Higher Education Copyright and Bandwidth Practices
Elliot Kendall (Brandeis University)

In November, I ran a survey of policies and practices for copyright/DMCA issues and bandwidth management in the higher education community. The results I published didn’t include much analysis in order to avoid political fallout, but the data can teach us a lot about what is and is not effective and how reality differs from the story that often appears in the media.

Slides from the presentation

Automated DMCA Complaint Processing
Joel Rosenblatt (Columbia University)

When processing DMCA takedown notices got to the point of taking up one FTE, we decided it was time to automate. We have developed a fully automated process, from intake of the complaint email, validating the complaint, converting IP/time to MAC address, ticket generation, capture and verification of the student, the copyright quiz and, finally, a report to the appropriate dean.

I got my FTE back and we have discovered some very interesting things about the timestamps that are sent with the notices.
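The IP/time-to-MAC step of the pipeline described above depends on getting time zones right, which is where notice timestamps cause trouble. Here is an added Python example (not Columbia's code) that correlates a notice's IP and timestamp against DHCP server syslog; the campus time zone, the dhcpd log lines and the notice timestamps are constructed, and a notice without an explicit UTC offset is rejected rather than guessed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed time zone of the DHCP server's syslog (constructed: US Eastern standard time).
CAMPUS_TZ = timezone(timedelta(hours=-5))

# Constructed dhcpd syslog lines. Syslog omits both the year and the zone,
# so the caller supplies the year and CAMPUS_TZ supplies the offset.
DHCP_LOG = """\
Nov  5 17:30:02 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:33:44:55 via eth0
Nov  5 17:45:11 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:aa:bb:cc:dd:ee via eth0
Nov  5 17:46:00 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:de:ad:be:ef:00 via eth0
"""

ACK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})"
)

def parse_notice_time(stamp):
    """Parse the complaint's ISO 8601 timestamp and normalise it to UTC.
    A timestamp with no UTC offset is ambiguous, so refuse to correlate on it."""
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        raise ValueError("notice timestamp has no UTC offset; cannot correlate")
    return ts.astimezone(timezone.utc)

def parse_acks(log, year):
    """Return (utc_time, ip, mac) for every DHCPACK line in the syslog text."""
    acks = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        local = local.replace(tzinfo=CAMPUS_TZ)
        acks.append((local.astimezone(timezone.utc), m.group(2), m.group(3)))
    return acks

def mac_for(ip, stamp, acks):
    """MAC that held `ip` at the notice time: the newest DHCPACK for that IP
    at or before the notice, or None if the IP was not leased by then."""
    when = parse_notice_time(stamp)
    candidates = [(t, mac) for t, ack_ip, mac in acks if ack_ip == ip and t <= when]
    if not candidates:
        return None
    return max(candidates)[1]
```

Because the two ACKs for 10.20.30.40 are fifteen minutes apart, a notice whose offset is misread by even one hour would be attributed to the wrong student, which is why the code insists on an explicit offset.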

Slides from this presentation

Security Breach Notification Laws
Ron Weikers, Esq. (Weikers & Co. | Software-Law.com)

Ron Weikers will discuss the new Massachusetts data security breach notification law, as well as other state data security breach notification laws. He will also discuss a recent legal trend that tends to establish a duty of care by companies that handle personal data.

Slides from the presentation:
State Security Breach Notification Laws 2007 (Word Document)
Mass Security Breach Law (PDF File)

Computer Intrusion and Cyber Crime Investigations
Jim Burrell (Federal Bureau of Investigation)

This session will provide an overview of criminal and terrorist exploitation of technology, investigative and forensic response, technical and investigative challenges, and investigative coordination between academic institutions and law enforcement. The recent trends and results of the FBI Computer Crime Survey will be discussed. This session will also include recent FBI investigative case presentations.

Slides from this presentation are not yet available. The video that was shown during the presentation is available directly from CNN here.

Web Application Attack Vectors
Sherri Davidoff (Intelguardians)

Web application development in the university environment is often very decentralized. Some applications are designed by central IT staff, but more often than not, students and research groups set up their own web applications, to suit their individual needs. Developers (and sometimes university security staff) often do not realize that flaws in their web applications can be leveraged to launch effective attacks against other university internal applications and systems.

In this talk, we will review a couple of common web application attack vectors, such as Cross-Site Scripting (XSS) and SQL injection, and discuss in detail how they can be used to execute increasingly sophisticated attacks. We will begin with very simple attacks that illustrate the principles, and then move on to show how XSS and/or SQL injection can be used to run commands on the host system, enumerate browser history, exploit administrative applications, port scan other systems on the network, and more.

We will pay special attention to Web 2.0 technology, defining the term and technologies such as AJAX, and discussing the ways in which Web 2.0 heightens web application security issues.

This talk will provide university security staff with a better understanding of how vulnerabilities in individual web applications threaten the security of the entire network infrastructure.

Slides from the presentation

DIY Web Application Assessments
Phil Rodrigues (NET2S)

Are you concerned about the security of your organization’s web applications? Was your yearly budget exhausted hiring an external firm to perform just one vulnerability assessment? Don’t want to pay the five-figure price tag for an automated web application scanner? Don’t Panic! This talk will describe easy ways to test web applications for the most common security vulnerabilities using free or open-source tools (or none at all). I will also cover common industry testing methodologies and various ways that other organizations integrate security testing into their software development and acquisition life-cycles.

Slides: Phil has requested that anyone interested in having a copy of his slides contact him directly. To help Phil avoid spam, I have encoded his email in ROT-13 format, so after you decode it, you can email him at cuvy.ebqevthrf [ng] tznvy.pbz.

PCI and Departmental Security Review
Randy Marchany (Virginia Tech)

VA Tech started doing Payment Card Industry (PCI) self-assessments of University departments that handle credit card transactions. These PCI self-assessments are being done in anticipation of a full, official PCI audit of the University. This talk describes the process and tools used to perform these “audits”. Examples of modified PCI assessment questionnaires and other documents will be shown.

Slides from the presentation

Building Security Standards
Daniel Adinolfi (Cornell University) and Brian Smith Sweeney (New York University)

Daniel Adinolfi and Brian Smith Sweeney were kind enough to provide us with a replacement presentation which they just happened to have. We were very appreciative of this last minute addition to our program.

Slides from this presentation