
Infrastructure Security Abstracts

The New Frontier for Zeus and SpyEye

We will discuss the most recent adaptations used by cybercriminals when deploying variations of Zeus & SpyEye. These malware families are no longer targeting only large banks. There has been a dramatic shift in the type of targets fraudsters are going after as credit unions, community, and regional banks have come under the recent focus of Zeus & SpyEye.

Ryan conducted research into many different versions of Zeus & SpyEye over a period of six months to answer several key questions:

- What are the targets that Zeus & SpyEye primarily focus on now?
- What is the exact process that these criminal operations follow to extract funds from victim accounts? How do they remain hidden?
- What kind of forensics evidence is available to detect their presence from a log collection standpoint?

Ryan Sherstobitoff is an independent security researcher. He formerly was the Chief Corporate Evangelist at Panda Security, where he managed the US strategic response for new and emerging threats. Ryan is widely recognized as a security & cloud computing expert throughout the country. He can be contacted at sherstobitoff52@gmail.com.

 

Red Team Tales - Pwning People for Ultimate Access

Information Security Consultant Steve Stasiukonis will explain some new ways to deceive your way into an organization’s facility and network. The presentation will explain some recent projects that leveraged the use of unconventional tactics using people, processes, and technologies. Steve will share his real world experiences on how he and his company used these techniques to breach the networks of various companies.

Steve Stasiukonis is president and founder of Secure Network Technologies Inc. His background in information security began as co-founder of Network Audit Systems. In 1999, he sold the company to Armor Holdings (NYSE:AH) and served as Vice President of Technology Risk Management (TRM).  In 2001 Stasiukonis regained private ownership of TRM group, renaming the company Secure Network Technologies, Inc.  Secure Network Technologies, Inc. maintains its offices in New York, serving the banking and financial sectors with penetration testing and security assessments.  Steve also serves as a security expert and columnist for Information Week Magazine and Darkreading.com.

 

Hiding from Big Brother Using Distributed Steganography

Stegg0 is an application which provides plausible deniability of encrypted data. Stegg0 breaks a file into data blocks and encrypts each chunk of data prior to steganography to provide an extra layer of confidentiality. In addition, Stegg0 creates a cryptographic hash of the file and each binary chunk to ensure data integrity. Each Stegg0’ed image is then uploaded to a public web site to provide data availability using the DeStegg0 application. Stegg0 is a distributed steganography application which utilizes the defense-in-depth strategy to provide confidentiality, integrity, and availability of sensitive data.

In this presentation, we unveil a new proof-of-concept tool that combines the confidentiality of encryption, the integrity of message hashing, the availability of a distributed architecture, and the stealth of steganography into a single cohesive application. This new use of these mature technologies creates a secure environment for your data and easy retrieval, without the liability of keeping it on your personal system. This unique approach to data storage can help you keep the data you value the most from falling into the wrong hands.

The goal of this presentation is to get attendees thinking about the various issues with our current means of data protection and to show them a new way of securing their data utilizing a combination of encryption, message hashing, and steganography in a distributed architecture. Our proof-of-concept tool will show attendees that this is not a hypothetical use case, but one that can actually be put into practice to protect data in various forms.
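The Stegg0 pipeline described above, as an added illustration in Python (this is not the Stegg0 tool's own code): split the file into chunks, encrypt each chunk, hash each ciphertext chunk and the whole file, embed each chunk in a carrier, then reverse the process and reject any chunk or file whose hash does not match. Assumed, because the page does not specify them: an HMAC-SHA256 counter keystream stands in for the cipher, a flat byte array stands in for an image's pixel data, and the upload step is left out so the stego carriers are simply returned.

```python
import hashlib
import hmac

BLOCK = 4  # constructed: tiny chunk size so the example stays readable

def encrypt_chunk(key: bytes, index: int, chunk: bytes) -> bytes:
    # XOR with a keystream from HMAC-SHA256(key, index || counter), a counter-mode PRF
    # construction assumed here (the page does not name Stegg0's cipher); XOR also decrypts.
    stream = b"".join(hmac.new(key, index.to_bytes(4, "big") + c.to_bytes(4, "big"),
                               hashlib.sha256).digest() for c in range(len(chunk) // 32 + 1))
    return bytes(a ^ b for a, b in zip(chunk, stream))

def lsb_embed(carrier: bytes, payload: bytes) -> bytes:
    # Store payload bits in the least-significant bit of successive carrier bytes.
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)

def lsb_extract(stego: bytes, nbytes: int) -> bytes:
    # Read nbytes back out of the carrier's LSBs.
    bits = [b & 1 for b in stego[:nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, nbytes * 8, 8))

def stegg0_split(key: bytes, data: bytes, carriers: list) -> tuple:
    # Chunk, encrypt, hash, embed: one carrier per chunk plus a manifest of hashes.
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if len(carriers) < len(chunks):
        raise ValueError("need one carrier per chunk")
    manifest, images = {"file_sha256": hashlib.sha256(data).hexdigest(), "chunks": []}, []
    for idx, (chunk, carrier) in enumerate(zip(chunks, carriers)):
        ct = encrypt_chunk(key, idx, chunk)
        manifest["chunks"].append((len(ct), hashlib.sha256(ct).hexdigest()))
        images.append(lsb_embed(carrier, ct))
    return manifest, images

def destegg0_join(key: bytes, manifest: dict, images: list) -> bytes:
    # Extract each chunk, check its hash before decrypting, then check the whole file.
    data = b""
    for idx, (image, (n, digest)) in enumerate(zip(images, manifest["chunks"])):
        ct = lsb_extract(image, n)
        if hashlib.sha256(ct).hexdigest() != digest:
            raise ValueError(f"chunk {idx} failed its integrity check")
        data += encrypt_chunk(key, idx, ct)
    if hashlib.sha256(data).hexdigest() != manifest["file_sha256"]:
        raise ValueError("reassembled file failed its integrity check")
    return data
```

Because the per-chunk hashes cover ciphertext, a modified or substituted carrier is rejected before any decryption happens, and a wrong key is caught by the whole-file hash.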

Mr. Orlando Barrera II has worked in communications within the United States Army Signal Corps, 35th Signal Brigade, stationed at Fort Bragg, N.C. While completing his Bachelor of Science Degree he worked within the Computer Science Department at Texas State University. His previous positions also include working as a code monkey, software developer, and security researcher. He has presented at AHA and is an active member in the local OWASP chapter. His published vulnerabilities and exploits include CVE-2009-3371, CVE-2010-0160, and CVE-2010-4109.

Dark Reading:

http://www.darkreading.com/vulnerability-management/167901026/security/application-security/228300479/researchers-uncover-holes-in-webos-smartphones.html

 

Command-line Forensics using Backtrack

"Command-line Forensics using Backtrack" will step through the analysis of a forensic image using open-source tools included in the Backtrack distro. Command-line tools such as sleuthkit, file, fatback, and foremost will be highlighted in order to dissect the low-level activities that take place during a forensic exam.

This material is significant as a tutorial because commercial forensic tools can cost thousands of dollars and may not be affordable for an incident response toolkit or a fledgling forensics practice. However, much of the same data can be easily gleaned using the free open-source forensic tools included with Backtrack.

Rich Savacool is the Chief Security Officer for Nixon Peabody, LLP, a law firm based out of Rochester, N.Y. He has twenty years of experience in networking and systems security for both the commercial and government sectors. Rich holds numerous industry certifications including the CISSP, CEH, CCE, and GPEN, and has a Master’s degree in Computer Security and Information Assurance from Rochester Institute of Technology.

 

Covert Access: Rootkit Techniques and Defense

As defensive measures against malicious hackers grow, the toolsets they use continue to develop, becoming stealthier and more effective. One of the most effective tools for staying hidden and embedded in a system is the rootkit. With a rootkit, an attacker can covertly operate so deep inside a system that it is very difficult to detect and remove without wiping the machine clean. Even though the concept of rootkits is well known, very few actually understand how they operate.

‘Covert Access: Rootkit Techniques and Defense’ is designed to be an introduction to the inner workings of a rootkit and a discussion about techniques that can be used to detect and protect against these types of threats.

Gerry Brunelle is a System Security Engineer for Boeing in the Washington, D.C. area. He is also currently a candidate for an MS in Computer Security and Information Assurance from RIT and has a BS in Network and System Administration from RIT.

Gerry has participated on the red team for the Northeast Regional Collegiate Cyber Defense Competition and the Mid-Atlantic Regional Collegiate Cyber Defense Competition as well as the DoD Cyber Defense Exercise. He also designed and ran the first Capture the Flag for the Rochester Security Summit in 2009.

 

Anatomy of a Database Attack

Traditional perimeter network security is not sufficient on its own to defend against dynamic threats to applications already residing on enterprise systems and accessible over the Internet. Web-accessed databases are especially susceptible, partly because of the appeal of their lucrative repositories of customer and sales data, and partly because IP entry affords hackers a broader range of methods with which to invade and gain access to database information.

In this presentation, the speaker will describe some of the sophisticated methods used in invading enterprise databases.

The speaker will conclude by proposing essential steps IT managers can take to securely configure and maintain databases in order to avoid malicious breaches entirely.  Attendees will leave with a basic understanding of the most effective methods for protecting their data, which is really an enterprise’s most prized asset, from attackers today and in the future.

The session will provide guidelines and best practices on security and compliance in a variety of database systems including Oracle, Microsoft SQL Server, IBM DB2, and Sybase.

Richard Tsai is a senior product manager at Application Security, Inc., where he is responsible for the DbProtect™ product offering, the company’s industry-leading database security suite. Richard has been evangelizing database security and finding innovative solutions to the security, risk, and compliance challenges since the early 2000s. Richard has been a guest speaker at various IT security, IT audit, and digital forensics conferences.

Richard is a technology veteran who possesses a deep blend of security knowledge and practical business risk mitigation.  His perspective is shaped by his 15+ years of experience from developing database encryption and assessment solutions, consulting on EAI and B2B integration, and developing web solutions.  Richard has been a key strategic member at Application Security since its inception, occupying various leadership roles in the engineering, marketing, and strategic technology organizations.

Richard also enjoys tinkering with gadgets, cycling, basketball, and skiing.

Richard holds a BS in Computer Science from Binghamton University.

 

Don’t Bring a Knife to a Gun Fight: A Guide to Hacker Intelligence

Today’s security world is fraught with statistics on web vulnerabilities, yet lacks a clear analysis of actual exploited vulnerabilities. When security teams operate with limited budget, keeping an eye on the opponent rather than on the theory of the threat is necessary to maintain effective security. This talk will focus on real threats plaguing today’s practitioners and provide up-to-date statistics on actual attacks.

By analyzing this data we will provide answers to three important questions:

- What are the most commonly exploited vulnerabilities?
- What are the trending topics hackers are discussing?
- Where should practitioners focus their web security controls?

We will discuss each of these questions separately and provide data collected from:

- Imperva’s own honeypots which track and record live attack traffic
- Monitored discussions on hacker forums
- Analyzed hacker kits and changes to the evolving threatscape

Noa Bar Yosef is a senior security strategist at Imperva. In this role Noa researches and analyzes the trends in the threat landscape. She is a frequent contributor to different security magazines, comments on security-breaking news, and is regularly invited to speak at industry events. Currently, Noa writes a bi-weekly column on hacker trends and techniques for SecurityWeek.  Previously, she held the position of a senior security researcher for Imperva’s Application Defense Center. While at the ADC, Noa conducted research on database and Web application vulnerabilities. She holds a MSc degree (specializing in information security) from Tel-Aviv University.

 

VLAN Hopping and Secure Networks

Many networks use 802.1Q VLANs as a method of network segmentation. While very effective in logically separating the collision domains of various departments or customers, much care needs to be taken if 802.1Q VLANs are used as a security control. Various vulnerabilities exist within the 802.1Q protocol and the Ethernet switches that use it. These vulnerabilities can lead to exploits generally known as "VLAN Hopping". VLAN Hopping allows an attacker to send Ethernet frames to a target directly through the Layer-2 switching fabric, bypassing the desired VLAN segmentation and Layer-3 controls such as firewalls.

We will explore methods by which VLAN Hopping is accomplished, and some countermeasures that the Network Administrator can employ to help protect against it.

Kevin Wilkins is Chief Technology Officer for iSecure, LLC and is a Certified Information Systems Security Professional. Kevin has more than ten years’ industry experience in system and network engineering and platform management.

After coursework at Rochester Institute of Technology, Kevin’s professional experience includes ISP and VOIP operations.  In the last few years, a focus on information security has brought his experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.

 

 

Android Platform Security 

The most widely purchased operating system in the smart phone market with a 52% share, as well as a 33% share in the tablet market, Google’s Android OS puts power and control in the hands of everyday users.  This requires a new level of mobile responsibility from both users and developers.

This talk discusses the Android OS and the design decisions that affect the overall security posture of the devices that people use every day. I'll include a breakdown of the security features of Android that some developers aren't using, cutting edge tools that you can use to analyze the operating system and its apps, and give an example analysis of apps that are out there that aren't being developed with security in mind.

Hopefully you'll come away with a better understanding of the securability of Android and some skills to help you start hacking yourself.

Mark Manning is a security consultant working at Intrepidus Group, a mobile security penetration testing company. He performs mobile application and device testing with expertise in the Android operating system. An RIT grad, Mark is also the organizer of the Rochester 2600, a member of DC585, and one of the founding members of the local hackerspace, Interlock Rochester. He has presented material on various security subjects in the Rochester area as well as the Security BSides Conference in Las Vegas. 

 

Visualizing APT: Analyzing the Zeus Attack against Government and Military

The flood of raw data generated by intrusion detection systems (IDS) is often overwhelming for security specialists, and telltale signs of intrusion are sometimes overlooked in all the noise. Security visualization provides an easy, intuitive means for sorting through the dizzying data and spotting patterns that might indicate intrusion. The methods described lend to identifying malicious actors in advanced persistent threat (APT) scenarios. We'll focus on specific tools and methodologies to aid you in establishing security data visualization practices in your environment.

Russ McRee is a senior security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. His predominant focuses are incident response and web application security; he does both as team leader of Microsoft Online Service’s Security Incident Management team.

Russ speaks and writes frequently regarding Infosec topics, including ‘toolsmith’, a monthly column for the ISSA Journal. IBM's ISS X-Force cited him as the 6th-ranked top vulnerability discoverer of 2009.

 

Ralph Durkee is the principal security consultant and President of Durkee Consulting, Inc. since 1996. Ralph founded the OWASP Rochester, N.Y. Chapter in 2004 and currently serves as a member of the OWASP Global Conferences Committee. Ralph also serves as President of the Rochester ISSA Chapter and chairs the annual Rochester Security Summit. He performs a variety of security audits, software security assessments, and software development consultations for clients in the Rochester, N.Y. area. His expertise in penetration testing, incident handling, secure software development, and secure Internet and web applications is based on over 30 years of both hands-on and technical training experience. He has developed and taught a wide variety of professional security seminars including custom web application security training, SANS SEC401 & SEC504 - Hacker Techniques and Incident Handling, and CISSP bootcamp courses since 2004. Ralph regularly consults on the development and implementation of a wide variety of security standards such as web application security, database encryption, Windows and Linux security, as well as compliance with the Payment Card Industry Data Security Standard.

Ralph Durkee holds CISSP, GSEC, GCIH, GSNA, GCIA, and GPEN certifications.