
On 25 November 2020 the 20th edition of an on-line conference dedicated to trends in IT security took place. The conference was organized by the Faculty of Applied Informatics of Tomáš Baťa University in Zlín (UTB) in cooperation with Gordic, s.r.o., a private company specializing in IT solutions.

The foreword was delivered by Jaromír Řezáč (Gordic) and Roman Jašek (Penetration Laboratory of UTB), who welcomed around 90 participants. Jaromír Řezáč pointed out that the global pandemic had highlighted the issue of cyber security and stressed that it has become an existential necessity. The fight against viruses (both biological and digital) and their mutations is characteristic of our age. In both processes people are the key actors, and in both they are also the most vulnerable element. Mr. Řezáč, director general of Gordic, sees the solution in learning and education, and this conference served that purpose well. However, he pointed out that cyber security education should reach lower levels of education, including high schools and, to some degree, primary schools. According to Roman Jašek, the Covid pandemic raised people's awareness of security risks, which leads to greater responsibility. The opening debate was also joined by Jan Kramosil (KYBEZ), who presented the KYBEZ platform. It is a platform for effective cooperation between academia and commercial companies aimed at education, management and modern technologies, especially in the area of information security, including cyber security and defence.

David Malaník and Roman Jašek (Penetration Laboratory of UTB) delivered an interesting presentation about trends and visions in cyber security. Mr. Malaník pointed out that we are all targets, as even mobile phones may be of interest to attackers. Attackers are limited only by their tools; they just need money and time. The number of attacks is increasing every year, and the modern trend is attacking the “internet of things”. As of 2019 there were 5,200 data leaks (8 billion records in total). For example, the Social Media Profiles Data Leak involved 4 billion records. Sociotechnics (phishing attacks) works well, especially with so many people working from home offices; ransomware is a good “business model”; and DoS/DDoS attacks increased by hundreds of percent, with attacks exceeding 100 Gbps. In 2020 an attack on Amazon reached 2.3 Tbps. Malware and phishing were widely used during the Covid pandemic. The roll-out of 5G technologies is a challenge, because in 5G networks it will be difficult to trace the origin of an attack due to parallel links, which will have implications for the investigation of security incidents. Other trends are cloud jacking, where customers lose control of their cloud, and DeepFake, where AI creates an audio-visual likeness of a real person and alters the content of their speech or behaviour. According to the speakers, 2021 will be a very challenging year with respect to the development of blockchain, AI security, autonomous things, 5G technologies, AI profiling of customers, attacks on remote endpoints (home offices) and machine learning poisoning. One may expect that AI will improve phishing methods and modify or even generate malware. On the other hand, AI may also be used for malware detection and the detection of incidents in general.

Eliška Bartůšková and Jan Šlemr (Gordic) spoke about cyber attacks on customers and the solutions provided by Gordic. Mr. Šlemr pointed out that the biggest threat is an unaware or uneducated user who makes mistakes. However, he also highlighted that companies often make security mistakes themselves, for example when managers connect personal devices (laptops, mobile phones) to the organization's network, making it more vulnerable. Companies are often the target of spear phishing, or simply fail to apply updates. Ms. Bartůšková also spoke about the basics of crisis management, where companies have to investigate what happened. There should be a response team that works through the problem hypothesis, analyses IT communication, divides tasks and informs employees, and its meetings should be attended by a PR manager or a lawyer. She pointed out that the response team should communicate with third parties, including partners or NUKIB, and later continue with the analysis and investigation of the cyber attack. This also includes filling in the incident register and adopting recovery measures. Both speakers then presented Gordic's solution in the form of a managerial tool, Cyber Security Audit, which is in line with existing legislation, includes the NUKIB methodology, provides evidence and a map of asset dependencies, and helps to identify threats and vulnerabilities. The presentation continued by highlighting basic security principles such as risk analysis, multifactor authentication (one-time passwords, SMS verification), encryption of sensitive data, backup (the 3-2-1 rule, which says that you should keep at least 3 copies of your data, 2 copies stored in separate locations and 1 copy at an off-site location) and recovery testing. Other principles are updates and network monitoring, adoption of a recovery plan and a continuity plan, education of employees and crisis management.

Otto Havle (ELA Blockchain Services) delivered a very interesting presentation about ELA Blockchain (a blockchain is a kind of specialized distributed database that keeps an ever-growing number of records protected from tampering by third parties or by individual nodes of the peer-to-peer network). Dr. Havle pointed out that although blockchain is well known for its use in cryptocurrencies or booking services, the special emphasis of ELA Blockchain is on industry. He highlighted that in the Czech Republic there is an increasing number of interested parties, including industry, state administration and attorneys, who are using blockchain, and that there is good potential to sell ELA Blockchain to Asia. ELA Blockchain is unique because it is a distributed sequence of opaque databases, which allows various aspects of distribution to be added; it can run on a selected Linux server and can act as a public authority. To add transparency to the process, the list of ELA Blockchain nodes is public, and the company is in the process of certification by TÜV SÜD. According to Dr. Havle, ELA Blockchain is a good investment opportunity, especially for cloud providers and attorney services based on blockchain, and since the platform is ready, the initial investment may be minimal.

Jan Kincl (Penetration Laboratory of UTB) spoke about advanced methods for analysing mobile malware. At the beginning of his contribution Mr. Kincl presented the mobile section of the penetration laboratory and its activities. These include the analysis of mobile technologies and platforms, the analysis of security applications and the analysis of mobile malware, especially on the Android platform. The laboratory's research focuses on the distribution of mobile malware via file-sharing servers, static analysis of mobile malware, a methodology for analytical work with modern applications and the detection of mobile malware using fuzzy sets. As for methods, they use static and dynamic analysis. Static analysis is a reverse-engineering method: the application is decompiled and its individual parts are analysed without the application being run. In dynamic analysis, by contrast, the application runs on a test device that monitors it and generates inputs for it. Several tools for static analysis were presented (APKTOOL, dex2jar, JD-GUI, jadx and Android Studio (SDK Platform Tools)), which were later used in a practical demonstration in which Mr. Kincl showed his mastery of malware analysis.

Milan Oulehla and Jan Krňávek (Penetration Laboratory of UTB) continued with the detection of mobile malware using fuzzy sets. In the introduction they mentioned that already in 2012 the US Department of Homeland Security issued a report stating that Android is the primary target of mobile malware. The situation has not changed since then (today Android accounts for approx. 75 % and iOS for around 25 %). According to the data there are 10 thousand malicious applications every day, i.e. approximately one infected application every 8 seconds. For example, in 2019 the SimBad malware was installed by 150 million users, Operation Sheep by 111 million users and Agent Smith by 25 million users. The presentation then continued with an introduction to APK packages, their advantages and disadvantages. A modern trend in malicious code is to link illegitimate requests to legitimate requests. The logic of fuzzy sets is based on determining whether malware is a member of the set (1) or not (0). However, an exact result increasingly cannot be determined, as many applications are not “fully clean”: the real status lies somewhere between 1 and 0. The degree of membership might be, for example, 0.7 (merely clean). Dr. Oulehla continued with a demonstration of how to use fuzzy sets in analysis by means of conjunctions and other functions. The final part of the presentation was dedicated to defence against the repeated use of malware. He gave the example of the Anubis banking Trojan, which was used in 17,490 cases and now targets 188 legitimate banking and financial mobile applications. Other cases are applications posting fake reviews to boost a product's rating score.
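The membership-degree idea described above, worked through as an added example (not code from the talk or the laboratory): four static indicators of an Android APK are mapped to degrees in [0, 1] with ramp functions, combined by conjunction (min) inside each rule and by disjunction (max) across rules, so the verdict is a degree rather than a crisp 0/1. The indicator names, thresholds, rules and both feature vectors are constructed for illustration.

```python
"""Fuzzy-set scoring of an Android app's static indicators (added example,
not code from the talk). Indicator names, ramp membership functions, the
three rules and both feature vectors are constructed for illustration."""


def ramp(x: float, low: float, high: float) -> float:
    """Linear membership: 0 at or below `low`, 1 at or above `high`."""
    if x <= low:
        return 0.0
    if x >= high:
        return 1.0
    return (x - low) / (high - low)


def membership(f: dict) -> dict:
    """Degree in [0, 1] to which each static indicator points at 'malicious'."""
    return {
        # share of requested permissions classed as dangerous
        "dangerous_perms": ramp(f["dangerous_perm_ratio"], 0.2, 0.6),
        # number of permissions unrelated to the declared app purpose
        "unrelated_perms": ramp(f["unrelated_perm_count"], 1, 5),
        # share of classes that are obfuscated or reflection-heavy
        "obfuscation": ramp(f["obfuscated_class_ratio"], 0.3, 0.8),
        # 1.0 if device-admin or accessibility APIs are requested
        "privileged_api": float(f["uses_privileged_api"]),
    }


def malicious_degree(f: dict) -> float:
    """Membership of the app in the fuzzy set 'malicious', rounded to 3 places.

    Each rule is a conjunction (min t-norm) of two indicators; the rules are
    combined by disjunction (max s-norm), so the verdict is a degree between
    0 and 1 rather than a crisp 0/1 answer.
    """
    m = membership(f)
    rules = [
        min(m["dangerous_perms"], m["unrelated_perms"]),  # permission abuse
        min(m["obfuscation"], m["privileged_api"]),       # hidden privileged use
        min(m["dangerous_perms"], m["obfuscation"]),      # hidden data access
    ]
    return round(max(rules), 3)


# Constructed feature vectors: a "flashlight" app that asks for SMS, contacts
# and device-admin rights, and a plain notes app.
SUSPICIOUS = {"dangerous_perm_ratio": 0.5, "unrelated_perm_count": 4,
              "obfuscated_class_ratio": 0.55, "uses_privileged_api": True}
BENIGN = {"dangerous_perm_ratio": 0.25, "unrelated_perm_count": 1,
          "obfuscated_class_ratio": 0.4, "uses_privileged_api": False}
```

An analyst would then route apps by degree (for instance, review everything between the two extremes) instead of trusting a binary verdict.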

Anežka Pejlová (Monet+) spoke about security and cryptographic innovation in banking. After introducing Monet+ services she presented CASE (Client Authentication Smart Engine), which aggregates login methods. She focused mainly on passwords, chip cards and mobile tokens. According to Ms. Pejlová, a password is a classical and widely accepted method that places high demands on users and relies on user trust. The problem is that users choose simple passwords or the same password for various services, and many servers send the password for verification over insecure channels, which may lead to password theft. Monet+ offers automation of the OPAQUE protocol, which is based on encrypting the password directly at the client, not at the remote server. Their protocol uses WebAssembly technology, as Bitcoin does, PRNG enhancement, a Host Security Module and Argon2 (a key derivation function). Ms. Pejlová also introduced the chip card, which is one of the most secure methods, and mobile tokens accessed via an anonymous QR code (for example the Smart key of ČSOB). This verification is based on two-level authentication. A very interesting part of the presentation was dedicated to innovations in cryptography, especially in relation to post-quantum cryptography.

Roman Jašek (Penetration Laboratory of UTB) delivered a presentation about password managers. Prof. Jašek spoke about how to choose a good password manager. In daily practice a user is confronted with many passwords, which is why they use the same password for several providers, and when one is compromised it may become a real problem. When following the standard recommendation on password complexity (to use 12 characters including capital letters, numbers and symbols, not containing words or word combinations), remembering the password may be a real problem. For that purpose there is the password manager, which can be imagined as a protected space where all passwords are stored and encrypted (AES 256-bit, XChaCha20 256-bit). There should also be some multi-layered authentication for access using SMS or even biometrics. The threats to password managers are phishing, keyloggers and breaches. For that reason, a good password manager should verify the URL address and fill credentials only into the application forms that were set by the user. Keyloggers are more challenging, as a keylogger is spyware that analyses the keys pressed on the keyboard. Advanced keyloggers are able to capture the monitor screen or use a webcam to identify the password. Commercial password managers often offer additional services (e.g. more storage space for uploads), and thus prices vary from free services to extra-paid services. However, 1 GB and multi-factor authentication are standard, Professor Jašek said. Among the most advertised managers are 1Password.com (online servers only), KeePassXC.org (open source) and Bitwarden.com, which is appreciated by many users.
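The URL check the talk expects from a good password manager, as an added example that is not any product's code: a credential is filled only on an https page whose host matches the host the user saved with it, so a look-alike domain or a host disguised with userinfo gets nothing. The VaultEntry type, the allow_subdomains option and the sample URLs are assumptions made for this example.

```python
"""Autofill URL check of the kind the talk attributes to a good password
manager (added example, not any product's code). The vault entry type, the
`allow_subdomains` option and all URLs below are constructed assumptions."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class VaultEntry:
    name: str
    saved_url: str               # URL the user saved together with the credential
    allow_subdomains: bool = False


def host_of(url: str) -> str:
    """Lower-case host of `url` with any trailing dot removed ('' if none).

    urlsplit() takes the host from after any '@', so a URL such as
    https://bank.example.com@evil.tld/ yields 'evil.tld', not the bank.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def host_matches(saved_host: str, page_host: str, allow_subdomains: bool) -> bool:
    """Exact host match, or a true subdomain when the user opted in.

    The saved host must be a complete label suffix: 'bank.example.com.evil.tld'
    starts with the saved host but does not end with '.bank.example.com'.
    """
    if not saved_host or not page_host:
        return False
    if page_host == saved_host:
        return True
    return allow_subdomains and page_host.endswith("." + saved_host)


def should_autofill(entry: VaultEntry, page_url: str) -> bool:
    """True only for an https page whose host matches the saved entry."""
    if urlsplit(page_url).scheme != "https":
        return False             # never fill over plain http, javascript:, data:, ...
    return host_matches(host_of(entry.saved_url), host_of(page_url),
                        entry.allow_subdomains)


# Constructed sample vault entry
BANK = VaultEntry("Bank login", "https://bank.example.com/login")
```

A keylogger is not stopped by this check, which is why the talk treats it as the harder threat; the URL match only defends against filling credentials into a phishing page.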

Roman Jašek then delivered another presentation on human resources: talent management in the area of cyber security experts. The issue was that five years ago there were only a limited number of graduates in IT-related fields. The aim of the contribution was to present the results of education: the numbers of graduates at the BA and MA levels and the level of competence of graduates of the Faculty of Applied Informatics. The faculty teaches Software Engineering (BA) and Information Technology (MA) with specializations in software engineering and in cyber security. There is also an MA programme in security management. Prof. Jašek stressed that education is also linked to legal awareness, which is a necessary part of the graduate profile. Another opportunity is to study at the College of Logistics, where students are taught by experts from KYBEZ.

The final presentation was delivered by Lukáš Kárálík (Penetration Laboratory of UTB), who titled it: Malware easy, quick and “safe”. He showed that creating malware is quite easy, for example by using the tool AutoIt, which is freeware with detailed documentation and examples. One may simply copy pre-prepared scripts, which are transformed into exe files in just a few clicks. Another example is the “Shellter project”, which is portable and compatible but closed-source for paying customers. The Shellter project provides many functions for creating malware. An attacker may start from scratch (hard to detect but requires skills); the second option is to use malware generators. This option is easily detectable but quick and easy; moreover, such generators themselves often contain malware. Other ways to obtain malware are MaaS (Malware-as-a-Service) or hiring professionals. The second part of the presentation was dedicated to a practical demonstration of creating malware that pretends to be a PDF file. The result was then submitted for detection, and only a few programs were able to flag the malicious file.

The conference was followed by a panel discussion.

One of the questions concerned the investigation and punishment of attackers. According to the speakers, the problem is to find the attacker, provide evidence, use the correct argumentation and obtain some compensation. Finding the attacker is problematic because they may operate from countries with no regulation or from countries that shelter attackers (according to ENISA up to 16 % of attacks are state-supported). Identifying the attacker is problematic because many international elements are involved: the attacker is from one country, attacks from a different country via a domain registered in a third country, with part of the server in yet another country, etc. Moreover, attackers also use lawyers, and when an attacker is identified the conflict is in many cases settled by agreement. However, seeking justice is extremely expensive, sometimes running into millions. What can help is legal harmonization (the Tallinn Manual) and prevention. Jaromír Řezáč pointed out that even inexpensive solutions may be effective, and it is not always about money. It is also positive when companies have managers who appreciate IT prevention. Unfortunately, many managers do not see the return on the investment until a serious incident occurs. Another speaker added that it is also not about expensive hardware and software when skilled people are missing. The easiest way is to find an expert who will train the employees. Lastly, Mr. Řezáč pointed out that healthcare would benefit from cyber budgeting, a certain fixing of resources to improve the situation. However, the issue is also very interesting for insurance companies, which often rely on permanent IT audits in companies to prevent damages.