2011 FIRST Conference: Tuesday

Tuesday’s sessions commenced with a look at rogue pharmacy sites by Brian Krebs, well known for his column Krebs On Security. He explored the history of some of the major players in this black-market industry, including some of the other industries in which some of them have been involved. He then went on to explore the efforts being made by law enforcement to track and take action against these gangs, and the steps that have been taken to prevent people from purchasing from them, including the futility of attempting to influence some of the less well respected banking institutions when it comes to the question of whom they permit as customers and what questions they ask. One surprising observation was that these sellers often had very high quality customer service, and were at least as likely to take steps to deal with missing goods or incorrect shipments as more reputable vendors.

The second session of the morning was given by John Stewart, Chief Security Officer of Cisco, a frequent presenter at FIRST conferences. His interesting and entertaining presentation looked at incidents of the past and explored the question of whether we are winning in the fight against those who wish to cause disruption and harm.

After lunch, we were again given a choice of presentation tracks to follow and again we made the conscious decision to separate and focus on two different areas.

In one stream, we were presented first with a talk from ECSC (an educational security research team) in Korea examining their process of collating data from a wide variety of sensors based in different universities across Korea. Their concept had a lot of interesting features, and their deployment across separate networks is something that could be explored both at a cross-university level and within a single university. One thing the speakers were not sure of (because of the way the system was devised) was to what extent the collaboration has allowed rules to be created that would not have been possible at a single site. Of course, within the UK any system collecting data centrally like this is liable to require careful thought from a legal perspective.

Second to the stage was a hastily prepared talk from the US-based ICS-CERT; the speaker was standing in at the last minute after the scheduled presenter became unavailable. Nonetheless the talk gave a fascinating insight into the world of industrial control systems, reminding us that the vast majority of these were designed on the assumption that they would never be connected to anything but an isolated network, but despite this almost always are. The vast majority of these systems are still developed using practices that were dropped more than ten years ago in other sectors because of the risks they pose. It was also pointed out that the challenges in patching many industrial systems should not be underestimated.

Finally within this track, we had a talk looking at the risks of the “extended enterprise”. This was not a term with which we were previously familiar, but it turns out to encompass the wide variety of people with whom an organisation has some form of business relationship that might involve transmitting data to or from them. This can include business partners, auditors, legal advisors and the ever-present customer.

Would you share your personal information with this person?

Within the other streams, one of the talks was again by a Cisco employee, Patrick Gray, who comes from a background in law enforcement with the police and the FBI. As with the morning’s talks this wasn’t overly technical in nature, concentrating on the human threats to organisations and stressing the need for constant user education in order to create a “human firewall”. Social networks are increasingly used both by businesses and individuals, although a show of hands revealed that a substantial proportion of the audience had yet to join any of Facebook, YouTube or Twitter. Many Facebook users are far too keen to friend anyone who asks: he cited a study which revealed that 46% of randomly-selected users were willing to grant full access to their profile to a plastic duck and to a cat. The information gathered can be invaluable in social engineering attacks. He cited a case of a senior banker being stalked by criminals who, having found her high school yearbook, picked a classmate without a Facebook account and created a fake presence for that person; a friend request was duly accepted and subsequently they invited her to identify further classmates in a photo. Clicking on it resulted in a malware infection and a vector into the bank’s network. Targeted intrusions are far too common and not limited to major corporations: he cited several pages of examples from the public and private sectors, all from the past two weeks.

A representative of JPCERT spoke about their Cyber Clean Center Project, started in 2005 with the aim of reducing the number of infected broadband users within Japan.  Using honeypots to identify infected systems, and with the co-operation of Japanese ISPs, users were contacted informing them of the infections, inviting them to download custom software for disinfection.  Initially this saw a relatively low success rate, but with improved publicity and education, things improved.  Nevertheless there were doubts as to the overall effectiveness of such an approach – similar tactics can be (and indeed are) used by scammers to persuade users to install malicious software.  Additionally there were some instances of the disinfection tool rendering systems completely inoperable, to the dissatisfaction of the users.

On a different track was a talk on preparations for the 2010 Winter Olympics in Vancouver, with the aim of minimising the risks of physical or information security breaches. This required a huge amount of planning over many months and co-operation among a large number of authorities and organisations across Canada, and several exercises staging multiple attack scenarios. The event passed off without major incident: a few targeted emails, standard malware such as Conficker and ZeuS, and an instance of criminals taking advantage of a fatal accident in training to lure people into viewing video of the incident, actually serving malware in the form of a fake video codec. The lessons learned are being carried forward for those planning for the London Olympics next year.

Rounding off the presentations was a special session on the response from security teams to the Japanese earthquake, tsunami and subsequent radiation leaks in March. After a moment’s silence in respect of the many victims, the speakers, mostly based in the Tokyo area, each had their own tales from the day itself in the face of disrupted transportation and communications. In the following days, initially there was little specifically for CSIRTs to do: the immediate priority was business continuity and restoring communications as far as possible. Many organisations were forced to use unorthodox methods for a time: institutional bans on sites such as GMail and Facebook can suddenly backfire when the usual channels are down, while remote access channels became essential. Inevitably various rumours, hoaxes and scams were observed in the following days and weeks, and considerable effort was expended in protecting those affected or genuinely trying to offer assistance. It was acknowledged that sooner or later there will be other disasters on a similar scale or worse, and, while no-one can prepare totally for such incidents, much more can be done to increase readiness.

Official events for the day were wrapped up with an opportunity to speak to exhibiting vendors over drinks.  These ranged from large organisations such as BT and RSA to niche players offering specialist products: we were particularly interested in speaking to a couple offering malware analysis systems operating along similar lines to our own malware analysis system currently under development.

Posted in FIRST Conference

2011 FIRST Conference: Monday

Monday saw the first full day of the conference. After some opening remarks, the morning consisted of two plenary talks, the first by Peter Zinn of the Netherlands National Crime Squad. His presentation concentrated on some of the cybercrime cases with which his team had been involved, such as card fraudsters and botnet takedowns, and the need for collaborative working across international borders in order to achieve the desired results. He also described one 15-year-old who had decided one day to launch a DDoS attack on Interpol: not his brightest move. The incidence and severity of cybercrime is increasing exponentially, approximately in step with Moore’s Law, and by analogy with the age-old tale of the grains of wheat on the king’s chessboard, what starts slowly will before long get completely out of hand.

The second was by Melissa Hathaway of Harvard Kennedy School, formerly the USA’s Acting Senior Director for Cyberspace.  Following the theme of this year’s conference, “Security lessons: what can history teach us?”, Melissa started her presentation with an in-depth review of the development of cybersecurity threats, from the earliest days of ARPANET to the present, and reminding us that many of today’s problems (and solutions) have been around for a surprisingly long time.  But, as with the chessboard analogy, the extent of the problems has got far worse.  We’ve seen apparent cases of cyberwarfare in Estonia and in Georgia, the Operation Aurora attacks against Google and others, Stuxnet, and recent major compromises at RSA and Sony, devastating for both firms.  The problems have evolved from threatening the security of individual corporations to those threatening national security and indeed global economic security.  Melissa sees a distinct lack of coherence in approaches to the threats and in legislation, and without concerted and rapid action, a lot more of the same may be expected.  But for how much longer will the population accept it?

The afternoons see the conference split into three separate tracks.  With two of us present, we can attend the two most relevant to our work, generally the more technical talks.

Within the first stream, one presentation was entitled “Five Years of Persistent Targeted Attacks”, also known as Advanced Persistent Threats (APT). As opposed to the randomly-distributed malware dealt with on a daily basis, these are targeted at specific individuals with specific aims in mind, for instance acquisition of corporate secrets as seen at RSA, and apparently also the International Monetary Fund. The talk looked at the history of such attacks, the constant evolution of the malware to evade detection, and some of the mitigating tactics available but often little-used.

The second talk was on intrusion suppression, an approach going far beyond that available from standard commercial solutions, with the aim of identifying and containing APT intrusions within minutes rather than weeks.  While this demonstrated what is in principle possible with heavy investment, the resources required are sadly well beyond those available to most organisations.

Finally there was a talk on data exfiltration: the problem of how to get valuable information out of a tightly-managed organisation following a successful intrusion. Sending the data out directly over the internet may be too easily detected, but there are other means at hand. The speaker has worked on demonstrating some of the possibilities. For instance, encoded or encrypted data may be sent to a printer. Most users will simply regard the output as garbage, apparently containing no sensitive information, and with no need to shred it. Old-fashioned dumpster diving then allows the information to be collected. Another interesting approach leveraged VoIP technology within the corporation to transmit suitably encoded data to an external voice mailbox.

The other group of talks covered such topics as the risk management issues associated with remediation of compromised systems, including in cases where an organisation has many hundreds of thousands of client systems and where shutting down to rebuild is not a viable option. Many of the incidents investigated went back several years, and were only detected when law enforcement became aware of an issue and informed the administrator that action needed to be taken.

One particularly striking point was the lengths to which a determined attacker might go to get into an organisation: targeting malware at a small group, for instance the attendees of a particular conference, using so-called spear phishing to gain access to the network, and then using the access gained to compromise further machines, moving laterally across the network until eventually reaching something important.

This was quickly followed by two talks tackling the issue of botnets head on. The first of these looked in detail at the question of peer-to-peer botnets, investigating how they have evolved and developed over the past five years, how they work, and analysing techniques to both detect and subvert these networks. Of course, attempting to subvert an active botnet is a thorny legal issue and is liable to be difficult to do legally without the involvement of law enforcement.

The final talk focused on the evolution of the concept of a botnet and the typical bot-herder from that of a single technical group who developed bots, ran botnets, and used them for their nefarious purposes into a more general underground economy, one in which money flows between various parties, some of which build the basis of a bot, others who develop the means to easily configure the bot, still others who sell data that the bot can use and yet more people who put it all together and run a “botnet”. The speaker explored the builders supplied with three common pieces of malware: ZeuS, SpyEye, and TDL/TDSS.

In the evening a substantial group of delegates set out from the hotel on a gentle photographers’ walk around the city, passing through the nearby Stadtpark towards the splendid St Stephen’s Cathedral (unfortunately heavily shrouded in scaffolding).  The walk ended beside the Danube river (which, contrary to popular conceptions, is not blue), before the group fragmented and a small group of us went for dinner near the cathedral.

Posted in FIRST Conference

2011 FIRST Conference: Sunday

Two members of OxCERT are currently attending the annual conference of FIRST (Forum of Incident Response and Security Teams). As a truly international body, the venue for the conference moves around the world each year; recent venues have included Seville, Vancouver, and Kyoto. This year it is being held in the Hilton Hotel in Vienna, a short walk from the many cultural, historic and gastronomic delights that the city has to offer. We aim to post periodic updates through the week as time permits.

On Sunday, before the start of the conference proper, we have been attending a meeting of educational and research networks, allowing us to focus on the specific issues being faced within our community. Many of the teams present operate at the national level, equivalent to JANET-CSIRT in the UK, although some other university sites were represented; additionally some members fulfil dual roles both as part of a university CERT as well as that for their national research/educational network.

As the teams introduced themselves it became apparent how much we have in common: facing common threats, using common tactics to detect incidents and defend their constituency, and dealing with common problems in terms of user education. Nevertheless there are many differences. One team posts over 2000 security bulletins each year, an order of magnitude more than we do; without careful targeting, we feel that would be liable to overwhelm the recipients. Another had given up entirely on posting such advisories.

Comparing incident statistics raised several questions, not least in terms of huge differences as to what was being compared. This is a problem we are already addressing through work with other UK universities in drafting a set of standard incident categories; work which in time we hope to share with the wider community. Substantial differences will nevertheless remain; for instance we can detect a lot of malware infections ourselves through local monitoring which is impractical or impossible for others to do – they must instead rely on third-party reports.

Approaches to copyright infringement were discussed, with considerable variation, from those who do little with the notifications to those such as ourselves who take a strong line. It was generally felt necessary to stress that copyright violation is not a security issue and should not be treated as such. We were amused by one approach of requiring the offender to give a lecture to others on what they had done wrong.

Discussion over coffee revealed a team using the same incident tracking software (AIRT, Application for Incident Response Teams) as ourselves, and provided us with an opportunity for sharing customisations to the core code base. Many teams, like ourselves, are keen to increase the amount of automation in handling routine incidents in order to concentrate staff resources on the more unusual.

In the evening, the main conference started with a drinks reception, allowing us to catch up with old friends, chat to colleagues previously only encountered online, and to meet new people. Here the varied backgrounds of the various participants becomes evident, with discussions including the challenges facing a major multinational telecommunications provider, or the risks of ever-increasing reliance on computerisation in a car. Nevertheless, some of the underlying issues are similar: co-ordination of a large number of national networks is perhaps not so far from that faced by the University with the departments and colleges, while in the automotive industry, there is the challenge in getting the product developers to think about security from the start, something we can appreciate all too well.

Posted in FIRST Conference

SSL Interception: Making the world a safer place?

Hi all and welcome to OxCERT’s new blog.  Here we will try to keep you up to date with any developments and projects we are involved in regarding security in the University of Oxford.  We’ll also take the chance to comment on recent trends, debates and news stories.  I hope you enjoy reading and find it useful and we look forward to receiving comments and feedback.

There has been an interesting debate on SSL interception following a thread on the Oxford IT staff mailing list that started with the (in)security of open wifi hotspots. Rather than following up on the mailing list, I thought this might be a good topic to start off our blog, so here goes!

Some good points have already been raised surrounding SSL and man-in-the-middle (MITM) attacks, but I think some points have also been overlooked. First of all, the attacker has to be able to intercept and relay the conversation (so has to be “listening” in-line), which makes unencrypted wi-fi access points a great point of attack. Secondly, and the key point in my view, the “security” of SSL-based transactions relies on the user doing some work. The attacker, for typical web-based SSL transactions, only has to convince the user to accept their own certificate instead of that of the genuine service. They don’t necessarily have to do a good job of “spoofing” the genuine certificate; they just have to get the user to accept their own! Modern web browsers attempt to make this experience seamless for the end user with the infamous “padlock”. The theory goes that any certificate that is not signed by a genuine certificate authority (CA) should throw up a warning to the user, who will then sensibly back away, thank technology for saving them from fraud and pop out to the shops instead. However, experience tells us that things are often not as straightforward as this, and the (mis?)use of SSL certificates today does seem to raise more questions than answers.

padlock==secure

For a start, the whole idea of the “padlock” has been debated for some time now, along with the notion that the padlock signifies that the site is “secure”. You and I may know differently, but this is the message that has been projected to users: padlock == secure. Of course the padlock has nothing to do with the security of the actual site; it is supposed to assure Alice that she is talking to Bob and that the communication between the two will be protected. Sadly there are numerous flaws in this process too. Despite the fact that browsers may alert the user to an invalid certificate, how many users will ignore or not notice the warning and just “click through”? Should the user implicitly trust the web browser’s root certificates? I for one have been to perfectly legitimate sites whose certificate has been signed by an “untrusted” CA, and browsers themselves can be compromised by the bad guy. The situation is not helped by the fact that the economics of security have led to a situation where SSL certificates are pretty easy to get hold of without particularly thorough verification from registration and certificate authorities. All this before any mention of the recent fraudulent certificates issued by the Comodo CA as a result of compromised accounts at one of their registration authorities.

The whole problem of trust and certificates has  never been an easy one, but the desire for competitive advantage and ease of use over genuine security hasn’t helped.  One question that runs through this whole issue is how far technology should go towards creating a “seamless” experience for the user, and/or how much we should rely on user education.  Applying technology to the solution is difficult.  Whatever solution you come up with will add complexity and bring with it its own set of problems (some of which are described above).  If users become entirely dependent on technology to maintain their security, is this a good thing anyway?  I can’t help but think that relying solely on technology will create a situation where we all waste our time looking for the silver bullet, the “sliced bread equivalent for the Internet”.  We will probably waste a lot of money looking too.  I’m no futurologist, but I’m going to stick my neck out and say that this ain’t gonna happen and the sooner we stop looking, the better!

On the other hand, as has been pointed out, we can’t expect all users to know about SSL certificates and we can’t educate them all overnight. Security is seen as an inconvenience and users want the most convenient solution. As anyone who went to Ross Anderson’s talk at the OERC the other night will be aware, economics and competition will mean that vendors choose usability and convenience over good security practice (see his paper at ftp://ftp.deas.harvard.edu/techreports/tr-03-11.pdf for more details on the topic).

So what should we do? What can we do? Not “breaking” SSL would be a good start IMHO. As I have described above, it is difficult enough as it is without encouraging users to routinely accept a certificate other than the genuine one for the service they are accessing. It has always seemed slightly perverse to me to take the one tool that users can use to validate the authenticity of a site and encrypt the ensuing traffic, and defeat the purpose of it in the name of “security”. What do we mean by “security” anyway? It may be argued that SSL interception will help “secure” your network, but what benefits does it actually give you compared with the costs, both in terms of finance and invasion of privacy? It’s important to ask what you are trying to achieve and why. Do the benefits of the solution you are looking at justify the costs? Have you considered that the costs aren’t just how much money it costs you to buy? Yes, there may be benefits to SSL interception in certain environments, and I am no expert in the subject, but I would hope that anyone thinking of implementing it would exhaust all other options first and think very carefully about the legal and wider security implications. In terms of malware, a lot can be gained simply from examining network flows and DNS lookups if you know what you are looking for. If you are looking at traffic content, most of the malware/botnets we are currently tracking still use plain HTTP for command and control (C&C); they save the encryption for the stuff they really want to protect! It also helps if you have a dedicated security/incident response team monitoring the network for badness, I might add ;-) If you really want to limit malicious traffic on your network there are malicious domain and IP lists that can be used, or you can allow access only to lists of known good sites. It’s also important to consider what you are trying to protect. For example, what are the implications for you, and the services you run, if user machines get compromised?
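To illustrate the point that DNS lookups alone can reveal infected machines without any interception, here is a small Python script added to this post as an example; it is not part of the original post and not OxCERT’s own tooling. It scans constructed DNS query log lines for three signals: lookups of domains on a blocklist (as the malicious-domain lists mentioned above would provide), a burst of NXDOMAIN responses from a single host, and random-looking domain labels; the last two go slightly beyond the post, being characteristic of malware that generates its C&C domain names algorithmically. The log format, the sample lines, the blocklist entries and the thresholds are all assumptions made for the example.

```python
"""Added example: spotting infected hosts from DNS query logs alone.

The log format ("<timestamp> <client_ip> <qname> <rcode>"), the sample lines,
the blocklist and the thresholds are all constructed for this example.
"""
import math
from collections import Counter

# Constructed sample log lines; 10.0.0.7 behaves like a bot trying
# algorithmically generated names, 10.0.0.9 looks up a blocklisted domain.
SAMPLE_LOG = """\
2011-06-14T09:00:01 10.0.0.5 www.ox.ac.uk NOERROR
2011-06-14T09:00:02 10.0.0.5 mail.google.com NOERROR
2011-06-14T09:00:03 10.0.0.9 evil-c2.example NOERROR
2011-06-14T09:00:04 10.0.0.7 a7fq2zk9xp.biz NXDOMAIN
2011-06-14T09:00:04 10.0.0.7 zq81mvc3ysd.info NXDOMAIN
2011-06-14T09:00:05 10.0.0.7 p0x7fyq3ndk2.org NXDOMAIN
2011-06-14T09:00:05 10.0.0.7 www.bbc.co.uk NOERROR
2011-06-14T09:00:06 10.0.0.7 k3n9vq7hz2lm.net NXDOMAIN
2011-06-14T09:00:07 10.0.0.5 typo.ox.ac.ukk NXDOMAIN
"""

BLOCKLIST = {"evil-c2.example"}  # constructed stand-in for a malicious-domain feed
NXDOMAIN_THRESHOLD = 4           # assumption: per-host NXDOMAIN count worth a look
ENTROPY_THRESHOLD = 3.3          # assumption: bits/char; random labels score higher
MIN_LABEL_LENGTH = 8             # entropy of very short labels is too noisy to use


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (timestamp, client, qname, rcode) tuples for each non-empty line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((ts, client, qname.lower().rstrip("."), rcode))
    return records


def longest_label(qname):
    # Crude stand-in for public-suffix handling: the registrable part is
    # usually the longest label ("www.ox.ac.uk" -> "www", which is harmless).
    return max(qname.split("."), key=len)


def analyse(records, blocklist=BLOCKLIST, nx_threshold=NXDOMAIN_THRESHOLD,
            entropy_threshold=ENTROPY_THRESHOLD):
    """Return (kind, client, detail) findings for the three checks."""
    findings = []
    nx_per_host = Counter()
    for _ts, client, qname, rcode in records:
        if qname in blocklist:
            findings.append(("blocklisted", client, qname))
        if rcode == "NXDOMAIN":
            nx_per_host[client] += 1
        label = longest_label(qname)
        if len(label) >= MIN_LABEL_LENGTH and shannon_entropy(label) >= entropy_threshold:
            findings.append(("high_entropy", client, qname))
    for client, n in nx_per_host.items():
        if n >= nx_threshold:
            findings.append(("nxdomain_burst", client, str(n)))
    return findings


def suspicious_hosts(findings):
    """Clients that appear in at least one finding."""
    return {client for _kind, client, _detail in findings}


if __name__ == "__main__":
    for kind, client, detail in analyse(parse_log(SAMPLE_LOG)):
        print(f"{kind:15s} {client:10s} {detail}")
```

Entropy and NXDOMAIN counts are heuristics, so in practice they point an analyst at a host rather than condemn it: legitimate content-distribution hostnames can look random, and a single mistyped address produces an NXDOMAIN. The blocklist match is the only one of the three that is a firm indicator, and only as good as the feed behind it.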

And last, but by no means least, how do we help users secure their own machines?  The vast majority of incidents OxCERT see still involve people not running AV, not patching their machines or running pirated software etc.  There is no easy solution for this either of course which is why I think that one thing we can always do is to educate our users.  It’s true we can’t educate everyone overnight, but if education isn’t the way forward in the University of Oxford, then something is wrong I think.  Take what opportunities you can to make your users aware of the risks but don’t just impose restrictive technology on them in the name of security.  Security doesn’t have to be about inconvenience – it can also be about helping users to achieve what they want.  If users only want convenience and security == inconvenience, perhaps we need to change the way we present security to our users?

Posted in General Security | 1 Comment

Hello world!

Welcome to OxCERT’s new blog. We’ll be using this to complement our existing series of bulletins and monthly reports, but unlike those will not be access-restricted. We are looking to discuss some of the work we’re doing, respond to queries, and address topical stories and threats, in a more timely manner than we can do through our reports and more openly than we can do through restricted mailing lists.

Posted in General Security