Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

21st FIRST Conference – Day 5

Today is the last day of the conference. It’s been great so far, but it’s not over yet 😉

Security and the younger generation – Ray Stanton

This is the first time in history that many countries have 4 generations of people working alongside each other.

Who are the younger generation?

  • Language
  • Culture
  • Demands
  • Speed of learning
  • Expectations
  • Pushing the boundaries

Generation Y refers to the group of people born between 1982 and 2000. The majority of Gen Y have spent a significant amount of time leading an online lifestyle.

Gen Y statistics (Junco and Mastrodicasa Study 2007)

  • 97% own a computer
  • 94% own a mobile
  • 76% use Instant Messenger (15% logged in 24/7)
  • 34% use websites as their primary source of news
  • 28% author a blog and 44% read blogs
  • 49% download music using peer-to-peer file sharing
  • 75% of college students have a Facebook account
  • 60% own some type of portable music and/or video device such as an iPod

Companies must make their security policies relevant to Gen Y. Language that is easily understood and interpreted by Gen X is interpreted differently by the newer generation.

Gen X are fast at adopting new technologies (they are also the largest group); however, Gen Y are the ones that push the boundaries and innovate.

Find ways to make it work

  • Moodles – styles of education
  • Listen
  • Engage
  • Never, ever, say No! They will just go around you
  • Participate
  • Embrace

10:15 Conficker Research project – Aaron Kaplan (CERT.AT)

The guys from CERT.at gave a nice geographical representation of Conficker infection rates using a Google Earth overlay.

By looking at the scale of infections over time it was possible to create an animation showing the clean-up process in various countries around the world. Top of the list of infections were China, Brazil and Russia.

11.00 Show me the evil: A graphical look at online crime – Dave Deitrich (Team Cymru)

Bad neighbourhoods (most infected systems) – China, the US, Germany and Brazil are top. However, these are also the locations with the largest number of online users. When looked at as a percentage of online users, these countries are way down the list.

Charts of infections by IP range and statistical information are available on Team Cymru’s website.

Concentration of botnet controllers in more developed regions – US, Germany, Korea.

When tracking bot activity (Conficker), the number of bots reporting in dips on a Sunday due to systems in companies being powered off. The times at which systems reported in also supported this assumption, as most bots were reporting in within working hours (depending on the region of the bot).

DDoS tracking showed that targets in the US and Europe were most popular. However, everybody is affected, as service providers spread the cost of DDoS protection across all of their customers.

Lack of data collection in areas such as Africa is a problem when forming statistics. If more data were available then a more complete picture could be put together.

11:30 Internet Analysis System (IAS): Module of the German IT Early Warning System – Martin Bierwirth/Andre Vorbach

Designed as part of a project to protect critical infrastructure. Passive sensors are located at partner sites and provide information (filtered and anonymised) on network traffic. These partners are mostly in government networks, but sensors are also installed in other partner networks.

Every five minutes a sensor transmits about 560kb of data.

IAS data privacy

  • Does not monitor data with personal reference
  • Does not reassemble TCP flows
  • Independent of IDS systems
  • Discards the context of a packet after updating its counter

Manual research on the data is done through a program developed in co-ordination with German universities. Tracking the GET requests in outbound HTTP traffic allowed BSI to check the user-agent strings and confirm whether users are running insecure versions of software like Firefox. Charting showed versions from 1.0 through to the latest (at the time of the data) 3.0x version.

IAS provides the data needed to ask the right questions. By using profiling it is possible to automatically identify traffic patterns that are outside the norm for the network.

Example: a spike in DNS traffic across 3 separate networks. Looking at the traffic, it appeared to be a large number of spoofed DNS requests for the “.” (root) record; the source IP addresses were spoofed. It was discovered that the 3 networks were being used as reflectors in a DDoS attack. By tracking across multiple partners it is easier to see when attacks are actually targeted: when monitoring only government networks it is easy to assume that every attack is a targeted one.

Aggregated data extends the perspective of individual networks.
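The reflection example above, worked through as an added illustration (not code from the IAS project or the talk): a baseline of root (“.”) queries is built per partner network from the quiet 5-minute buckets, a bucket that exceeds it is flagged, and spikes that appear on several networks at once are separated from a spike seen on a single network. The record shape, the sample data and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed query records, not IAS data: (network, 5-minute bucket, source IP, qname).
# Buckets 0-2 are quiet on every network; in bucket 3 nets A, B and C each receive a
# burst of root (".") queries from many distinct, spoofed-looking sources. Net D is quiet.
SAMPLE = []
for net in ("A", "B", "C"):
    for bucket in range(3):
        SAMPLE += [(net, bucket, f"10.{bucket}.0.{i}", "example.org.") for i in range(5)]
        SAMPLE += [(net, bucket, f"10.{bucket}.1.{i}", ".") for i in range(2)]
    SAMPLE += [(net, 3, f"198.51.100.{i}", ".") for i in range(40)]
    SAMPLE += [(net, 3, f"10.3.0.{i}", "example.org.") for i in range(5)]
for bucket in range(4):
    SAMPLE += [("D", bucket, f"10.{bucket}.2.{i}", "example.org.") for i in range(5)]


def root_query_counts(records):
    """Per (network, bucket): number of root queries and the distinct sources sending them."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for net, bucket, src, qname in records:
        if qname == ".":
            counts[(net, bucket)] += 1
            sources[(net, bucket)].add(src)
    return counts, sources


def find_spikes(records, baseline_buckets=3, factor=5.0, min_count=20):
    """Flag (network, bucket) pairs whose root-query count is at least min_count and
    more than factor times that network's mean over the first baseline_buckets buckets.
    Returns {(network, bucket): (query_count, distinct_source_count)}."""
    counts, sources = root_query_counts(records)
    spikes = {}
    for net in {n for n, _ in counts}:
        mean = sum(counts.get((net, b), 0) for b in range(baseline_buckets)) / baseline_buckets
        for bucket in {b for n, b in counts if n == net and b >= baseline_buckets}:
            c = counts[(net, bucket)]
            if c >= min_count and c > factor * mean:
                spikes[(net, bucket)] = (c, len(sources[(net, bucket)]))
    return spikes


def coordinated_buckets(spikes, min_networks=2):
    """Buckets in which at least min_networks partner networks spiked at once: a spike
    on one network looks targeted, the same spike on several looks like reflection."""
    per_bucket = defaultdict(set)
    for net, bucket in spikes:
        per_bucket[bucket].add(net)
    return {b: sorted(n) for b, n in per_bucket.items() if len(n) >= min_networks}
```

A high distinct-source count next to the query count is the second hint from the talk: spoofed sources rarely repeat.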

Prospects: deploy more sensors, automatic correlation of data.

13:30 New Developments on Brazilian Phishing Malware – Jacomo Piccolini

Changes from 2008 to 2009

Malware levels have remained about the same: 30-40,000 unique samples per year. Although the amount has remained constant, the quality has increased. Less use of Delphi and Visual Basic; a move towards Java / C++.

Targeted attacks are rare. Most attacks spread through spam email giving links to users (themed attacks).

Many malware samples use simple attacks that alter the local hosts file to redirect victims to phishing sites (password stealing, etc…). This is not rocket science: keep it simple. Most examples concentrate on adding hosts entries for Brazilian banks.

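A defender-side check for the hosts-file trick described above, added here as an illustration (not a tool from the talk): parse the hosts file and report any entry that pins a watched banking domain to an address, since those names should only ever be resolved through real DNS. The sample file and the watch list are constructed for the example.

```python
import ipaddress

# Constructed hosts file content, not a sample from the talk. The last two lines are the
# kind of entry the malware adds: bank hostnames pinned to an address the attacker controls.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        intranet.example.local   # legitimate internal override
203.0.113.7     www.examplebank.com.br examplebank.com.br
203.0.113.7     internetbanking.example.com.br
"""

# Hypothetical watch list: domains a user should only ever reach via real DNS.
WATCHED_DOMAINS = ("examplebank.com.br", "example.com.br")


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower().rstrip(".")


def in_watch_list(name, watched=WATCHED_DOMAINS):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (address, hostname, reason) for entries that pin a watched domain to any
    address, or whose address does not parse. Ordinary localhost entries are ignored."""
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if in_watch_list(name, watched):
            findings.append((addr, name, "watched domain pinned in hosts file"))
    return findings
```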
Attacks against government information systems using malware. Access to the Brazilian database gives you access to all information on a citizen (car registration, job information, income, tax information, travel permits, visas, family ties, personal information, arrest history, picture, gun permit information, signature, etc…). The malware uses a simple overlay to steal a user’s logon. These logons were on sale on the streets of Sao Paulo, Brazil for $1000.

This information was covered in the media in Brazil. I can’t find the footage in English, however the original is available on YouTube.

Newer malware is used to install a BHO (Browser Helper Object). This then routes all your traffic through a single proxy when the traffic meets specific criteria (in most cases access to bank websites). The proxy then redirects to another phishing server to steal the credentials. When this malware was run through VirusTotal, no AV vendor detected it.

Stronger focus on malware that blocks access to documents, pictures and a range of other files. The machine then warns the user to use a specific AV product to clean the system. For $10 you can then buy the (scam) AV product to regain access to your files: low-cost extortion. The malware blocks the files through a “GetActiveWindow” call that blocks the applications; all files are still present. If you copy the files off to another machine then they are all available again.

DNS cache poisoning is also still an issue. On 11th April 2009 one of the biggest banks in Brazil suffered a DNS poisoning that redirected traffic to a phishing site. This issue was resolved in 7 hours (it was on a Sunday).

Brazilian Initiatives

Defensive Line website (www.linhadefensiva.org) –> community blog that deals with end-user infections. Acts as a CSIRT (ARIS-LD) and also provides an anti-malware tool (bankerfix). This team is looking for assistance in developing their new software solution. Please check the website if you can assist them.

Malware Patrol (www.malwarepatrol.net) –> provides blocking lists for many applications (MTA, proxy, DNS…). These are updated hourly and made available for any purpose. Some files tracked by Andre are still online after 4 years of tracking.

Federal Police: Operation Trilha –> 691 law enforcement agents, 139 arrest warrants, 136 search warrants, 12 Brazilian states (28 cities); in addition to the arrests in Brazil, 1 arrest was made in the US.

Malware is an alternative source of income and for some “just a job” – a social issue.

My take from this presentation is that the Brazilian malware economy is very internally focused: Brazilians specifically targeting other Brazilians, and Brazilian banks in particular. This is something to watch in the future, however, as the malware authors become more proficient they are beginning to branch out into other markets.

Overall the FIRST conference was a great experience and gave me a different perspective than my normal conferences (mostly hacker-style cons like CCC, Blackhat, etc…). The fact it was in Japan just adds to the overall effect of course. I wish I had more time to look around and really take in the culture. Hopefully I can arrange some time next year to make a long tour of Japan with my lovely girlfriend. I’m accepting donations 😉 Here’s to next year’s FIRST conference in Miami.
