Liveblogging the CCDCOE conference, Tallinn (Day 1 / June 17)

CCDCOE conference, June 17

Kenneth Geers, American representative to CCDCOE:

– Even if you took a tank or a jet fighter, you could hardly count the number of processors on it.

– Next year US military will have more unmanned than manned aircraft

– It’s not just about vulnerability and exploit — but where does that meet national security? All presentations have elements that speak to why nat’l security planners would find it interesting.

– This is the best city to host this event. Has to do with historical factors, and accomplishments that Estonia has been able to achieve.

– It’s not surprising that Skype and the COE come from Estonia. (08h40 Tallinn time)

– Mikko and Nart’s talks have been swapped for today/tmrw.

Jaak Aaviksoo, Estonian Minister of Defense:

– Everybody in this room believes that cyber conflicts are here to stay.

– SK military reported 2 days ago that they are suffering 95,000 attacks daily

– This week the Estonian and US presidents met in Washington and our mutual efforts to gain back lost ground

– Cyberattacks against Georgia were a sequel to an aggressive attack against Estonia in 2007

– Cybersecurity is a political issue and it does not need any more advertising. It’s time for action.

– It’s been a year since the CCDCOE has been around, this is its first conference

– Fall will bring new conference

– Estonia has passed cybersecurity laws. Reaches across all fields; cooperation, primarily with the civilian sector, is the primary approach. Brings together public and private. Solutions must be shared. (08h44 Tallinn time)

– We have valuable experience that hopefully will be found useful by other alliance members

– I look forward to debate

– All the more reason to generate those ideas to discuss where we stand.

– Strategic goals: To have a realistic strategy, to protect our citizens, to foster culture, and to construct cooperation on networks that multiply our efforts

– I wish you a clear head and a loyal and constructive discussion (08h46 Tallinn time)

Mikko Hyppönen, F-Secure:

– Been working on computer security for 20 years (08h47 Tallinn time)

– We had 300 viruses at the time

– We have so many I can’t give you a number. Maybe millions and more.

– First virus was 1986, Brain.A

– Most virus writers didn’t know what they were doing, didn’t realize how well they would spread. Wished they could turn back time. (08h50 Tallinn time)

– Omega, September 13, 1991. Is a very important virus for me. First one I analyzed. I have a background in Assembly language.

– Printed out source code, hundreds of pages, trying to figure out what it does. Looked like it would activate every Friday the 13th. Would display 256 every time, which was the character for omega. I named this the Omega virus.

– Every time somebody has been working for F-Secure, they get an Omega watch. Perhaps I should have named it after Ferrari? (08h53 Tallinn time)

– Initially they were jokes: Elvira, Walking virus

– Casino virus, so that on certain dates it would have a casino game to hold your data hostage. It actually works. (1993) If they get lucky they would get their files back.

– “You’ve lost, say Bye to your balls.”

– Then first viruses for Windows in 1992. One_half. Starts encrypting part of the hard drive. In memory as soon as you boot up the computer. Slowly it starts encrypting. Takes a few weeks. As long as the virus is in memory it will decrypt, until you realize. If you remove the virus it will remove the key. (08h59 Tallinn time)

– Concept didn’t infect files. It infected your data.

– In 1995, MS Office was still shipping with macro files. Could copy themselves to new documents. That’s what Concept did. Every document you modified would get macros. This would spread much better, because earlier viruses required application programs; document exchange is much more common. Became the world’s most popular virus in a month.

– We don’t know who wrote it. But we think that maybe this was written within Microsoft or by someone who was familiar with Microsoft.

– We later found other macros, Laroux, that infected Excel files

– Would modify some of the data. Just round the numbers up or down by a fraction of a percent. The longer you work, the more incorrect the data gets. The changes are so small that you won’t notice. (09h02 Tallinn time)

– You keep backing up wrong data.

– Marburg, 1998. RemoteExplorer. Happy99 was the first email virus.

– All these spread mostly over disks and LANs. Happy99 was the first true online virus. Would contain an executable attachment.

– Today .exe files will be filtered by ISPs. Back then, it was fine.

– Funlove, Melissa virus.

– Loveletter. May 4 2000. “This is a big one. 600 copies in the last hour. Call me for details.” I didn’t think it would spread. I was wrong.

– Annakournikova virus. 2001. (09h08 Tallinn time)

– Someone called us and told us that he was unhappy with our product and said that he didn’t get the picture.

– Badtrans

– Nimda. Was unlike anything we’d ever seen before this. People were trying to draw parallels with the attacks of Sept. 11, 2001 and the anthrax attacks. This wasn’t the work of a teenage kid. This was someone who knew Windows and crypto. Looked like group work. Continues to be a big mystery. We still don’t know what the story behind Nimda is, who wrote it, and why.

– When you were infected by Swen, it sent a fake email from Microsoft. Explains what it will patch. Says that it’s the update for September 2003 — getting the time from the system clock. Many people fell for this.

– 2001. Code Red. July 19, 2001. That’s the infections around the world. Infections everywhere in the world except for Greenland. Were spreading at completely different speeds than what we had seen before. The mechanisms we’re talking about aren’t viruses; they were worms. Followed by Blaster and Sasser. Actively seeking new machines to infect. Based on IP addresses. Every computer has an IP address.

– All possible IPv4 addresses: about 4 billion computers. We don’t have enough IPv4 addresses for every human; that’s why we are trying to go to IPv6 sooner or later. (09h13 Tallinn time)

– Would randomly seek IP addresses.

– Will scan and can’t infect because the target is the wrong kind (Mac, Linux), or is switched off, or is behind a firewall.

– All viruses before this required the user to do something. This one didn’t require anyone to do anything. You could be sleeping as long as the computer is online.

– This creates a bandwidth problem. 2003, 2004. It would crash a DLL, which would be visible. Windows will reboot. One minute to save your data and then it will reboot. The average user will ignore it. When he keeps getting it he will ask for help.

– You go to Microsoft and find the patch. Problem is that this takes a while. While you were downloading you would get the minute counter again. This race against downloading the security patch was being played around the world millions of times. Most of the time the user lost. Frustrating as hell. (2003)

– January 24, 2003 there was so much network traffic: 20 percent global packet loss. Unprecedented. Starts to affect critical infrastructure. If you look at Blaster, we have some pretty amazing things that happened. Traffic systems, train and air traffic problems, flights delayed and canceled. Internal infections of nuclear power plants. 911 services down. Hospitals. ATMs. Slammer, Blaster, Sasser.

– These worms were not trying to take down banks, but they did. Just as a result of too much traffic. (09h19 Tallinn time)

– The playground has been changed with the introduction of firewalls in modern times.

– Monoculture was the problem. We all have the same system. Windows is on Xbox. You use a Windows PC and the protocol is TCP/IP. Servers are Windows and TCP/IP. Power company is controlling power systems with Windows and TCP/IP.

– Now an attack can target these all. Go beyond where they were intended. Start to affect critical infrastructure.

– Air Canada during Blaster update. August 20, 2003. Flights restored.

– CSX was affected on August 20, 2003. Trains in the Washington DC area were stopped. How could that happen? But it did.

– Ponsse tractor running Windows. Guy in the forest with a huge 100 hp tractor to take down trees. This was getting infected.

– Hospitals in Sweden and x-ray machines. Cases of patients being sent to other hospitals because Windows-based x-ray systems were crashing.

– Fizzer was the first virus that we can prove was written to make money. 2003. Everything before was written for fun, for instruction.

– Wasn’t obvious in the beginning. (09h24 Tallinn time)

– Created a proxy. What is it for? Maybe they’re trying to hack into a server by using hacked computers. A month later, one of our honeypots started seeing massive amounts of port 25 (SMTP, email) traffic. This was spammers paying virus writers to use computers to send spam. Spam makes money.

– Game has changed. Spam is one of the main ways of making money. Today more with data theft.

– 2003 is the game-changing year for the virus writers; it really changed a few things.

– 1986–2003, they were coming from Western Europe, USA, Australia, Japan.

– Today mostly coming from Brazil, Russia and China, including the ex-Soviet Union: Belarus, Ukraine. Changed individuals.

– Before 2003 it was teens, geeks. After, it was businessmen types. (09h28 Tallinn time)

– Used stolen credit cards to launder money in online poker. Two million euros. Bought sleeping bags, hiking boots, plane tickets. Would ship to people in Iraq. Link between online crime, Windows trojans, and funding insurgents in Iraq. Unusual.

– 29A, a hacker group in charge of writing many viruses. First one for mobile phones. Good ol’ days. Geeks working together for fun. No real reason. Publishing magazines. Academic interest mainly.

– 2003, Alexander Petrov et al, courthouse in Russia. Charged with running botnets. Using DDoS attacks against online-only stores. $20,000 to make the attacks stop. They were caught and were sentenced. Seven years in jail. (09h32 Tallinn time)

– “Hi I am Ronit. I am in the 9th grade. I struggled a lot in my life. I don’t have any friends. All people are very bad . . . I really want to change my life. Please teach me how to hack credit cards.”

– Parents won’t understand him. Unlikely that local police will stop him. The skills in the working class come from the people who have the skills but no opportunity. This is a big problem that we’re facing. (09h34 Tallinn time)

– Dark Market forum was run by the FBI. Was running for more than two years as a sting. At the time we didn’t know that it was an FBI operation. They noticed that I was there, I visited regularly — guy from Finland visits a lot but doesn’t post. There was a series of arrests. The most important bust was “Cha0” from Turkey.

– They had a credit card printer. Was buying and selling credit cards using viruses with keyloggers and using embossing devices to make them look real. The police also found cheap PIN devices. It’s going to be interesting how he explains this. Was caught in Istanbul. He has a pool. Going to court later this year.

– Has a hologram sticker to make illegal copies. You can’t get those from anywhere. You surely can’t go to a Chinese website for $5 a sheet. Except you can. Pretty much anything you can think of you can buy online. (09h40 Tallinn time)

— Had to take 10 minute break —

– “To Adolf Clinton: FUCK OUT, looser!! Go fucks Monica!” 2000

– Reflection attacks reflect real world crisis.

– In 2003 we saw hundreds of sites in the US and UK defaced with a Koran quote.

– Navy site hacked as well. Highly unlikely that they are part of any organized effort. (09h52 Tallinn time)

– Danish sites hacked after Mohammad cartoon fiasco

– Just making people scared. Just want to get attention.

– So, if we try to sum this all up. I’ve been doing this for 20 years and we’ve been trying to figure out how to react to all this. How can we fight this?

– Most important is that this is a fight between good and evil. We are the good guys. I believe, I want to believe that good will prevail. Thank you. (09h56 Tallinn time)
