FOCUS'08: A Souvenir of Las Vegas

Last week, along with 1,200 other attendees from 47 countries, I was in Las Vegas at the FOCUS’08 McAfee Security Conference. In my opinion it was a great success; here are some on-the-spot comments.

On Tuesday, after the welcome session in which McAfee CEO Dave DeWalt announced, among others, the McAfee Initiative to Fight Cybercrime, I chose to hear my colleagues Toralv Dirro and Pedro Bueno present the state of cybercrime around the globe. In this session, the participants learned the actual methods used by cybercriminals: identity theft, phishing, password-stealing Trojans, virtual money laundering, and botnets. “The cybercrime industry is still booming,” the speakers explained. “It moves about US$100 billion per year and is the most successful sector of organized crime, growing 40 percent per year.”

Fortunately, the criminals do not win all the time. A supervisory special agent attached to the FBI Cyber Division gave us proof in the next session. Through example of “Alonzo X,” we learned how the police forces work to catch cybercriminals. Organizing and offering to sell parts of his botnet consisting of approximately 100,000 infected computers, Alonzo was responsible for sending thousands of spam between 2004 and 2007.

During this track, we learned that, as they do for drug rings, the FBI investigators infiltrate criminal operations. And they are sometimes on the horns of a dilemma: To help the inquiry, do they have the right to use for themselves a botnet they purchase and can they send themselves spam? We also learned how it was sometimes possible to calculate the fine by considering the expense for a computer repair ($200) and multiplying that amount times the number of infected computers. The police’s role is also to inform the victims that their computers are infected. It is not an easy task when you have a worldwide network of thousands zombie machines. Someone in the audience asked the agent how much Alonzo earned; the response was approximately $80,000 per year.

In the third track I attended, participants learned about the views of the U.S. Department of Homeland Security. To introduce his talk, Brett Lambo, the Director of the Cyber Exercise Program, gave us a brief outline of the situation: Today malicious insiders and cybercriminals have both the capabilities and the intent to use the Internet as a playground. Other nations, which also have the capabilities, may have the intent, while terrorist groups may have the intent but do not possess capability. Then, Lambo explained America’s cyberinfrastructure serves as a vital link among 17 critical infrastructure and key resource sectors, as well as providing a fundamental element of all emergency response operations at the federal, state, and local government levels. Since 85 percent of the critical infrastructure in the United States is owned by the private sector, this unity between the cyber response community in the government and private sector will be essential to effective protection and defense.

On Monday afternoon, I was busy with my own session: “Malware on Second Life–Myth or Reality?” As businesses begin to embrace virtual worlds, there’s more and more money involved. I conducted some research on this platform to demonstrate that Trojans, worms, phishing, and counterfeiting activities were not a myth. Here’s one incident I found: Two teenagers, 15 and 14 years old, have been convicted for virtual theft in the Netherlands. They had stolen a virtual amulet and mask in the multiplayer RuneScape game by forcing another player to transfer the items under the threat of violence. One defendant was sentenced to 200 hours service, the other to 160 hours. Yes, threats in virtual worlds are a new cause for concern.

One of the Wednesday events was the talk by colleagues George Kurtz and Brian Kenyon (“Hacking Exposed Live 2008.”) The conference room was just large enough to accommodate all the people wishing to see the live demonstration of today’s most advanced attacks and exploits. Perhaps some attendees found this report too technical. For my part, I thank the authors for the 140-page booklet they offered to all the participants.

Also that day I could not miss the report by Joe Telafici (one of my managers and vice president of operations for McAfee Avert Labs) on the “Economics and Finances of Cybercrime.” After a well-documented threat report that demonstrated the business sense of cybercriminals, Telafici explained that we had to “change the equation” by reducing rewards and making the web harder to use for criminals. “We need a multifunctional, cross-discipline, standards-based approach at fixing the protocols and applications [TCP/IP, DNS, SMTP, HTTP(S)] that make up the Internet,” he concluded.

I started Thursday by participating in the Craig Schmugar track on “Sō’shÉ™l Äšn’jÉ™-nîr’Ä­ng.” Social engineering is one of the most successful tactics attackers can use in committing cybercrime–by enticing a potential victim into performing a distinct action. After some examples, my Avert colleague explained that crimeware defense strategies were rarely discussed in public. First, they concern the trade secrets of the anti-malware industry; and, second, they could help criminals in their bad work if they were circulating. Social engineering defense, however, is a bit different. Schmugar discussed social engineering characteristics (source, destination, circumstance, content type), inspecting metadata (freshness of content, file names, extensions, path, ADS, web domain and site names), considering static binary properties (container, file size, icon, use of “obscure” functionality and digital signatures) and considering the environment (service names and description, registry references).

Also on Thursday, the Dmitri Alperovitch talk grabbed my attention, and I did not hesitate to congratulate him after his presentation. The subject was “Organized Online Criminal Enterprises: Profile of Who, Where, and How.” Alperovitch offered an impressive list of criminals from Eastern countries (with supporting photos) involved in all sorts of cybercrime. It is easy to understand why the Alperovitch presentation now available on the Internet has many deleted sections. Seemingly, the crooks are all Russian or Ukrainian; and of course they use WebMoney. His example of stock manipulation was also very explicit. With some professional spammer tools and an Internet application able to manage “Exact Buy/Sell signals,” Alperovitch demonstrated that it is not difficult for a crook to make money. In his example, the “buy” flag for a peticular penny stock was fixed to $3.45 and the “sell” flag was set between $3.90 and $3.95. When the spammer launched his campaign, the stock cost about $3. The whole deal took just 8 hours, from purchase to sale. By manipulating 100,000 shares, the profit reached $50,000.

Now I am heading home to France preparing to inform my family about all the interesting and festive events I saw. See you next year at FOCUS’09!