Tuesday’s sessions commenced with a look at rogue pharmacy sites by Brian Krebs, well known for his column Krebs On Security. He explored the history of some of the major players in this black-market industry, including some of the other industries in which some of them have been involved. He then went on to explore what efforts law enforcement is taking to track and take action against these gangs, the steps that have been taken to prevent people from purchasing from them, and the futility of attempting to influence some of the less well respected banking institutions when it comes to the question of who they permit as customers and what questions they ask. One surprising observation was that these sellers often had very high quality customer service, and were at least as likely as more reputable vendors to take steps to deal with missing goods or incorrect shipments.
The second session of the morning was given by John Stewart, Chief Security Officer of Cisco, a frequent presenter at FIRST conferences. His interesting and entertaining presentation looked at incidents of the past, and tried to explore the question of whether we are winning the fight against those who wish to cause disruption and harm.
After lunch, we were again given a choice of presentation tracks to follow and again we made the conscious decision to separate and focus on two different areas.
In one stream, we were presented first with a talk from ECSC (an educational security research team) in Korea examining their process of collating data from a wide variety of sensors based in different universities across Korea. Their concept had a lot of interesting features, and their deployment across separate networks is something that could be explored either at a cross-university level or within a single university. One thing the speakers were not sure of (because of the way the system was devised) was to what extent collaboration has allowed rules to be created that would not have been possible at a single site. Of course, within the UK any system collecting data centrally like this is liable to require careful thought from a legal perspective.
Second to come to the stage was a hastily prepared talk from the US-based ICS-CERT; the speaker was standing in at the last minute after a presenter became unavailable. Nonetheless the talk gave a fascinating insight into the world of industrial computer systems, reminding us that the vast majority of these were designed on the assumption that they would never be connected to anything but an isolated network, but despite this almost always are. The vast majority of these systems are still developed using practices that were dropped more than 10 years ago in other sectors because of the risks they pose. It was also pointed out that the challenges in patching many industrial systems should not be underestimated.
Finally within this track, we had a talk looking at the risks of the “extended enterprise”. This was not a term with which we were previously familiar, but it turns out to encompass the wide variety of people with whom an organisation has some form of business relationship that might involve transmitting data to or from them. This can include business partners, auditors, legal advisors and the ever-present customer.
Within the other streams, one of the talks was again by a Cisco employee, Patrick Gray, who comes from a background in law enforcement with the police and the FBI. As with the morning’s talks this wasn’t overly technical in nature, concentrating on the human threats to organisations and stressing the need for constant user education in order to create a “human firewall”. Social networks are increasingly used both by businesses and individuals, although a show of hands revealed a substantial proportion of the audience have yet to join any of Facebook, YouTube or Twitter. Many Facebook users are far too keen to friend anyone who asks: he cited a study which revealed that 46% of randomly selected users were willing to grant full access to their profile to a plastic duck and to a cat. The information gathered can be invaluable in social engineering attacks: he cited a case of a senior banker being stalked by criminals who, having found her high school yearbook, picked a classmate without a Facebook account and created a fake presence; a friend request was duly accepted and subsequently they invited her to identify further classmates in a photo. The only thing was, clicking on it resulted in a malware infection and a vector into the bank’s network. Targeted intrusions are far too common and not limited only to major corporations: he cited several pages of examples from the public and private sectors, all from the past two weeks.
A representative of JPCERT spoke about their Cyber Clean Center Project, started in 2005 with the aim of reducing the number of infected broadband users within Japan. Using honeypots to identify infected systems, and with the co-operation of Japanese ISPs, users were contacted, informed of the infections, and invited to download custom software for disinfection. Initially this saw a relatively low success rate, but with improved publicity and education, things improved. Nevertheless there were doubts as to the overall effectiveness of such an approach – similar tactics can be (and indeed are) used by scammers to persuade users to install malicious software. Additionally there were some instances of the disinfection tool rendering systems completely inoperable, to the dissatisfaction of the users.
On a different track was a talk on preparations for the 2010 Winter Olympics in Vancouver, with the aim of minimising the risks of physical or information security breaches. This required a huge amount of planning over many months, co-operation among a large number of authorities and organisations across Canada, and several exercises staging multiple attack scenarios. The event passed off without major incident: a few targeted emails, standard malware such as Conficker and ZeuS, and an instance of criminals taking advantage of a fatal accident in training to attract people into viewing video of the incident, actually serving malware in the form of a fake video codec. The lessons learned are being carried forward for those planning for the London Olympics next year.
Rounding off the presentations was a special session on the response from security teams to the Japanese earthquake, tsunami and subsequent radiation leaks in March. After a moment’s silence in respect of the many victims, the speakers, mostly based in the Tokyo area, each had their own tales from the day itself, in the face of disrupted transportation and communications. In the following days, initially there was little specifically for CSIRTs to do: the immediate priority was business continuity and restoring communications as far as possible. Many organisations were forced to use unorthodox methods for a time – institutional bans on sites such as GMail and Facebook can suddenly backfire when the usual channels are down, while remote access channels suddenly became essential. Inevitably various rumours, hoaxes and scams were observed in the following days and weeks, and considerable effort was expended in protecting those affected or genuinely trying to offer assistance. It was acknowledged that sooner or later there will be other disasters on a similar scale or worse, and, while no-one can prepare totally for such incidents, much more can be done to increase readiness.
Official events for the day were wrapped up with an opportunity to speak to exhibiting vendors over drinks. These ranged from large organisations such as BT and RSA to niche players offering specialist products: we were particularly interested in speaking to a couple offering malware analysis systems operating along similar lines to our own malware analysis system currently under development.