The IRISSCERT Cyber Crime Conference took place in the D4 Berkeley Hotel, Dublin, Ireland, on 23 November 2011.

The Irish Reporting and Information Security Service (IRISS) is a voluntary body created to "aid Irish based organisations and citizens to better secure their information technology". The organisers put a huge amount of their free time into the conference. Consequently, donations are appreciated and can be made through their website. As well as the gargantuan work that went into organising the conference itself, a further 500+ man hours were spent setting up the HACKEIRE Capture The Flag (CTF) competition.
As a non-security-professional, the most interesting presentation for me was Dale Pearson's tutorial on how to get inside an organisation via the physical route. He outlined how criminal hackers study social media to build up a profile of a company's employees, their activities and relationships. He explained the advantages of targeting the newest employees by, for example, "accidentally" meeting up with them at their favourite lunchtime haunts. He showed how to gain access to buildings, including keeping an eye out for misplaced USB sticks. And how to virtually steal the furniture if you had a mind to. Fascinatingly dangerous guy. Incidentally, he may have inadvertently provided me with an explanation for the locked wheelie bins in Leeson St., which may well be worse than I originally thought.
Mikko Hypponen's contribution was a fascinating, if helter skelter, journey through the evolution of the virus. He showed examples of the, neutered, visual content of the early viruses. Some of these reminded me of the old game of tennis which was the first contact many of us had with the computer, and this at a time when "hacker" was a respectable term and these guys were doing it just for fun. The byte-a-time animations reminded me of Clive Sinclair's ZX Spectrum (16KB to those of you who can still think so small). Mikko then took us through the more destructive phase when malicious hackers just wanted to screw up your computer. And on to the time when criminal hackers figured they were on to a financial goldmine. Some of these created criminal cyber empires, outsourced the coding and advertised widely for virus code which the authors had finished with and which they could use in their wider field of operations. He finished up with the latest phase of intergovernmental cyber war, Stuxnet and Duqu – which he said came from the same stable. He also covered the recent Certificate Authority (CA) breaches which in part arose from the refusal of the international community to grant CA rights to Iran and led to that country hacking an existing Dutch CA. He observed that the current CA system was breaking up. He also mentioned that there were relatively fewer viruses out there for mobile devices as the guys were all busy doing the easier and more remunerative traditional hacking and there were a lot of different mobile systems. As Android looks like becoming the predominant operating system here, it is likely to be targeted by criminal hacker activity before long. Mikko's contribution was the only overtly political one. From his opening shot of the East German Typewriter (1) to that of the latest laser printer, he stressed how the individual citizen's privacy was being eroded by government and how what originally brought howls of protest was now meekly accepted and proceeding apace behind the scenes (or inside the black box, so to speak).
Stephen Bonner was a real communicator, with high PR skills. He gave a rundown on the user awareness (TH!NK PRIVACY) campaign which they had run in Barclays Bank. This campaign was very effective, and he gave examples of how, and how not, to measure effectiveness. The campaign had resulted from some serious brainstorming within the company. Some of the ideas they had come up with were so scary that they had to be scaled down in implementation. His illustrations were great and his technique for getting audience participation was a little unusual. Anyone asking or answering a question, or making a remark, from the floor during the presentation had a Ferrero Rocher chocolate pegged at them along with an invitation to their nearest neighbours to try and intercept it in flight. I was first to put up my hand in response to an invitation to receive a paperback book which was part of the Barclays campaign and promptly had a copy pegged at me from the stage. I've just started reading it. One of his observations was certainly an indication of some of the lateral thinking that went into the campaign. He observed that arts graduates could be employed for peanuts compared to what IT/Security and other professionals demanded. So low budget arts graduates were extensively used in the campaign, along with authors/writers who were only too glad to see their work in print and who wrote the short stories in the campaign booklet which I had caught in mid-air. Great example of how to do a presentation. Serious material entertainingly presented.
Ryan Jones took us through an incident where a seller's online cart stopped working at 2am and it was not clear what was going on. On closer investigation it turned out that the whole database had got dropped. He gave two different versions of an incident follow-up investigation. In the first there were no proper database logs, so the investigator was relying on whatever else was on the system. The results were inconclusive. The second was where much more comprehensive logging had been undertaken and this revealed that the system had been compromised for some time and credit card and other details had been siphoned off. The company meanwhile, and unrelated to any incident, had decided to outsource the purchase module and as a result the hacker's information stream dried up. So he came back and maliciously dropped the database. I asked Ryan was this not a silly thing for him to have done as it only drew attention to the fact that the system had been compromised. He replied that the hacker would have sold on the information and by that stage people should have been getting unusual entries on their credit card statements. So the hacker had nothing to lose. On reflection, though, there had been no mention of any complaints about this to the company. Probably the card holders had no idea where in cyberspace their details had been compromised. Interesting. In relation to the more comprehensive logging, Ryan made the point that, despite apparently huge storage space requirements, this could nevertheless be relatively selective – for example, you didn't have to store all the actual video material in the case of a YouTube account. He recommended looking up Trustwave's Global Security Report.
Robert McArdle demonstrated features from HTML5, which seems to have integrated almost anything you might wish to do into an HTML environment. The problem is that because this is all in realtime and under the control of and within the browser it bypasses a lot of the traditional security mechanisms. We are obviously coming to the point where not only will new mechanisms be required but you will need to shut down all browser windows/tabs when not actually in use. The background is becoming a dangerous place. Still, the stuff looks magic, right up to 3D arcade/playstation interactive cyber gaming. Bob is now blogging his IRISS talk in three parts at Trend Micro.
John Burroughs (standing in for Rik Ferguson) gave a very clear exposition of the security problems arising from the move to cloud computing. The distributed nature of cloud computing over virtual machines, storage sharing, and the need for speedy security updates in a rapidly changing realtime environment, not to mention controlling the “hypervisor”, all pose complex security problems, which is one of the reasons for many people delaying migration to the cloud. There are also issues of control of, and responsibility for, security which have not been fully resolved. I can empathise with a certain suspicion of the cloud and a reluctance to cede all computation to a source outside my own controlled environment. I have no wish to be reduced to the status of a dumb terminal. I've been there in the early 1980s and I have no wish to go backwards.
Dave Venman's presentation, on Fun and Games with IPS, went a bit over my head both due to the content (I am not competent at the packet level) and the style of presentation. He did, however, recommend checking out the Verizon Data Breach Report. Eoin Keary dealt with mobile devices but again content and presentation meant I didn't really get a grip on this presentation.
Brian Honan and his team are to be congratulated on a great piece of organisation, from getting the speakers, to running the day itself. Gordon did a great job as MC.
The material above is supplementary to irlpol's post.
_________________________________________________________________
(1) Manual typewriters had to be registered in East Germany, along with a sample typed page, so that any (subversive?) literature produced on them could be subsequently traced to the source. Modern laser printers carry ID coding which is transferred to documents to enable subsequent tracing. At the Q&A session I mentioned my experience from another former Communist country in 1991. In Vilnius (Lithuania) the internal phone directory in the hotel room was a vast matrix of apparently unrelated numbers. I enquired about this and was told that they were all direct phone lines. I really thought this most inefficient and couldn't understand why, even under the Soviets, this apparently modern hotel didn't have a normal automatic switchboard. However, its (political) efficiency was another matter as all the direct lines went through the nearby police station.
2 Comments
Feb 11, 2012
Póló
Whatever about security professionals, don't ever lose sight of the customer. Automatic security measures, such as anti-spam robots, can turn up false positives and be very scary for the victim.
I describe a recent experience here which left me without a mature blog for a few weeks, not knowing was I ever going to get it back.
At least the "restore blog/appeal" mechanism does seem to involve actual human beings.