IRISSCON 2011

Supplementary material on IRISS conference.

The material below is supplementary to my short illustrated post on the IRISSCERT Cyber Crime Conference in the D4Berkely Hotel, Dublin, on 23 November 2011.

The original of this text appeared on the Nodecity Wiki, but, as that has since been closed to public access, I have transferred the material to here.

The Irish Reporting and Information Security Service (IRISS) is a voluntary body and the organisers put in a huge amount of free time. That's why donations are appreciated and can be made through their website.

A huge amount of organisation went into the conference itself and a further 500 manhours into setting up HACKEIRE.



As a non-security-professional, the most interesting presentation for me was Dale Pearson's tutorial on how to get inside an organisation via the physical route. He outlined how criminal hackers study the social media to build up a profile of a company's employees, their activities and relationships. He explained the advantages of targetting the newest employees, having purposely met up with them at their favourite lunchtime haunts. He showed how to gain access to buildings, keeping an eye out of misplaced usb sticks. And how to virtually steal the furniture if you had a mind to. Fascinatingly dangerous guy. Incidentally he may have inadvertantly provided me with an explanation for the locked wheelie bins in Leeson St. which may well be worse than I originally thought.



Mikko Hypponen's
contribution was a fascinating, if helter skelter, journey through the evolution of the virus. He showed examples of the, neutered, visual content of the early viruses, which would remind you of the old game of tennis which was the first contact many of us had with the computer, and at a time when hacker was a respectable term and they were doing it for fun. He took us through the more destructive phase when malicious hackers just wanted to screw up your computer. And then on to the time when criminal hackers figured they were on to a financial goldmine. Some of them created criminal cyber empires, outsourced the coding and advertised widely for virus code which author had finished with and they could use in their wider field of operations. He finished up with the latest phase of intergovernmental cyber war, Stuxnet and Duqu - which he said came from the same stable. He also covered the recent CA breaches which in part arose from the refusal of the international community to grant CA rights to Iran and led to that country hacking an existing CA. He observed that the current CA system was breaking up. He also mentioned that there were relatively less viruses out there for mobile devices as the guys were all busy doing the easier and more remunerative traditional hacking and there were a lot of different mobile systems. However if, as looked likely, Android scooped the market we could expect increased hacker activity in this area. Mikko's contribution was the only overtly political one. From his opening shot of the East German Typewriter [1] to that of the latest laser printer, he stressed how the individual citizen's privacy was being eroded by government and how what originally brought howls of protest was now meekly accepted and proceeding apace behind the scenes (or in the black box, so to speak).



Stephen Bonner was a real communicator, with high, if slightly patronising, PR skills. He gave a rundown on the user awareness (TH!NK PRIVACY) campaign which they had run in Barclay's Bank. This campaign was very effective, and he covered how to measure effectiveness, and had resulted from some serious brainstorming within the company. Some of the ideas they had come up with were so scary that they had to be scaled down in implementation. His illustration were great and his technique for audience participation unusual. Anyone asking or answering a question or making a remark from the floor during the presentation had a Ferrero Rocher chocolate pegged at them along with an invitation to their nearest neighbours to try and intercept it in flight. I was first to put up my hand in response to an invitation to receive a paperback book which was part of the Barclay's campaign and had it pegged at me from the stage. I've just started reading it. One of his observations was certainly an indication of some of the lateral thinking that went into the campaign. He observed that arts graduates could be employed for peanuts compared with what IT./Security and other professionals demanded. So low budget arts graduates were extensively used in the campaign, along with authors/writers who were only too glad to see their work in print and who wrote the short stories in the campaign booklet which I had caught in mid-air. Great example of how to do a presentation. Serious material entertainingly presented.



Ryan Jones took us through an incident where a seller's online cart stopped working at at 2am and it was not clear what was going on. On closer investigation it turned out that the whole database had got dropped. He gave two different versions of an incident follow-up investigation.In the first there there were no proper database logs, so the investigator was relying on whatever else was on the system. The results were inconclusive. The second was where much more comprehensive logging had been undertaken and this revealed that the system had been compromised for some time and credit card and other details had been siphoned off. The company meanwhile, and unrelated to any incident, had decided to outsource the purchas module and as a result the hackers infromation stream dried up. So he came back and maliciously dropped the database. I asked Ryan was this not a silly thing for him to have done as it only drew attention to the fact that the system had been compromised. He replied that the hacker would have sold on the information and by that stage people should have been getting unusual entries on their credit card statements. So the hacker had nothing to lose. On reflection, though, there had been no mention of any complaints about this to the company. Possibly the card holders had no idea where in cyberspace their details had been compromised. Interesting. In relation to the more comprehensive logging, Ryan made the point that this could nevertheless be relatively selective – for example, you didn't have to store all the actual video material in the case of a Youtube account. He recommended looking up Trustwave's Global Security Report.



Robert McArdle demonstrated features from HTML5 which seems to have integrated almost anything you might wish to do into a HTML environment. The problem is that because this is all in realtime and under the contol of and within the browser it bypasses a lot of the traditional security mechanisms. We are obviously coming to the point where not only will new mechanisms be required but you will need to shut down all browser windows/tabs when not actually in use. The background is becoming a dangerous place. Still, the stuff looks magic, right up to 3D arcade/playstation interactive cyber gaming.

John Burroughs (standing in for Rik Ferguson) gave a very clear exposition of the security problems arising from the move to cloud computing. The distributed nature of cloud computing over virtual machines, storage sharing, and the need for speedy security updates in a rapidly changing realtime environment, not to mention controlling the "hyper manager" all pose complex security problems which is one of the reasons for many delaying migration to the cloud. There are also issues of control of, and responsibility for, security which have not been fully resolved. I can empathise with this and in my own case, as a private personal computer, do not wish to be reduced to the status of a dumb terminal. I've been there in the early 1980s and I have no wish to go backwards.

Dave Venman's presentation, on Fun and Games with IPS, went a bit over my head both due to the content (I am not competent at the packet level) and the style of presentation. He did, however, recommend checking out the Verizon Data Breach Report.

Eoin Keary dealt with mobile devices but again content and presentation meant I didn't really get a grip on this presentation.



Brian Honan, and his team, are to be congratulated on a great piece of organisation, getting the speakers to running the day itself. Gordon did a great job as MC.

24/11/2011


Footnotes

[1] Manual typewriters had to be registered in East Germany so that any (subsersive?) literature produced on them could be subsequently traced to the source. Modern laser printers carry id coding which is transferred to documents to enable subsequent tracing. I mentioned my experience from another former Communist country in 1991. In Vilnius (Lithuania) the internal phone directory in the hotel was a vast matrix of apparently unrelated numbers. I enquired about this and was told that they were all direct phone lines. I really thought this most inefficient and couldn't understand why, even under the Soviets, this apparently modern hotel didn't have a normal automatic switchboard. However its (political) efficiency was another matter as all the direct lines went through the nearby police station.