Minutes from the Tuesday Sept 11th RMIUG: The State of Cyber-terror
Message #120 of 167
MEETING SPONSORS
Microstaff (www.microstaff.com) provided refreshments and pizza
Copy Diva (www.copydiva.com) provided the audio-visual equipment
NCAR (www.ncar.ucar.edu) provided the facility
ONEWARE (www.ONEWARE.com) sponsored these minutes.
We thank all of them for their support.
-------------
The meeting was held September 11, 2007 at The National Center for
Atmospheric Research (NCAR) in Boulder, CO.
About 25 people attended the meeting.
Facilitator: Josh Zapin
Secretary for meeting notes: Jill Arnson
----------------------
ANNOUNCEMENTS
Josh Zapin welcomes suggestions for future meeting topics; please
email Josh at josh@... with your ideas.
Josh Zapin – Texturemedia – They are looking for web designers
Elaine Miller – AITP - upcoming lunch meeting 9/20 11AM - 3PM at
Park Hill Golf Club – topic: Microsoft across America
Gabe Swicegood - Booz Allen Hamilton - they have open positions
requiring SCI clearance
Elijah Chancey – seeking – looking for a Systems Administration position
Jay Roe – seeking – messaging and security position jaehroh@...
617-852-7932
Paige Sandborn - Gem Resourcing - recruiting – have a lot of open
positions
---------------
INTRODUCTION (Josh Zapin)
The incidence of web attacks has gone up, as have expenditures on
security.
Relating to the airplane attacks on 9/11: what about our cyber-world?
Has it suffered the same types of attacks?
Are we more vulnerable than we think?
----------------------
ABOUT THE SPEAKERS
Gerhard Eschelbeck (geschelbeck@...) is the Chief Technology
Officer and Senior Vice President of engineering at Webroot Software,
Inc. Gerhard is responsible for developing and driving the company's
overall product strategy. He also manages Webroot's development and
threat research teams, and further expands the capabilities of
Webroot's Phileas, the industry's first and only automated spyware
research system. He was named one of InfoWorld's 25 Most Influential
CTOs in 2003 and 2004, and received this honor a third time in 2006 as
Webroot chief technology officer and senior vice president of
engineering. Gerhard holds masters and PhD degrees in computer science
from the University of Linz, Austria.

Dirk Anderson (Dirk.Anderson@...) is the Director of
IT Governance and Compliance Services for Coalfire Systems, Inc. His
fifteen years in the field of information technology have provided him
with extensive experience in the development of policy and awareness
programs for multi-national corporations, where he has held the
positions of Practice Lead/Sr. Analyst, Chief Security Architect, Sr.
Manager Global Security Architecture, and Manager of Information
Security & Internet Systems. He is a member of Vista Research's
Society of Industry Leaders and the Gerson Lehrman Group's Council of
Advisors. He also writes on the topic of information security, and has
contributed to works such as the SANS "Incident Handling - Step by
Step" guide.

-----------------------

The Internet as a Tool for Crime and Terrorism
presented by Dirk Anderson – Coalfire Systems
Defining the threat
Should we worry about a cyber Pearl Harbor?
Definition - Cyber-warfare – the use of computers and other devices
to attack an enemy's information systems as opposed to an enemy's
armies or factories
It is difficult to trace a perceived attack back to where it truly
comes from when the source IP address is spoofed; this makes
differentiating between, and labeling, terrorist, criminal and warfare
attacks harder in a cyber attack than in the "real world"
As time progresses, different technologies are used to support
terrorism – the Internet is a great tool for propaganda, chatrooms,
information gathering and communications
Recent events:
• Italy: 10,000+ systems attacked within a few days
• Estonia: DDoS in April 2007 shut down the central bank, and the
entire country was disconnected from the Internet to fix the problem;
the initial thought was that it was nationally organized, but at this
point it seems to have been renegade groups
• US 2007 – DNS DDoS attacks – in the press as it was the military's G node
1 in 7 Americans had personal and/or credit card information stolen in
2006 – 246,035 cases of ID theft
2007 – 278 security breaches affecting 75,782,892 individuals
There is a lot of formal organization in attacks now, and credit card
numbers are sold in the open in chatrooms; some of the information
sold is email lists for phishing
Cost of the theft of intellectual property: $250 billion; 1/3 of
companies lost data in the past 12 months – the most common way is
sending the information out in an email

The world today
DWS – customer DB was hacked
FTC fined ChoicePoint $10 million for unfair business practices for
failing to protect consumer data
The impact
Legislation – SOX, GLBA, privacy regulations
Private regulation – PCI DSS, ISO
Regulatory requirements have grown exponentially
States now have a lot of privacy requirements, and banks can no longer
keep intrusions quiet but must report them
Economics – $182 per account, but a company also needs to keep its reputation
Costs (fines) are now part of the cost of doing business
Solutions
Layers of control
Risk based controls
Spyware detection
BOT hunting
Centralization of security mgmt and logging
End game
Need to be proactive – just because it hasn't happened doesn't mean we
don't have to be prepared; the means and methods keep growing

QUESTIONS FOR Dirk
• Attacks – is it just the front end, and where are the holes?
If one can compromise a web server from the outside, they can get to
the rest of the infrastructure as they are already past the firewall;
holes in the FW are there to let legit users in and get taken advantage
of, and what are you exposing on the back end that isn't meant to be
publicly seen?
• Any through grove networks?
None I'm presently aware of
• Controls are no longer internal, as many things are outsourced (e.g.
payroll, firewall monitoring, interconnectivity between business
partners) – the perimeter is now nebulous
How to mitigate ID management?
Key in certain areas – restricted access

The State of Spyware
presented by Gerhard Eschelbeck –Webroot
Purpose is generally malicious – used to be stealing system resources,
unwanted advertisements, hijacking; now it is stealing information and
harvesting user information – accounts, files
Differences between Spyware and Viruses
• Viruses – the user KNEW that there was something wrong with the computer
• Spyware – covert, harder to remove, harder to keep up with, can change
hourly; someone generally is making money on it
Finding where spyware is coming from is the hardest part, so it is
generally not bothered with; concentrate on removing and preventing
The browser is the main gateway to problems – often from mistyping the
URL of a well-known web site
Infections often come from peer-to-peer networks and Trojan horses –
so-called tools to remove spyware are often infecting the computer
themselves, e.g. Adware Pro and Adaware
Some malware is encrypted and injected into valid processes (e.g.
Internet Explorer)
Spyware can run as multiple processes, so if you kill one process the
other process brings it back
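The typo-squatting path noted above (mistyping the URL of a well-known site) can be checked for proactively rather than only cleaned up after. The following is an added example, not code from the meeting, from Webroot or from Phileas: it generates the single-keystroke variants of a protected domain (omission, repetition, transposition, and adjacent-key substitution on a US-QWERTY layout, which is an assumption) and flags any that show up in a list of hostnames. The hostnames and the protected domains in it are constructed sample input, not real log data.

```python
from __future__ import annotations

# Assumption: US-QWERTY adjacency, letters only; digits and '-' are left alone.
QWERTY_NEIGHBORS = {
    'q': 'wa', 'w': 'qeas', 'e': 'wrsd', 'r': 'etdf', 't': 'ryfg', 'y': 'tugh',
    'u': 'yihj', 'i': 'uojk', 'o': 'ipkl', 'p': 'ol',
    'a': 'qwsz', 's': 'awedxz', 'd': 'serfcx', 'f': 'drtgvc', 'g': 'ftyhbv',
    'h': 'gyujnb', 'j': 'huikmn', 'k': 'jiolm', 'l': 'kop',
    'z': 'asx', 'x': 'zsdc', 'c': 'xdfv', 'v': 'cfgb', 'b': 'vghn',
    'n': 'bhjm', 'm': 'njk',
}


def typo_variants(domain: str) -> set[str]:
    """Single-keystroke misspellings of the label left of the TLD."""
    name, _, tld = domain.lower().rpartition('.')
    out: set[str] = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                 # omission:      webroot -> webrot
        out.add(name[:i] + ch + name[i:])                # repetition:    webroot -> webbroot
        for nb in QWERTY_NEIGHBORS.get(ch, ''):          # adjacent key:  webroot -> wwbroot
            out.add(name[:i] + nb + name[i + 1:])
        if i + 1 < len(name):                            # transposition: webroot -> wberoot
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])
    out.discard(name)   # the real name is not a typo of itself
    out.discard('')
    return {f'{v}.{tld}' for v in out}


def build_lookup(protected: list[str]) -> dict[str, str]:
    """Map every variant back to the brand it impersonates (first brand wins)."""
    lookup: dict[str, str] = {}
    for brand in protected:
        for v in typo_variants(brand):
            lookup.setdefault(v, brand.lower())
    return lookup


def flag_typosquats(hostnames, protected) -> list[tuple[str, str]]:
    """(hostname, impersonated brand) for each hostname that is a typo variant."""
    lookup = build_lookup(protected)
    hits = []
    for host in hostnames:
        host = host.lower().rstrip('.')
        bare = host[4:] if host.startswith('www.') else host   # www.webrot.com -> webrot.com
        if bare in lookup:
            hits.append((host, lookup[bare]))
    return hits


# Constructed sample input (not real data): hostnames as a proxy log might record them.
SAMPLE_HOSTS = ['webroot.com', 'webrot.com', 'www.coalfiresystmes.com',
                'example.org', 'ncar.ucar.edu']
PROTECTED = ['webroot.com', 'coalfiresystems.com']

if __name__ == '__main__':
    for host, brand in flag_typosquats(SAMPLE_HOSTS, PROTECTED):
        print(f'{host} looks like a typo of {brand}')
```

A short brand yields a few hundred variants, so the lookup table is cheap to build once and then run over hostnames from proxy or DNS logs. It deliberately covers only keystroke errors; homoglyphs, wrong-TLD variants (webroot.co) and hyphen insertions are separate generators to add if the brands you protect see them.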
How to Research Spyware
Automate the process – a global process that surfs the 'dark corners' of
the Internet – distributed architecture with a centralized core to
perform the task – rootkits and how they are being used
Phileas – 7.9 billion URLs found, checking about 4,000,000 sites/week
for malicious content, with 2,000 new sites/day with potential malware
Major exploit sites – US (34%), UK (14%), Italy (14%)
The largest increase in spyware has been with keyloggers and rootkits
Trojans are the most dangerous – not just as key loggers, but they
capture screen shots
Tips to avoid spyware
• Just say 'no' to free software
• Use Mozilla Firefox as it is not a targeted environment YET
• Always patch your system – MS, Adobe, etc
• Avoid questionable sites
• Be suspicious of email
• Use public kiosks with extreme caution – they are often loaded with malware
• Keep anti-virus and anti-spyware technology updated
• When on the internet use a non-admin account to log in

QUESTIONS FOR Gerhard
• Is it safe to do business online?
Do it on a dedicated computer; be aware of what you are doing and what
info is being transmitted
• What do you do if you get infected?
Continuous race between good guys and bad guys
• What authorities are notified and how are they contacted?
Some are established contacts; usually don't talk to the affected
organization – contact the FTC, FBI, etc. These organizations are
specialized and given a technical assessment
Find, track and cure, and then hand over to authorities
• What platforms are most affected?
Vista, 2000, and XP are reasonably secure as MS keeps them updated
with patches. Windows 98 is not secure anymore
Spyware is generally 100% on the MS platform at this point
• Is the concept of least privilege good?
A matter of degree

GENERAL QUESTIONS:
• What is the threat environment for mobile phones for financial
transactions?
Gerhard – just a matter of time before it is seen on phones; Symbian
(mobile OS), and a version of MS on them as well; transactions are
lower so not as big a target
Dirk – most people are not doing banking on phone currently
• Once a rootkit has been `neutralized' are they still considered a
threat?
Gerhard - Yes – cannot trust data; examine the hard disk directly and
not trust the integrity of the OS; need to find the raw data on disk
to neutralize rootkits
Dirk - they are not always entirely successful in removing them; it
will be a continuous issue as they can be in a lot of different places
• Is spyware detection heuristically based?
Gerhard - done in a heuristic and integrated fashion
• For spyware updates - how often does the server need to be
contacted, especially if on a closed network?
Gerhard – it can be set up to run automatically; you don't need a
permanent connection – can use an internal distribution
• Does the threat of prosecution serve as a deterrent to misanthropes?
Dirk - no – not many cases have been prosecuted, and international
barriers are an issue
Gerhard - sometimes hard to tell where it is coming from
• Is there a worry about the Internet being brought down?
Gerhard – the botnets are the issue; spyware is being used to build
botnets; e.g. the issue in Estonia was from botnets; botnets are the
biggest challenge
Dirk – concur with Gerhard; still a lot of research in its infancy;
Homeland security is funding a lot of research in this area
• Are large scale botnets available for sale now?
Gerhard – Yes
• Is this threat part of extortion attempts?
Gerhard – Yes; much is not open to public discussion
Dirk – yes; spike during boxing matches and such
• Why hasn't al-Qaeda done this?
Hard to get bandwidth in a cave LOL!
Dirk – to get the type of damage wanted, it would need to be
sustained for a fairly long period of time for the economic chaos, and
is therefore fairly difficult
• Why hasn't this happened to the critical infrastructure?
Dirk - Other attack mechanisms are easier (bombs)
Backup and recovery are built into the systems, so would not go down
for long
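The rootkit answer above (do not trust the integrity of the OS; go to the raw data on disk) is one instance of cross-view detection: take two views of the same thing, one the rootkit is known to filter and one it is less likely to, and diff them. The following is an added example, not from either speaker, Webroot or Coalfire, that applies the same idea to the Linux process table instead of the disk: it compares the IDs listed under /proc with the IDs that answer a null signal via kill(pid, 0). Linux, the /proc layout and the scan bound are assumptions; nothing here is a product's own check.

```python
from __future__ import annotations
import os

PROC = '/proc'   # assumption: Linux procfs mounted here


def procfs_view() -> set[int]:
    """IDs the kernel lists under /proc: process PIDs plus every thread's TID.
    TIDs are included because kill(tid, 0) succeeds for a thread, and a live
    thread must not be reported as a hidden process."""
    ids: set[int] = set()
    for entry in os.listdir(PROC):
        if not entry.isdigit():
            continue
        ids.add(int(entry))
        try:
            ids.update(int(t) for t in os.listdir(f'{PROC}/{entry}/task'))
        except OSError:            # process exited between the two listdir calls
            pass
    return ids


def is_alive(pid: int) -> bool:
    """Null-signal probe. ESRCH means no such process; EPERM means it exists
    but belongs to someone else, which is still 'alive' for our purposes."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def signal_view(max_pid: int) -> set[int]:
    """Every ID in 1..max_pid that answers the null-signal probe."""
    return {pid for pid in range(1, max_pid + 1) if is_alive(pid)}


def hidden_pids(max_pid: int | None = None) -> set[int]:
    """IDs alive according to kill() but absent from /proc both before and
    after the probe, then re-checked once more so a process that came and went
    during the scan is not a false positive. Empty set on a clean host, or
    where /proc does not exist at all."""
    if not os.path.isdir(PROC):
        return set()
    if max_pid is None:
        with open(f'{PROC}/sys/kernel/pid_max') as fh:
            max_pid = int(fh.read())
    before = procfs_view()
    probed = signal_view(max_pid)
    after = procfs_view()
    candidates = probed - before - after
    return {p for p in candidates
            if not os.path.exists(f'{PROC}/{p}') and is_alive(p)}


if __name__ == '__main__':
    hidden = hidden_pids()
    print('hidden PIDs:', sorted(hidden) if hidden else 'none')
```

Run it as root on the suspect host; an empty set is the expected result on a clean machine, and the full scan up to pid_max takes a few seconds in Python. On a /proc mounted with hidepid, other users' processes are invisible to non-root listings but still answer kill(), so a non-root run will report them. A rootkit that also hooks the signal path evades this check, which is exactly why the speakers' advice to go to the raw disk, or to boot from known-clean media, is the stronger move.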

LINKS
http://www.webroot.com
http://www.coalfiresystems.com






Thu Sep 20, 2007 2:54 am

jzapin