TRANSCRIPT
Parallel session G: Security
Chair: Frances Burton

Housekeeping: please switch your mobile phones to silent. No fire alarms are scheduled; in the event of an alarm, please follow the directions of NCC staff.
15:20 - 16:00 Lightning talks
16:30 - 17:30 Birds of a feather sessions
19:30 Dinner (now full), entrance via Goldsmith Street
University of Kent and Spamhaus: Response Policy Zone Trial
David Hayling - University of Kent; Peter Dorey - Spamhaus Technology
RPZ | David Hayling
RPZ: Response Policy Zone
• Basically 'real time blocking lists' for DNS lookups
• Developed by ISC
• In BIND since version 9.8
• Load a zone from <some-source>
– Full transfer (AXFR)
– Incremental (IXFR)
• The DNS server checks the RPZ zone for each resolve request
• If negative, resolve the name as normal
• If positive, return a pre-configured IP address ('walled garden'), or return 'non-existent domain' (NXDOMAIN)
simples
'Normal levels' of malware (chart series, data not reproduced):
• What is 'normal'?
• Term time in full swing
• We're ready to start blocking
• It works!
• Christmas break
• Spring term - the 'New Normal'
Don't just take RPZ's word for it ...
• Suricata Intrusion Detection System
• Log file analysis by Splunk
RPZ Response Policy Zone - issues
• Load a zone from <some-source>
– Incremental (IXFR) after a long gap causes BIND to 'barf'
– Full transfer (AXFR)
• False positives
– No reports
– but ... blocking Twitter isn't popular
– Whitelists
– Blacklists
• Google DNS (et al)
– Should we block?
– or redirect the query to local DNS
– or do nothing
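A minimal BIND configuration of the mechanism the two slides above describe, added here as a worked example; it is not the University of Kent's or Spamhaus's configuration. The zone names, file paths, the 192.0.2.0/24 addresses and the feed server are assumptions. It shows a feed zone pulled by IXFR, a local whitelist zone listed first so its passthru entries win over anything in the feed (the Twitter false-positive problem), the two response actions the first slide names (NXDOMAIN and walled garden), and the 'disabled' log-only mode that lets a feed be trialled before it is allowed to block.

```conf
// ---- named.conf fragment (added example; names and addresses are assumptions) ----
options {
    // Policy zones are consulted in the order listed. The local whitelist
    // goes first: a passthru hit there stops any later zone from rewriting.
    response-policy {
        zone "rpz.local";                              // local whitelist + local blocks
        zone "malware.rpz.example.net";                // assumed provider feed, live
        zone "dga.rpz.example.net" policy disabled;    // assumed feed, trial: log only
    } break-dnssec yes;   // rewrite even for DNSSEC-signed names
};

// Log every rewrite (and every rewrite a 'disabled' zone would have done),
// so hits can be counted independently of the resolver's own say-so.
logging {
    channel rpz_log { file "/var/log/named/rpz.log" versions 10 size 50m; severity info; print-time yes; };
    category rpz { rpz_log; };
};

// Local policy zone, authoritative on the resolver itself.
zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.db";
    allow-query { none; };    // policy data, never answered to clients directly
};

// Provider feed, transferred from the feed server with IXFR where possible.
zone "malware.rpz.example.net" {
    type slave;
    masters { 192.0.2.53; };  // assumed feed server (TEST-NET-1)
    file "/var/cache/bind/malware.rpz.db";
    request-ixfr yes;         // server answers with a full AXFR if it cannot serve the delta
    allow-query { none; };
};

zone "dga.rpz.example.net" {
    type slave;
    masters { 192.0.2.53; };
    file "/var/cache/bind/dga.rpz.db";
    allow-query { none; };
};

; ---- /etc/bind/rpz.local.db (constructed zone file) ----
$TTL 300
$ORIGIN rpz.local.
@                IN SOA   localhost. hostmaster.localhost. ( 2017041201 3600 900 604800 300 )
                 IN NS    localhost.

; Whitelist: CNAME to rpz-passthru. answers normally and ends policy processing,
; so a twitter.com entry in a feed listed later can no longer block it.
twitter.com      IN CNAME rpz-passthru.
*.twitter.com    IN CNAME rpz-passthru.

; Block as 'non-existent domain': CNAME to the root.
bad.example      IN CNAME .
*.bad.example    IN CNAME .

; Block as 'no data' (name exists, no records): CNAME to *.
nodata.example   IN CNAME *.

; Walled garden: answer with the address of a local 'this site is blocked' page.
garden.example   IN A     192.0.2.10
*.garden.example IN A     192.0.2.10
```

The named.conf and the zone file are two separate files; they are shown in one block only to keep the example together. `master`/`slave` are the type names of the 9.8-era syntax the slides refer to; later releases also accept `primary`/`secondary`. Two caveats a practitioner would want: the bare name and the `*.` wildcard are separate triggers, so a block or whitelist entry needs both to cover a domain and its subdomains; and RPZ only sees queries that reach this resolver, so a client pointed at 8.8.8.8 bypasses it entirely, which is why the 'block, redirect or do nothing' question about Google DNS is a network-edge decision rather than a BIND one.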
RPZ Response Policy Zone
"The greatest improvement in our malware defense, in one easy step"
Networks Team, Server Infrastructure Team, and Operations
https://blogs.kent.ac.uk/unseenit/?s=rpz
With thanks to Matthew Trump
RPZ Trial, 12/04/2017
Spamhaus Technology
» What we do
• 90% of the world's email traffic is spam ... still
• 100 spam operations in North America and Europe account for 80% of spam
• Protecting 3 billion mailboxes world-wide
» What it is - Domain Based Threat Intelligence: Response Policy Zones
» Standard
• bad-nameservers.zone ~18,000 entries
• dbl.zone ~1,400,000 entries
• dblsr.zone ~2,500,000 entries
» Malware
• botnetcc.zone ~500 entries
• dga-domains.zone ~1,200,000 entries
• malware.zone ~67,000 entries
• malware-aggressive.zone ~4,000 entries
• malware-adware.zone ~4,000 entries
» Abused
• abused-legit.zone ~35,000 entries
• adservers.zone ~18,000 entries
• bogon.zone ~6,000 entries
» Diverse
• sbl.zone ~550,000 entries
• tor-exit-nodes.zone ~1,000 entries
» DROP & eDROP ~1,000 entries
» How it works (diagram, not reproduced: DNS resolver, DNS root server, DNS .com TLD, DNS example.com)
» Distribution via IXFR
• 8 core CPU with at least a 2.4 GHz clock speed
• 8 GB of RAM
• Servers should be bare metal - not virtualized
» Hosting environment result (chart, not reproduced: Botnet C&C, C&C other; outbound, inbound)
» The Results
» Tips for implementation
1. Testing & Implementation
2. Whitelists
3. Tracking and metrics (log re-writes)
» What next
• Sign up for DROP & eDROP
www.spamhaus.org www.spamhaustech.com
@spamteq
Search Groups 'Spamhaus Technology'
Addressing the skills shortage in Cyber Security
Debbie Tunstall, Education Team Manager, Cyber Security Challenge UK
Ensuring We Have The Cyber Skills for Tomorrow
12 April 2017
Cyber Security
Cyber security has become prominent in recent years, moving from a back-office ‘techie’ activity to an industry that is at the heart of Britain’s business success and its protection from major online criminals and terrorists.
Current Picture
» The eighth annual (ISC)² Global Workforce Survey predicts there will be a shortage of 1.8 million Information Security Professionals by 2022
» The Government will invest £1.9 billion in a National Cyber Security Strategy to ensure government, businesses, law enforcement and UK citizens have the right skills and knowledge
But: are we doing enough as a nation?
Why is there a skills shortage?
• Profession is relatively new
• Understanding of the nature of the jobs is poor
• The pathways into it are ill defined
• Lacking diversity: we recruit from half the population - 7% women
• Our education system was not delivering for us.
Peter Clarke, Nov 2015 Masterclass winner
Ben Jackson (18), Nov 2016Masterclass winner
The world is your oyster
» The UK cyber security industry contributes over £17 billion to the UK economy
» Tens of thousands of home-grown experts are working to protect UK businesses
» Globally, the rise in online crime is outpacing the supply of cyber defenders
» Exports of UK cyber products and services are growing by over 15% a year
Employers Need You!
Attributes:
• Quick thinkers
• Strong communicators
• Have an inquisitive and analytical mind
• Problem solvers
• Good at thinking outside the box
• Creative - can stay one step ahead
Introduction to Cyber Security Challenge UK
Cyber Security Challenge UK was set up to support the National Cyber Security Strategy and to help address the critical skills gap
A not-for-profit organisation attracting government and commercial sponsorship
Over 80 Sponsors of all sizes
Cyber Education and Skills: High on the list of UK Governmental Priorities
What is on Offer From The Challenge?
• Competitions for all - National and European
• University Competitions
• Schools Competitions - Cyber Games
• CyberCenturion
• Online Gaming - PoD - MMOGE Cyphinx
• Toolkits
• Virtuals
• Cyber Camps
• Face-to-Face learning and competitions
• Masterclass and Finals
• Prizes
• Mentoring
• Careers
• Alumni Group - Whitehatters
2015 Schools Final Winners at Cheltenham Science Festival
Education – Schools
• Schools Programme
• Lesson Plans and Activities
• CyberCenturion
• Online Gaming – PoD
• CyPhinx
• Cyber Extended Project Qualification [EPQ]
CyberCenturion finals – TNMOC Bletchley Park 2015, 2016
Education – Universities
• FE - HE - Universities
• Insight Camps
• Capture the Flags
• Careers Events
Kane Small – Greenwich Camp
The Cyber Security Challenge camp was such an enlightening event and the amount of information that I absorbed in just three days was phenomenal. Before the event I had no idea I even wanted to pursue a career in Cyber Security, but after the event I literally didn't know why I hadn't looked into the field sooner! Having industry experts attend and provide such rich and engaging talks, not only about their own experiences but the threats that exist now and are constantly evolving and adapting, was an absolute eye-opener. I really would encourage anyone who is interested in cyber security even in the slightest to attend, you will not regret it for a second!
Education – Universities
Jessica Williams – Development Camp, Student Ambassador, Masterclass Finalist, European Team, speaker.
Cyber Security gave me the opportunity to attend loads of cyber networking events. I met many prospective employers and ended up getting loads of interviews and eventually my job at BT; this was all before I'd even finished my degree. I also got to work with the National Grid on my final year project. I had so much fun meeting all these great people; it's also given me a great bit of PR that I'm still getting contacted about! Cyber Security Challenge gave me the confidence to do all these things, and really recognised my achievements even when sometimes my university didn't. Cyber Security Challenge has literally changed my life.
Education – Career Transitioners
My first experience of the Cyber Security Challenge UK came at the end of a 6 year career in the Royal Marines. Looking for a career change and with zero technical background, the challenge gave me hands on experience into an exciting and challenging industry.
Tim Carrington, Masterclass Finalist, European Team, Whitehatters
Switzerland October 2015:
European Cyber Security Challenge
Careers – Find out more
Inspired Careers
http://www.inspiredcareers.org/browse-careers/cyber-security/
Thank you
Debbie Tunstall Cyber Security [email protected]
“It started with a phish...”
Or, how we got USED for Bitcoin
Jethro PerkinsInformation Security Manager, LSE
It was 15.52 on a Friday afternoon...
• ...and I was due to go on holiday the next day
• I was contacted by the (physical) Security Office
• Someone thinks they've been hacked
• "[John], below, claims his computer was hacked when he corresponded with someone purporting to be from LSE. It would seem that the perpetrator was using LSE website/credentials (or is he LSE)."
We have a problem...
• Victim suspected:
– he had fallen for an elaborate scam perpetrated by "Professor Zhai"
• (who is in no way a criminal mastermind from a film)
– Prof Zhai claimed to the victim he was researching bitcoin exchanges...
– ...but was really hacking bitcoin exchanges...
– ...using malware packaged as GoToMeeting binaries...
– Downloaded from learningresources.lse.ac.uk
Uh oh...
• We don't have a Professor Howard Zhai
• But we do have a postgraduate student in another Department with the referenced email address
• We don't use (or distribute) GoToMeeting binaries
• What the hell is learningresources.lse.ac.uk?
– Is it some fake resource lurking on our network?
– Or a cunning redirect to something somewhere else?
We've been hacked! – Oh, wait...
• Is this a scam being run by a postgrad student masquerading as a professor?
• Or is it a compromised account being used for nefarious purposes?
• (Or is it an evil genius from a film trying to take over the universe?)
• We disable the account
– Was this a mistake?
– Did it alert the attacker?
• Is learningresources.lse.ac.uk a real thing?
• Turns out it is. How has it been hacked?
• Turns out – it hasn't
• Anyone can create an account and upload stuff
• This is its function by design
• <headdesk>
Learningresources.lse.ac.uk
• Built long ago for lecturers to be able to upload and share resources
• Before formal Project reviews and Solution Design Authorities existed – so no identification of the potential issue in the functionality
• Little used, but not decommissioned because "there's some good stuff on it"
• It was patched
• We guessed pretty quickly that the upload facility had been abused, but we couldn't be sure...
• So we spent quite a lot of time trying to work out whether someone had root privileges...
• ...and if so, then we would have a bigger problem on our hands
• At the same time, the attacker realised something was up (the disabled AD account?) and deleted all their stuff from the server – as we were looking at it
Learningresources.lse.ac.uk II
• In the end, we took all three related servers down for the weekend, just to play it safe
• Learningresources was never switched back on again
• There was no indication of compromise
• They just used learningresources as it was meant to be used (kind of)
• We checked the firewall logs for any hint of the attacker going after other targets
– It took a long time, as our logs are huge
– And our SIEM capabilities are, ahem, *not perfect*
• They had been sniffing around other departmental systems – we alerted the administrators
What had happened
• "It started with a phish..."
• Two compromised postgraduate accounts
• Were they spear-phished, or were the accounts just bought from a pool?
– (interestingly, later, one of the students reset his password to the one that was compromised and his account started sending out spam – indicating maybe the latter)
Making a Professor of Economics
• Being a Professor of Economics is easy
• You need:
– a phished account
– Learningresources.lse.ac.uk
– A nice fake CV you can upload to it
• You give the account a name that fits the email account
• Then you can email bitcoin exchanges asking for them to participate in your classes
• You can direct them to your fake CV on the ambiguously-named learningresources.lse.ac.uk
– Authentic, huh?
• And chat with your buddy on the other compromised @lse.ac.uk address, for added authenticity
• If asked why you're not on the LSE website, you say you're new, and it's only updated in September, ready for the new year
Talking to the Bitcoin exchanges
• "Professor Zhai" contacted several
• Same story each time:
• "We pay special attention to the development of digital currencies and Blockchain technology, and we consider that these technologies can have a significant impact on the development of the world economy. Our University is interested in cooperation with people who can share some practical experience in this area."
Next...
• For anyone who fell for this, the next stage was:
• "We regularly run webinars with directors of major companies, government experts and entertainers. Students and teachers can ask any questions online and discuss burning issues in the field of digital currencies"
• This was followed up with a Skype conversation
• And then Bitcoin exchanges log into the "lecture" using...
• ...You guessed it...
• ...the malware hosted on learningresources.lse.ac.uk, masquerading as GoToMeeting
Next II
• "Professor Zhai" then claims there have been some technical issues, and he'll get back in contact when these have been resolved
• Meanwhile, the malware is hunting around for whatever it is hunting around for, and is talking back to a server in France
• He tries to string the exchanges along for as long as possible, to give the attackers a chance to try what they've got
• Some get a bit angry and give up.
• Only one realises the game and has the presence of mind to get in contact with us
Mopping up
• We contacted all of the Bitcoin exchanges "Professor Zhai" had emailed, in order to let them know it was fake
• We hardened the remaining servers that ran the same system as learningresources
• No more creating user accounts, logging in and uploading any old thing!
What we learned
• Authenticity is hard – faking it is easy
• A victim who's willing to help makes all the difference to an investigation
• Everything still starts with a phish. All it took were two careless postgraduate students
• The attackers took the easiest route in - forgotten legacy services
• The scam was elaborate and carefully planned, but...
• ...the only sophisticated technical aspect was the malware
– (and that was probably purchased)
– (and we don't know if it actually worked)
• The rest was achieved by a combination of social engineering and opportunism
• LSE press releases and "chatty" website information give attackers plenty of "insider information"
• ...which they relentlessly leverage
• Don't go on holiday
Any questions?
Thank you