Monday, June 2, 2008

TechnoSecurity Day 1





I arrive at the marriot in my smelly clothes, hauling my backpack full of travel gear and I find my way to registration...can you say lack of directional signs?

The registration process was simple. Last name only and they verify on a check-sheet. Hmm a security conference and the only verification is done by last name? No other authentication mechanism, such as presenting a receipt, or confirmation email? My how interesting.

Anyways I got my fancy padfolio and badge - kind of cool by the way - and an obnoxious bag from a sponsor. Sorry guys but that's rediculous. I thought to myself "what the hell am I supposed to do with this huge bag?" I dumped the bag as soon as I could.

Quotes from the day:

"Did you see that cop's wrist? Harley accident in the mountains, he hit black ice and was dead for 27 seconds."

I did a massive double take on that one. Did I hear that right? I ended up meeting said cop on day two. I'll have to confirm that story with him. Nice guy by the way..will add comments on that discussion later.


First talk of the day:

Roel Schouwenberg(sp?) from Kaspersky labs talking about Malware Ecosystems and their evolution.

Takeaways from his talk:
The threat is not changing (people like to say that), it already has changed.
Malware authors are using search engines optimization to get their hacked sites rated higher on google searches so it's more likely the links will be clicked.
They are expecting 20 million threats this year (ouch)
He spoke on a Criminal to Criminal business model - kind of like the B2B model but for criminals. There are multinational rings involved and the players take roles such as (translators, money mules, R&D, Spammers).

I found that particularly interesting in that he exposed a little bit about the organization of the criminals, which is to say that it's a pretty impressive mode of operation.

Roel surmised that the next large area of focus for criminals will be mobile banking. Which is to say banking from a mobile device will be very interesting shortly.

Talk 2:
James Aquilina - Stroz Friedberg - Malware investigations and their legal implications. This talk was a lot of lawyerese, but he made some very interesting points and had good information.

If you didn't know, James was the prosecutor in the Anchetta case (botnet related, received a lot of press). James had a very amusing talk at first. He had great graphics designed to make complex topics understandable by judges and non-technical people.

Some interesting stuff on the implications of using packet sniffers for investigations such as collection beyond the scope of the investigation so, instead of doing a full packet capture at a choke point, you should only do the capture against the affected victim computer and the attacker. Doing the full capture could be outside the scope of the investigation, this could come in to play in many cases. Other points:

When investigation/prosecuting a minor who's a malcode author you may not refer to them by name in any notes. This could be construed as releasing their name and identifying a minor is a no-no.

I have a lot of post processing of his talk to do.


Talk 3: Chris Mellen - AccessData - Volatile and memory analysis in a network environment.

I actually ended up taking no notes during this talk. It quickly seemed to turn in to a "this is AD enterprise and here's how we do memory analysis" talk. The talk ended early which allowed me to sneak in to a great talk..

Talk 4: Jack Wiles - Social engineering in progess.

Wow what a good talk. I ended up not taking notes here either, mainly because I was focused on Jack. Lot's of props and even some sleight of hand tricks to illustrate the point that as adults our minds have been trained to ignore the "sleight of hand" or the tricks of the social engineer. Very interesting stuff from a social sciences standpoint of looking at human relationships and trust.


Thoughts from today:

When did it become ok for us to trojan corporate systems with "forensic tools" that utilize rootkit hiding mechanisms?

2 comments:

H. Carvey said...

When did it become ok for us to trojan corporate systems with "forensic tools" that utilize rootkit hiding mechanisms?

Huh?

hogfly said...

This was in reference to the current trend in enterprise forensics software. Just some thoughts I'd had that day considering what separates us from hired goons when we start using rootkit hiding mechanisms in our tools.