October 2011
Twitter: #cybergamut
I’m a Suit in a
Cyber World!
1
Employment History
Financial
Services
2
Employment History
Financial
Services
3
Employment History
Ski Bum
4
Employment History
Ski Bum
5
Employment History
USAF
Officer
6
Employment History
USAF
Officer
7
Employment History
SAIC
8
Employment History
SAIC Program
Manager
9
Employment History
SAIC Program
Manager
10
Employment History
SAIC Division
Manager
11
Employment History
SAIC Division
Manager
12
Employment History
SAIC Capture
Manager
13
Employment History
SAIC Capture
Manager
14
Education History
King College
BA Economics & Business
Administration
15
Education History
King College
BA Economics & Business
Administration
16
Education History
Chartered Life
Underwriter
17
Education History
Chartered Life
Underwriter
18
Education History
UMD Europe
Bowie State University
MS Management
Information Systems
19
Education History
UMD Europe
Bowie State University
MS Management
Information Systems
20
Education History
PMP
21
Education History
PMP
22
Education History
GCIH
23
Education History
GCIH
24
Large Cyber Procurements
SAIC Capture
Manager
25
Large Cyber Procurements
> $250,000,000
26
Introduction to
cybergamut
29
History and Why Change
• In 2008 SAIC established cybernexus
– Coming together or “nexus” of cyber analysts
– Central Maryland
• In 2011 cybernexus renamed cybergamut
– Runs the “gamut” of cyber disciplines
– Global organization
• cybergamut nodes
–
–
–
–
Socorro, New Mexico
Sioux Falls, South Dakota
San Antonio, Texas
Northern Virginia (Tysons Corner and Herndon)
30
Mission Statement
cybergamut is a worldwide community of
practice for cyber professionals across
industry, academia, and government providing
ongoing education, training, and certification
opportunities throughout all phases of a cyber
professional’s career, utilizing traditional
methods as well as non-traditional techniques
like puzzles, Easter Eggs, and problem solving.
31
Easter Eggs
32
Easter Eggs (eeggs.com)
33
Challenge Cards
34
Challenge Coin
35
Technical Tuesday
• What it is
– a technical exchange
• What it is not
– A sales presentation
– A product endorsement
– For discussion of procurements
– For discussion of procurement related issues
36
PDU and CPE
• PMI PDU’s
– PMI Baltimore approved most Technical Tuesday
events as eligible for PMI PDU’s under Category B,
Continuing Education
• CPE’s for CISSP
– Self certification
• Other certifications
– What do you need?
37
Previous Topics
•
•
•
•
•
•
•
•
•
•
Defending a Large Network
•
–
–
Brian Rexroad of AT&T
2 Dec 2008
–
–
Paul Schnegelberger of SAIC and John Sanders of
Northrop Grumman TASC
Nov/Dec 2008
–
–
Jim Jaeger of General Dynamics
13 Jan 2009
–
–
Aaron Wilson of SAIC
13 Jan 2009
•
–
–
Greg Virgin of RedJack
27 Jan 2009
•
–
–
Peiter “Mudge” Zatko of BBN
27 Jan 2009
•
–
–
David Harris of SAIC
10 Feb 2009
•
–
–
Darryl Ackley of New Mexico Tech
24 Feb 2009
–
–
Clift Briscoe and Nat Cooper of Edge
24 Mar 2009
–
–
George Economou of Akamai
24 Mar 2009
DNI Essentials
Digital Forensics
Case Studies in Cyber Attacks
Trickler
Security Tools
IPv6
•
•
Exploitation Prediction
Analytic and IO Tools
Distributed Systems Technologies and Internet
Intelligence
•
•
Exploring the Social World of the Russian
Hacker Community
–
–
Tom Holt of Michigan State University
10 Mar 2009
–
–
Amber Schroader of Paraben
10 Mar 2009
–
–
Earl Zmijewski of Renesys
14 Apr 2009
–
–
Nico Lacchini of TDI
26 May 2009
–
–
Johnny Long
11 Jun 2009
–
–
Bruce Potter of Ponte Technologies
14 Jul 2009
–
–
Rob Lee of MANDIANT and the SANS Institute
18 Aug 2009
–
–
Sean Bodmer of Savid Corporation
22 Sep 2009
–
–
Stuart McLeod of Global Knowledge
3 Nov 2009
Modern Forensic Investigative Techniques
Defending Against BGP Man-In-The-Middle
Attacks
Examining the Storm Worm
No-Tech Hacking
Dirty Secrets of the Security Industry
Windows Forensic Analysis: Dissecting the
Windows Registry
Silence of the RAM
VoIP Security - Attacks, Threats and
Countermeasures
38
Previous Topics cont.
•
•
•
•
•
•
•
•
A Tale of Two Departments – How Commerce
and State Dealt With Chinese Intrusions:
Lessons Learned Plus: Security Heroes and the
20 Critical Controls
–
–
Alan Paller of the SANS Institute
9 Mar 2010
–
–
Aaron Barr of HBGary Federal
27 Apr 2010
–
–
Paul Frank of ITT
25 May 2010
•
•
Aurora
Malware reverse engineering at ITT
Advanced Cyber Collection Techniques;
Extracting and Analyzing Information from the
Domain Name System
•
•
•
–
–
Tim Cague of The CYAN Group
10 Aug 2010
–
–
Aaron Barr of HBGary Federal
5 Oct 2010
•
–
–
Gene Bransfield of Tenacity Solutions
9 Nov 2010
•
–
•
–
Presented by Michael Collins & Greg Virgin of
RedJack along with Jim Downey of DISA PEO-MA
30 Nov 2010
–
–
Josh Goldfarb of 21st Century Technologies
4 Jan 2011
The Rise of the Social Web
Why Security People S#ck
Insider Threat and Real-World Incident Study
Network Monitoring
•
Network Device Exploitation with Universal
Plug & Play
–
–
Terry Dunlap of Tactical Network Solutions
8 Feb 2011
–
–
Jeff Kuhn of Pangia Technologies
29 Mar 2011
–
–
Tom Parker of Securicon
19 Apr 2011
–
10 May 2011
–
–
Rob Lee of MANDIANT and The SANS Institute
24 May 2011
–
–
Peder Jungck of Cloudshield and SAIC
28 Jun 2011
–
–
Brian Snow
19 Jul 2011
–
–
Jason MacLulich of Endace
9 Aug 2011
–
30 Aug 2011
Deep Packet Inspection for Cybersecurity
ASW&R
Stuxnet Redux: Malware Attribution & Lessons
Learned
Special Technical Tuesday and renaming
APT Intrusion Remediation: The Top Do's and
Don'ts
Deep Packet Inspection
Our Security Status is Grim
Cellular Security
Government Cyber Technical Directors’ Panel
39
Upcoming Technical Tuesdays
• Hacking Windows 7 and defending against physical attacks
– 18 Oct 2011
– Jesse Varsalone
• Looking for more speakers and topics such as:
–
–
–
–
–
–
–
–
–
–
–
–
Tor routing
Malware reverse engineering
Cyber situational awareness
Splunk
Cloud computing and cloud forensics
Geolocation of IP addresses and mobile devices
Digital forensics
E-discovery
Attack attribution
Deep packet inspection
Fuzzing
Writing secure code
To suggest topics, volunteer to speak, or to receive an invitation, please contact: [email protected]
40
Interesting Topics from the
Chief 5uit’s Perspective
41
Remember!
42
Dash
43
Foreign Language
• 1337 = LEET = short for elite (maybe)
– 5uit = Suit
• Pwn = Own
– Your computer has been pwned
• Teh = the
– Accidents become purposeful
– This was before spell checkers – hard to do now
• Texting
– LOL
– ROFL
–  - OMG Powerpoint translated : and ) to this
44
Different Culture
•
•
•
•
•
•
•
•
95% male
Black T-shirts
Interesting facial hair
Body art
Add alcohol and mix vigorously
Stickers everywhere
Lock picking for fun (lock sport)
Hackers aren’t all Bad
– I Hack Charities
• As a 5uit, I’m counter-counter-culture
45
Pure evil
• Wireless diabetes pump exploit
49
Pure evil – or is it?
• Wireless diabetes pump exploit
• Exploit released by a pump user
• Wants manufacturer to fix the problem
• This is typical of many of the things released
50
Bot in a Botnet
• What’s a Bot and what’s a Botnet?
– Computers that have been taken over
– Used for distribution of Spam and Malware
– Used for other nefarious deeds
51
Bot in a Botnet
• What’s a Bot and what’s a Botnet?
– Computers that have been taken over
– Used for distribution of Spam and Malware
– Used for other nefarious deeds
• Does your Mom care?
52
Bot in a Botnet
• What’s a Bot and what’s a Botnet?
– Computers that have been taken over
– Used for distribution of Spam and Malware
– Used for other nefarious deeds
• Does your Mom care?
• Do you care?
53
Digital Hygiene
You can’t Patch
Stupid!!!
You can’t Patch
Stupid!!!
Don’t be “Stupid”
Don’t use Reply
All in a Mail
Storm!!!
You can’t Patch
Stupid!!!
Social Engineering
• Extremely effective
• DEFCON Social Engineering Contest
– Amazing what people will give away
– Help desks were overly helpful
76
Click OK to
Continue
Should I proceed?
79
Should I proceed? I did!!!
80
Phishing and Spearphishing
• E-mails and targeted e-mails
– Usually with a link
– Watch for typo’s and misspelllings
• V1AGRA
• [Insert company name here] has been sold!
81
Classic Phishing – not Nigeria
82
Phishing maybe???
83
Phishing from GA – Bot??
84
Spearphishing
85
Corporate Response
86
Another One!
87
Phishing and Spearphishing
• E-mails and targeted e-mails
– Usually with a link
– Watch for typo’s and misspelllings
• V1AGRA
• [Insert company name here] has been sold!
• DEFCON Skybox Demo
– Trend tracking via Twitter
– Tracking an individual via Social Media
– Tiny urls and Bit.ly
88
GPS and other evil devices
• GPS, iPhones, etc remember everything
• iPhones sync EVERYTHING with their host
• Windows 7 Registry saves things a long time
• Forensics examiner’s dream
• Car thieves “Go Home”
– You’re not home and now you’re stranded
89
GPS and other evil devices
• GPS, iPhones, etc remember everything
• iPhones sync EVERYTHING with their host
• Windows 7 Registry saves things a long time
• Forensics examiner’s dream
• Car thieves “Go Home”
– You’re not home and now you’re stranded
90
Supply Chain
• Where was your code written?
• Where was your hardware produced?
• How did it get to you?
• Thumb drives
• Hard drives
91
X begets Y begets Z…
• Needs beget innovation
• Innovation begets technology
• Policy and strategy follow
•
•
•
•
– aren’t necessarily “begotten”
Lack of policy begets ineffective or non-strategy
Doctrine is the military word for policy
Tactics are the refinement of military strategy
difference between responsibility and authority
– DHS has responsibilities
– DoD has many clearly defined authorities
• National Cyber Policy is challenging
– AFCEA story
92
Steganography
• Stuff hidden in pictures
• Stuff hidden in other non-obvious places
93
Who votes for #1?
94
Who votes for #2?
95
Who votes for #3?
96
Who votes for #4?
97
Steganography
• Let’s check your votes . . .
98
#1 Malamute???; not Malware
99
#2
100
#2 is Malodorous; not Malware
101
#3 is Mal-wear; not Malware
102
#4 is Malicious; not Malware
103
Steganography
• None of those pictures
– I don’t think anyway…
• Very hard to detect in a single picture
– Potential detection if you have both pictures
50 KB
450 KB
104
Other Scary/Cool Concepts
• Segmented polymorphic malware
– Bad stuff that changes its looks, delivered in parts
• Metamorphic malware
– Bad stuff that changes what it does
• Cloud Computing – distributed virtualization
– Which denomination?
• Hadoop – son’s toy elephant
– Cloud Security
– Cloud Forensics
• Zero-day
– Brand new malware or exploits
105
Should I click?
106
Social Networking
• “On the Internet, nobody knows you’re a dog”
– New Yorker Magazine, 1993
– Still true today
• Do you really know who your Friends are?
– Would you cross the street to see them in person?
– What are you revealing in your posts?
107
Fake Profile???
108
Social Networking
• “On the Internet, nobody knows you’re a dog”
– New Yorker Magazine, 1993
– Still true today
• Do you really know who your Friends are?
– Would you cross the street to see them in person?
– What are you revealing in your posts?
• “My Daddy’s dating…”
• Twitter - #cybergamut
– Spontaneous and quick
– No filter
– No retraction after re-tweet
109
Need
this
button
Location-based Services
• Facebook Places and Foursquare
• Preparation for Travel
– Set up light timers
– Make your home look lived in
•
•
•
•
“Check in” at out of state locations
Photo metadata
Okay for my Friends to know
What about Friends of Friends?
– What about Mafia Wars Friends of Friends?
112
Facebook Places
113
Clearly Out of Town
114
• Photo metadata
• Photo metadata
• Facebook actually
removes the
location information
User Names and Passwords
• Anonymous and LULZ Sony Attacks
– 77 million users affected
• Other large data thefts
• User Name and Password combinations
– How many do you use?
– Remember the Bots?!?
– This got my attention!
117
What do we do?
•I don’t know…
•I think education helps…
118
Cyber Increases
• Volume
• Variety
• Velocity
119
Cyber Increases
• Volume = 123 slides
• Variety
• Velocity
120
Cyber Increases
• Volume = 123 slides
• Variety = 25 topics
• Velocity
121
Cyber Increases
• Volume = 123 slides
• Variety = 25 topics
• Velocity = 1 hour = ~29 sec per slide
122
That’s all we’ve got!
123
Descargar

Slide 1