1. Who are AusCERT, and what do they do?
2. AusCERT 2013 Conference and Tutorials
3. In the news
4. Ransomware case study
5. AusCERT blog posts
Overview
Copyright © 2013 AusCERT
AusCERT is:
• An operational computer emergency response team (CERT) with nearly 20 years' experience
• University-based, non-government
• Independent and impartial
• Self-funded and not-for-profit
AusCERT’s people
• Incident response
• Security bulletins
• Analysis and processing
• Software development
• Future capability
• System support
• AusCERT Conference
• Marketing
• Membership
AusCERT’s incident response
• Compromised web sites
• Botnet CnC, drones
• Publicly disclosed data
• Vulnerabilities in software products
• Malware
• Phishing and other scams
• Notification and repatriation
• Assistance for members
AusCERT’s Services
• Incident response assistance – proactive and reactive.
• Security bulletins via web, email and RSS tailored to each individual’s area of interest.
• SMS Early Warning Alert Service (unlimited mobile phones).
• Papers and blogs providing analysis and trends for information security managers.
• Malicious URL feed (blacklist).
• The AusCERT Remote Monitoring Service (ARMS).
• AusCERT Certificate Service for education and research organisations.
• The highly regarded AusCERT information security conference, tutorials and vendors exhibition at substantial discount rates.
AusCERT Conference
Speaker highlights include:
• Keynote: Michael T Jones, Google's Chief Technology Advocate
• Plenary: HD Moore, Rapid7
• Andrew van der Stock, OWASP Australia: “Enabling secure business via positive evidence based controls”
For more information go to: http://conference.auscert.org.au/conf2013/
Draft program: http://conference.auscert.org.au/conf2013/program_main.html
AusCERT Conference
Tutorials: http://conference.auscert.org.au/conf2013/tutorials.html
Half-day tutorials:
• ARM Android Code Injection
• Introduction to iPhone Forensics and Exploitation
• SAP Security: Attack and Defense
• Social Engineering - Attacks & Countermeasures
• Information Security Risk Assessment – Getting Started
• Advanced Information Security Risk Assessment
• Enterprise Security Architecture Workshop
AusCERT Conference
Tutorials: http://conference.auscert.org.au/conf2013/tutorials.html
Full-day tutorials:
• ISM Update (Australian Government Information Security Manual)
• SOA, Web Services, & XML Security Assurance
• Hands on Wireless Auditing
• iOS security for the incident responder
• Making the most of Security Metrics
Two-day tutorials:
• From the cutting to the bleeding edge - OWASP tools to the REMeDE (short for Recon, Map, Discover Exploit)
In the news: University of Nebraska
• Social Security numbers, addresses, grades, transcripts, and housing and financial aid information for 654,000 current and former NU students (dating back to 1985), staff, parents and applicants.
• Attacker gained access to database in May 2012. SQL injection?
Defences:
• Utilise log processing systems to actively look for attacks.
• Don’t rely solely upon automated vulnerability scans.
• Skilled penetration testers should be utilised to detect flaws in web apps.
• Use web application firewalls to detect attacks.
• Ensure web apps are built from the ground up with security in mind.
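The first defence above, actively looking for attacks in logs, is easy to start on. The following is an added example (not from the AusCERT slides) that scans constructed web-server access-log lines for coarse SQL-injection indicators and counts alerts per client so repeat offenders can be escalated; the log format, signatures and sample addresses are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (combined-log style); not from the original slides.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2012:10:01:02 +1000] "GET /students/transcript.php?id=1042 HTTP/1.1" 200 5120
203.0.113.5 - - [12/May/2012:10:01:09 +1000] "GET /students/transcript.php?id=1042' HTTP/1.1" 500 312
203.0.113.5 - - [12/May/2012:10:01:15 +1000] "GET /students/transcript.php?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211
203.0.113.5 - - [12/May/2012:10:02:40 +1000] "GET /students/transcript.php?id=0%20UNION%20SELECT%20ssn,name%20FROM%20students-- HTTP/1.1" 200 402331
198.51.100.7 - - [12/May/2012:10:03:01 +1000] "GET /students/transcript.php?id=2077 HTTP/1.1" 200 5098
"""

# Fields we need from each access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Coarse SQL-injection indicators, applied to the URL-decoded request path.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
}


def analyse(log_text):
    """Return (alerts, per_ip): alerts is a list of (ip, timestamp, reasons,
    decoded_path); per_ip counts alerts per client address."""
    alerts, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote_plus(m["path"])  # decode %27, %20 etc. before matching
        status = int(m["status"])
        reasons = [name for name, rx in SIGNATURES.items() if rx.search(path)]
        # A quote in the query followed by a 5xx usually means a database error: a probe.
        if status >= 500 and "'" in path:
            reasons.append("db_error_after_quote")
        if reasons:
            alerts.append((m["ip"], m["ts"], reasons, path))
            per_ip[m["ip"]] += 1
    return alerts, per_ip


def repeat_offenders(per_ip, threshold=2):
    """Clients with at least `threshold` alerts: escalate these for investigation."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    alerts, per_ip = analyse(SAMPLE_LOG)
    for ip, ts, reasons, path in alerts:
        print(f"{ts} {ip} {','.join(reasons)} {path}")
    print("escalate:", repeat_offenders(per_ip))
```

Signature matching of this kind is noisy on real traffic; the per-client count and the error-after-quote rule are what separate a probing session from a stray false positive.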
In the news: Apple ID two-step verification
Apple have introduced two-step verification using SMS codes on Apple IDs.
• Go to the My Apple ID page
• Select “Manage your Apple ID” and sign in
• Select “Password and Security”
• Under Two-Step Verification, select “Get Started” and follow the on-screen instructions.
• Process takes three days to complete (to verify ownership of the account)
Now do the same for your Google, Facebook and Dropbox accounts!
Ransomware: the simple stuff
• Ransomware “screen lockers” can occasionally be recovered using a “boot CD”.
• However, targeted ransomware is the manifestation of a calculated attack by skilled operators.
Ransomware case study
How?
• Access was gained by an insecure remote access system used by the medical practice.
When?
• Over a period of several weeks.
• After initial access was gained, the attacker gathered intelligence and deployed his attack.
What?
• The attacker took control of the medical practice database.
• Two types of regular backup were used by the practice. The attacker disabled one and took control of the other.
The damage?
• The practice database was unavailable.
• A ransom demand was made for $4,000.
Blogs
AusCERT’s blog on ransomware
https://www.auscert.org.au/17155
• Two short case studies of ransomware attacks.
• Links to more information including the DSD’s “Top 4 Mitigation Strategies to protect your ICT System”.
• Tips on what to do if you have already been targeted by ransomware.
Blogs
DSD's Strategies to Mitigate Targeted Cyber Intrusions
https://www.auscert.org.au/16633
• AusCERT’s perspective and advice on how to apply appropriate security controls using a risk-based approach, armed with DSD's Top 35 Cyber Mitigation Strategies.
• Link to AusCERT’s full paper on DSD’s Top 35 (member-only access)
An interesting statistic
Hackers Exploit 'Zero-Day' Bugs For 10 Months On Average Before They're Exposed
Source: http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/
Defences: Use AusCERT’s Security Bulletin Service to find out about software vulnerabilities as soon as possible in a consistent manner.
Tip: You can tailor the bulletin feed to suit your own product suite.
Thank you. Questions?
www.auscert.org.au