SAS Day One: Kaspersky Showcases Company, Industry Talent

PUNTA CANA – Security professionals, law enforcement officials, and journalists converged on the Dominican Republic’s Punta Cana resort town for Kaspersky Lab’s extravagant Security Analysts Summit, which came on the coattails of two other Kaspersky events. By day the attendees sat in on their choice of various security briefings from three separate tracks. By night the conference-goers were wined and dined at beach parties (and in at least one cave).

As magnificent as the accommodations were on the tropical, cloudless island, the contents of the conference itself were even better. Kaspersky Lab’s Global Research and Analysis Team (GReAT) unveiled the details of a new advanced persistent threat campaign [PDF] known as “Careto”, a spanish word, the meaning of which is debatable. Some spanish speakers said ‘careto’ is not a word, while others claimed it to be the word for an ugly face or mask, which is why you may have seen the campaign referred to as “the Mask.” At least one person told me it is a pejorative slang in Madrid for ‘face’.

At any rate, the director of GreAT, Costin Raiu delivered a fascinating presentation unveiling the Mask APT campaign and claiming that it is the most sophisticated such campaign he has seen in years. That is saying a lot considering the laundry list of such campaigns that Raui and his colleagues have uncovered in recent years.

This one, he explained Monday, is unusual for two primary reasons: the first is that the malware and exploits used in the campaign appear to have been developed by Spanish language speakers. The second is that there seems to be no link to China whatsoever, a hotbed for APT and state sponsored hacking. The Mask targeted government agencies and energy companies in more than 30 spanish speaking countries. It can target Windows and Mac machines and traffic coming into the command and control server controlling the campaign – which Kaspersky researchers have taken control of – suggests that the Mask may also have modules capable of targeting the Linux, iOS, and Android operating systems.

The people responsible for the campaign – whoever they are – shut everything down within hours of the press release issued by the company last week. However, Raiu warned that they could restart that campaign very easily if they wanted to.

The conference also boasted a robust list of speakers, including Microsoft security strategist Katie Moussouris, who has almost singlehandedly thrown a wrench into the wildly unpopular vulnerability sales marketplace by substantially increasing the scope and the amount of money paid to researchers disclosing bugs to Microsoft’s bug bounty program.

In his typical fashion, Chris Soghoian of the American Civil Liberties Union didn’t pull any punches in his keynote on the impact and legacy of the revelations made public by former NSA contractor Edward Snowden. Soghoian gave a very pro-Snowden, anti-government surveillance talk to a crowd, the majority of whom, seemed to rest on the other end of the spectrum.

Far less contentiously, Steve Adegbite of Wells Fargo stressed the importance of risk management in his talk. Adegbite made the case that a solid risk assessment plan is perhaps the most important aspect of an organization’s security posture. “Your risk model is never going to always work,” he said, arguing that risk models should be planned to fail.

From here, Kaspersky Researchers Vitaly Kamluk and Sergey Belov along with Cubica Labs’ Anibal Sacco demonstrated a potentially devastating attack that could remotely wipe all the data from victim machines. Belov uncovered the vulnerability that enabled this exploit in a mysterious piece of software living on his wife’s computer. And not just anywhere in his wife’s computer, but in an underlying system of it, called BIOS, whose task is essentially to initiate PC-startup. The program – called Computrace – acted suspiciously like a piece of malware, injecting new processes, deploying anti-debugging protections for and obfuscating itself, and displaying an advanced resilience to removal. Oddly, the program is legitimate. Its intended use is to track lost computers, which, Kamluk noted, sounds beneficial. But Belov didn’t turn it on and his wife didn’t turn it on, which suggests that it could potentially be enabled on millions of machines all over the world, yet unknowingly to their respective owners. This – of course – could mean that millions of users are susceptible to an attack that could remotely wipe all the data off their computers if an attacker manages to compromise that user’s internet connection. Of course, remote wipe is not that interesting to attackers nowadays, however, any other kind of remote exploit is possible using Absolute Computrace vulnerability.

Cryptography expert and security industry legend, Bruce Schneier took to the stage in a fireside chat with Baroness Pauline Neville-Jones, former UK Minister of State for Security and Counter Terrorism. The pair had a lively debate about whether national security-focused government surveillance can exist in the age of the Internet without harming civil liberties. Schneier, who has been a foremost vocal critic of blanket surveillance and terrorism fear-mongering before that, echoed the almost universally held sentiment that precision surveillance for targeted law enforcement operations seeking to investigate bad actors is a good thing. However he also argued that blanket surveillance is unpalatable and bad for everyone. He went on to say that terrorism – the concept generally used to justify unlimited spying – is a rounding error of risk. To which Baroness Neville-Jones replied: when people’s lives are at risk, that’s not just a rounding error.

Eugene Kaspersky joined Baroness Neville-Jones, Latha Reddy, the former Deputy National Security Adviser of India, and Jae Woo Lee of Dongguk University and the Cyber Forensic Professional Association in Seoul Korea to discuss the woeful state of security in the realm of critical infrastructure.

“There are only two things that wake me up at night,” Kaspersky said, “critical infrastructure insecurity and turbulence.”

The panel was moderated by former Obama administration cybersecurity coordinator, Howard Schmidt, who asked the panel what can be done about serious security problems in systems that control vital elements of society like water plants and street grids:

“Pray,” said Kaspersky, who only appeared to be half-joking.

Check back soon for our day two coverage of the event.