Just this past Sunday I had the pleasure of attending the 4th annual BSides conference in Toronto. It was a perfect day for a conference - the weather was warm, wet, and just dingy enough that we would happily sit inside a dark lecture room without a twinge of regret. So grateful was I for the padded seats, I couldn't complain that the venue wasn't licensed for drink, on a Sunday at 9am.
Ben Hughes kicked the day off with his talk "How you actually get hacked." We were encouraged to keep our threat models based on reality, not on TV. Are we good at evaluating risk? Ben reminds us that the NSA should probably not be in our threat model (unless we are google), ditto for the nation state attackers. Though my thoughts are that you probably want to keep the nation states in the threat model if you are a major utility company, a hosting provider for the electronic health record, or the operator of a major subway network. However, point taken, most of us don't need to be concerned about being attacked by Russia, I mean China, hold on, Russia.
Next Boris Rudakov appealed to our inner Batman - using bad for good we learned how the Rootkit feature that can "hide my docs" can be used to evade ransomware itself. Boris provided a nice demonstration and explanation for how to hide the Documents folder by loading the rootkit as a driver at boot time and defeating the kernel functions commonly used by ransomware for crawling the file directories. I'm interested to hear more about if we could, in future, be using this file hiding technique, together with randomly generated locations determined at system start-up, and white-listing applications to avoid ransomware and other malware.
Rounding off the morning Mahesh Tripunitara enlightened us on the Android approach to privilege management using capabilities instead of setuid permissions. He presented the setuid approach in Unix and its risks, even considering the addition of fixed capabilities. He demonstrated how Android permissions groups and confusing naming conventions are not a huge improvement over the setuid approach. And even with fine-grained privilege management, users really ultimately have only two choices: accept all privileges requested, or risk that your Android app won't work.
In the afternoon, Adam Greenhill and Christina Kang presented their group research project (members also included: Desiree McCarthy, and Peter Chmura, not presenting) with a very catchy name "Decryptonite." We saw how this team, with limited time and resources, were able to quickly learn Windows internals and analyze over 80 unique families of malware to write an application capable of heuristic detection of Ransomware. Decryptonite looks at file I/O operations and kills processes running with unusually high writes/second or encryption behaviours. To learn more about Decryptonite, check out the open source project on github https://github.com/DecryptoniteTeam/Decryptonite
Judy Nowak presented her ideas for what is needed to integrate security incident reporting in an IT Ticketing system. Through her research we were shown how many IT ticketing systems are incompatible with the fields needed to track security incidents. She also had us consider some of the complexities involved, such as exposing sensitive security information to IT helpdesk, transferring tickets that are erroneously categorized, and the need to track the actual incident date vs incident reported date. Spreadsheets are a start, but I'm thinking that these would not provide the immutability needed for a medium to large enterprises. It was noted by a member of the audience that BMC Remedy has these features available, but if your IT ticketing system does not provide the fields you need to track security incidents, then this talk should serve for you to be a call to action - make request for improvement with your ticketing system provider, and make the world of security incident reporting and tracking a better place.
The last formal presentation was provided by the good folks from Telus ( "the future is friendly" tm) - Milind Bhargava and Peter Desfigies. They presented their research results on the Canadian Darknet. This is not, as I imagined, an outlet for the sale of blackmarket goods in exchange for maple syrup. The Canadian Darknet allows for the sale of Canadian identities and other illegal or shady items, for currencies, sometime digital like bitcoin, or paid for by other stolen goods such as PayPal accounts or gift cards. Is that kijiji advertisement by the 26 year old single female looking for someone to show her how to use the Darknet a legitimate request, or police entrapment? I leave it for you to decide.
Thanks to everyone who presented, including those that I didn't cover in my review. You all gave me something valuable to think about. And the conference organizers for providing an awesome BSides Toronto 2016 event!
------
Ann-Marie Westgate is an information security consultant with Digital Logic Solutions Inc.
Follow me on Twitter @AM_Westgate
Subscribe to me on YouTube: https://www.youtube.com/channel/UCRKrOK7r4jq5M5Bawx8wnMg
------
Ann-Marie Westgate is an information security consultant with Digital Logic Solutions Inc.
Follow me on Twitter @AM_Westgate
Subscribe to me on YouTube: https://www.youtube.com/channel/UCRKrOK7r4jq5M5Bawx8wnMg
No comments:
Post a Comment