Aucert 2007 Update

Published: 2007-05-21
Last Updated: 2007-05-21 21:38:14 UTC
by Mark Hofman (Version: 1)
0 comment(s)
Johannes, Marc and I are currently at the Auscert Conference on the Gold Coast in Queensland Australia. It brings together a number of speakers from all over the world and is attended by over 1100 delegates.  I'll be summarizing some of the information here.  Both Johannes and Marc had their presentations today, both of which were very well attended and received.

The keynote today was delivered by Ivan Krstić (One Laptop Per Child).  Ivan's presentation was thought provoking for many of the attendees.  One of the ideas he presented is that the security industry as a whole has failed our users.  We are asking people to make decisions that they really should not have to make.  For example the bad certificate warning that we are all familiar with.  The majority of users will click yes or OK because that makes things work.  One of the problems is, Ivan suggests, that we are living with a concept from 1971,  user based permissions.  "Why do programs have to run with the permissions of the user?" he asked us.  Programs typically do not need the same permissions, for example mine sweeper does not need to download files, calc does not need to save files.  

Another thought he presented was that in the security industry we don't look enough into the past.  Better models than the user permissions model were available as far back as 1959.  When scientists need answers they often look into the past to see what has gone before.  In security it seems that everything is a new idea, even though it has been done before.  For example virtualisation, a hot concept, but to ex-mainframe people like myself it is certainly not new concept.  It has been around for years, and is done well.

Ivan also talked about one of the solutions they developed (bitfrost) to have a system that can run any code, malicious or not, that will not damage the underlying system, basically using virtualisation for each piece of code, essentially a sandpit for each program.  An interesting talk and a good start to the day.

Toxbot Takedown
Scott McIntyre (FIRST, KPN-CERT, XS4ALL) presented on the Toxbot takedown.  An entertaining presentation where he not only demonstrated his aptitude in Australian, but also showed us some home truths regarding the size and complexity of this botnet.  Toxbot received quite a lot of press with a large number of bots and the perpetrators eventually ending up with jail sentences and fines.   The presentation went into some of the numbers of machines infected, which BTW is very high, as well as information on the number of machines that are still infected today.  He discussed the large number of variations and how new exploits were tagged on to the malware as they became available.   Scott also went into  PHP attacks seen and how botnets use both legit IRC services as well as setting up their own C&Cs.  He also suggested that many ISPs can do  a lot better in the incident handling and security space, which makes commercial sense for them as customers increasingly ask for this.  

Exploits, rootkits, bootkits, fruitkits!
Paul Ducklin (Sophos) showed people some static malware analysis tricks and pulled apart the ANI exploit.  Explaining that a number of exploits that we see are often because IE will blindly execute things that it "trusts".

More tomorrow.

0 comment(s)


Diary Archives