New flash zero-day exploit demonstrated by CSIS at Data Security Conference

posted Jan 29, 2015, 12:58 PM by Niels Jensen   [ updated Jan 30, 2015, 5:54 AM ]
Today Safepark attended the 3rd annual Data Security Conference in Copenhagen, arranged by Computerworld. This year's conference passed 200 attendees at the Park Inn by Radisson venue. The conference was opened by the leader of GovCERT at the Center for Cyber Security under the Danish Defense Intelligence Service (DDIS). Mr. Ebbe B. Pedersen showed two interesting videos during his talk. The first was a video on advanced persistent threats (APT), available on YouTube here. The second was a CNN video on a staged attack on a generator. The video showed the generator self-destructing due to operating beyond its safe parameters (I was not able to play this video from the CNN web page about this Aurora experiment). It appears the video was inspired by the Stuxnet malware (link will download a PDF file from Symantec), which destroyed centrifuges at an Iranian nuclear facility some years ago, and by the exploit kit based on this technology that is currently available on the internet. During the presentation the use of USB sticks was also compared to having unsafe sex.

The second talk was by the Nordic SE manager Jan Johannsen from Check Point, who started by drawing everybody's attention to their ZoneAlarm Capsule, available for Android. One can test the app for free for a time, but after that it will cost you US$ 25 per year. I have downloaded this app, and will test it over the next week or so. Mr. Johannsen's talk was focused on good IT security practices. He shared experiences from the public sector, the retail sector and the finance sector, and finished by pointing to 4 key areas: zero second exploits, mobile, embedded code, and critical infrastructure.

After these two plenary lectures we had a choice of three tracks: internal threats, security as a service, and cyber threats. Safepark attended the last track. A focus was last week's ransom-ware attack, which hit 6 to 8 Danish municipalities. First, PwC's manager of security and technology, Mads N. Madsen, talked about the importance of getting business management concerned about security. In the area of process safety this happened after the 2005 explosion and fire at BP's Texas City Refinery and the Baker Report about it (link will download a PDF file with the report from the Canadian organisation ABSA). Mr. Johannsen said you can spend 3 kinds of money on security: Good money before an event, Panic money during an event, and Frustration money during restoration of normal operations. He also told us that the average cost of a cyber security incident is 2.7 M$, and with more than 42 million events in 2014, the annual cost to industry is more than 100 M$.

PwC also talked about its involvement in the response to last week's ransom-ware attack on several Danish municipalities. The attack PwC was involved in turned out to involve just a single infected computer. However, even with just one computer infected, the ransom-ware managed to encrypt more than 35,000 files to which this computer had access. PwC recommended that the municipality inform the media about the event. This generated enormous interest from journalists across the country over the following days, which the municipality had not anticipated.

Later Peter Schjøtt, who is a cyber security specialist and evangelist with Symantec, also talked about last week's worldwide ransom-ware attack, which hit especially hard in Australia and appeared to involve a dozen coordinated groups. During and after the attack Symantec has detected more than 1000 variants of this malware. Mr. Schjøtt also told us that a survey they performed found that 60% of organisations experience more than 25 incidents per month, and that the average time to discovery was 8 months. In 90-95% of cases the ransom-ware arrives as spam, and in 5-10% of cases it arrives through browsing. A ransom is paid in 1-1½% of incidents - without any guarantee of getting the files decrypted.

Also on the cyber threats track, global enterprise sales manager Nikolaj Holm Vang of SMS Passcode described their 3rd generation authentication system, and industry analyst Marcelo Pereira from Secunia talked about business enablement versus security, and how the security model has changed from a hard shell (firewall) with a soft core to a soft shell with a hard core. He also showed the trend in zero-day events over the last six years, and hinted that the data for 2014 were not good.

Finally, a group of four persons from CSIS, under the leadership of their CTO Jan Kaastrup, had created a demo of a zero-day Flash exploit to show us how hackers use social media to find the easiest way to the person they want to attack inside the targeted organization. After sending an e-mail to the person, and the person clicking on the link in the e-mail, they showed us how the "hacker" now had full control of the computer, including the ability to turn the built-in webcam and microphone on and off, and naturally to download anything on the system. After such a demo one becomes much more careful about clicking on any link in an e-mail without first inspecting it, by hovering the mouse pointer above it and making sure that the link points to a known location.

At conferences such as this one your welcome package usually includes a number of advertisements from the sponsors of the event. Today's conference was no different. However, sometimes I wonder what the line of thinking in the marketing department was when creating these. See for example the picture on the left from a flyer about a service from Deloitte. When I see this picture of large antennas my thoughts immediately turn to the worldwide surveillance by the NSA and other government entities. Another example is the picture on the right from a flyer from SMS Passcode, which provides intelligent 3rd generation authentication tools. This drawing makes me think about Darth Vader from Star Wars. What are your thoughts when seeing these pictures in material aimed at data protection?