IT Security Blog

21 September 2009

Want to Play Monopoly? Spammers Don't Play Fair!

REMINDER: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog.  Please continue to follow me there. 


In the latest social engineering tactic targeting people who like to play games online, a new spam campaign has emerged attempting to lure users into downloading a Monopoly game, which is more like a game of Russian Roulette.  The email arrives as a seemingly innocuous invite from a random user (usually your first clue that this is something to avoid!) using an inviting subject line like "Play Online Together" or "Tom has invited you to play Monopoly":




If the recipient follows the link to the monopoly2009.com web site, they are greeted with a web page that actually looks fairly well done advertising the Monopoly "game" and encouraging the user to download using several links dispersed throughout the page after giving a brief history of the game and providing some fun facts.




No code is injected on the user's computer just by visiting the web page.  They need to download and install the monopoly.exe executable file that the site tries to deliver.  The executable file is just the first stage of the process, however.  A fairly common tactic being deployed by hackers is that the code that is installed as a result of the web site download is only the beginning.  At this point the trojan is activated on your computer, and now it is going to go out to another computer behind the scenes and download the second stage of the malware, the piece that turns your machine into a spam sending zombie touting Canadian Pharmacy products.

As the icing on the cake, the folks who created the page also included a hit counter at the bottom to lead you to believe that there are people playing the game online right now.  Don't be fooled.  This is merely a counter of how many people have visited the page thus far.


Posted by smasiello at 2:27 PM | Link | 0 comments
16 September 2009

Searches for Patrick Swayze Info Could Lead to Malware


ALERT: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog.  Please continue to follow me there. 

Now onto today's blog post :)


Another celebrity death.  Another recycled scareware tactic attempting to lure users to download malware by telling them that their PC is infected with a virus.  We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year.  Now the attention of cyber criminals has turned to Monday's death of Patrick Swayze as the soup du jour for malware distribution.

Queries for information on the death of the popular actor may lead to news stories that look legitimate when returned in search results, but when followed will lead users to a site that looks like this:

 


This similar tactic of presenting a window to the user that looks very much like a legitimate Windows popup has been used many times before in various forms.  The Windows Explorer-like screen presented to the user also uses geolocation to attempt to identify the country and city that the user is coming from in an attempt to make the user believe that their data is actively under attack.  Popups with phrases like "Scan procedures finished.  34 Potential aggressive items was found!" and "Your computer remains infected by threats!  They might lead to data loss and file structure damage, and needed to be heal as soon as possible.  Return to Total Security and download it secure to your PC" also attempt to trick users into believing that the only way that they can protect themselves from infection is by downloading bogus security software.

Clearly scareware tactics are something that cyber criminals have latched onto as a popular method for malware distribution, as it continues to be a recurring and evolving theme.  Conficker/Downadup largely popularized scareware with its success (although it wasn't the first to use it) and now others are riding off that popularity to repurpose it for their own scams.

Posted by smasiello at 10:31 AM | Link | 0 comments
10 September 2009

Tune in to Hear About Security Issues Facing Corporate Blogs with Robert Scoble on the SecurityBuzz Podcast


Friday usually gets people excited since it’s the countdown to the weekend, but this week we’re excited about it because we’re going to be having some stellar guests participate in the SecurityBuzz podcast.

As you may recall last week Robert Scoble’s WordPress blog Scobleizer was hacked. We’ve asked Scoble and Rob La Gesse, director of customer development at Rackspace to join us to discuss corporate blogs and security issues they face, how to prevent them, etc.

The podcast will be posted Friday afternoon so stay tuned. In the meantime, let us know if you have any questions you’d like for us to ask these guys and/or answer during the podcast. You can post them here or send me a note via Twitter - @smasiello.

Posted by smasiello at 3:35 PM | Link | 0 comments
09 September 2009

New Malware Campaign Spoofs the IRS


Earlier this morning our Threat Operations Center noticed a new spam campaign originating from the Cutwail botnet that is sending out emails spoofing the IRS.  We are currently observing traffic averaging about 90,000 messages per hour using this tactic.

The email that users are receiving which appears to come from no-reply@irs.gov is attempting to get them to believe that they misreported their income on their taxes and that the IRS is giving them an opportunity to fix it. 





The email provides a link for the user to view their recent tax statement online.  This link does not directly infect the user's machine, but instead directs them to a website where the malicious code is being delivered from. 



If the user clicks on any of the links on this page, they are directed to download an application called tax_statement.exe.  As of the time of this posting, AV detection for this new variant is low. 

Please remember that the IRS does not know your email address and will not conduct official business with you over email.  Any email purporting to do so is a scam and should be deleted immediately.
Posted by smasiello at 10:57 AM | Link | 0 comments

New Malware Campaign Spoofs the IRS


Early this morning our Threat Operations Center noticed a new spam campaign originating from the Cutwail botnet spoofing the IRS that is attempting to lure users into clicking on a link which directs them to a web site to download malware.  Over the past 3 hours we have been watching approximately 90,000 of these messages hitting our systems per hour.

The email attempts to trick the user into believing that they misreported their income and gives them a link where they can review their tax statement online.




The link in the email does not directly install malware on the user's machine.  Instead, potential victims are directed to a web site where they can download an executable file named tax_statement.exe, which contains the malicious code.

Posted by smasiello at 10:42 AM | Link | 0 comments
01 September 2009

Looking Ahead Toward the Threat Horizon


In my copious amounts of spare time one of the things that I like to put thought into is where I believe the Threat Landscape is headed.  Even in just the last 10 years since the Melissa virus (yes, I know viruses extend quite a bit further back than that.  I'm just using this as a reference point) we've gone from mass mailing viruses to network worms that run through your network compromising any vulnerable host as quickly as they can, to social engineering tricks that sometimes even make it difficult for the trained professional to tell whether something is real or fake. 

So, the question that I pose to myself is "What's Next?"  Taking even just the events of the last decade into account, where are we headed for the next few years?  Some of this is obviously hard to determine because that also involves being able to forecast what new technologies will be released, but we can start to make some assumptions based off of what is available today. 

Since this is a blog post, I'll try to keep this relatively brief.  Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today.  I like them and I've had the opportunity to write for them twice now) at some point soon.

Some things to think about:

-- The Insider Threat
Especially given the current economic conditions and the uneasiness around many offices around the country as to whether or not their companies will remain viable, organizations need to be ever cognizant of the data that is leaving their organization.  Given that the USB 3.0 spec released in November 2008 allows for data transfer speeds of about 5Gb per second, sensitive, proprietary corporate data can be pulled off a company's network and onto a thumb drive faster than ever before.  Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or who are upset at benefit and wage freezes/cutbacks, and you have a dangerous cocktail for data theft.  We need to make sure we are putting as much focus on protecting our sensitive assets from insiders, who much more easily have access to proprietary data, as we do on keeping the external threats at bay.

-- VoIP
Voice over IP (VoIP) technologies are being adopted at an ever increasing rate.  This is happening not only in the enterprise space, but in the consumer market.  Services like Vonage make it easier than ever for people to have portable phone numbers so that they can be easily reachable at local numbers by family members out of state.  VoIP implementations at organizations are becoming ever more popular as well.  As these technologies become more widely adopted we have started to see hints of what abuse of these tools might look like.  Throwaway phone numbers used to make spam phone calls have started to become more common.  There are services available online which allow you to purchase throwaway numbers in blocks.  Spammers can use and abuse these numbers just like they do IP addresses now. 

Another thing to watch out for is the compromise of VoIP systems as vulnerabilities start coming out in larger quantities.  Threats like direct voicemail injection will become another method that cyber criminals will use in order to get advertisements delivered to end users.  As the social engineering used in these threats improves, they could easily be used to steal personal identities and corporate data. 

-- Mobile Malware
Let's face it.  The phones that we carry in our pockets are little personal computers.  Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on.  I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ).  As mobile phone manufacturers have opened up their APIs to developers to create third party applications, they will need to be ever diligent in their QA processes to make sure that applications don't get posted to their distribution channels that contain some form of malware or open up a trojan backdoor to the device.  The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature rich smartphones entering the market.  The smartphone market is too large of a target for cyber criminals to ignore, especially if you consider the value of the data that we are now storing on these devices.  Secure sandboxing of third party applications is a must, but that is only a start.  Only hundreds of mobile malware variants exist today (compared to the approximately 1 every 4 seconds that is released for PCs), but that number is slowly growing and as hackers pay more attention to how they can penetrate mobile devices, that number is sure to only increase.

-- Social Networking
Social networks provide an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window.  This has really opened the door for cyber criminals.  With the data that is now available online through the use of social media sites like Facebook, Myspace, and Twitter, criminals can much more easily target attacks to specific individuals or groups of individuals using data made available via public profiles or geolocation tools that map your IP address to what town you live in (or near), so that they can deliver compelling content that directs you to malware infected downloads (à la the Waledac botnet).  The Web of Trust that exists between users on social networking sites is being actively exploited regularly by hackers looking to take advantage of the fact that users will click on whatever their friends send to them.  It's already been proven that people will click on links and open attachments from people they don't know, so why would they judge more closely the content from those that they do?

-- Political Hacktivism
Recently cyber criminals have picked up the pace a bit with respect to using online resources like social networking sites to quickly spread political messages in order to help them spread propaganda and recruit people to fight for their cause.  Due to the sensitive nature of political issues and the passion that people have for them, social engineering techniques like creating highly controversial views on sensitive topics is something that cyber criminals will latch onto in order to get people to react quickly and irresponsibly to either open attachments or visit websites that they would normally scrutinize more closely. 


These are only a small sampling of what I believe we will be encountering as we move forward (I didn't even go into the increased prevalence of compromise of legitimate web sites, and the further use of file sharing services, and calendar spam!), but they are things that we will need to keep top of mind as we look toward what threats are coming down the road.  Hackers will go where the money is and the money is where the people are.  So, whether it is Twitter, MySpace, Facebook, email, instant messenger, or our phones, criminals will leverage whatever technology is available because in their eyes the goal is to make money regardless of the available technologies, and if one person can be the one to figure out how to exploit a technology for their own financial gain before the others they'll end up getting the lion's share of the notoriety as well as beat defense mechanisms to the punch.
Posted by smasiello at 3:02 PM | Link | 0 comments
31 August 2009

Serious IIS Vulnerability PoC Posted


Proof of concept code has been made available online to take advantage of a newly reported IIS vulnerability that exists on both IIS 5 and IIS 6 and that allows an attacker to gain System level access on the web server.

The vulnerability exists in the IIS FTP server and is triggered through a directory with write access, which means that the FTP server must be turned on and a user (anonymous users included) must be able to write to a directory in order to exploit the hole. 

The suggested workaround until a patch can be released is to turn off write access to the FTP server. 

Most IIS installations are not vulnerable to this exploit due to the nature of the configuration required to take advantage of it, however it will affect enough of them where it is cause for concern.  Take the necessary precautions to review your IIS web server configuration.  With proof of concept code available online, it will only be a short matter of time before malicious exploits are making their rounds.

*** UPDATE 9/1/2009 9:00pm MDT *** Microsoft has acknowledged the IIS FTP 0-day via the bulletin posted here.  Microsoft is still determining whether or not it will release an out of band patch and does not currently believe that there are any malicious exploits in the wild taking advantage of the vulnerability.
Posted by smasiello at 4:51 PM | Link | 0 comments
28 August 2009

Apache Site Hacked Through SSH Key Compromise


According to this ThreatPost article the main web site for apache.org was hacked earlier today through an SSH key compromise where the intruder was able to gain root access to Apache's server.  The current apache.org site has been redirected to one of its European mirrors while the other server has been taken offline.

While on the machine the attacker was able to replace the ssh (Secure Shell) client and server applications with versions that would log the usernames and passwords of anyone who accessed that machine.

Although the Apache folks believe that they identified and remediated the vulnerability quickly, and that no software available on the site was compromised, if you have recently downloaded software from the Apache web site, you might want to take a cynical approach and remove and reinstall the software from the uncompromised site that Apache has up now. 

Information is still slowly coming out about this story, and we will likely know more in the coming days.  It is important to note at this point that although Apache believes that they identified and fixed the problem quickly, the possibility remains until we hear otherwise that this server may have been compromised by hackers for some time and that many software downloads had potentially been affected if any publicly available software was modified. 

My advice: Be over-protective.  Keep a close eye on the traffic coming in and going out of your network to look for anything suspicious.  With over 50% of the web server installations worldwide, Apache is a potential high-value target for criminals as any infected software downloads could lead to backdoors in systems that install binaries with embedded trojans.
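The intruder's replacement of the ssh client and server binaries is exactly the kind of change a file-integrity baseline catches, and the same comparison answers the question of whether a downloaded package still matches what you first installed. The following is an added example, not Apache's tooling and not part of the original post: it hashes every regular file under a directory into a manifest, then reports files whose hash, permission bits or size changed, plus files that appeared or disappeared. The directory contents and the "replaced" binary are constructed in a temporary directory for the demonstration. One caveat the incident itself illustrates: an intruder with root can rewrite the manifest and the hashing tool as easily as the binaries, so the baseline must live on read-only or off-host storage and the comparison should run from trusted media.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its hash, permission bits and size."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlink swaps need a separate check; skip non-regular files here
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_of(full),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Report paths whose hash, mode or size differ, plus files that appeared or vanished."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a stand-in for a bin directory, then swap the ssh
    file for different bytes of the same length and drop an extra file, as an intruder
    with root might. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        originals = {"ssh": b"original ssh client", "sshd": b"original ssh server", "ls": b"ls"}
        for name, content in originals.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        baseline = build_baseline(root)
        # In practice the manifest is written to read-only or off-host storage;
        # a JSON round trip stands in for that here.
        baseline = json.loads(json.dumps(baseline))

        # Same size as the original, so only the hash reveals the swap.
        with open(os.path.join(root, "ssh"), "wb") as fh:
            fh.write(b"replaced ssh client")
        with open(os.path.join(root, "ssh-helper"), "wb") as fh:
            fh.write(b"unexpected new file")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The replaced file keeps its original size and permissions, which is why the manifest records a hash and not just stat metadata; a size-only or mtime-only check would miss it.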
Posted by smasiello at 3:42 PM | Link | 0 comments
27 August 2009

Looking for Your Questions for the Security Buzz Podcast


On Friday morning (like every Friday) we will be taping the next episode of the Security Buzz podcast, and we are looking for your security questions that you would like to see answered.

Please contact us at securitybuzz AT mxlogic DOT com with your questions or thoughts and we'll try to cover them during the next or upcoming tapings of the show. 

Thanks for listening to us on the Security Buzz podcast.  We hope that you find the show both enjoyable and educational!
Posted by smasiello at 1:51 PM | Link | 0 comments
26 August 2009

The Responsible Versus Full Disclosure Debate Rages On


Byron Acohido of the USA Today poses a question that we have been battling for a long time in his latest piece on GSM conversation eavesdropping.  That question is how much time is enough time to give a vendor to patch an issue before the vulnerability becomes public knowledge? 

The debate rages as to who should be the one to set the time frame for responsible disclosure.  Should the person who identified and reported the vulnerability to the vendor also be the one to determine that timeframe?  That sounds a bit like extortion to me.  "Fix this problem by the time I say you should have it fixed by, or else we'll expose you to the world" seems an awful lot like someone who is sitting more toward the "black" end of the white/black hat spectrum. 

Should the vendor be the one to control that timeframe based on their knowledge of the risk factors (i.e. how exploitable is this problem?, Is it already being exploited?, What is the potential for damage if it were to be exploited?, How will it affect our market position, amongst other criteria) and other defined priorities?  Should they be held accountable for patching known flaws regardless of these factors due to their fear of being taken to task by the person who found the bug? 

In Byron's article, he specifically mentions a campaign by Karsten Nohl, who is threatening to expose a longstanding flaw in the encryption method used on GSM phones that will allow eavesdropping of conversations to take place.  Nohl mentions in the article that this is already being exploited widely, but is also calling upon the community of hackers to crack the encryption method.  If it is already being exploited (meaning that proof of concept code exists), why is he calling on the community do it?  Isn't that somewhat reinventing the wheel?  I didn't quite follow this path in Byron's article. 

So, what's the point to all of this?  On one side we have "grey hat" (in my opinion this designation is silly.  Grey hat is just a candy-coated way of saying "black hat", but wanting to appear as if you have the public's best interests in mind) hackers who feel like they are the superheroes of the security community by holding the threat of humiliation over the heads of companies who don't fix software flaws on their timeframe (Nohl suggests that the flaw he threatens to expose has existed for 15 years.  I am not sure how many of us are truly in the position to either confirm or refute that claim).  On the other we have companies who may have good intentions to fix vulnerabilities, but clearly perform their own internal risk assessments first based on a number of criteria, only a few of which I mentioned earlier. 

In my opinion, the answer to the question "how long should a vendor have to fix a reported vulnerability?" lies with the vendor and with the vendor alone.  Certain factors may cause a company to shift those priorities and release a patch outside of their regular software release cycles or the flaw might be something that doesn't get fixed until the next major software release.  Either way, if you really have the common good (as opposed to your own inflated ego) in mind, you'll let the vendor responsible for fixing the bug do so on a timetable that is acceptable to both them and their customers.  If their customers aren't happy with whatever that timeframe is, don't worry, they'll complain loudly (customers do that :) ) and the vendor will be forced to shift their priorities accordingly.  The process self-regulates that way and leaves the over inflated egos out of it.

Obviously there are many opinions on both sides of the fence on this issue.  So, let's have them!  Feel free to drop me a note at sam AT mxlogic.com or on Twitter as "@smasiello". 


Posted by smasiello at 3:25 PM | Link | 0 comments
25 August 2009

MX Logic September Threat Forecast and Report


What should we expect from the threat landscape next month?  Here are some highlights from the MX Logic September Threat Forecast that will be posted Wednesday morning:

As we head into September, we anticipate spam levels to remain at all time highs, accounting for more than 9 out of 10 emails sent.  Hackers continue to look for new ways to exploit email and Web for personal gain.  With the web of trust that users generally have with the people they are connected to on social networking sites, we expect to see an increase in spam and malware disguised as legitimate messages from someone the recipient knows.  In addition, as the U.S. healthcare reform debate continues to heat up, there’s a strong chance we’ll begin to see forms of political ‘hacktivism’ impacting the performance and availability of popular social networking sites.

Key findings from August include:

·       Overall spam volume (total number of spam messages) slowed slightly, however spam levels (percentage of spam versus all email) inched up to 94.9 percent of all email sent.

·       The United States continues to hold a slim lead over Brazil with respect to being the country that produces the most spam. 

·       Healthcare remained the most prevalent category of spam.

·       Fake UPS or DHL invoices remain the most popular theme to use with malware attached directly to email. In fact, this tactic made up 4 of the top 5 malicious email campaigns.

See the full report: http://www.mxlogic.com/threatforecast/

Posted by smasiello at 8:35 PM | Link | 0 comments

The 2009 Community Choice Awards

Show Your Support for MX Logic

Windows IT Magazine is asking IT pros, DBAs, and developers what they think the best products and services are, and so are we. If you have two minutes we’d really appreciate your vote for The 2009 Community Choice Awards in the Best Cloud Computing/SaaS Product or Service category. For some unknown reason MX Logic’s Email and Web Security Solutions aren’t even listed as a choice to vote for. (Given that we have 5 million users worldwide, I’m a bit dumbfounded as to why we weren’t included...) So, we’re asking our readers and partners to let them know about our SaaS offerings by voting and listing MX Logic’s Email and Web Security Solutions in the section titled “Other” in the Best Cloud Computing/SaaS Product or Service category. Thanks and we appreciate your support.

Vote for The 2009 Community Choice Awards:
http://www.surveymonkey.com/s.aspx?sm=8koDpFvpDvDy3ZZZGP9O4Q_3d_3d

Posted by smasiello at 10:14 AM | Link | 0 comments
21 August 2009

New Phishing Scam Targeting Yahoo Local Advertised Search


Our Threat Operations Center has recently noticed a new type of phishing campaign attempting to phish login credentials to Yahoo!'s Local Search Marketing tool.  This is similar to the Google Adwords phishing campaign that we reported back in May 2008 attempting to obtain login credentials to Google's Adwords site from customers.  In this instance the email that is being sent is spoofing a from address @yahoo-inc.com (Yahoo's internal email domain) and trying to convince the user that their account is about to be suspended.  Sounds like just about every other phishing campaign, right?

The phish reads as follows:

Dear Advertiser,

We just want to remind you that, on August 25, 2009, your Local Sponsored Search account will be discontinued. You will be upgraded to a new Sponsored Search account with geo-targeting and other great new features.

Please note the following: In order for us to upgrade your account you need to verify your user/password of your account. Please remember to input your Sponsored Search user and password correctly NOT your email and password.

Please visit the following link to verify your account:
hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm

Sincerely,

Your Partners at Yahoo! Search Marketing Copyright 2009 Yahoo!, Inc. All rights reserved.


Note the generic nature of the introduction, which should generally be one of your first tipoffs that the email is not authentic.  If you have a personal relationship with a company and they want to send you an important email communication, they will use your real name.  Also note the missing period between "onlinemarketing" and "yahoo" in the URL.  If you weren't looking closely, this could easily be missed by someone reading the email (and even if it were present, the actual URL for Yahoo!'s Local Advertising tool is "searchmarketing.yahoo.com", not "onlinemarketing.yahoo.com").  This point might also be missed by the casual recipient.

The potential audience being targeted by this email is somewhat limited because it will only make sense to those who are customers of this Yahoo product.  That rarely seems to stop most spammers.
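The tells this post points out, a generic greeting, a From address claiming a brand's domain, and a lookalike host that merely contains the brand name, are all mechanically checkable, as is the link-to-an-executable pattern from the IRS and Monopoly campaigns above. The following is an added example in Python, not MX Logic's filtering code and not part of the original post. It parses a constructed message modelled on the quoted phish (the Return-Path and relay host are invented), flags a mismatch between the From domain and the envelope sender, a generic salutation, and any link whose host is not the expected domain or a subdomain of it; a host that contains the brand string without being under the real domain is reported as a lookalike, and a link path ending in an executable extension is reported separately. The expected domains and brand tokens are parameters, so the same checks apply to the IRS mail with `expected={"irs.gov"}`.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the impersonated brand legitimately uses; assumed for this example.
EXPECTED_DOMAINS = {"yahoo.com", "yahoo-inc.com"}
# Brand strings whose presence in an unrelated host marks a lookalike domain.
BRAND_TOKENS = ("yahoo",)
GENERIC_GREETINGS = ("dear advertiser", "dear customer", "dear user", "dear taxpayer")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com")

# Matches live URLs and the "hxxp" defanged form used in the post.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)


def split_url(url):
    """Return (host, path) in lower case, undoing hxxp defanging first."""
    parsed = urlparse(re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE))
    return (parsed.hostname or "").lower(), parsed.path.lower()


def is_under(host, domain):
    """True when host is domain itself or a subdomain of it (foo.yahoo.com),
    not when domain merely appears inside it (yahoo.com.evil.test)."""
    return host == domain or host.endswith("." + domain)


def check_url(url, expected=EXPECTED_DOMAINS, brand=BRAND_TOKENS):
    """Indicators for one link: lookalike host, off-brand host, executable download."""
    findings = []
    host, path = split_url(url)
    if not any(is_under(host, d) for d in expected):
        if any(token in host for token in brand):
            findings.append(f"lookalike host: {host} contains the brand name but is not under an expected domain")
        else:
            findings.append(f"off-brand host: {host}")
    if path.endswith(EXECUTABLE_SUFFIXES):
        findings.append(f"link delivers an executable: {path.rsplit('/', 1)[-1]}")
    return findings


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw, expected=EXPECTED_DOMAINS, brand=BRAND_TOKENS):
    """Run header, greeting and link checks over one plain-text message; returns findings."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    envelope_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    # The From: header is free text chosen by the sender; Return-Path is the envelope
    # address the sending server actually used, so a mismatch is a spoofing indicator.
    if envelope_domain and from_domain != envelope_domain:
        findings.append(f"sender mismatch: From is @{from_domain} but envelope sender is @{envelope_domain}")
    body = msg.get_payload()
    first_line = next((line.strip() for line in body.splitlines() if line.strip()), "")
    if first_line.lower().rstrip(",").startswith(GENERIC_GREETINGS):
        findings.append(f"generic greeting: {first_line!r}")
    for url in URL_RE.findall(body):
        findings.extend(check_url(url, expected, brand))
    return findings


# Constructed sample modelled on the phish quoted in the post; headers are invented.
SAMPLE_PHISH = """\
From: Yahoo! Search Marketing <noreply@yahoo-inc.com>
Return-Path: <bounce@mail-relay.example.net>
Subject: Your Local Sponsored Search account

Dear Advertiser,

Please visit the following link to verify your account:
hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_PHISH):
        print("-", finding)
```

The subdomain test in `is_under` is the part that matters: a substring match would accept `yahoo.com.evil.test`, while an exact-domain-or-subdomain match rejects it and still accepts `searchmarketing.yahoo.com`.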
Posted by smasiello at 2:48 PM | Link | 0 comments
18 August 2009

Fast Times at MX Logic


Wow!  It certainly hasn't felt like 3 weeks since I last posted. 

In case you haven't heard, on July 30th McAfee announced its intention to purchase MX Logic.  It all went down while I was at the Blackhat Conference in Las Vegas, so I have to admit that I felt somewhat disconnected from everything while the initial excitement was happening at the office.  That changed quickly when I returned though, as my staff had (understandably) lots of questions about what the future holds for the company and for them personally.  I feel, however, that the initial FUD has turned to excitement as the reality has set in that this acquisition opens up a whole new world of possibilities, particularly as it relates to my Threat Operations team.  McAfee has a ton of threat research data that I personally can't wait for my team to be able to both integrate with and also share.  Just thinking about the possibilities makes me feel like a kid in a candy store.  I think my team can really make a positive contribution not only to the business unit within McAfee that we are about to become a part of, but to the organization-at-large.

All that being said, there has been a lot of work going on internally for the McAfee onboarding process as well.  I know that it has certainly kept management hopping while we have tried to keep our teams focused on business as usual.  It's important that everyone internally focus on advancing what has gotten us to this wonderful point, and that is executing on the plans that we already have in motion.  So far the people at McAfee that I have had an opportunity to interface with have been very welcoming and excited to have us coming onboard.  I can report that from my personal and my team's vantage point, the feeling is mutual. 

Here's to a prosperous, ongoing relationship!
Posted by smasiello at 1:07 PM | Link | 0 comments
29 July 2009

Blackhat Day 1 - My Personal Recap


Greetings from Las Vegas and the Blackhat Conference.

As I mulled over what I was going to write, I realized that if I said everything that I wanted to say it would be an epic post and that most people probably wouldn't make it all the way through.  So, I'll try to keep my editorials brief and to the point as I review Day 1 at Blackhat.

The morning started with a keynote by Douglas Merrill, formerly of Google (and several other places, but he is most likely best known for his work at Google).  This was a great talk where he said, among other things, that we are doing security incorrectly.  In large part I agree with him.  This is generally because it appears that the goals of the security program from the Information Security Officer's perspective and the CEO's are very different.  We already know that support from executive management is critical to the success of your security program, but what I don't think we are doing enough of is making sure those goals are aligned.  That comes down to better coordination between the security officer and the CEO.  The CEO might fully support the work that you are doing, but you need to be sure your intentions are aligned, otherwise you might be focusing on the wrong thing, which could land you in hot water should an event happen that the CEO thought you had well in hand.  There were many other things that he covered as well, but I want to move on to the rest of the day.

The next session that I attended was one on router exploitation.  This was also a very interesting talk because the presenter segregated his talk into different ranges: part of the talk was at a level more for the managerial types in the room and the other was geared more toward the hardcore assembly programmers in the room (and some in between).  The primary focus of this presentation was on the ranges of exploitability (is that a word?) between different types of routers.  He zeroed in on Cisco's IOS, mostly because they manufacture the most widely used routers on the internet.  Also discussed were the difficulties in exploiting Cisco's routers.  Why?  Because their code is so secure that it is nearly unbreakable?  No.  Because of the different variations in their build process.  According to Cisco's feature navigator as of June 2009 they have over 272k different builds of their IOS software, which probably contain about as many different memory and heap layouts.  These different memory layouts make exploiting a router very difficult because you have to write your shellcode based on a memory layout which is entirely variable based on who you are targeting.  He also discussed how to potentially exploit a router using ROMMON (ROM Monitor) and some of the challenges associated with that type of hack as well. 

Next I attended a presentation on fighting Russian cyber crime mobsters.  This was a very interesting talk with a lot of historical references and timelines, primarily with respect to the Dark Market FBI sting headed up by Agent Keith Mularski, who was one of the folks speaking.  He gave detailed accounts of his undercover operation and how well crafted it was.  It was so well done that people in his own agency couldn't figure out he was the one participating in the sting.  He also gave accounts of how he earned the trust of the top members of Dark Market, even to the point of getting them to move the Dark Market forums to FBI servers (of course the Dark Market folks didn't know they were FBI servers) when the site was under a DDoS attack.  Very entertaining.

The next session was about cross-site scripting (XSS) and how to craft XSS that will bypass some of the known filters out there like NoScript, IE 8's built-in functionality, PHP-IDS, and mod_security.  I learned a few new XSS tricks that I am looking forward to bringing back and playing with.  The moral of this talk was that even though there are ways to construct XSS attacks that can bypass these filters, overall they do a pretty good job (save for mod_security, which you should steer clear of) of detecting the common attacks and even do well at picking off the not-so-common ones.  The biggest issue with mod_security is that its filtering looks for specific keywords and doesn't handle many different encodings (so it is easily fooled).
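To make the mod_security point concrete, here is an added example (my own illustration, not code from the talk or from mod_security itself): a keyword-only filter compared with one that canonicalizes the parameter value before matching.  The sample parameter values are constructed; the decode loop and its round limit are my own choices.

```python
import html
import re
from urllib.parse import unquote

# The kind of literal keyword a signature-style filter looks for.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def naive_filter(payload: str) -> bool:
    """Keyword match on the raw parameter value, with no decoding at all."""
    return bool(SCRIPT_TAG.search(payload))


def canonicalize(payload: str, rounds: int = 3) -> str:
    """URL-decode and HTML-entity-decode until the value stops changing.

    The round count is bounded so a deliberately nested encoding cannot
    keep the filter busy forever (an assumption of this example, not a
    mod_security setting)."""
    current = payload
    for _ in range(rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def normalizing_filter(payload: str) -> bool:
    """Match on the canonical form, which is closer to what a browser renders."""
    return bool(SCRIPT_TAG.search(canonicalize(payload)))


# Constructed sample values: plain, URL-encoded, entity-encoded, double-URL-encoded, benign.
SAMPLES = {
    "plain": "<script>test</script>",
    "url_encoded": "%3Cscript%3Etest%3C/script%3E",
    "entity_encoded": "&lt;script&gt;test&lt;/script&gt;",
    "double_url": "%253Cscript%253Etest%253C/script%253E",
    "benign": "search=monopoly+rules",
}


def compare(samples=SAMPLES) -> dict:
    """Return {name: (naive_verdict, normalizing_verdict)} for each sample."""
    return {name: (naive_filter(v), normalizing_filter(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in compare().items():
        print(f"{name:15s} naive={naive!s:5s} normalized={normalized!s:5s}")
```

Only the plain sample trips the keyword-only filter; the normalizing filter flags every encoded variant and still passes the benign value, which is the whole argument for decoding before matching.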

The next talk was about the underground economy.  Although I found this talk very interesting and full of facts, I don't necessarily agree with some of the statements that were made.  One of their overriding assertions during this talk was that spammers aren't making very much money.  The quote was that "If anybody can do it, everybody does, and nobody makes any money."  I believe that this assertion largely depends on what part of the spammer "food chain" you are looking at.  At the bottom rung of the food chain you have the grunts, the mules, the infantry: the ones who are most at risk of being caught.  These are generally the folks who are running the drop accounts, the accounts that are used to move money from one account to the next.  These folks are the most expendable and make a small wage for their time.  Consider them the burger flippers and french fry makers of the organization (no offense intended to burger flippers and french fry makers!).  As you move up the food chain you are dealing with people who are generally less visible to the operation and are also pulling in more money.  Continue to move up the chain until you get to the guy at the top.  Now, if you are playing off of sheer percentages, yes, a good percentage of the operation, the front line folks, aren't making that much money.  The reality, however, is that if spammers weren't making much money they wouldn't have the motivation to continue doing it.  It is a financially motivated economy and the only reason these guys stay in the game is because they can make money, lots of it.

They did make one point which I thought carried a lot of weight, and that was the reasoning behind why more banks have not implemented something the security community has been asking for: two-factor authentication.  Some banks have implemented some cosmetic features like on-screen keyboards and SiteKeys, but the reality according to their figures is that banks lose an average of 34 cents per year per person to phishing.  The average support phone call that gets through to a person costs about $10/call.  So, even if only 10% of a bank's customers made one phone call to the bank on a support issue, that cost would still dwarf the losses from phishing.  So, at the end of the day the cost/benefit analysis of whether or not to implement two-factor authentication falls on the "no" side of the fence.

The last talk I attended today was one called Internet Special Ops (Stalking Badness Through Data Mining).  This talk started off kind of rough.  Paul Vixie started his portion of the presentation by apologizing (doesn't he know this is one of the things that you NEVER do during a presentation) to the audience because the slides he was going to present were probably too high level for the audience (another one of the things you NEVER do.  You must know your audience).  He said he was expecting more people in suits than technical folks.  I am assuming he has spoken at Blackhat before???  Anyway, the other two presenters were decent, talking about Conficker and how to correlate disparate data points to put together a story.  I have to admit, though, that because of how this presentation started, this was the one that I was most underwhelmed with.  It was also the end of a long, learning-filled day, so you could also accuse me of being a bit apathetic by then and I wouldn't argue with you about that.

I also attended Johnny Long's talk about Hackers for Charity, where he also told his story from where he began to how he got to the "Internet Rockstar" status he currently has.  This guy is laugh-out-loud funny.  I know quite a few people who make me laugh pretty hard, but I can usually control it to a low roar.  This guy made you laugh out loud to the point where you were completely unable to stop yourself.  In addition to Hackers for Charity being a great organization, he had a great message as well.  That message was that in the security community we have great power and knowledge.  We should use that great power and knowledge to make sure we are doing things that are bigger than ourselves.  Don't focus on personal gains.  Focus on how you can help other people.  A great message that we should all live by regardless of our professions.

So, that is my wrap-up from Day 1 at Blackhat.  Overall a great day, and I am looking forward to tomorrow being just as fruitful.

Posted by smasiello at 11:28 PM | Link | 1 comment