Interviews from The Underground Economy Conference – Part 1
When we used to run events, the biggest one ever was The Underground Economy (UE) which was took place at the Council of Europe in Strasbourg, France. With restrictions being lifted, we look forward to starting our annual event series again, starting with The Underground Economy. It’s a 3-day event in early November 2021 at the same location – watch for updates and announcements on DNB!
During the last UE, we picked some of our favorite people and they graciously agreed to duck out of whatever case study they had come to see, and instead chatted with our own Jacomo Piccolini.
We grilled them on some pertinent points, and they gave us some intriguing tales. We’re sharing them pretty much verbatim, with their permission and our sincere thanks!
WHAT WE ASKED…
What drew you into the Information Security Industry?
Who are your biggest influencers in Information Security?
What would you say is the most significant security event to happen within the last five years? And why?
Q: What drew you into the Information Security Industry?
A: “I worked as a developer – well – To rewind back in time, when I was very young – I don’t know how old I was – I “hacked” those Commodore 64s in our computer lab at school and I figured out there were some codes you could do to get to the scoring section when the teachers would give you tests, where you could see what the answers were. One day I figured out the pattern they were using to type in – so if I typed this password in, I could get to the answers for the test. I got in trouble for it and then down the road I realized that a lot of these programs were written in Basic and I could look at the code and learn what the answers. My teachers weren’t really sure what was going on, so I got kicked out of the computer lab, but that was the start of my career. Years later, I became a developer, not really security focused, but I got drawn into the security aspect of things, it really entertained me more than anything, and it’s still something I like doing.”
Elliot Anderson – Elliot is a developer at Shadow Dragon. He leads trainings, as well as a lot of other things. Shadow Dragon is not a huge company, so Elliot wears a lot of hats. Elliot has been in the information technology and cyber security world for almost 20 years. He has been doing this a long time and loves doing it. https://www.linkedin.com/in/lemmingrush/ @lemmingrush
A: “I think it was the early 1990s, when I was responsible for system administration of the information system at my office building, covering several floors of a big building. There was an attack called IP Spoofing, which is when attackers use somebody else’s IP address to attack others while hiding who they are. At that time Cisco IOS version 9 did not have a way to prevent spoofed IPs coming into our network. So, we, the system administrators, had to suddenly think about how to protect our network without effective counter measures from vendors. It is now called the Zero Day vulnerability but there was no such word for it then. This was the first Zero Day vulnerability I experienced, and it is what brought me into the information security field.”
Shin Adachi – Shin has been doing information security and system administration for decades. He works mainly in incident response and gives advice to other incident responders around the globe. Shin is based in Silicon Valley, California, while majority of his teams are based in Tokyo. https://www.linkedin.com/in/shin1adachi/ @s_adachi
A: “I completely backed into the information security business. In my student days, I was into very technical computer science stuff, doing small computer databases, and I did some time series modeling packages. Then through a huge series of coincidences in the early 1990s, I wrote a book called the Internet for Dummies which turned out to be a big bestseller much to everyone’s surprise. At that point, getting onto the Internet was really hard, I mean half of the book was about how to get connected, what shape your connectors should be, what kind of wires to use, and the other half was, well, here’s how email works and here’s this weird thing called the web. So, one of the things I did was to put an email address in the book where readers could test out emailing. firstname.lastname@example.org was my address at the time, and I had a little robot which would write back and say, “yes, your mail worked”, and then I would have the email address of somebody who read my book and I could send them a note when there were updates or new books. But in the mid-1990s, along with the mail from the readers, I started to get a lot of spam. It seemed like a lot of spam, and I got even more spam, so at that point I was thinking, “well, gee, this spam stuff is bad, we should get rid of it, how hard could it be to get rid of spam?” So that was twenty-three years ago, since spam has migrated. It used to be some small-scale people selling junk and now it’s gotten totally integrated with all of the other threats that we think about here, with malware and account takeover, you know it’s a gateway to all sorts of stuff. So, basically it started with some unwanted email and now I’m deep into all of the details of all the security issues that we talk about at UE.”
John Levine portrait, IETF 96 at Intercontinental Hotel, Berlin, Germany.
John Levine – John is the the president of CAUCE North America, which is a grassroots anti-spam organization. He is also a member of the ICANN stability and security advisory committee. John is a senior technical advisor for MAAWG and is on the board of the Internet Society, and manages to manage to get a little bit work done between all those things… https://www.linkedin.com/in/johnlevine @spamvikktim
A: “To answer this question, let me use my own time machine to return to 20 years ago. Passionate about technology I started my professional career as a System Administrator for some years, happy with this initial decision I continued exploring the rest of the layers as system engineer, as security analyst, and finally as an Operations and Cybersecurity manager for more than 10 years. Following that path was like a progressive zoom out providing the necessary skills and knowledge to go forward with a full position in the information security field. A world of continuous learning and challenges… currently without limits.”
Jordi Guiljarro – Jordi is from Barcelona and has been working in the security field as field manager in the research allocation network of Catalonia. https://www.linkedin.com/in/jordiguijarro/ @jordiguijarro @cloudadms
Q: Who are your biggest influencers in Information Security?
A: “When I think about that question, I have to start with networking. So, if you studied networks, you probably need to understand about protocols and how everything works. With the books that Stevens wrote about computer networks, it was a big influence for me, covering the network part as well. From network, I went into security so that’s it for me. Also, Steven Northcutt from SANS Institute, his book about IDS was an eye opener, and again there was a lot of networking in there and because I already had the knowledge about networks, you could really match the things together, so probably these two or three people.”
Pedro Bueno – Pedro is a Brazilian who has been working is Cybersecurity for around 20 years. In the past 10 years, Pedro has done work in the financial sector as well. https://www.linkedin.com/in/pedrobueno/
A: “I’m influenced and inspired by many people, some of whom are also my friends and colleagues in the industry. Choosing just a few names would not do justice to everyone, but if I were to take one name it would be Mikko Hyppönen, chief research officer at F-Secure. The work he has been doing over the decades has been very inspiring.”
Vicky Ray – Vicky is a principal researcher for the Unit 42 team of Palo Alto Networks. Vicky manages the Asia Pacific region on all threat intel initiatives for Palo Alto Networks. Having a large part of work in Asia Pacific involves collaborating with both public and private sectors. https://www.linkedin.com/in/vickray @0xVK
Q: What would you say is the most significant security event to happen within the last five years? And why?
A: “I would say Stuxnet and Wannacry were two of the most important gamechangers in cybercrime and cyber security. The first one is Stuxnet because it’s about espionage and things that have been happening for the last 40 years. They were done with technology. The state actors have been working these kinds of campaigns and people just opened their eyes and realized what was happening out there. Wannacry showed everyone that systems are vulnerable and it’s quite easy to whip on an exploit and it affected the whole world. Both of these incidents really changed the minds of industry makers and forced them to keep more interest in cyber security. They started investing in that and creating new traditions, new platforms, and new communities. People really started thinking about these issues.”
César Lorenzana – César is from Spain; he works for the Guardia Civil in the Cyber Crime Central Unit. He has been there for the last 15 years fighting against cyber-crime.
A: “I would say Conficker, which was eleven years ago. It started in 2008 and we still see infections today. I think Conficker was a milestone in our abilities as security community to identify, respond, and work together to address that significant threat. So, first of all Conficker, for those who don’t know, exploited what we call a worm-able vulnerability in Windows meaning it was a vulnerability that allowed to run unauthenticated code on a remote computer with no user intervention. In other words, someone can develop a worm that will replicate through Windows computers and affect many millions of computers in short time. Conficker was not only significant but also Microsoft was using a very creative or innovative approach back then managed to identify exploits very, very early when there’s someone just playing with them. There were very few exploit attempts out there. The way that I managed to do that is by analyzing crash reports and looking for a stack traces that looked different from any other known vulnerabilities and exploits. So, back in the summer of 2008, the team at Microsoft, found two pressure points that didn’t look similar at all to anything that was known back then. When they started looking into it, that’s when they found the vulnerability in Windows so that allows Microsoft to proactively prepare for that event by obviously a preferred patch but also prepared proactive communication to the general public, the security vendors, and anyone that had to take an action. When we released the patch in October 2008, I was one of the bloggers back then urging people to start the patch because we knew how severe exploitation in unpatched environments can be. So, that’s one aspect. The second aspect which is interesting about Conficker was that it was a milestone in the collaboration across the industry. I want to highlight especially in the Conficker work group that was formed back then with people across the industry from many different organizations….many very capable people. You can see the list on online I think on the web page for that work group. It still exists. We had weekly meetings. We talked about the telemetry we have about things we can do to respond to potential evolutions of the malware. And here’s just one example, one of the brands of Conficker used a DGA algorithm (domain generation algorithm) and what that means is that every day the malware would generate a new domain name and they would register the domain name that day and the malware would start connecting to that domain. Every day they used a different domain. The cyber attackers did that to make it almost impossible to takedown those domains because every day they use a different one. We had smart security researchers that managed to decrypt that algorithm, so we knew every day what domain was going to be used the next day. So, what the workgroup did was to sinkhole those domains and by doing that we had two benefits. First of all, the malware of course couldn’t get commands or updates from their service because Microsoft owned them, and the attacker couldn’t control them. Secondly, we could collect telemetry about the prevalence of the malware because those infected machines were connecting to the domain. That helped us understand the areas where the worms started spreading and where to take this. So, that’s a great example of how we can work together as a community to change information and take creative or innovative approaches to disrupt cybercrime to some extent.”
Ziv Mador – Ziv Mador, is the VP of Security Research at TrustWave. Ziv has been in this business for over 20 years, leading a global security research team with many intelligent people. https://www.linkedin.com/in/ziv-mador-a9bab2/
A: “What was the most significant cyber security incident for me? First of all, I don’t like incidents, because they keep me awake and stressed, so I must say I prefer ‘peace’ time. But the one incident that I would remember, I think for a long time, if not forever, would be in 2017 the WannaCry. Now, I’ll try to explain why. At ENISA, we support the national CSIRTs and the whole European CERT community, thus the incident response capabilities in Europe. We try to provide active support whenever it’s needed, and basically in 2016 there was, by the European Commission, introduced the first policy framework for cyber security in the European Union. It’s called the network information security directive (NISD). Just to make the long story short, one of the mandatory actions that comes from this directive was to establish an operational group of national CSIRTs in the European Union that would be in the position to handle better, or let’s say to improve, the cross-border incident response in the EU. ENISA was tasked to do the secretariat and support the operational work. That was August 2016 and then the first milestone was that by February 2017, the established group was formalized. So, you can imagine that the first time in at least European incident response history, there was not a bottom-up approach, but it was pushed by policy and politics that took top-down approach to establish this group – so it was not easy. We had a first formal meeting in February, it was not a typical CSIRT comfortable-trusted environment. Everyone was a bit unsure because of the new approach. Then in May WannaCry happened. I remember it was Friday, nice weekend ahead, and then I got a phone call that the WannaCry was happening, and it was a large-scale issue and basically that we should help to engage the new group. So, you can imagine, we had only three to four months of supporting the group, but by then far from fully operational. Such group with top-down approach, you really need to spend time to setup up terms of our operations, rules. We didn’t have even a special operating procedure in place, but still we saw it as opportunity, something like a wake-up call for others to start taking things seriously. So, it was a tough weekend. Some member states that we know where CSIRTs are more active were really in the boat with us. Together we managed to engage the group, and I have to say, or I must say, that really after these five days this was the eye opener for a lot of people on different decision-making levels in Europe. Since then, the group was kind of recognized and supported by the local management, politics, and got more attention. And I must say that I’m enjoying the work now. We have been now supporting the group for two years on daily basis, and yep something that I didn’t believe to be honest at the beginning, could really work operationally since it was set up top-down, is actually proving that having the right people in that group and getting us to contribute into something on top of your ordinary duty produces some good results.”
Andrea Dufkova – Andrea works for ENISA, the European Union Agency for Cybersecurity. She is Czech by nationality and lives in Lamia, Greece but her job takes her all over Europe.