CCCC 2015 Presentations for Download
Adam Lebech, DI ITEK: Information security – current challenges and perspectives
Gabor Szappanos, Sophos: The Attack of the Killer Tomatoes
Inbar Raz, PerimeterX: Physical [In]Security: It’s not ALL about Cyber
Jan Kaastrup, CSIS: Cloud Computing from a security perspective
Manuel Vigilius, ISS: Don’t be an ostrich – be a chipmunk
Marion Marschalek, Cyphort: The Stuxnet-O-Meter: Measuring Complexities
Paul Vixie, Farsight Security: Waterfall Computing – Creating Value in the Absence of Big Data
Peter Kruse, CSIS: How Website Insecurity Can Ruin Your Business
Righard Zwienenberg, ESET: PUA – Potentially Unwanted Advice
The download file is password protected. The password was sent to all conference participants after the event. If you attended the conference but can no longer find the password, please send an email to mah(@)csis.dk to have it resent.
ATM Jackpotting in the Wild
Thomas Siebert, Marc Ester, G DATA
Technical level: Medium
ATMs, being full of money, are a classic target for criminals. In recent times, attackers have shifted from physical brute force to computer-assisted attacks.
Some attacks use malware such as the highly publicized Tyupkin or Ploutus. Other attacks do not install malware on the existing operating system at all, but instead boot their own operating system containing the malware…
This talk discusses the attack vectors and shows how the groups behind the attacks actually operate, including footage from surveillance cameras. It also discusses which security problems the attacks rely on and what options exist to overcome them.
Can Encryption Save the World?
Peter Landrock, Cryptomathic
Technical level: Medium
There is only one way to protect data: using cryptographic techniques, be it for authentication, integrity or confidentiality. We do have sufficiently strong publicly known algorithms, but too many implementations have bad random bit generators or other shortcomings and thus completely fail their intended purpose. From time to time, discussion turns to the other side of the coin: encryption can also be used by, e.g., criminals and terrorists. Not least because of this, there are periodic attempts to limit the widespread use of encryption, which in the USA is classified as a weapon of the so-called second degree; in the late 1990s there were strong attempts, led by the USA, to limit its general availability, but the attitude changed a few years later. The problem now appears to be a hot topic again, and we shall discuss to what extent attempts at limitation could succeed at all, and whether certain algorithms have so-called trapdoors that can be used by, e.g., law enforcement agencies – for noble, but alas also for less noble, purposes, it appears.
DKCERT – An Academic Computer Security Incident Response Team in the Global CERT- and CSIRT-Network
Henrik Larsen, DKCERT
Non-Technical
DKCERT – the Danish academic Computer Security Incident Response Team – is an organisation within DeIC, Danish e-Infrastructure Cooperation. DKCERT is the oldest Danish CERT, founded in 1991.
Bearing the internationally recognized trademark CERT, we are obligated – and happy – to participate in the global cooperation between CERTs and CSIRTs. As an academic CERT, we are participating in both Nordic and European networking. The goal of this cooperation is to strengthen information security and fight cybercrime.
DKCERT is assisting the Danish universities and other research and education institutions, connected to the National Research and Education Network, with cyber- and information security issues.
The presentation will outline these levels of international cooperation and point out its importance for the joint Danish efforts against cybercrime, as laid out in the recent National Strategy for Cyber- and Information Security.
Don’t be an ostrich – be a chipmunk
Manuel Vigilius
Non-Technical
One thing is certain about crises: sooner or later you will run into one. It can ruin your company or boost your reputation. It all depends on the way you handle it and how you communicate your way through it. But the work starts well before the crisis hits you: in how you develop relationships and create trust with the media, as well as transparency and awareness within your own company. Based on experience, real-life examples and key rules of thumb, this presentation should give you a head start in building robust IT crisis preparedness.
How I hacked my Home
David Jacoby, Kaspersky Lab
Technical level: Low
In the IT security industry, we are currently publishing articles about how hackers and researchers find vulnerabilities in, for example, cars, refrigerators, hotels or home alarm systems. All of these things fall under the term IoT (Internet of Things), which is one of the most hyped topics in the industry. The only problem with this kind of research is that we cannot really relate to all of it.
I decided to conduct some research that I thought was relevant, trying to identify how easy it would be to hack my own home. What can an attacker actually do if these devices are compromised? Is my home “hackable”? Before I started my research, I was pretty sure that my home was pretty secure; I mean, I’ve been working in the security industry for over 15 years and I’m quite paranoid when it comes to applying security patches! It turned out I was wrong, and that I had many devices connected to my network that were very vulnerable.
How Website Insecurity Can Ruin Your Business
Peter Kruse, CSIS Security Group
Technical level: Low
A large number of corporate websites in Denmark are vulnerable to different types of attacks, which can compromise the content of the website and thereby expose the user to malicious code or unwanted content.
The number of vulnerable websites has increased dramatically during the past year, and this serves as a window of opportunity for hackers to spread malicious code to the masses or even mount watering-hole attacks. Let us have a look at the facts and consequences of running outdated and insecure external services, and at ways of mitigating the exposure and risks.
Information security – current challenges and perspectives
Adam Lebech, Director, DI ITEK
Non-Technical
Information security should be on top of the agenda for CEOs today – not just in the ICT industry, but increasingly in more traditional industries. Cloud computing, big data and the growth in the number of Internet-enabled devices are increasingly challenging traditional models of information security and requiring companies to find new solutions to protect their IT systems and data. The keynote will highlight how these challenges affect Danish companies, and what needs to be done to alleviate them.
Operation Potato Express: Analysis of a Cyberespionage Toolkit
Robert Lipovsky, Anton Cherepanov, ESET
Technical level: High
The talk uncovers details about an espionage malware family used against targets in numerous countries, including Russia and Ukraine. The malware has been deployed in a number of unrelated APT campaigns since 2011. The subjects of these campaigns cover a wide range of interests, from financial fraud to military. We will describe the various spreading mechanisms used by the malware and provide technical details from the analysis of its modules.
Physical [In]Security: It’s not ALL about Cyber
Inbar Raz, Hacker of Things, VP of Research, PerimeterX
Technical level: Low
Today’s threat landscape is all about Cyber. We have cyber threats, cyber security, cyber warfare, cyber intelligence, cyber espionage… Cyber is used as a synonym for the Internet, but sometimes it’s not -all- about the Internet. Focusing defenses on the Internet front leads to some wrong assumptions and to overlooking much simpler, yet just-as-dangerous, attack vectors.
Practical experiences in Outsourcing
Kurt Sejr Hansen, TDC Group
Non-Technical
The presentation will give a short overview of what to consider before, during and after signing an outsourcing contract with a partner, focusing on security and on experience gained in several cases.
The presentation will also focus on the benefit of sharing best practice in relation to outsourcing.
PUA – Potentially Unwanted Advice
Righard Zwienenberg, ESET, Senior Research Fellow
Non-Technical
For a long time now, security experts have advised users to use ad-blockers, pop-up blockers, and other browser plugins/add-ons such as “NoScript” to create a safer environment while browsing the internet. Recently we have observed a trend among websites to alert visitors that in using these added layers of protection (these blockers and/or browser plugins/add-ons) they are running a risk. Given that some add-ons and plugins are unequivocally malicious, this may be correct in the strictest sense, but the motivation of these websites often seems financial or even malicious rather than altruistic, and the suggestion is ill-advised.
Another problem is the use of the installation framework that software download sites are likely to use. These sites wrap the original software into an installer package that, on execution, advises the user to also install other – often sponsored – software or, even worse, install these without the user’s consent. This can result in unwanted and sometimes amusing situations, but can be very confusing for the end user.
The presentation will examine the relationship between blockers and plugins/add-ons, the advice commonly given and the possible implications of following that advice from the user’s, the website’s and the security vendor’s point of view. It will also discuss the confusing situations that can arise when using installers for software obtained from websites other than the vendor’s own site.
A real-life case scenario, with all the ins and outs, will be presented to show that end users would need to be forensic experts to see the traps being built for them.
Points to cover:
1. Pros and cons of using blockers and plugins/add-ons
2. Overview of all kinds of blockers and plugins/add-ons
3. The problems with the advice often given
4. Data Leakage consequences of following the advice
5. The problems around installing applications from download sites
The Attack of the Killer Tomatoes
Gabor Szappanos, Sophos PLC
Malware authors are not shy about borrowing ideas. One of the most typical cases was the Tomato Garden incident, in which several different groups used the same zero-day Microsoft Word exploit, leaving the exploit document and the shellcode intact and only changing the encrypted executable appended at the end.
Something very similar happened just recently, as part of a longer campaign targeting India. This Rotten Tomato campaign spanned several months, from August 2014 up to March 2015.
During this time span, different variants of the PlugX backdoor were observed as the final payload, including classic PlugX, next-generation PlugX, P2P PlugX and, most recently, PlugX with its payload stored in the registry. Apparently this was a continuous operation in which the actors behind it used the latest available versions as they came out of the factory. Additionally, a few affiliated malware families were distributed to the targets using a similar distribution vector. The presentation covers the timeline of development in the PlugX backdoor during the campaign.
Interesting development was observed in the exploitation part as well. The malware authors made multi-step efforts to integrate the CVE-2014-1761 vulnerability into their repertoire. The presentation covers the timeline and major steps in this (otherwise unsuccessful) attempt. We were able to track exactly which external sources were used during the development process.
The narrow line between APT and common malware is shrinking: targeted attack players are snatching ideas from the other group. The fact that the attempt was less successful does not deny the fact that a symbiosis exists between the two distinct criminal groups, and ideas are flowing in both directions.
The SBDH Espionage Toolkit
Robert Lipovsky, Thomas Gardon, ESET
Technical level: High
The increase in quantity and quality of organised cybercrime against global financial institutions and how Barclays Plc mitigate that threat.
The Stuxnet-O-Meter: Measuring Complexities
Marion Marschalek, Cyphort Inc.
Technical level: High
A few years back, the threat detection industry introduced an imaginary line between common mass malware and targeted malware. In 2015 we have to recognize that this line is starting to blur. In reality, the operators of mass malware and of targeted malware are not necessarily different groups any more. The term advanced persistent threat was created to describe malicious software that is difficult to detect (thus advanced) and remains on infected systems for a long period of time (thus persistent). Yet the true nature of targeted malware in general remains unclear, and its sophistication is hard to evaluate.
This talk will introduce measures of complexity for current malware and apply these measures to a chosen set of targeted malware. Examples of such measures are sandbox and analysis resistance, detection evasion, and the level of system infiltration and persistence on infected machines. By better understanding threat complexity, the defending side can gain a crucial advantage in countering the enemy they can’t see.
Waterfall Computing – Creating Value in the Absence of Big Data
Paul Vixie, Founder and CEO, Farsight Security
Technical level: High
Buzzword-compatible Internet security startups like to talk about their Big Data Stack. But just because we’ve been processing data by putting it into databases and running queries in arrears since the days of punch cards and green bar paper does not mean there aren’t other ways to do things. In this talk, Vixie will describe the ‘waterfall computing’ approach taken at Farsight, which is used to produce everything from Newly Observed Domains to DNSDB. The middleware used in all examples, NMSG, is unencumbered open source software, available on GitHub.
Panel Debate
Topic: Cloud Data Storage Security and Threats
Panelists:
Henning Mortensen, DI ITEK
Henrik Lund Kramshøj, Solido Networks
Jesper Lund, IT-Politisk Forening
Poul-Henning Kamp
Paul Vixie, Farsight Security