Saturday, November 24, 2012

IRISSCON 2012

Click on images for larger versions

It's that time of year again. This year's IRISS Cybercrime Conference took place in the same venue as last year, The Berkely Court Hotel, now known as the Clyde Court, in Dublin 4. You can get the programme and speaker bios at the link above, so I'm not going to repeat them below. As of 3/12/12 you can also access most of the presentations through the above link.


As with last year's conference, there was an impressive array of speakers at the main session which, again, was very well attended, despite a mandatory fee this year replacing last year's voluntry contribution. As you will gather from the picture above, I turned up very early.

Next door to the main room was the traditional hacking competition which went on right through the day in parallel with the main sessions. More on this later. But, for now, back to the beginning in the main room.


Brian Honan, of IRISS, welcomed the attendees for an early morning start to a packed day. Brian is the lynchpin of the event and he is helped by an enthusiastic band of volunteers. The rising reputation of the event is such that it can attract top notch practitioner speakers from abroad as well as the support of those at home.

Presentations are authoratative, crisp and always delivered within the time allotted.


Brian (left) and Gordon Smith, the IT journalist who comperes the day, also tweet their way through the sessions as do many in the audience. Check out the conference hashtag.

I reported in extenso on last year's conference, which was my first. This year I intend just hitting what for me were the highlights and, where available, I'll link to presentations or commentary.


The most emotionally challenging session promised to be Michael Moran's Tackling Online Crimes against Children. And so it proved. Michael's down to earth and friendly manner of presentation took not one whit from the viciousness of his subject matter. He came with a health warning: if you thought what was coming might be too much for you to bear, you were quite in order to take a pinkelpause at this juncture. Nobody would think the worse of you.

I'll wager there was more than myself with a tear running down their cheek at the end of the presentation.

Michael had circulated a link to the NYT in advance of the conference. This was to a piece by an employment agony aunt, responding to an employee who wondered what they should do after finding inappropriate images of children on their boss's computer. The advice, after much tossing and turning, was to do nothing.


I couldn't believe it. And I was all fired up to see how this advance piece of homework could be defended by the speaker on the day. Thankfully, it was made perfectly clear, in a quiet steely voice, that this was precisely what not to do. Further damage to children was what was at stake here and any self respecting and concerned person was under a moral, and possibly legal, obligation to report their findings to their national abuse enforcement centre.

And the audience was left in no doubt that they were at the head of the queue of those relied on to shine the light on this stuff, wherever it emerged.

One of the hard bits was Michael's emphasis on the prevalence of "pre-speech" as opposed to "pre-pubescent" material. This sickening feature underlined his central contention that what we are dealing with is not just pornography; it is not pornography at all; it is child abuse.

Somewhere in the middle of all this emotional turmoil, we also heard stories of hard slog traditional detective work: images where backgrounds were analysed for the locations of rocks or trees; common backgrounds which identified serial abusers, and so on.

It's just as well the session lasted only half an hour. It was tough going even at that. All credit to Michael for a magnificent if disturbing presentation.


It then fell to Gordon to provide the link in to the next speaker: Neira Jones, who would talk on Incident Response and the Social Media.


While Brian was linking up the hardware, I was fleetingly thinking of Brigitte Bardot, and then we launched into a very tight and structured presentation which demanded all my attention.

Neira took the audience through the various stages of responding to a security breach. The key was to have at least a web page template prepared in advance, and, when a breach occurred, to feed in as much information as possible about the breach. Then the various social media could be used to direct people to the web page. That way the company stayed in control and stood a reasonable chance of maintaining the trust of its customers.

Otherwise the public will be directed by Google to other sources of information and speculation and the company will be on the back foot responding to its irate customers.

The company should always be up front with information on the latest developments and give a full frontal apology. It's not enough to blame the mess on someone else, such as a firm to which you have outsourced your security or your processing.

Neira took the example of the theft of some millions of passwords last June where LinkdIn's response was tardy, incomplete, and self-serving. They had lost the plot from the outset.

While I was listening to this I was wondering why she had not based her example on the recent appalling reaction of Ulster Bank (a rival of Neira's own Barclays) to its problems which caused huge hardship to a whack of its customers. It then struck me that the Ulster thing was a monsterous cock-up rather than a breach of security. However, all of her advice, in terms of response, was equally relevant to the Ulster case. This is an infographic presentation of that advice.


The keynote speaker at the conference was Marcus J Ranum, who has been a leader in the cyber security area for the last 30 years. He was speaking on Cyberwar in the Era of Stuxnet. His interest in the area embraces the wider politics as well as the technicalities of cyberwar. He took as his text the Geneva Convention and its relevance in today's cyber environment. He examined how it is being breached daily by the major powers, with particular reference to his own country, the USA.

He pointed out that the Convention did not refer to war as such, only to conflict, and participants in a conflict had rights. He trashed the conceit of the Bush administration in attempting to get round the Convention by defining "alleged terrorists" as a new class of "enemy combatants" and thereby enabling the administration to detain civilians indefinitely without trial.

The Convention was clear in its prohibition of the targetting of civilian installations. But this was being done all the time. And even where military installations were being targetted, shared bandwidth could mean that the functioning of civilian facilities, such as hospitals, was put at risk.

He drew attention to the anomaly of Hilary Clinton's call for China to be punished for mounting cyber attacks on USA assets, while, at the same time, the USA was releasing Stuxnet into cyberspace in an attempt to sabotage Iranian civil facilities. It was quite clear he considered that the Convention would view this as a war crime.



Gavin O'Gorman took us on a trip Investigating Law Enforcement themed Ransomeware. This stuff is usually picked up off porn sites. Your computer freezes and you can't access its contents, but you get a very official message which includes, in the Irish case, the Garda logo. This tells you that you have been a bad boy and you will have to pay to have your computer freed up.

The perpetrators have ingenious and safe ways of getting hold of your money and in almost all cases, even after paying up, your computer remains frozen. Welcome to the big bad world of cybercrime.


In what may turn out to be one of the most relevant presentations to the Conference, Mathieu Gorge warned that security in the Irish cyber infrastructure was not up to scratch and a successful attack could lead to a loss of credibility in the sector with many of the current multinationals moving out. This is not alarmism. Mathieu's credentials are impeccable. He has an international reputation and, for the last number of years, through Infosecurity Ireland (ISI), he has been attempting to promote interaction and cooperation across the sector to develop Ireland as a centre of excellence in information security. In my view there are serious lessons to be learned here from the recent collapse of the Irish financial sector and it is getting very late in the day.


A major benefit of the Conference is the intensive networking that goes on during the coffee and lunchtime breaks. And afterwards in the bar, it must be said. People, including the most sought after, are very accessible. Even a non-professional like me could manage a long and animated conversation with Marcus Ranum, with a piece of video footage thrown in. I say thrown in because the sound quality in particular is pretty shit. I should have got him into the abandoned main room with a bit of quiet. Anyway, I'm linking to it just to prove I'm not spinning a yarn.



Meanwhile, next door in ROOM 101,the hackers were hard at work. This year's challenge was world domination. A number of servers represented countries around the world, and the objective was for each team to see how many servers they could capture while also defending those already captured. Points were given for each minute's possession of a server.


The results were even more dramatic than an Ireland/Fiji rugby scoreboard - 513:10.


And the winners (above) took the trophy for the fourth successive year.


A subsidiary challenge was to turn of the Zombie's mobile phone without touching it. A vulnerability had to be identified and exploited. As it turned out there was a three way tie in this one as the phone took a while to turn off and three teams hit the target during this critical period. The problem was solved with a conventional cyber-runoff.


There is a serious purpose to all this fancyful stuff. The goal of the Cyber Security Challenge is to identify Ireland's top cyber security experts. Teams compete against each other in a controlled environment to determine which one will be the first to exploit weaknesses in a number of systems and declare victory. Competitors see how attackers could gain access to their systems and how to prevent such attacks from impacting their network.

And, as Brian remarked, if you hire any of the successful competitors, you get what it says on the tin and bucketfulls more besides.


The challenge was run by The Honeynet Chapter and they got great feedback on the day.


I attended on behalf of
.

No comments: