AusCERT 2013 Mike Holm Manager, Coordination Centre AusCERT, April 2013 Copyright © 2013 AusCERT

Overview

1. Who are AusCERT, and what do they do?

2. AusCERT 2013 Conference and Tutorials

3. In the news

4. Ransomware case study

5. AusCERT blog posts

AusCERT is

• An operational computer emergency response team (CERT) with nearly 20 years' experience

• University-based, non-government

• Independent and impartial

• Self-funded and not-for-profit

AusCERT’s people

• Incident response

• Security bulletins

• Analysis and processing

• Software development

• Future capability

• System support

• AusCERT Conference

• Marketing

• Membership

AusCERT’s incident response

• Compromised web sites

• Botnet CnC, drones

• Publicly disclosed data

• Vulnerabilities in software products

• Malware

• Phishing and other scams

• Notification and repatriation

• Assistance for members

AusCERT’s Services

• Incident response assistance – proactive and reactive.

• Security bulletins via web, email and RSS tailored to each individual’s area of interest.

• SMS Early Warning Alert Service (unlimited mobile phones).

• Papers and blogs providing analysis and trends for information security managers.

• Malicious URL feed (blacklist).

• The AusCERT Remote Monitoring Service (ARMS).

• AusCERT Certificate Service for education and research organisations.

• The highly regarded AusCERT information security conference, tutorials and vendors exhibition at substantial discount rates.

AusCERT Conference

Speaker highlights include:

• Keynote: Michael T Jones, Google's Chief Technology Advocate

• Plenary: HD Moore, Rapid7

• Andrew van der Stock, OWASP Australia: “Enabling secure business via positive evidence based controls”

For more information go to: http://conference.auscert.org.au/conf2013/

Draft program: http://conference.auscert.org.au/conf2013/program_main.html

AusCERT Conference

Tutorials: http://conference.auscert.org.au/conf2013/tutorials.html

Half-day tutorials:

• ARM Android Code Injection

• Introduction to iPhone Forensics and Exploitation

• SAP Security: Attack and Defense

• Social Engineering - Attacks & Countermeasures

• Information Security Risk Assessment – Getting Started

• Advanced Information Security Risk Assessment

• Enterprise Security Architecture Workshop

AusCERT Conference

Tutorials: http://conference.auscert.org.au/conf2013/tutorials.html

Full-day tutorials:

ISM Update (Australian Government Information Security Manual)

SOA, Web Services, & XML Security

Assurance Hands on Wireless Auditing

iOS security for the incident responder

Making the most of Security Metrics

Two-day tutorials:

From the cutting to the bleeding edge - OWASP tools to the REMeDE (short for Recon, Map, Discover Exploit)

In the news: University of Nebraska

• Social Security numbers, addresses, grades, transcripts, and housing and financial aid information for current and former NU students (dating back to 1985), covering 654,000 staff, parents, students and applicants.

• Attacker gained access to database in May 2012. SQL injection?

Defences:

• Utilise log processing systems to actively look for attacks.

• Don’t rely solely upon automated vulnerability scans.

• Skilled penetration testers should be utilised to detect flaws in web apps.

• Use web application firewalls to detect attacks.

• Ensure web apps are built from the ground up with security in mind.
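
A minimal illustration of the first defence above (log processing that actively looks for attacks), added here as an example and not part of the AusCERT slides: it scans web access log lines for common SQL injection indicators after undoing URL encoding, including double encoding. The log lines, paths, rule names and regexes are constructed assumptions, not data from the incident.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2013:10:01:02 +1000] "GET /app/view?id=1042 HTTP/1.1" 200 5120
198.51.100.23 - - [03/Apr/2013:10:01:09 +1000] "GET /app/view?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312
198.51.100.23 - - [03/Apr/2013:10:01:11 +1000] "GET /app/view?id=1%20UNION%20SELECT%20null,null-- HTTP/1.1" 200 4801
198.51.100.23 - - [03/Apr/2013:10:01:15 +1000] "GET /app/view?id=1%2527%2520AND%2520SLEEP(5)-- HTTP/1.1" 200 4801
203.0.113.7 - - [03/Apr/2013:10:02:30 +1000] "GET /search?q=student+union+elections HTTP/1.1" 200 900
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

# Illustrative heuristics only; a production rule set needs tuning per application.
RULES = {
    "tautology": re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
}

def normalise(target, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are still visible."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan(log_text):
    """Return {client_ip: Counter(rule_name -> hits)} for suspicious requests."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip here, worth counting in production
        ip, target = m.group(1), normalise(m.group(2))
        hits = [name for name, rx in RULES.items() if rx.search(target)]
        if hits:
            findings.setdefault(ip, Counter()).update(hits)
    return findings

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, dict(hits))
```
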

In the news: Apple ID two-step verification

Apple have introduced two-step verification using SMS codes on Apple IDs.

• Go to the My Apple ID page

• Select “Manage your Apple ID” and sign in

• Select “Password and Security”

• Under Two-Step Verification, select “Get Started” and follow the on-screen instructions.

• Process takes three days to complete (to verify ownership of the account)

Now do the same for your Google, Facebook and Dropbox accounts!

In the news: Ransomware

Ransomware: the simple stuff

• Ransomware “screen lockers” can occasionally be recovered using a “boot CD”.

• However, targeted ransomware is the manifestation of a calculated attack by skilled operators.

Ransomware case study

How?

• Access was gained via an insecure remote access system used by the medical practice.

When?

• Over a period of several weeks.

• After initial access was gained, the attacker gathered intelligence and deployed his attack.

What?

• The attacker took control of the medical practice database.

• Two types of regular backup were used by the practice. The attacker disabled one and took control of the other.

The damage?

• The practice database was unavailable.

• A ransom demand was made for $4,000.

Blogs

AusCERT’s blog on ransomware

https://www.auscert.org.au/17155

• Two short case studies of ransomware attacks.

• Links to more information including the DSD’s “Top 4 Mitigation Strategies to protect your ICT System”.

• Tips on what to do if you have already been targeted by ransomware.

Blogs

DSD's Strategies to Mitigate Targeted Cyber Intrusions

https://www.auscert.org.au/16633

• AusCERT’s perspective and advice on how to apply appropriate security controls using a risk-based approach, armed with DSD's Top 35 Cyber Mitigation Strategies.

• Link to AusCERT’s full paper on DSD’s Top 35 (member-only access)

An interesting statistic

Hackers Exploit 'Zero-Day' Bugs For 10 Months On Average Before They're Exposed

Source: http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/

Defences: Use AusCERT’s Security Bulletin Service to find out about software vulnerabilities as soon as possible in a consistent manner.

Tip: You can tailor the bulletin feed to suit your own product suite.

Thank you. Questions?

[email protected]

www.auscert.org.au
