Internet Security Systems - AlertCon(TM)

Conference Time – OWASP and VB2008

Posted by Gunter Ollmann on October 01, 2008 at 1:37 PM EDT.

VB2008

Here I am in Ottawa for the annual pedigree anti-virus conference that is Virus Bulletin 2008 (VB2008), and will be onstage and presenting in about an hour’s time.

I’ll be speaking with a colleague from X-Force, Holly Stewart (you’ll find a few posts by her on this blog), and we’ll be covering “Intentions of Capitalistic Malware” (I’ve included the abstract of the talk at the bottom of this blog) – and hopefully having a bit of fun while we’re at it. The talk itself really covers the merging of the malware and vulnerability exploit cyber-crime markets and how, as that business “matures”, their internal rivalry and competition make it a little easier for security vendors to reduce the threat. I don’t think that window of opportunity will remain open for too long, but we should take advantage of it while we can.

I’m also speaking again tomorrow. A colleague from another part of IBM was due to be presenting first thing Thursday morning on “How Secure is Your Virtualized Network”. Josh Corman unfortunately had to attend an urgent meeting (these things happen), so I’ll be the fill-in guy (Josh - you owe me a few beers for this). It should be an interesting talk regardless. I’ve been dealing with virtualized security for several years now, so I have more than my share of war stories that’ll keep attendees interested.

OWASP NYC

Last week I presented at the annual OWASP Web Application Security conference in New York. It was a great experience, and all the attendees were incredibly enthusiastic about the topic I presented (I spent more than an hour afterwards dealing with questions). So much so, that the room I was speaking in overflowed and a lot of people couldn’t get in. Looked like the topic of "Multidisciplinary Bank Attacks" was a hit.

I hear that a video of the presentation should be appearing on OWASP TV shortly.

There were two other notable talks (as far as I was concerned). I enjoyed Adam Boulton’s talk “Security Assessing Java RMI” as he stepped through the process of remotely enumerating objects and service calls, and how to start assessing them from a security perspective – something guaranteed to cause many RMI authors a few sleepless nights. Adam will be releasing automated versions of the tools he demoed over the next couple of weeks, and I’m expecting them to be quickly added to many pentesters’ tool packs.

The other notable talk was from Dave Aitel. An accomplished speaker and always controversial, Dave’s talk on “Corruption” was notable for his frank and open discussion of how it’s getting more and more difficult to develop reliable exploits for the latest operating system vulnerabilities. And, more precisely, how the level of skill and experience necessary to be good in that line of work is fast becoming a sizable barrier to entry for new professionals (and criminals) in the field, and how the cost of writing exploits is increasing.

Years ago you could knock up a reliable heap exploit against the latest operating system in a few days; today, writing one for Vista etc. may take 1-6 man-months of effort. That said, just because it takes a while doesn’t mean there isn’t any value to be reaped from the ecosystem – you could argue that those exploits are in even more demand today and worth considerably more money (supply and demand). It's a topic close to my heart, and no doubt I'll be blogging in depth on the subject sometime soon.


VB2008: Intentions of Capitalistic Malware

Abstract:

Following established capitalistic traditions, malware authors have adopted a mercenary approach to their new malicious business opportunities. With competition rife amongst malware authoring teams as they battle amongst each other to secure new customers and subscribers of their services, plagiarism and cloning are a way of life; there is no honor amongst thieves.

Not only must each author protect their IP investment, but in order to retain “market share” they must be competitive in ways beyond the capabilities of the actual malware. For example, malware teams now promote aspects such as “ease of use”, command and control uptime, bot-agent retention rates, encryption strength, reliability and server hosting bandwidth.

We’ve been observing the commercialization of malware and the way these businesses have been developing. From the evolution of phishing kits through to the development of bank-specific man-in-the-browser proxy Trojans, the threat may have already exceeded the technologies capable of thwarting it.

In this session we will closely examine the competitive drivers behind the malware developed for (and used by) organized crime syndicates, study which trends can be extrapolated to a horizon-three timeframe, and how the competitive nature of malware capitalism may actually make it easier for the security industry to battle them.
