs BoF

Moderators: Paul Ferguson (Trend Micro, Inc.)

Technical Chairs BoF- Invite Only

Data Sharing: What to do, What not to do

“No presentation for posting”
Moderators: Kelly Molloy
Speakers: Don Owens (Cisco/Spamcop), Tom Bartel (Threatwave), Elizabeth Zwickey (Yahoo!), TR Shaw from SURBL

Data sharing is a hot topic these days, whether it's FBLs or spamtrap data or reputation data. What are some benefits of data sharing? What are the pitfalls? What kind of data should be shared? What should not be shared? How can you make the best use of shared data? These questions will be answered by a panel of experts with diverse experiences in sharing many different kinds of anti-abuse data.

RIPE NCC & Community: An introduction to their Place in the Anti-Abuse World

Moderators: Angela Knox, Sara Roper
Speakers: Ivo Dijkhuis, Mirjam Kuehne, Brian Nisbet

The RIPE NCC is the Regional Internet Registry for Europe, the Middle East and parts of Central Asia. The RIPE Community is the wider, open forum whose members form working groups to ensure the administrative and technical coordination necessary to enable the operation of the Internet. Both of these groups are tightly bound up with fighting network & services abuse. This talk will outline current activities undertaken by both the NCC and the wider RIPE Community, including interactions with law enforcement; the present and future for abuse-c; tools such as RIPE Stat and the RIPE Atlas network; and how RIPE Policy is formed and how you can be involved.

Mirjam Kuehne is the RIPE Labs Community Builder at the RIPE NCC. Her colleague Ivo Dijkhuis is the Information Security Officer. Brian Nisbet is the Co-Chair of the RIPE Anti-Abuse Working Group.

Evolution of Customer Security Event Management

Speakers: Matthew Moleski (Comcast)
Chairs: Richard Harman (TWC)

This session revisits our look at the evolution of the abuse desk from its former guise and through the growth and availability of big data and the expansion of roles and responsibilities of this area to include fraud, identity and risk management in general. A look at where we are now and where we might be headed in the future.

Code Injection and Reuse Payloads in Memory Error Exploits

Moderators: Manos Antonakakis
Speakers: Kevin Z. Snow

Today's most widely exploited applications are the web browsers and document readers we use every day. The immediate goal of these attacks is to compromise target systems by executing a snippet of malicious code in the context of the exploited application. Technical tactics used to achieve this can be classified as either code injection — wherein malicious instructions are directly injected into the vulnerable program — or code reuse, where bits of existing program code are pieced together to form malicious logic. In this talk, we present a new code reuse strategy that bypasses existing and up-and-coming mitigations, as well as methods for detecting attacks by identifying the presence of code injection or reuse payloads.

More specifically, our new code reuse strategy, dubbed just-in-time exploitation, exposes the limitations of contemporary fine-grained address space layout randomization as well as all other widely deployed mitigations. In doing so, we motivate the need for detection of such exploits rather than solely relying on prevention. To address that need, we also discuss two new techniques for detecting attacks by identifying the presence of a payload. Code reuse payloads are identified by first taking a memory snapshot of the target application, then statically profiling the memory for chains of code pointers that reuse code to implement malicious logic. Code injection payloads, on the other hand, are identified with runtime heuristics that leverage hardware virtualization for efficient sandboxed execution of all buffers in memory. We close with ideas for future work.

Peeking behind the curtains of the Malvertising problem

Speakers: James Pledger

Malvertising has become an increasingly pervasive threat to consumers over the last decade. Since many large web properties rely on advertising for a significant amount of their income, threats to this ecosystem have a significant impact not only on the web properties themselves, but also on the advertisers.

This talk will give incident responders and analysts an overview of the advertising ecosystem, focusing on the different components that attackers focus on. We will go over the different components of the advertising ecosystem and how they interact with each other, such as demand side platforms, supply side platforms, ad networks as well as exchanges. This portion will be interactive, so bring your questions. After this, we will go into real world threat types that are seen on a regular basis. Time permitting, we will go into a few examples of malvertising that we have seen in the wild over the last 90 days.

Statistically Modeling APT attacks, from the perspective of a practitioner

Moderators: Manos Antonakakis
Speakers: Jeremy Demar

The dangers posed by advanced persistent threats (APT) are well known to the security community, but nearly all of the work to detect and analyze them has been fully manual, and largely done by industry. As APTs become more of a concern, we must move beyond manual detection efforts.

This talk will focus on three hard problems: (1) how can we forensically reason about APT events, (2) how can we efficiently mine, detect and model such APT attacks using vast datasets, and finally (3) what is the role of a modern threat analyst in the effort to statistically model such APT attacks. Instead of mathematical terms and models, we will use practical examples of real APT threats (and various data points that describe them) to argue about these three points. We aim to conclude this talk by summarizing the most common pitfalls we saw in practice when we tried to model APT threats.

BCP discussion about NSP/ISP filtering of destination port 1900 SSDP and other ports

Chairs: Sara Roper

SSDP (Simple Service Discovery Protocol) is the discovery protocol of UPnP (Universal Plug and Play), intended for use in residential and SOHO LAN networks. Many common HSI/Cable devices have allowed this protocol on the WAN level as well. In a perfect world, the modems would have this protocol disabled or filtered; however, the reality is that the incredible volume of modem manufacturers, types, versions, and ability for an ISP to remotely manage these devices makes disabling SSDP on the Internet cost, time, and resource prohibitive. So, in order to reduce the impact of reflective DDoS attacks due to this vulnerability, NSPs and ISPs should consider filtering or limiting destination port 1900, and possibly limiting source port 1900 based on packet size. Much like M3AAWG supports port 25 filtering, supporting port 1900 filtering or limiting can be an effective anti-abuse strategy for NSPs and ISPs. This session will discuss the creation of a possible BCP to support this strategy.

Tales from a Spamtrap Collection

Moderators: Paul Kincaid-Smith
Speakers: Atro Tossavainen

Come learn about mail flowing to hundreds of thousands or millions of spam traps. What categories of mail hit these traps? What are the trends? How do spammers evade major public blocklists and spam filters? What practical steps can responsible ESPs and mailbox providers take to detect and limit spam? Atro Tossavainen shares insights of a long-time spam trap operator.

Chairman's Closing

Moderators: Jerry Upton (M3AAWG), Michael Adkins

Meeting closing with Committee highlights and a brief set of important announcements from the M3AAWG Chairman and Executive Director.