Johannes Ullrich was our MC for the evening. He covered off where the ISC came from, the major data collection projects we have ongoing (DShield firewall logs, the 404 Project and the Web Honeypot). He also covered off many of the major stories that we've seen over the last 12 months.
Russ McRee discussed DDoS attacks against Microsoft as well as service abuse against cloud offerings.
Rob VandenBrink - The Microsoft root certificate compromise/abuse story was pretty big, along with the follow-on Windows Update to fix Windows Update. This is something that's been predicted - it's been a part of SEC504 and SEC560 for some time now, and really they should have been more prepared for something like this.
Related to that - SSL support in most browsers does not correctly use the CRL (Certificate Revocation List); only Opera correctly uses the CRL. So while the "correct" fix for the Microsoft issue would have been to revoke the affected certificate, only Opera would have correctly honoured that fix!
Manuel Humberto Santander Pelaez highlighted SCADA attacks in South America, as well as the challenges SCADA hardware faces in having to support the legacy protocols and co-exist on general purpose networks. We had a deeper discussion on this after the panel discussion, with some different issues and viewpoints from the Oil and Gas sector thrown in. SCADA was a big part of the evening, both in the follow-on Q and A, and the after-panel-panel.
- Mobile malware is rapidly on the rise
- With mobile platforms being pushed by both users and management, we’re seeing admins “giving up” on real security for BYOD
- Again related to BYOD, the network perimeter is no longer easy to define. We've got external devices, not owned by the corporation, that now demand internal access
- With new protocols (IPv6 for one), we're seeing all the old attacks becoming new (and successful) again
- Many of our new web app problems aren't new. Most of our web apps don't do anything against the newer attacks, we've got our hands full keeping up with the old stuff
- We tend to solve problems that have easy fixes, one thing at a time, ignoring problems that need multiple solutions to actually solve
- Focusing on pentesting looks at only one face of the problem - mechanisms for defending web apps are simply not being deployed
- For instance, look for hash compromises next year - we're still not hashing correctly
- We’ve seen a rise in hacktivism over the last while - these folks often don't have budget, they just have time on their hands and the will to succeed
Lenny Zeltser discussed the impact of PCI - for all that many view it as "the minimum bar" for security rather than as a demanding standard, it has had a marked, positive impact on the state of internet security, especially on smaller businesses.
But PCI compliance still gives a false sense of security, again, especially to smaller businesses. While it raises awareness, many of them view their security as a solved, completed problem with PCI certification done.
Security products need to become more intelligent, more automated and cheaper - what's custom and expensive now needs to become automated, smarter, commodity products.
William Salusky covered off his top 5:
- Spear phishing, targeted at and originating from AOL
- Compromised accounts - specifically webmail accounts. Targeting financial data and contact lists, and leveraging compromised passwords against other things (like bank and financial sites)
- Hacktivism - not politically motivated; each hacktivism group wants to be "better" than the last hacktivism group. Most aren't particularly political; this phenomenon seems to be more of a "We're badder than LulzSec" one-upmanship thing
- More discussion on certificate authorities and the recent compromises
- Lots and lots (and lots) of malicious advertising has been seen this year - ads with malware embedded / drive by compromises
Lots of questions followed on, notably several on malware and especially several SCADA questions.
After the panel, the fun continued with a good after-after-panel discussion ranging over some future SDN (Software Defined Networking) compromises and resourcing issues, what we can see coming on AVB (Audio Video Bridging) compromises, lots on web app security and defense, and a truly great software demo that we can't really disclose (but stay tuned).