This session is sponsored by Fortinet.
Chair: Frances Burton, security services group manager, Jisc.
Cybersecurity has long been an area of activity for those responsible for providing, protecting and supporting digital services in research and education, but recent events have focused public and media attention on the scale of the threat.
Our security thread at this year’s conference picks up on some of these themes, with sessions covering a number of cybersecurity areas. There will be presentations on organisations’ experiences of email phishing and the results of our RPZ trial. Accreditation of services is being requested more often by project funders, and there will be a case study presentation on the experience of obtaining ISO 27001.
Running order of talks:
11:30-11:55 - RPZ trial
Speaker: Peter Dorey, Spamhaus
11:55-12:20 - Addressing the skills shortage in cybersecurity
Speaker: Debbie Tunstall, Cyber Security Challenge.
12:20-12:45 - Institutional issues with Bitcoin
Speaker: Jethro Perkins, London School of Economics and Political Science (LSE).
2. Please switch your mobile phones to silent
• No fire alarms scheduled. In the event of an alarm, please follow directions of NCC staff
• 15:20 - 16:00 Lightning talks
• 16:30 - 17:30 Birds of a feather sessions
• 19:30 Dinner (now full), entrance via Goldsmith Street
3. University of Kent and Spamhaus
Response Policy Zone Trial
David Hayling - University of Kent
Peter Dorey - Spamhaus Technology
5. RPZ Response Policy Zone
• Basically ‘real time blocking lists’ for DNS lookups
• Developed by ISC
• In BIND since ver 9.8
• Load a zone from <some-source>
– Full transfer (AXFR)
– Incremental (IXFR)
• DNS server checks the RPZ zone for each resolve request
– If negative then resolve the name as normal
– If positive then return a pre-configured IP address (‘walled garden’), or return ‘non-existent domain’ (NXDOMAIN)
simples
12. ‘Normal levels’ of malware – spring term – the ‘New Normal’
RPZ | David Hayling
13. Don’t just take RPZ’s word for it …
• Suricata Intrusion Detection System
• Log file analysis by Splunk
15. RPZ Response Policy Zone - issues
• Load a zone from <some-source>
– Incremental (IXFR) after a long gap causes BIND to ‘barf’
– Full transfer (AXFR)
• False positives
– No reports
– but … blocking Twitter isn’t popular
• Whitelists
• Blacklists
• Google DNS (et al)
– Should we block?
– or redirect the query to local DNS
– or do nothing
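The following Python script is an added example, not code from the Kent/Spamhaus trial or from BIND itself. It models the rule evaluation a BIND resolver performs against Response Policy Zones, so that the actions listed on slide 5 (NXDOMAIN, walled garden) and the whitelist-over-blacklist ordering that slide 15 needs for the "blocking Twitter" false positive can be tried on a constructed zone. The zone names (rpz.local., whitelist.local.), the trigger names and the addresses are assumptions made up for the illustration; the trial's real feed and resolver configuration are not on the slides. The equivalent BIND `response-policy` statement is shown in the module comment.

```python
"""Added example (not from the Kent/Spamhaus slides): a minimal model of how a
BIND resolver evaluates Response Policy Zones, run against constructed zones.

The equivalent BIND configuration (real directive syntax, hypothetical zone
names and master address) would be:

    options {
        response-policy {
            zone "whitelist.local";   # local exceptions, searched first
            zone "rpz.local";         # feed pulled by AXFR/IXFR
        };
    };
    zone "rpz.local" { type slave; masters { 192.0.2.53; }; file "rpz.local.db"; };

BIND searches the policy zones in the order listed and the first zone holding a
matching rule decides; inside a zone the most specific owner name wins, with an
exact name beating a wildcard.  That is what evaluate() below reproduces."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed feed zone. Owner = <trigger>.<policy zone>; the rdata encodes the action.
FEED_ZONE_NAME = "rpz.local."
FEED_ZONE = """
; CNAME .        -> NXDOMAIN        CNAME *.  -> NODATA (name exists, no records)
; A/AAAA <addr>  -> walled garden (local data handed back instead of the real answer)
malware.example.rpz.local.      CNAME .
*.malware.example.rpz.local.    CNAME .
tracker.example.rpz.local.      A     192.0.2.1
*.badcdn.example.rpz.local.     CNAME *.
t.co.rpz.local.                 CNAME .
"""

# Constructed local whitelist: a passthru rule for a feed entry that blocked something popular.
WHITELIST_ZONE_NAME = "whitelist.local."
WHITELIST_ZONE = """
t.co.whitelist.local.           CNAME rpz-passthru.
"""


@dataclass(frozen=True)
class Verdict:
    action: str                 # NXDOMAIN, NODATA, PASSTHRU, DROP, LOCALDATA, REDIRECT or NONE
    data: Optional[str] = None  # walled-garden address or redirect target
    rule: Optional[str] = None  # owner name of the rule that fired, for logging


def parse_zone(zone_name: str, text: str) -> dict[str, tuple[str, str]]:
    """Map trigger name -> (rrtype, rdata), stripping the policy zone suffix."""
    suffix = "." + zone_name
    rules: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a zone-file comment
        if not line:
            continue
        owner, rrtype, rdata = line.split()
        if not owner.lower().endswith(suffix):
            raise ValueError(f"{owner} is not inside policy zone {zone_name}")
        trigger = owner[: -len(suffix)].lower() + "."
        rules[trigger] = (rrtype.upper(), rdata)
    return rules


def candidates(qname: str) -> Iterator[str]:
    """Trigger names to try, most specific first: the exact name, then a wildcard
    at each ancestor.  *.example.com matches any depth below example.com but
    not example.com itself, matching RPZ wildcard semantics."""
    name = qname.lower().rstrip(".")
    yield name + "."
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:]) + "."


def decode(rrtype: str, rdata: str, rule: str) -> Verdict:
    """Translate a rule's rdata into the action the resolver will take."""
    if rrtype == "CNAME":
        target = rdata.lower()
        if target == ".":
            return Verdict("NXDOMAIN", rule=rule)
        if target == "*.":
            return Verdict("NODATA", rule=rule)
        if target == "rpz-passthru.":
            return Verdict("PASSTHRU", rule=rule)
        if target == "rpz-drop.":
            return Verdict("DROP", rule=rule)
        return Verdict("REDIRECT", data=target, rule=rule)   # e.g. a walled-garden hostname
    if rrtype in ("A", "AAAA"):
        return Verdict("LOCALDATA", data=rdata, rule=rule)
    raise ValueError(f"unsupported RPZ action {rrtype} {rdata}")


def evaluate(qname: str, zones: list[tuple[str, dict[str, tuple[str, str]]]]) -> Verdict:
    """First zone with a match decides; NONE means resolve the name normally."""
    for zone_name, rules in zones:
        for trigger in candidates(qname):
            if trigger in rules:
                rrtype, rdata = rules[trigger]
                return decode(rrtype, rdata, trigger + zone_name)
    return Verdict("NONE")


ZONES = [
    (WHITELIST_ZONE_NAME, parse_zone(WHITELIST_ZONE_NAME, WHITELIST_ZONE)),
    (FEED_ZONE_NAME, parse_zone(FEED_ZONE_NAME, FEED_ZONE)),
]

if __name__ == "__main__":
    for q in ["malware.example", "cdn.malware.example", "tracker.example",
              "img.badcdn.example", "t.co", "www.example.org"]:
        print(f"{q:22} -> {evaluate(q, ZONES)}")
```

Running the script shows the two behaviours the slides care about: `t.co` is NXDOMAIN on the feed alone but PASSTHRU once the whitelist zone is listed first, and `cdn.malware.example` is caught by the `*.malware.example` wildcard while `badcdn.example` itself is untouched by `*.badcdn.example`. Logging the `rule` field is what gives you the "reports" the issues slide says were missing.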
16. RPZ Response Policy Zone
“The greatest improvement in our malware defense,
in one easy step”
Networks Team, Server Infrastructure Team, and Operations
https://blogs.kent.ac.uk/unseenit/?s=rpz
With thanks to Matthew Trump
18. RPZ Trial 12/04/2017
Spamhaus Technology
» What we do
90% of the world’s email traffic is spam… still
100 spam operations in North America and Europe account for 80% of spam
Protecting 3 billion mailboxes world-wide
22. » How it works
Response Policy Zones
[Diagram: DNS resolver, DNS root server, DNS .com TLD, DNS example.com]
23. » How it works
» Distribution via IXFR
• 8 core CPU with at least a 2.4 GHz clock speed
• 8 GB of RAM
• Servers should be bare metal, not virtualized
28. Addressing the skills shortage in Cyber Security
Debbie Tunstall, Cyber Security Challenge
29. Debbie Tunstall
Education Team Manager - Cyber Security Challenge UK
Ensuring We Have The Cyber Skills for Tomorrow
12 April 2017
30. Cyber Security
Cyber security has become prominent in recent years,
moving from a back-office ‘techie’ activity to an
industry that is at the heart of Britain’s business
success and its protection from major online criminals
and terrorists.
31. Current Picture
»The eighth annual (ISC)² Global Workforce Survey predicts there will be a shortage of 1.8 million Information Security Professionals by 2022
»The Government will invest £1.9 billion in a
National Cyber Security Strategy to ensure
government, businesses, law enforcement and UK
citizens have the right skills and knowledge
34. Why is there a skills shortage?
• Profession is relatively new
• Understanding of the nature of the jobs is poor
• The pathways into it are ill defined
• Lacking diversity: we recruit from half the population, 7% women
• Our education system was not delivering for us.
Peter Clarke, Nov 2015
Masterclass winner
Ben Jackson (18), Nov 2016
Masterclass winner
35. The world is your oyster
»The UK cyber security industry contributes
over £17 billion to the UK economy
» Tens of thousands of home-grown experts are
working to protect UK businesses
»Globally, the rise in online crime is outpacing
the supply of cyber defenders
»Exports of UK cyber products and services are
growing by over 15% a year
36. Employers Need You!
Attributes:
Quick thinkers
Strong communicators
Have an inquisitive and analytical mind
Problem solvers
Good at thinking outside the box
Creative – can stay one step ahead
37. Introduction to Cyber Security Challenge UK
Cyber Security Challenge UK was set up to support
the National Cyber Security Strategy and to help
address the critical skills gap
A not-for-profit organisation attracting
government and commercial sponsorship
Over 80 Sponsors of all sizes
Cyber Education and
Skills: High on the list of
UK Governmental
Priorities
38. What is on Offer From The Challenge?
Competitions for all – National and
European
University Competitions
Schools Competitions – Cyber Games
CyberCenturion
Online Gaming – PoD – MMOGE Cyphinx
Toolkits
Virtuals
Cyber Camps
Face-to-Face learning and competitions
Masterclass and Finals
Prizes
Mentoring
Careers
Alumni Group - Whitehatters
2015 Schools Final
Winners at
Cheltenham
Science Festival
40. Education - Universities
• FE – HE - Universities
• Insight Camps
• Capture the Flags
• Careers Events
Kane Small – Greenwich Camp
The Cyber Security Challenge camp was such an
enlightening event and the amount of information that I
absorbed in just three days was phenomenal. Before the
event I had no idea I even wanted to pursue a career in
Cyber Security, but after the event I literally didn't know
why I hadn't looked into the field sooner! Having industry
experts attend and provide such rich and engaging talks,
not only about their own experiences but the threats that
exist now and are constantly evolving and adapting, was
an absolute eye-opener. I really would encourage anyone
who is interested in cyber security even in the slightest to
attend, you will not regret it for a second!
41. Education - Universities
Jessica Williams – Development Camp, Student Ambassador, Masterclass Finalist, European Team, speaker.
Cyber Security gave me the opportunity to attend loads of cyber networking events. I met many prospective employers and ended up getting loads of interviews and eventually my job at BT; this was all before I'd even finished my degree. I also got to work with the National Grid on my final year project.
I had so much fun meeting all these great people; it's also given me a great bit of PR that I'm still getting contacted about! Cyber Security Challenge gave me the confidence to do all these things, and really recognised my achievements even when sometimes my university didn't.
Cyber Security Challenge has literally changed my life.
42. Education – Career Transitioners
My first experience of the Cyber Security Challenge UK came at the end of a 6 year career in the Royal Marines. Looking for a career change and with zero technical background, the challenge gave me hands on experience of an exciting and challenging industry.
Tim Carrington, Masterclass Finalist, European Team, Whitehatters
47. “It started with a phish...”
Or, how we got
USED for Bitcoin
Jethro Perkins
Information Security Manager, LSE
48. It was 15.52 on a Friday afternoon...
• ...and I was due to go on holiday the next day
• I was contacted by the (physical) Security Office
• Someone thinks they’ve been hacked
• “[John], below, claims his computer was hacked
when he corresponded with someone purporting
to be from LSE. It would seem that the
perpetrator was using LSE website/credentials (or
is he LSE).”
49. We have a problem...
• Victim suspected:
– he had fallen for an elaborate scam perpetrated by
“Professor Zhai”
• (who is in no way a criminal mastermind from a film)
– Prof Zhai claimed to the victim he was researching bitcoin
exchanges…
– …but was really hacking bitcoin exchanges…
– …using malware packaged as GoToMeeting binaries…
– Downloaded from learningresources.lse.ac.uk
50. Uh oh…
• We don’t have a Professor Howard Zhai
• But we do have a postgraduate student in another
Department with the referenced email address
• We don’t use (or distribute) GoToMeeting binaries
• What the hell is learningresources.lse.ac.uk?
– Is it some fake resource lurking on our network?
– Or a cunning redirect to something somewhere else?
51. We’ve been hacked! – Oh, wait...
• Is this a scam being run by a postgrad student masquerading as a professor?
• Or is it a compromised account being used for nefarious purposes?
• (Or is it an evil genius from a film trying to take over the universe?)
• We disable the account
– Was this a mistake?
– Did it alert the attacker?
• Is learningresources.lse.ac.uk a real thing?
• Turns out it is. How has it been hacked?
• Turns out – it hasn’t
• Anyone can create an account and upload stuff
• This is its function by design
• <headdesk>
52. Learningresources.lse.ac.uk
• Built long ago for lecturers to be able to upload and share resources
• Before formal Project reviews and Solution Design Authorities existed – so no
identification of the potential issue in the functionality
• Little used, but not decommissioned because “there’s some good stuff on it”
• It was patched
• We guessed pretty quickly that the upload facility had been abused, but we
couldn’t be sure...
• So we spent quite a lot of time trying to work out whether someone had root
privileges...
• ...and if so, then we would have a bigger problem on our hands
• At the same time, the attacker realised something was up (the disabled AD
account?) and deleted all their stuff from the server
– as we were looking at it
53. Learningresources.lse.ac.uk II
• In the end, we took all three related servers down for the weekend, just to
play it safe
• Learningresources was never switched back on again
• There was no indication of compromise
• They just used learningresources as it was meant to be used (kind of)
• We checked the firewall logs for any hint of the attacker going after other
targets
– It took a long time, as our logs are huge
– And our SIEM capabilities are, ahem, *not perfect*
• They had been sniffing around other departmental systems – we alerted
the administrators
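An added example, not LSE's own tooling: a streaming sweep of firewall logs for the two things described on this slide and on slide 58, an external attacker address probing other internal systems and an internal host talking back to a command-and-control server. The log line format, the campus address ranges and the indicator addresses are all constructed for the illustration (RFC 5737 documentation ranges); nothing here comes from the actual LSE logs or identifies the real attacker. Reading line by line, rather than loading the file, is the point when "our logs are huge".

```python
"""Added example (not from the LSE slides): sweep firewall logs for an attacker
source touching internal systems and for internal hosts calling out to a C2
address, streaming line by line so a multi-GB log never sits in memory.

The log line format, the campus ranges and the indicator addresses are all
constructed for this illustration (RFC 5737 documentation ranges)."""
from __future__ import annotations
import ipaddress
import re
from collections import defaultdict
from typing import Iterable

# Constructed line format: <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$"
)

# Hypothetical campus ranges; the real ones are not on the slides.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

# Hypothetical indicators: the attacker's source address and the C2 server.
INDICATORS = {"203.0.113.7", "198.51.100.25"}

# Constructed sample log, including a dropped probe and an unparsable line.
SAMPLE_LOG = """\
2017-03-10T15:40:02 ACCEPT tcp 203.0.113.7:51234 -> 10.20.30.40:443
2017-03-10T15:40:09 DROP   tcp 203.0.113.7:51235 -> 10.20.30.41:22
2017-03-10T15:40:11 DROP   tcp 203.0.113.7:51236 -> 10.20.30.41:445
2017-03-10T15:41:30 ACCEPT tcp 192.0.2.55:40001 -> 10.20.30.40:443
2017-03-10T15:44:17 ACCEPT tcp 10.20.31.9:55123 -> 198.51.100.25:8443
2017-03-10T15:45:00 ACCEPT udp 10.20.31.9:55124 -> 198.51.100.25:53
2017-03-10T15:46:12 ACCEPT tcp 203.0.113.7:51240 -> 172.16.5.5:80
this line is garbage and must not abort the sweep
"""


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the campus ranges; malformed -> False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def sweep(lines: Iterable[str], indicators=INDICATORS):
    """Return (inbound, outbound, skipped).
    inbound:  {attacker_src: {internal_dst: {(proto, dport, action), ...}}}
    outbound: {c2_dst: {internal_src: {(proto, dport, action), ...}}}
    skipped:  number of lines that did not parse (counted, not fatal).
    DROPs are kept: a blocked probe still tells you which host the attacker
    was interested in."""
    inbound = defaultdict(lambda: defaultdict(set))
    outbound = defaultdict(lambda: defaultdict(set))
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        src, dst = m["src"], m["dst"]
        key = (m["proto"], int(m["dport"]), m["action"])
        if src in indicators and is_internal(dst):
            inbound[src][dst].add(key)
        elif dst in indicators and is_internal(src):
            outbound[dst][src].add(key)
    return inbound, outbound, skipped


def hosts_to_alert(inbound, outbound) -> list[str]:
    """Internal systems whose administrators need telling: anything the attacker
    probed plus anything beaconing to the C2 address, sorted as addresses."""
    hosts: set[str] = set()
    for targets in inbound.values():
        hosts.update(targets)
    for sources in outbound.values():
        hosts.update(sources)
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    # With a real file: sweep(open("fw.log", encoding="utf-8", errors="replace"))
    inb, outb, bad = sweep(SAMPLE_LOG.splitlines())
    for src, targets in inb.items():
        for dst, touches in targets.items():
            print(f"{src} -> {dst}: {sorted(touches)}")
    for dst, sources in outb.items():
        for src, touches in sources.items():
            print(f"{src} beacons to {dst}: {sorted(touches)}")
    print("alert admins of:", hosts_to_alert(inb, outb), f"({bad} unparsable lines)")
```

The output is the list an incident handler actually needs to send round: which departmental hosts the attacker address touched (including the 22 and 445 probes the firewall dropped) and which internal host was beaconing to the C2 server. The unrelated `192.0.2.55` connection is ignored, and a corrupt line is counted rather than aborting a run over a very large file.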
54. What had happened
• “It started with a phish...”
• Two compromised postgraduate accounts
• Were they spear-phished, or were the accounts
just bought from a pool?
– (interestingly, later, one of the students reset his
password to the one that was compromised and his
account started sending out spam – indicating maybe
the latter)
55. Making a Professor of Economics
• Being a Professor of Economics is easy
• You need:
– a phished account
– Learningresources.lse.ac.uk
– A nice fake CV you can upload to it
• You give the account a name that fits the email account
• Then you can email bitcoin exchanges asking for them to participate in your classes
• You can direct them to your fake CV on the ambiguously-named learningresources.lse.ac.uk
– Authentic, huh?
• And chat with your buddy on the other compromised @lse.ac.uk address, for added
authenticity
• If asked why you’re not on the LSE website, you say you’re new, and it’s only updated in
September, ready for the new year
56. Talking to the Bitcoin exchanges
• “Professor Zhai” contacted several
• Same story each time:
• “We pay special attention to the development of digital
currencies and Blockchain technology, and we consider
that these technologies can have a significant impact
on the development of the world economy. Our
University is interested in cooperation with people who
can share some practical experience in this area.”
57. Next...
• For anyone who fell for this, the next stage was:
• “We regularly run webinars with directors of major companies,
government experts and entertainers. Students and teachers can
ask any questions online and discuss burning issues in the field of
digital currencies”
• This was followed up with a Skype conversation
• And then Bitcoin exchanges log into the “lecture” using...
• ...You guessed it...
• ...the malware hosted on learningresources.lse.ac.uk, masquerading
as GoToMeeting
58. Next II
• “Professor Zhai” then claims there have been some technical issues,
and he’ll get back in contact when these have been resolved
• Meanwhile, the malware is hunting around for whatever it is
hunting around for, and is talking back to a server in France
• He tries to string the exchanges along for as long as possible, to give
the attackers a chance to try what they’ve got
• Some get a bit angry and give up.
• Only one realises the game and has the presence of mind to get in
contact with us
59. Mopping up
• We contacted all of the Bitcoin exchanges
“Professor Zhai” had emailed, in order to let
them know it was fake
• We hardened the remaining servers that ran the
same system as learningresources
• No more creating user accounts, logging in and
uploading any old thing!
60. What we learned
• Authenticity is hard – faking it is easy
• A victim who’s willing to help makes all the difference to an investigation
• Everything still starts with a phish. All it took were two careless postgraduate students
• The attackers took the easiest route in - forgotten legacy services
• The scam was elaborate and carefully planned, but...
• …the only sophisticated technical aspect was the malware
– (and that was probably purchased)
– (and we don’t know if it actually worked)
• The rest was achieved by a combination of social engineering and opportunism
• LSE press releases and “chatty” website information give attackers plenty of “insider information”
• …which they relentlessly leverage
• Don’t go on holiday
It is clear from films and TV that cyber security experts are becoming high-profile and highly valued. From CSI: Cyber to James Bond’s sidekick ‘Q’, cyber security is portrayed as an exciting, innovative and cutting-edge career.
This glamorous film image is not that far from real life! Every day there are attacks, from major corporate hacks to the theft of people’s credit cards and personal data. In 2016, cyber-attack victims ranged from the UK rail network to the campaign team behind Hillary Clinton’s bid to become US President, while over 100 million O2, Twitter, Yahoo, Hotmail and Gmail customers have seen their private data leaked online.
Spectre – the first Bond film to really focus on Cyber Security
The basics of computer security are not taught in schools, or even covered in many university computer science courses, although there is work underway to address that. But is it enough?
Discuss, in true exam question style: are we doing enough as a nation? Do we mostly agree with that statement? Yes, but has education moved on?
Anyone name that film?
Indeed, and the script was also hacked from the studio!
The eighth annual (ISC)² Global Workforce Survey predicts there will be a shortage of 1.8 million Information Security Professionals by 2022.
The lack of a well-trained professional workforce poses a dire threat to UK businesses, and the pace of technological change (which we all know moves at eye-watering speed) also exacerbates the issue.
It is an immature profession; the jobs are ill defined and not well understood. They are not the same as the jobs 10 years ago.
Careers officers and those advising people making career decisions are only now starting to learn what these jobs are. Things are improving: STEM, e-skills and others now have more data. The nature of the jobs is really NOT understood, in particular the fact that they are varied and not purely geeky.
We do need people with strong technical skills, but we also need people with interpersonal skills who can persuade boards, have the broad knowledge to comprehend the nature of the risks, and understand the human factor. The very best have all these attributes, but we work in teams.
Professionals will tell you they got jobs by serendipity. This is not the way to get a pipeline of people for the future. In medicine or law the pathways to different jobs are very clear. This is not the case in cyber security: there are a number of doors in, but the paths are unclear.
Recruiting from a little over half the population. Only 10% are women. There isn’t a cyber security skills male gene; there is no good reason why women are not coming into these jobs. We have to address the cultural issues that have brought about this situation. We are building the data available on our website about jobs and have a special page for women in cyber and examples of female role models. We need our education system to do more.
I took part in a Masterclass event hosted by QinetiQ in November 2015; this then gave me the confidence to take my first professional certification (OSCP), all whilst doing a degree in Computer Science (at the time as a first year, currently in my second year).
This then led on to gaining an internship at MWR Infosec, an opportunity that I would not have had without the contacts I made during the masterclass.
I more recently competed in the European Cyber Security Challenge through CSCUK; the experience itself was brilliant, and gave me another chance to develop my current skills and look at where I need to improve.
Due to all of these opportunities, I'm now in an extremely strong position for future employment; I'm regularly contacted by recruiters in industry who are always impressed by my experience, which is pretty much all down to the challenge.
Put simply, the Cyber Security Challenge has allowed me to have an extremely successful transition to civilian life, and has pretty much set me up for a lifelong career. I am basically now in a position where I'm not even slightly worried about getting work after university (something that not many students can say confidently).