Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Conference

BruCON 2011

Comments Off on BruCON 2011 Posted by on September 16, 2011


It’s that time of year again when all the European hackers flock to Brussels to experience the best beer security Europe has to offer. BruCON is in its 3rd year now, and if the first 2 years have any say in it, I’m sure year 3 will be a blast.

I’ll be helping out a little with the lightning talks on day 2 and hopefully (if I can get time to finish start some slides), doing a quick lightening talk about as well. So many topics, so little time 😉 The organisers are still however looking for a few helping hands… so if you have an hour to help make BruCON great, head over here and put your name down! Be part of the solution!

If you’re interested in signing up for a lightening talk, head over to the BruCON site and sign-up… lots of fun to be had! There’s also a great list by @Security4all of the events going on around the conference (meet-ups parties, etc…). So make sure to check it out to get the best out of your trip.

I’ll be sticking around after the conference to attend the mobile application security testing class by Joe McCray… so if you’re around come and say hi!

Hope to see you there…

Links .:

Conference, Security ,

#FIRST2011 – Round-up

Comments Off on #FIRST2011 – Round-up Posted by on July 11, 2011

Well the 23rd Annual FIRST conference has come and gone. Despite the lateness of this blog post (it’s been a tough month), it was a great conference, and as usual the attendees where what made it special. I’ve come to realise that the networking and contacts you gain from conferences like FIRST are more important than the presentations 90% of the time, and I really tried to use that opportunity this time around.

#FIRST2011 Blog posts .:

Alongside networking and seeing the odd presentation (see blog posts above) I also had the chance to work with a friend of mine and somebody I respect greatly in this industry, Martin McKeay from the netsec podcast. We actually met for the first time back at the FIRST conference in 2009 (Kyoto, Japan) and have been friends ever since. I started my journey into security listening to his podcast (amongst others) and have him to thank at least in part for my foray into podcasting in the last year. So, it was with great pleasure (and a little bit of panic) that I agreed to help out with this years FIRST podcast. I’ve learnt a lot along the way, and even started to do face-to-face audio interviews, thanks to Martin’s coaching. So I hope you’ve enjoyed them (or will enjoy them soon).

If you’ve not already heard the podcasts, please check them out and let us know what you think! Feedback is always welcomed.

#FIRST2011 Podcasts (to date) .:

The interviews are still being released (Weekly releases are planned for each Wednesday) and will continue over the coming months, so make sure to keep an eye on the FIRST podcast page to keep up to date 😉

Hope to see you next year at FIRST in Malta!

Conference, Security, Technology , , , ,

#FIRST2011 – Funny Pharma: Inside the Web’s leading Rogue Pharmacies

3 Comments Posted by on June 14, 2011

Funny Pharma: Inside the Web’s leading Rogue Pharmacies

Brian Krebs

This talk will cover the world of rogue pharmacies through the lens of 2 of the biggest out there.

When we think of pharmacies we often think of Viagra. However there are many other types on offer, and only cover a small part of the problem.

Around 65% is some form of male enhancement drugs. The rest however, are for much more serious conditions (heart conditions, etc…).

When looking through the affiliate lists of these pharmacies, you find often that they got started in the adult entertainment industry. Because of this it’s often easy to go back in time and find out a lot of information about them. After all, they probably never thought they’d be a cyber-criminal one day. 

If Marijuana is a gateway drug, then maybe the adult industry is a gateway service!

Alongside the adult content and pharma services, many of these criminals are also deeply involved in credit card fraud and in particular Rogue AV. Because of the limited resources for processing these credit cards within the underground, you often find them linked back through Chronopay (started by Pavel Vrublevsky and Igor Gusev, who himself got his start in the Adult industry).

After Igor Gusev and Pavel Vrublevsky parted ways, Igor moved into the Pharmacy industry (Glavmed). Not to be outdone, Pavel followed suit and began a competing service. It was about this time that Glavmed was shutdown by the authorities, opening up the change for Pavel to move in and become the biggest processor for this industry.

[If you want to read more about the tangled web between Pavel Vrublevsky and Igor Gusev, there are several stories on the Krebs On Security blog that cover things in detail]

At the peak of the program they were brining in $6 million a week.

Despite Chronpay moving their internal communications to a program called Megaplan and using pseudonyms… they were still hacked again and their information exposed. Due to many of the Chronopay users forwarding their pseudonyms to their real Chronopay email addresses, they could all be linked very easily.

Organization chart from ChronoPay’s MegaPlan Intranet system –> http://krebsonsecurity.com/wp-content/uploads/2011/05/CurlyRx.jpg

The Buyers

40 years worth of buyer data to mine.

After spending 100s of hours tracking and talking to buyers. Despite the rumours, many of them were happy with what they got. It looked the same, worked the same and was a quarter of the price.

In the US, people tend to pay much more for drugs. Which is one of the drivers for this entire industry. People are just trying to survive.

Geographical Differences

In the US 65% of buyers were buying male enhancement drugs

In Europe 98% of buyers were buying male enhancement or recreational drugs. Price differences for normal drugs wasn’t that much, reducing the demand.

On the record

The DEA hasn’t found a large number of foreign sites selling controlled substances, but those that do offer them, often are scams, Boggs said. “Most are scams, or you get something different than what you order,” he said. “They offer to sell you this or that, and you might get Viagra, or you might not get anything.

This comment goes against the evidence that Brian has found. Most appeared happy, and despite worries, credit card information appears to have been hidden from affiliates and very few buyers comment on CC theft.

The Problem

The credit card processing firms are the same that are dealing with fake AV… So maybe if the payment processing dried up, the industry would as well! The banks and firms that deal with Pharma CC processing however, aren’t the kind of people to get pushed around. Take AG Bank for example… just take a look at their advert!

60% of sales can be traced back to 5 issuing banks in the US. If they would set a policy not to process payments for these known pharma companies, then it would make a huge impact on the industry.

In an interview with Igor Gusev regarding pharma, he commented the following regarding the problem .:

They need to put pressure on the card processors, which are monsters which only regulate on very negative public pressure. I think it would be a very powerful strike, and online pharma would be dead within two years if they could switch off the merchants who is somehow connected to online pharma.

Note: I’m sure this is all much more elegantly written over on Brian’s blog (linked below). These are purely notes from the live presentation. I would suggest following the Krebs on security blog, if you’re not already!

Note [16/06/2011]: I have removed some of the post due to the confusing way in which it’s written. Following the complex story live and writing in real-time was a little hit and miss. So I would suggest following the story straight on the Krebs On Security blog where it was originally documented.

Links:

Conference, Security, Technology , , , ,

#FIRST2011 – Security Challenges For Future Systems

1 Comment Posted by on June 13, 2011

Security Challenges For Future Systems

Steve Purser (ENISA)

Although a lot of things are obvious, it doesn’t mean that we’re doing them. How many people have seen a perfectly implemented intrusion detection system that rings bells all day with nobody monitoring it!

  • Effectiveness –> Doing the right thing
  • Efficiency –> Doing the thing right

These might be close to each other, but doing the wrong thing right, still doesn’t make it right! We need more effectiveness…

Who is ENISA?

The European Network & Information Security Agency (ENISA) formed in 2004

The agency supports the commission and the EU member states in the area of information security

Facilitate the exchange of information between EU institutions, the public sector and the private sector

The Trends

You have to be very careful trying to calculate future trends from historical data… especially if the data isn’t suitable. In Infosec, the data we have isn’t good enough.

Computer architectures have changed enormously in the last 20 years. From mainframe environments through to COBRA and WebServices.

These architectures are secured according to different principles

The weak point often lies in the connection between these technologies

  • De-Centralisation
  • Globalisation
    • Most IT architectures are embedded in a global environment, even if they were never designed that way
    • Users regularly switch context from intranet to Internet sessions
    • Authentication != Trust
  • Empowerment of the end user
    • More choice to the user… more freedom, at a price
    • Move towards browser based applications
    • End Users are not ready to rise to the challenge
  • Need for Speed
    • First on the market wins… security is a second thought
    • Users are beta testers
    • Products released unfinished

Scope and Requirements

An operational system is not just technology

System = Software + People + Procedures

Secure software will not always function correctly if we make unrealistic assumptions about how people behave.

The key challenge to developing secure systems is understanding and responding to the limitations of the target environment(s)

Understanding the Threats/Risks

Risk = Threat + Probability + Impact

This process isn’t a one-off… it needs to be a cyclical model, with constant review.

Functional Requirements

We can distinguish between functional and non-functional security requirements

Traditional security functional requirements are reasonably well understood

  • Confidentiality
  • Data and session integrity
  • Availability
  • Accountability
Certain requirements are more difficult
  • Which data is considered private
  • Security vs. Privacy

Non-functional Requirements

Many real-life security issues arise out or poor definition of non-functional requirements
  • Scalability
  • Operational Constraints
  • Flexibility
    • Modularity
  • Usability
If you have the best solution in the world, but it need 50 admins to keep it running… if you don’t have 50 admins, then it’s not feasible.

Software Layers

Different software layers perform different security functions
This has led to a difference between infrastructure services and application services. It’s not often that your software service performs AV checks… this is an infrastructure issue.
In the future we should strive for a closer integration. The flaws are exposed in the connection between infrastructure and application services.
The OS is the key to everything. All security relies on your OS being secure… root is king!

Evolving security models

Different IT architectures require different security models. This isn’t just about technology, but also about associates procedures.
Established architecture can’t always be modified to meet new demands. Sometimes you need to rethink the architecture to gain security.

Example:

Mainframe Architecture
We authenticate to the OS and we stay on the ‘box’
Highly Distributed Architecture
Here we need to re-authenticate
  • Relay user authentication
  • Object-to-object
  • How easy is it to implement?
  • How easy is it to manage?

New security models

As the trend towards de-centralisation continues, we will need to consider new security models
Peer-to-peer networks have no central point of control by definition. Such networks operate on the basis of distributed trust.
cloud computing puts new demands on the scalability of applications. Predicted scalability is feasible, on-demand scalability for secure applications is hard (key-management)

Some design considerations

  • Think about non-functional requirements
  • Use defense in-depth
    • Don’t rely in a single control
    • Have fallback

Methodologies

Integration of security methodologies into development methodologies is a must

Many current methodologies are essentially linear

There is the risk of not seeing the forest for the trees… what is the problem we’re trying to mitigate?

ENISAs Contributions

  • Community building
  • Policy Alignment
  • Technical Work
    • Cloud Computing
    • Secure Software Development

Conclusions

Trends in system development include increasing decentralisation, global connectivity, more empowerment of the end users and short development cycles.

The key challenge to developing secure systems is understanding and responding to the limitations of the target environment(s)

Sufficient weight should be given to non-functional security requirements

Security design should be based on architectural principles

Traditional centralised security models are being pushed to their limits – new models are emerging

End-to-end security is more important than single system security for distributed environments

Links:

Conference, Security, Technology , , , ,

Older posts

Newer posts