[ISN] Cyberthreat experts to meet at secretive conference

From: InfoSec News (alerts@private)
Date: Mon Jan 22 2007 - 23:17:51 PST


By Joris Evers
Staff Writer, CNET News.com
January 22, 2007

Internet security experts are gathering at a secretive conference later 
this week to strategize in their fight against cybercriminals.

The meeting on Thursday and Friday at Microsoft's Redmond, Wash. 
headquarters is slated to bring together representatives from security 
companies and government and law enforcement officials, as well as 
others involved in network security. The agenda focuses on botnets and 
related topics, seen by experts as a prime threat to the Internet.

"Unlike most other security conferences, we allow only members of the 
different relevant groups access, and we discuss organized crime and 
threats across borderswith a strong lean toward how we can make things 
better," said Gadi Evron, an evangelist at security firm Beyond Security 
and organizer of the event.

Botnets are networks of hijacked computers, popularly called zombies. 
Cybcercrooks use these networks to relay spam, bring down Web sites, 
distribute spyware and perform other nefarious acts. Microsoft has 
fingered zombies as a top threat to Windows PCs.

In the battle between cybercrooks and those protecting the Internet, the 
bad guys are often at least one step ahead. Authorities are cracking 
down and have had successes in catching, prosecuting and convicting 
phishers and bot herders in recent years. But criminals are organizing 
better and moving to more sophisticated tactics, including the use of 
peer-to-peer technologies in their bot software. The gathering this week 
is the good guys' effort to team up.

"These events have been a great way to build trust in the security 
community, which can lead to collaboration and data sharing. This helps 
in the overall efforts to combat the cybercriminals," said Dave Jevans, 
chairman of the Anti-Phishing Working Group, who is slated to speak at 
the event later this week.

The two-day meeting is held behind closed doors. "For reasons of 
practicality as well as to help members feel safe to share and work in 
our environment, some privacy is required," Evron said. "Not everything 
can be common knowledge if we are to be successful in combating these 

It is not unusual for such meetings to be confidential. After all, it 
doesn't make much sense to let the criminals in on the efforts being 
made to catch them. Also, this isn't a new thing for Microsoft--the 
company regularly holds meetings at its campus that require a 
nondisclosure agreement.

Scheduled presentations at this week's event include two talks by 
Microsoft on security vulnerabilities that have no patch, known as 
zero-day flaws, and the software maker's response to those. There has 
been a significant rise in the use of zero-day bugs in cyberattacks. 
Criminals often exploit security holes to add PCs to their botnets.

"Microsoft will be presenting our analysis of trends and patterns in its 
security response process," a company representative said. 
"Additionally, we will be reviewing vulnerability exploitation trends, 
with a specific focus on the usage of zero-day vulnerabilities, to 
attack customers."

Microsoft also said it is "proud to sponsor the workshop, which provides 
an opportunity for the security operations community to discuss security 
trends, share information and plan for the future."

Trojan horses, phishing and spam--oh my

Aside from various talks specifically on botnets, other presentations 
dive into Trojan horses, new styles of denial-of-service attacks, spam, 
phishing and weaknesses in protection technologies such as sandboxes and 
virtual keyboards on banking sites, according to the event agenda.

Douglas Otis of Trend Micro plans to give a talk on how e-mail 
authentication technology called Sender ID could be abused to launch 
denial-of-service attacks, he said. Sender ID is a specification pushed 
heavily by Microsoft for verifying the authenticity of e-mail by 
ensuring the validity of the server from which it came.

Jevans of the Anti-Phishing Working Group plans to present a multiyear 
overview of phishing statistics and discuss new trends in the 
data-thieving scams, he said. These new trends include use of 
subdomains, more man-in-the-middle style attacks and changing attack 
patterns to also focus on smaller banks and payment services, he said.

Alex Shipp, a senior antivirus technologist at e-mail security company 
MessageLabs, is scheduled to deliver a talk on Trojan horses targeted at 
a small number of companies or even individual. It is an update to a 
presentation he gave at the Virus Bulletin conference last year. These 
targeted Trojan horse attacks are considered dangerous because they 
could evade traditional protection mechanisms trained to look for known 
attacks or mass attacks.

But Shipp also hopes to leave with answers to a number of questions. 
Ultimately, the event should better arm attendees in the fight against 
cyberattacks, he said

"What are the bad guys doing now and how can we stop them? Can we do 
better than we are currently or do we need a seismic shift in the way we 
do things now to solve the problems? What kind of co-operative efforts 
can we put in place that would benefit us all?" are some of those 
questions, Shipp said.

Among those scheduled to attend are representatives from security firms 
such as Symantec, Trend Micro and Websense, as well as people from AOL, 
Cisco Systems, Microsoft, Sun Microsystems and Qwest. Government and law 
enforcement expected to attend include the Federal Bureau of 
Investigation, Secret Service and United States Computer Emergency 
Readiness Team, or US-CERT. Various universities are also expected to 
send representatives.

"Cooperation at all levels, technical, legal, government, is needed to 
contain the problem," said Righard Zwienenberg, chief research officer 
at Norman Data Defense Systems, who is slated to speak on sandboxes at 
the event Thursday. "Without worldwide laws and cooperation, we might 
lose the battle in the end."

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Mon Jan 22 2007 - 23:34:08 PST