Here are my notes from the first day of the Hacker Halted conference.

Keynote Address – OSI Exposed & Examined

  • Level 8 politics, level 9 religion, level 10 economics
  • $200 per workstation is the average IT budget
    • At least 10% of that budget should be the security budget
  • If no security budget, do one or two things that are cheap and effective to build the case for security
    • Don’t do it by yourself
    • Bring the most important issue to the table first
  • For the most part, companies/people don’t care about security until something happens to them
  • Biggest challenge is showing a return on investment
  • Different business slant – information assurance instead of security – consumer protection

Evolution of an International Conglomerate – The Malware Ecosystem

  • Last year Kaspersky collected 2 million malware samples
  • This year they collected 20 million samples (already)
  • Like B2B, criminals have their own network - C2C
  • DIY malware kit can be bought for $20 USD.
  • An undetected trojan can be bought for $1000 USD.
  • Some come with an SLA
    • Once detected by AV, get a new one
    • Guaranteed infection rates
    • Technical support
  • There needs to be a high profile arrest to scare the criminals
  • Social networks provide tons of information
  • Targeted social engineering attacks are on the rise
  • RBN is dead; they all relocated to China and Taiwan

Malware Forensics Investigations

  • Prosecution takes lots of time and coordination
    • One case spanned five states and involved multiple homes and a colocation center
  • To preserve data do you need a license?
    • In some states, it can be criminal if you don’t have a license
    • Exemptions – lawyers
  • Private authority
    • Job description gives you authority for internal investigations
    • Written incident response policies
      • If not done right, can be inadmissible
  • Contractors
    • Engagement document / Statement of work
    • Service agreement
    • NDA
  • Laws
    • Lots of various laws to keep in mind with various cases
    • COPPA / Juvenile Act
    • UK – Computer Misuse Act of 1990 and Justice Act of 2006
    • Germany – Misuse of devices – 2007

VOIP Security Uncovered

No Tech Hacking – Techno Style

  • Hackers for Charity
  • Vince’s Van Eck Phreaking van – HAD to sell it to the NSA
  • Profiling people from what they wear
  • Shoulder surfing came from pay phones and calling cards
  • Art of electronic deduction – Determine a person’s technical skill level by what the taskbar shows running
  • Profiling people from their cars
    • Cost of the car
    • Oil change stickers to determine the area where they live
    • Parking stickers
    • Bumper stickers
    • License plate holders and vanity plates
  • Locks
    • Some can be opened with common household products like a Bic pen, toilet paper, cardboard, or a soda bottle