length 00:22:04

FB, twitter, South Korean, Aussie gov website <- SoS
pseudo sponsored political attacks.

Aussie gov D0S'd by group that does not like government decision to filter the Internet
- there was an IRC channel for 12hours
there was a count down, but the coordination fall apart
because they didnt know with time zone was used, even when they had a count down.
the after clearing the timing issue they could not agree on the target
they actually managed only to knock down 3 websites
they had created the tools, they had created a wiki, but all fall a part on the coordination.

the one that really works are the one under the radar & well organized - there were too many cooks in the kitchen.

OR there is a reason why people use bots <- no worries about coordination

Pro-Giorgian blogger, his twitter got blasted. They just targeted 1 guy account causing twitter DoS.
They tried to know his FB, but FB didnt go down
Plus, spam his email.
we see little piece of message hidden in the malware....

New version of mac protection is available.

length 00:09:46

short & sweet
5 bulletins
8 vulnerabilities all critical

most critical:
MS09-048: vulnerability in TCP/IP
could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service.

MS09-049: wireless LAN autoconfig <- no user interaction

MS09-047: vulnerabilities in Windows Media Format , malicious MP3 for example.

2 more web-based:

MS09-045: vulnerability in the JScript scripting engine that could allow remote code execution if a user opened a specially crafted file or visited a specially crafted Web site and invoked a malformed script.

MS09-046: vulnerability in the DHTML Editing Component ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page.

length 00:11:09

9 bulletins <- 5 critical/remote code exec
19 vulnerabilities

most critical: (via web/very critical because of ease to exploit):

MS09-037: same as MS09-035 - vulnerabilities in Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website.
ATL library issue applicable to Adobe products & other vendors.
Affecting commercial product and home grown SW (web pluggin)

MS09-038: vulnerabilities in Windows Media file processing.

MS09-039:vulnerabilities in the Windows Internet Name Service (WINS). Either vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service.
WINS b0f, remote desktop , ASP Net DoS
workstation memory corruption <- privilege escalation
messaging service <- privilege escalation

MS09-043: vulnerabilities in Microsoft Office Web Components that could allow remote code execution if a user viewed a specially crafted Web page. in the wild.

MS09-045: vulnerability in the JScript scripting engine that could allow remote code execution if a user opened a specially crafted file or visited a specially crafted Web site and invoked a malformed script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


HIPS will help patching manageable
the bulk of today: ATL  & web component
we had out of bad releases MS09-034 & MS09-35 <-updated today.

length 00:07:24

the zero patch Tuesday

compare the last 2 months is is fairly light
6 bulletins
9 vulnerabilities, including the activeX killbit

most critical:
1. MS09-028: MS Directshow 3 CVEs 2009-1537: directX null byte vulnerability
specially crafted quicktime <- very easy to exploit
2. MS09-032: vulnerability in Microsoft Video ActiveX Control killbit update on IE <-exploited in the wild
3. MS09-029: opentype overflow
exploitable via webpage, remote code exploit: CVE 2009-0231, CVE 2009-0232

the rest are important:
- RSA server
- publish
- virtual PC < privilege excalation

lenght 00:23:21

how user's malaise or lack of malaise quantifiable?

One way to check it it: during login: prompt a security related challenged question randomly.
User has to answer 10 questions correctly before they can login.
Then check if it is getting faster or longer for the average user to login.

At the end of the day it is the user who put the network at risk.

Once you got the metric is it really difficult to get the message to the CxO.

latest trends:
1. Application white listing
similar to PCI
McAfee acquired SolidCore.
the world of bad stuff is HUGE and it is growing
BUT the number of known good is relatively small
idea: blended solution <- white listing that blending 2. File integrity monitoring monitors file system, registry, directory tree. preventing changes in real time white listing and file integrity is nothing new, but finally folds realize: all these stuff that people had been screaming may be it was a good idea <- full blown product. is it amazing how long it takes before people realize that 10 ago people were saying the same thing: TCP wrappers, tripwire, pgp... in the future we will be able to make a better quantitative metric compare to qualitative. big part of SOX: cyber control government is getting more and more involved -> there will be more regulation

at the time time cyber crime will adapt to new regulation

risk management role:
- make things as much automated as possible
- killing the 80/20

but 1% left will be the professions malware write getting more sophisticated and more esoteric

risk and compliance: is all about auditing.
-> if you do it properly you can do it once and reporting many many times
-> the effort will be reduced

solidcore: when product and technology works out of the box.

00:20:53

With Stuart McClure Part 1/2
Policy compliance -> risk metric -> reporting of risk management start with vulnerability management - > security risk management -> eventually policy & compliance management.

Vulnerability management: looking at the design flaws of SW & HW, looking for policy that will prevent those vulnerabilities to be exploited even if the vulnerabilities exist.
Risk management: combine vulnerability management with risk management (identification, assessment, and prioritization of risks)

A head of time finding policies -> good computer hygiene practice & guidelines

If there is a critical vulnerability of a critical system, patch immediately or mitigate immediately
Need to know which assets/systems matter most.

Match the countermeasure vulnerability with the criticality
It has to be good timing
Not enough enterprise really understand the importance … It’s depressing, especially bigger enterprise.
Most enterprise have no clue what asset is most critical to them
Got to do tangible to them: “what happen if they loose A, B, C…”

Disaster recovery: if our network goes down what it means to us?
Availability - Confidentiality -

Noways many policies that requires accountability and reporting.
Top 2 ways that drive policy:
1. To be attacked
2. Having compliance mandate
Such HIPAA: I’m going to have jail time or lose my job if I don’t do this…

CardSystems: went bankrupt at the same year that they got hacked.

Sometime to people say malaise that is the most difficult thing to deal.
If you just do 2 things:
1. Do not click link that you don’t trust
2. Do not open attachment
You’ll eliminate 80% of the problem.
IF YOU CANT TRAIN USERS – SECURITY PRODUCT CANNOT HELP

this is a cool stuff

drive-by download analyzer to find the malware object faster

http://www.kahusecurity.com/2014/pinpoint-tool-released/


<snip>

<snip> 

It's great that there are security researchers like darryl making this this world more secure. kudos.

bad enough some search result point to driveby... this is terrible

The Cryptographers' Panel - Ari Juels - RSA Conference US 2013