Hacker Halted: Day 1 Notes

Published: June 1st, 2008 | Category: Security Conferences

Here are my notes from the first day of the Hacker Halted conference.

Keynote Address – OSI Exposed & Examined

  • Level 8 politics, level 9 religion, level 10 economics
  • $200 per workstation is average for IT budget
    • 10% of that budget should be the security budget at the least
  • If no security budget, do one or two things that are cheap and effective to build the case for security
    • Don’t do it by yourself
    • Bring the most important issue to the table first
  • For most, companies/people don’t care about security until something happens to them
  • Biggest challenge is showing a return on investment
  • Different business slant – information assurance instead of security – consumer protection

Evolution of an International Conglomerate – The Malware Ecosystem

  • Last year Kaspersky collected 2 million malware samples
  • This year they collected 20 million samples (already)
  • Like B2B, criminals have their own network – C2C
  • DIY malware kit can be bought for $20 USD.
  • An undetected trojan can be bought for $1000 USD.
  • Some come with an SLA
    • Once detected by AV, get a new one
    • Guaranteed infection rates
    • Technical support
  • There needs to be a high profile arrest to scare the criminals
  • Social networks provide tons of information
  • Targeted social engineering attacks are on the rise
  • RBN is dead; they all relocated to China and Taiwan

Malware Forensics Investigations

  • Prosecution takes lots of time and coordination
    • One case spanned five states and involved multiple homes and a colocation center
  • To preserve data do you need a license?
    • In some states, it can be criminal if you don’t have a license
    • Exemptions – lawyers
  • Private authority
    • Job description gives you authority for internal investigations
    • Written incident response policies
      • If not done right, evidence may not be admissible
  • Contractors
    • Engagement document / Statement of work
    • Service agreement
    • NDA
  • Laws
    • Lots of various laws to keep in mind with various cases
    • COPPA / Juvenile act
    • UK – Computer misuse act of 1990 and Justice act of 2006
    • Germany – Misuse of devices – 2007

VOIP Security Uncovered

No Tech Hacking – Techno Style

  • Hackers for Charity
  • Vince’s Van Eck Phreaking van – HAD to sell it to the NSA
  • Profiling people from what they wear
  • Shoulder surfing came from pay phones and calling cards
  • Art of electronic deduction – Determine a person’s technical skill level by what the taskbar shows running
  • Profiling people from their cars
    • Cost of the car
    • Oil change stickers to determine the area of where they live
    • Parking stickers
    • Bumper stickers
    • License plate holders and vanity plates
  • Locks
    • Some can be opened with common household products like a Bic pen, toilet paper, cardboard, or a soda bottle

© Godai Group 2012