Security Awareness: #conficker FTW! Rob Slade

Security Security Awareness: Awareness:

#conficker FTW!#conficker FTW!Rob SladeRob Slade

http://en.wikipedia.org/wiki/Robert_Sladehttp://en.wikipedia.org/wiki/Robert_Slade

http://www.victoria.tc.ca/techrev/rms.htmhttp://www.victoria.tc.ca/techrev/rms.htm

http://www.infosecbc.org/linkshttp://www.infosecbc.org/links

http://www.linkedin.com/in/rsladehttp://www.linkedin.com/in/rslade

http://blogs.securiteam.com/index.php/archives/author/p1/http://blogs.securiteam.com/index.php/archives/author/p1/

http://blog.isc2.org/isc2_blog/slade/index.htmlhttp://blog.isc2.org/isc2_blog/slade/index.html

http://www.facebook.com/profile.php?id=730092852

http://twitter.com/rsladehttp://twitter.com/rslade

Or: Or: Why Twitter Isn't the Why Twitter Isn't the “Information Security “Information Security

Management Management Handbook”Handbook”

Wrong slides!Wrong slides!• Digital Pearl Harbour, cyber-Katrina, Digital Pearl Harbour, cyber-Katrina,

e-911e-911• EstoniaEstonia• Evil Chinese Hackers & GhostNetEvil Chinese Hackers & GhostNet• Russian cyber-pranksRussian cyber-pranks• Vendor quotesVendor quotes• BBC botnet rentalsBBC botnet rentals• KyrgyzstanKyrgyzstan• e-Palestinee-Palestine• NSA/CIA/DIANSA/CIA/DIA• http://neteffect.foreignpolicy.com/posts/2009/04/11/http://neteffect.foreignpolicy.com/posts/2009/04/11/

writing_the_scariest_article_about_cyberwarfare_in_10_easy_stepswriting_the_scariest_article_about_cyberwarfare_in_10_easy_steps

What is Conficker?What is Conficker?

What is Conficker?What is Conficker?• End of the world as we know itEnd of the world as we know it• End of the Internet as we know itEnd of the Internet as we know it• HoaxHoax• Virus/worm/botnetVirus/worm/botnet• Media hypeMedia hype


• RealReal• aka Downadup, Kiboaka Downadup, Kibo

– at least five variants nowat least five variants now• functions/activity varyfunctions/activity vary• f-secure.com has accurate tech detailsf-secure.com has accurate tech details


• Worm – MS08-067 exploitWorm – MS08-067 exploit– blocks update.microsoft.comblocks update.microsoft.com

• blocks other AV and info sites in later blocks other AV and info sites in later versionsversions

• Worm – weak passwordsWorm – weak passwords• Virus – autorun exploitVirus – autorun exploit

• http://blog.isc2.org/isc2_blog/2008/12/http://blog.isc2.org/isc2_blog/2008/12/autorun.htmlautorun.html

– also net sharesalso net shares


• Update capabilityUpdate capability– P2P P2P – ““random” domainsrandom” domains

Conficker.CConficker.C

• Increased random domains from 250 Increased random domains from 250 to 50,000to 50,000– after April 1after April 1stst

•date verification on major sitesdate verification on major sites

Conficker.CConficker.C

• Risk increase?Risk increase?– means of update onlymeans of update only

•already had P2Palready had P2P– random domains not usefulrandom domains not useful– effect minimaleffect minimal

• But not to the media!But not to the media!

TwitterTwitter• PopularPopular• Available (maybe)Available (maybe)• Up-to-the-minuteUp-to-the-minute• UnmoderatedUnmoderated• Searching/trendingSearching/trending

– March 31March 31stst, 2009, ~8:30 pm PDT, , 2009, ~8:30 pm PDT, “#conficker” #2 search term“#conficker” #2 search term• (“American Idol” #1)(“American Idol” #1)

WikipediaWikipedia

• http://en.wikipedia.org/wiki/Computehttp://en.wikipedia.org/wiki/Computer_virusr_virus

• ““This article may contain This article may contain original researchoriginal research or or unverified claims.”unverified claims.”

• virus virus ≠≠ malware, virus = malware, virus malware, virus = malware, virus ≠≠ malwaremalware

• some useful, some misleading, some some useful, some misleading, some erroneouserroneous

• how do you tell?how do you tell?

Duplications

DuplicationDuplication

• ““Me too!”Me too!”• Retweeting (RT)Retweeting (RT)• Redirectors and URL shorteningRedirectors and URL shortening• Voting no guarantee of quality, utility, Voting no guarantee of quality, utility,

accuracyaccuracy

Reaction?Reaction?

How to protect yourself?How to protect yourself?

• ““So much to know!”So much to know!”– Gloria J. Slade, 20090413Gloria J. Slade, 20090413

• [said in a tone of despair][said in a tone of despair]

• Security awareness trainingSecurity awareness training– 80% of problems involve your employees80% of problems involve your employees– less than 30% of companies plan/use less than 30% of companies plan/use

trainingtraining

What to know?What to know?

• Risk managementRisk management– What is highest risk?What is highest risk?– 2005-6 FBI survey shows malware 2005-6 FBI survey shows malware

highest category of cybercrimehighest category of cybercrime• Based on financial lossBased on financial loss

• Malware not studiedMalware not studied– last decent book 2005last decent book 2005– general security texts cover poorlygeneral security texts cover poorly

Security Security Awareness: Awareness:

#conficker FTW!#conficker FTW!Rob SladeRob Slade

http://en.wikipedia.org/wiki/Robert_Sladehttp://en.wikipedia.org/wiki/Robert_Slade

http://www.victoria.tc.ca/techrev/rms.htmhttp://www.victoria.tc.ca/techrev/rms.htm

http://www.infosecbc.org/linkshttp://www.infosecbc.org/links

http://www.linkedin.com/in/rsladehttp://www.linkedin.com/in/rslade

http://blogs.securiteam.com/index.php/archives/author/p1/http://blogs.securiteam.com/index.php/archives/author/p1/

http://blog.isc2.org/isc2_blog/slade/index.htmlhttp://blog.isc2.org/isc2_blog/slade/index.html

http://www.facebook.com/profile.php?id=730092852

http://twitter.com/rsladehttp://twitter.com/rslade

Security Awareness: #conficker FTW! Rob Slade

Documents

conficker ftw

rob sladehttp

update onlyalready

exploitblocks update

highest risk

virus malwaresome useful

cincreased random domains

risk managementwhat