Security Awareness: #conficker FTW! Rob Slade
TRANSCRIPT
Security Awareness:
#conficker FTW!
Rob Slade
http://en.wikipedia.org/wiki/Robert_Slade
http://www.victoria.tc.ca/techrev/rms.htm
http://www.infosecbc.org/links
http://www.linkedin.com/in/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
http://blog.isc2.org/isc2_blog/slade/index.html
http://www.facebook.com/profile.php?id=730092852
http://twitter.com/rslade
Or: Why Twitter Isn't the “Information Security Management Handbook”
Wrong slides!
• Digital Pearl Harbour, cyber-Katrina, e-911
• Estonia
• Evil Chinese Hackers & GhostNet
• Russian cyber-pranks
• Vendor quotes
• BBC botnet rentals
• Kyrgyzstan
• e-Palestine
• NSA/CIA/DIA
• http://neteffect.foreignpolicy.com/posts/2009/04/11/writing_the_scariest_article_about_cyberwarfare_in_10_easy_steps
What is Conficker?
• End of the world as we know it
• End of the Internet as we know it
• Hoax
• Virus/worm/botnet
• Media hype
What is Conficker?
• Real
• aka Downadup, Kido
– at least five variants now
• functions/activity vary
• f-secure.com has accurate tech details
What is Conficker?
• Worm – MS08-067 exploit
– blocks update.microsoft.com
• blocks other AV and info sites in later versions
• Worm – weak passwords
• Virus – autorun exploit
• http://blog.isc2.org/isc2_blog/2008/12/autorun.html
– also net shares
What is Conficker?
• Update capability
– P2P
– “random” domains
Conficker.C
• Increased random domains from 250 to 50,000
– after April 1st
• date verification on major sites
Conficker.C
• Risk increase?
– means of update only
• already had P2P
– random domains not useful
– effect minimal
• But not to the media!
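The two Conficker.C slides above describe a date-driven rendezvous-domain scheme (the bot and its operator both derive the day's candidate domains, and the bot checks the date against major web sites instead of trusting the local clock) and argue that going from 250 to 50,000 domains per day changes little for the bot. The following is an added illustration, not code from the slides and not Conficker's actual algorithm: a generic date-seeded domain generator with a made-up seed, TLD list and label lengths, a Date-header parser run over a constructed HTTP response, and a count of what a sinkholing defender would have to pre-register. It shows the asymmetry the slides point at: the bot's cost is one hash per candidate, while the defender's registration burden scales with the daily count.

```python
"""Date-seeded rendezvous-domain generation, as a model of the scheme the
slides describe. Added example: generic DGA logic with hypothetical constants,
not Conficker's code, seed, TLDs or domain counts."""
import hashlib
from email.utils import parsedate_to_datetime

# Hypothetical constants for the illustration only.
SEED = b"example-seed"
TLDS = ("com", "net", "org", "info")


def parse_http_date(raw_response):
    """Recover the calendar date from the Date header of a raw HTTP response.

    Models "date verification on major sites": the bot takes the day from a
    well-known web server's clock rather than from the (easily altered) local
    system clock, so everyone derives the same day's domain list.
    """
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip()).date()
    raise ValueError("response carries no Date header")


def generate_domains(day, count):
    """Produce `count` pseudo-random domains for `day`, reproducibly.

    Operator and bot both run this; the operator registers one or a few of the
    day's names, the bot walks the list until one of them answers. Index i of
    the list depends only on (seed, day, i), so a longer list is a superset of
    a shorter one for the same day.
    """
    domains = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                              # 8..12 chars
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def defender_registrations(per_day, days):
    """Domains a sinkholing effort must pre-register to cover `days` days."""
    return per_day * days


def bot_reaches_operator(day, count, registered):
    """True if any of the day's generated domains is one the operator holds."""
    return any(d in registered for d in generate_domains(day, count))


# Constructed sample response, standing in for a major site's front page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 Apr 2009 12:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    today = parse_http_date(SAMPLE_RESPONSE)
    small = generate_domains(today, 250)
    large = generate_domains(today, 50_000)
    print(today, small[:3])
    print("defender, 250/day for a week:   ", defender_registrations(250, 7))
    print("defender, 50,000/day for a week:", defender_registrations(50_000, 7))
    # The operator registers a single name from the day's list; the bot finds it.
    print("bot reaches operator:", bot_reaches_operator(today, 50_000, {large[12345]}))
```

The bot's work is the same one hash per candidate whether the list holds 250 or 50,000 entries, and it stops at the first name that resolves; a defender who wants to pre-empt every rendezvous has to register or sinkhole the entire list for every day in advance, which is the part that grows 200-fold. That is why the larger list is a nuisance for registrars and the working groups rather than a new capability for the worm, which already had P2P as an update channel.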
Twitter
• Popular
• Available (maybe)
• Up-to-the-minute
• Unmoderated
• Searching/trending
– March 31st, 2009, ~8:30 pm PDT, “#conficker” #2 search term
• (“American Idol” #1)
Wikipedia
• http://en.wikipedia.org/wiki/Computer_virus
• “This article may contain original research or unverified claims.”
• virus ≠ malware, virus = malware, virus ≠ malware
• some useful, some misleading, some erroneous
• how do you tell?
Duplication
• “Me too!”
• Retweeting (RT)
• Redirectors and URL shortening
• Voting no guarantee of quality, utility, accuracy
Reaction?
How to protect yourself?
• “So much to know!”
– Gloria J. Slade, 20090413
• [said in a tone of despair]
• Security awareness training
– 80% of problems involve your employees
– less than 30% of companies plan/use training
What to know?
• Risk management
– What is highest risk?
– 2005-6 FBI survey shows malware highest category of cybercrime
• Based on financial loss
• Malware not studied
– last decent book 2005
– general security texts cover poorly