Euro Security Watch with Mathew J. Schwartz

Anti-Malware, Data Breach, Technology

11 Takeaways From RSA Conference 2017: Mirai Botnets, Breach Response Basics, a Security Guru Cocktail and More
Photo: Mathew Schwartz

For a roundup of the latest data breach, hacking, malware and other cybercrime trends, it's tough to beat the keynote presentations, sessions and even hallway discussions at the annual RSA Conference in San Francisco.


Here are 11 highlights from last week's event:

1. Mirai Botnet Pwns in 60 Seconds

Demonstration of a Mirai honeypot by Intel Security's Chris Young. (All photos: Mathew Schwartz)

The Mirai botnet, which first appeared in 2016, is just one of the malware families built to infect internet-connected devices. Mirai's source code has since been released publicly, and the malware spreads by logging in with the default or weak usernames and passwords that ship on many digital video recorders, CCTV cameras, routers and other internet of things devices.

"Given the amount of infected devices out there, what's the risk that a new device can be co-opted into a Mirai botnet?" asked Chris Young, senior vice president and general manager of Intel Security, in an opening keynote at RSA. To find out, McAfee researchers bought a DVR that was known to be targeted by Mirai to use as a honeypot and connected it to the internet. Just over one minute later, Young says, the device was compromised.
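What that credential stuffing looks like from the defender's side, as an added example that is not code from Intel Security, McAfee or the article: the script below parses a constructed telnet authentication log of the kind a honeypot or a device with logging would produce, and flags any source that hammers a short list of factory-default logins within a one-minute window or succeeds with one. The log format, the addresses and the credential list are assumptions made for the illustration, not a complete Mirai dictionary.

```python
"""Flag Mirai-style default-credential stuffing in telnet login records.

Added illustration; not code from Intel Security, McAfee or the article.
The log format, hosts and credential list are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A handful of factory-default logins of the kind IoT credential-stuffing
# malware tries. Assumed list for the example, not an exhaustive Mirai table.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "12345"),
    ("support", "support"), ("admin", "1234"),
}

# Assumed one-line-per-attempt log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>[\d.]+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source cycling through defaults and getting in,
# one legitimate operator, one single stray default attempt.
SAMPLE_LOG = """\
2017-02-13T10:00:01 telnet src=203.0.113.7 user=root pass=xc3511 result=fail
2017-02-13T10:00:03 telnet src=203.0.113.7 user=root pass=vizxv result=fail
2017-02-13T10:00:05 telnet src=203.0.113.7 user=admin pass=admin result=fail
2017-02-13T10:00:09 telnet src=203.0.113.7 user=root pass=888888 result=ok
2017-02-13T10:01:10 telnet src=198.51.100.20 user=operator pass=Tr0ub4dor&3 result=fail
2017-02-13T10:01:40 telnet src=198.51.100.20 user=operator pass=correct-horse result=ok
2017-02-13T10:05:00 telnet src=192.0.2.9 user=root pass=admin result=fail
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_mirai_style(lines, window=timedelta(seconds=60), min_attempts=3):
    """Map source IP -> summary for sources showing default-credential stuffing.

    A source is flagged when it tries at least `min_attempts` known default
    logins inside any `window`, or when any default login succeeds.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end, rec in enumerate(recs):           # sliding time window
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            hits = sum(1 for r in recs[start:end + 1]
                       if (r["user"], r["pw"]) in DEFAULT_CREDS)
            peak = max(peak, hits)
        default_logins = [(r["user"], r["pw"]) for r in recs
                          if r["result"] == "ok"
                          and (r["user"], r["pw"]) in DEFAULT_CREDS]
        if peak >= min_attempts or default_logins:
            alerts[src] = {"default_attempts_in_window": peak,
                           "default_logins": default_logins,
                           "total_attempts": len(recs)}
    return alerts


if __name__ == "__main__":
    for src, summary in detect_mirai_style(SAMPLE_LOG).items():
        print(src, summary)
```

The successful login is the important signal: a flagged source that got in means the device is now a bot, and the same rule applied to a real device's logs is a cheap way to learn that its default password was never changed.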

2. No Margin For Error

Intel Security's Raj Samani.

The Mirai botnet was used to launch a record-breaking attack against domain name system provider Dyn, after which the company lost 14,500 customers, said Raj Samani, CTO for Europe, the Middle East and Africa for Intel Security. "Here was a company that, from what I could see, did their due diligence ... [and] understood security, and were doing remarkable and incredible work to help push making the internet a safer place by doing analysis and research into cybersecurity," he told me.

And yet because of the attack, the company lost customers. "That is frightening," Samani said. "You can still be unfairly impacted just because other people didn't do the right thing."

3. Governments Should Hack First

Adi Shamir speaking on the Cryptographers' Panel.

Is hacking back ever justified? That question was posed to panelists on the annual Cryptographers' Panel, whose participants included Israeli cryptographer Adi Shamir, the "S" in the RSA asymmetric cryptographic algorithm.

"If you talk about private sector attacks, I'm completely against hacking back in revenge," Shamir said. "If you talk about governments, I would completely flip it ... not to hack back, but my government should hack before, in order to learn about the tools and plans" of other governments.

4. Segment Your Backup Environment

Left to right: Mandiant's Robert Wallace and Charles Carmakal.

To better block attackers, as well as ransomware, enterprises need to ensure that their backup environments are as segmented from the corporate network as possible, said Charles Carmakal, vice president at FireEye's Mandiant, in a session devoted to lessons learned from disruptive breaches that the company has investigated.

"Most of the time, when a threat actor has full control over an Active Directory environment, it's trivial for him to gain access to the backup environment and destroy the data," he told me after the presentation. "Of course, organizations need some level of connectivity between production systems and backup environments in order for the backup process to work. It's best for organizations to lock down administrative access to the backup servers by requiring jump boxes, multi-factor authentication," and so on, he said.
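One way to make Carmakal's advice checkable, as an added example that is not Mandiant's code or anything from the talk: encode the segmentation rules as data and test the three invariants he describes, namely that the backup data path from production still works, that a host the attacker controls through Active Directory cannot reach the backup server's administrative ports, and that the jump host (where multi-factor authentication is enforced) is the only administrative path. The addresses, ports and rule format are assumptions for the illustration; a "flat" policy that lets any internal host talk to the backup server is shown beside the segmented one.

```python
"""Test that a firewall policy keeps the backup environment segmented.

Added example, not code from Mandiant or the article. Addresses, ports and
the rule format are assumptions made for illustration.
"""
from ipaddress import ip_address, ip_network

# Assumed layout: production/AD network, one jump host, one backup server.
PROD_NET = "10.0.0.0/16"
JUMP_HOST = "10.10.0.5"
BACKUP_SRV = "10.20.0.10"
ADMIN_PORTS = {22, 443, 3389}     # SSH, web console, RDP
BACKUP_DATA_PORT = 9102           # assumed backup-agent port

# Rule = (source network, destination host, allowed ports or None for all, action).
# Evaluated first match wins; nothing matched means deny.
FLAT_RULES = [
    ("10.0.0.0/8", BACKUP_SRV, None, "accept"),          # "any internal host, any port"
]
SEGMENTED_RULES = [
    (PROD_NET, BACKUP_SRV, {BACKUP_DATA_PORT}, "accept"),  # backup traffic only
    (JUMP_HOST + "/32", BACKUP_SRV, ADMIN_PORTS, "accept"),  # admin via jump box
    ("10.0.0.0/8", BACKUP_SRV, None, "drop"),            # everything else
]


def allowed(rules, src, dst, port):
    """First-match evaluation of a rule list with a default-deny policy."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for src_net, rule_dst, ports, action in rules:
        if (src_ip in ip_network(src_net) and dst_ip == ip_address(rule_dst)
                and (ports is None or port in ports)):
            return action == "accept"
    return False


def segmentation_violations(rules):
    """Return a list of human-readable invariant violations (empty = segmented)."""
    violations = []
    prod_host = "10.0.3.44"   # any workstation or DC an attacker owns via AD

    # 1. Backups must still run: the agent port is reachable from production.
    if not allowed(rules, prod_host, BACKUP_SRV, BACKUP_DATA_PORT):
        violations.append("backup agent port unreachable from production")

    # 2. An AD-level compromise must not reach the backup server's admin ports.
    for port in sorted(ADMIN_PORTS):
        if allowed(rules, prod_host, BACKUP_SRV, port):
            violations.append(f"admin port {port} open to production network")

    # 3. The jump host remains the one administrative path.
    if not allowed(rules, JUMP_HOST, BACKUP_SRV, 22):
        violations.append("jump host cannot reach backup server SSH")
    return violations


if __name__ == "__main__":
    print("flat policy:", segmentation_violations(FLAT_RULES))
    print("segmented policy:", segmentation_violations(SEGMENTED_RULES))
```

The point of writing the check rather than the rules alone is that it survives change: when someone later adds an "allow all from the management VLAN" rule for convenience, the test fails before the next ransomware incident does.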

5. Watch For Fakers

Extortion note received by a Mandiant client.

For any organization that receives a ransom demand or other extortion threat, first verify that the threat is real. "For every real actor out there, there are a ton of fakers out there who will try to make money," Carmakal said. "We had a lot of clients who sent us this same exact email: 'Should we pay? It's only 5 bitcoins,'" he said. Many times, however, his team realized that the supposed attackers, who in many cases threatened to launch a distributed denial-of-service attack against an organization unless they paid a ransom, "never demonstrated that they had a DDoS capability," he said.

"You've got to make sure it's actually a breach before you decide to do anything," said co-panelist Robert Wallace, a director at Mandiant.

6. Use VirusTotal Wisely

The homepage of VirusTotal.

When investigating suspected attacks, here's another incident response tip: Think twice before uploading suspected malware to public scanning services such as VirusTotal. "I would caution against blindly uploading files to VirusTotal if you think it might be related to a targeted attack ... and we've seen this countless times," said Mandiant's Carmakal.

"VirusTotal is an excellent tool for the community to determine if a file may be malicious," he told me. "The main caution, though, is that sometimes malware may have hard-coded credentials, strings or DNS information that is specific to a victim. That sensitive information could be inadvertently released to the community."
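A pre-upload triage step of the kind Carmakal's caution calls for, as an added example that is not Mandiant's or VirusTotal's code: hash the sample so it can be looked up by hash rather than uploaded, then pull its printable strings and flag anything that would identify the victim, such as hostnames under the organization's own domains, RFC 1918 addresses, embedded credentials and UNC paths. The victim domains, the indicator patterns and the sample bytes are constructed for the illustration; the same triage generalizes to any suspicious file, not only the targeted-attack case.

```python
"""Pre-upload triage for a suspected targeted-attack sample.

Added example; not Mandiant's or VirusTotal's code. The organization domains,
the sample bytes and the indicator patterns are constructed for illustration.
"""
import hashlib
import re
from ipaddress import ip_address

ORG_DOMAINS = ("corp.example", "example.com")   # assumed victim domains

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")      # printable ASCII runs
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)
CRED_RE = re.compile(r"(?:pass(?:word|wd)?|pwd|token|secret)\s*[=:]\s*\S+", re.I)
UNC_RE = re.compile(r"\\\\[a-z0-9_.-]+\\[^\s]+", re.I)

# Constructed stand-in for a malware sample: a fake header followed by
# strings a tailored implant might carry. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"GET /update.php HTTP/1.1\x00"
    + b"dc01.corp.example\x00"
    + b"password=Summer2017!\x00"
    + b"\\\\fileserver01\\finance$\\\x00"
    + b"10.20.30.40\x00"
    + b"www.virustotal.com\x00"
)


def sha256_hex(data):
    """Hash to look up on a scanning service; reveals nothing about the victim."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data):
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]


def victim_specific_strings(data, org_domains=ORG_DOMAINS):
    """Return (kind, value) pairs that would leak victim details if uploaded."""
    suffixes = tuple("." + d for d in org_domains)
    findings = []
    for s in extract_strings(data):
        for ip in IPV4_RE.findall(s):
            try:
                if ip_address(ip).is_private:
                    findings.append(("internal-ip", ip))
            except ValueError:
                pass
        for host in HOST_RE.findall(s):
            h = host.lower()
            if h in org_domains or h.endswith(suffixes):
                findings.append(("victim-host", host))
        for cred in CRED_RE.findall(s):
            findings.append(("credential", cred))
        for unc in UNC_RE.findall(s):
            findings.append(("unc-path", unc))
    return findings


def triage(data, org_domains=ORG_DOMAINS):
    """Decide between hash lookup (always fine) and full upload (only if clean)."""
    findings = victim_specific_strings(data, org_domains)
    return {"sha256": sha256_hex(data),
            "findings": findings,
            "upload_ok": not findings}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256:", report["sha256"])
    for kind, value in report["findings"]:
        print(f"  {kind}: {value}")
    print("safe to upload:", report["upload_ok"])
```

A hash search tells you whether the community has already seen the file without giving anything away; if the hash is unknown and the triage turns up victim-specific strings, the file stays inside the investigation and only its hash and sanitized indicators get shared.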

7. Ransomware Crooks Don't RTFM

Horror-themed Jigsaw ransomware deletes files while users watch.

Speaking at RSA, James Lyne, global head of security research at the security firm Sophos, demonstrated a piece of ransomware that was built using a malware-building tool available via a "dark web" .onion site - reachable only by using the Tor anonymizing browser - that offers buyers multiple ransomware-building modes, ranging from basic to "paranoid."

The site also includes extensive documentation. For example, it advises users to change the name of various processes associated with the malware.

Evidently, however, some users weren't paranoid enough. Indeed, for one ransomware sample reviewed by Lyne - which turned out to be the torture-themed Jigsaw - it was obvious the user failed to fully read the documentation. Notably, while they renamed the crypto-locking process to the innocuous-looking "firefox.exe" - as instructed - they failed to rename the process named "bitcoinBlackmailer.exe" before dispatching the ransomware to infect endpoints.
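The flip side of that renaming advice, as an added example that is not Sophos' code or anything from Lyne's talk: a process named "firefox.exe" is only convincing if it also runs from where Firefox lives and was started by something a browser is normally started by. The check below scans a constructed process snapshot and flags three things: a well-known binary name running from an unexpected directory, a self-describing name such as the unrenamed "bitcoinBlackmailer.exe", and a "browser" spawned by an Office application. The expected-path table, the parent list and the snapshot are assumptions for the illustration.

```python
"""Spot ransomware processes hiding behind a familiar name.

Added example, not Sophos' or the article's code. The process snapshot and
the expected-path table are constructed for illustration.
"""
import ntpath   # Windows path handling, works on any host

# Where the genuine binary normally lives (assumed 64-bit Windows layout).
EXPECTED_DIRS = {
    "firefox.exe": {r"c:\program files\mozilla firefox",
                    r"c:\program files (x86)\mozilla firefox"},
    "chrome.exe": {r"c:\program files\google\chrome\application",
                   r"c:\program files (x86)\google\chrome\application"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Names a ransomware author forgot to disguise give themselves away.
SUSPICIOUS_TOKENS = ("bitcoin", "blackmail", "ransom", "locker", "decrypt")
# Parents that should not be launching a browser or a system service.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe"}

# Constructed snapshot, not taken from a real host.
PROCESS_LIST = [
    {"pid": 412, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"pid": 2210, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"pid": 3377, "image": r"C:\Users\alice\AppData\Local\Temp\firefox.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 3390, "image": r"C:\Users\alice\AppData\Local\Temp\bitcoinBlackmailer.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\firefox.exe"},
]


def classify(proc):
    """Return the reasons a process entry looks suspicious (empty list = clean)."""
    name = ntpath.basename(proc["image"]).lower()
    directory = ntpath.dirname(proc["image"]).lower()
    parent = ntpath.basename(proc.get("parent", "")).lower()
    reasons = []
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        reasons.append(f"{name} running from unexpected path {directory}")
    if any(tok in name for tok in SUSPICIOUS_TOKENS):
        reasons.append(f"self-describing process name {name}")
    if name in EXPECTED_DIRS and parent in OFFICE_PARENTS:
        reasons.append(f"{name} spawned by {parent}")
    return reasons


def scan(processes):
    """Map pid -> reasons for every process that trips at least one check."""
    hits = {}
    for proc in processes:
        reasons = classify(proc)
        if reasons:
            hits[proc["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(PROCESS_LIST).items():
        print(pid, "; ".join(reasons))
```

The path and parent checks are the ones that matter for a renamed process: a careful operator who reads the documentation removes the obvious name, but still has to run the binary from a user-writable directory and launch it from whatever the phishing lure opened.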

8. Please Hack IoT Devices

James Lyne of Sophos takes apart a ransomware sample.

Beyond demonstrating ransomware failings, Lyne also called on RSA attendees to be aware that so many IoT devices use cryptography that is 10 or 15 years old, if they were built with any security in mind at all.

Cue fun for anyone who ever dreamed of hacking an internet-connected device. Beyond the fun factor, however, Lyne said security professionals are also duty-bound to highlight the problem of insecure devices. "Don't we want to fix these problems whilst these devices are predominantly still toys?" he asked. "Before long they will be embedded into the infrastructure of our everyday lives - and at this rate just as embarrassingly unsecure."

9. Weighing IoT Regulation

Bruce Schneier talks internet of things regulation.

To help address internet of things security shortcomings, Bruce Schneier, CTO of IBM's Resilient, said new regulatory agencies at home and abroad might be the answer, because strong regulations in one domain could lead to improvements everywhere. "Regulations are interesting, because software is write once and sell everywhere," he said, since it's easier to not have to customize software for different markets. "If you have to make it more secure because the EU demands it, you might as well sell it everywhere."

In the United States, a new regulatory agency - following in the footsteps of agencies helping to tackle everything from trains and cars to radio and television - could also bring a useful modicum of fear to bear. "Nothing motivates the U.S. government like fear," he said.

Speaking on the cryptographers' panel, Adi Shamir suggested having governments crack down on such devices. "The government should definitely do something about it - they should not allow devices which are not sufficiently secure to be connected to the public internet," he said.

10. Technology Policy: Cybersecurity Experts Required

Participants on an RSA panel discussing IoT regulation, from left to right: Olaf Kolkman, Craig Spiezle, Bruce Schneier

With so many new types of internet-connected devices, many RSA speakers said it's clear that new laws will be required, especially with the rise of driverless cars and related liability questions. "This is going to be the internet of sensors, of surveillance, and a lot of it doesn't fall neatly into privacy rules that we have in the United States," Schneier said during a panel discussion about whether regulation is required to solve the internet of things security problem.

Expect Europe to solve this challenge first. "In Europe, the approach to privacy is a little more advanced, so to speak, than the rest of the world," said Schneier's co-panelist, Olaf Kolkman, chief internet technology officer for the Internet Society.

Whatever policies do get crafted, however, there's still the challenge of what to do with existing devices, said co-panelist Craig Spiezle, executive director of the Online Trust Alliance.

Schneier said technologists must learn to work with and advise policymakers. "If you watched Apple versus FBI, what you saw were technologists and policymakers talking past each other," he said.

11. Schneier: Cocktail, Yes; Presidency, No

An extract from Schneier's blog.

To help build better technology-related laws and policies, one audience member asked Bruce Schneier: "Will you please run for president?"

"I don't tweet, so that's kind of a disqualification," responded Schneier, who's long blogged his thoughts instead. "I'm not convinced that we serve best in front of the podium, but behind."

Schneier said such input can take many forms. "I would much rather advise elected officials and government agencies, and I do a lot of that," he said. "You don't have to quit to be the person that your Congress critter has on speed dial, when something happens. I think an advisory role is just as valuable as being the person whose name is in the voting booth."

And if they couldn't elect him president, Schneier said they were welcome to stop by IBM's booth and get a free, signed copy of his book, as well as to sample a "special Bruce Schneier cocktail."

Schneier, an outspoken libertarian, promised to not check anyone's ID.



About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



