DeepSec 2011
Posted: 24 Nov 2011 01:43 AM

The DeepSec IDSC is an annual European two-day in-depth conference on computer, network, and application security. DeepSec IDSC 2011 was held on November 17th and 18th 2011 at the Imperial Riding School, Vienna.

 

 

Hermes Li, security researcher at Websense Security Labs™, spoke on Friday, November 18th, the second day of the conference. He talked about an online game trojan framework from China's underground market, the source code of which he has analyzed outside of his main research at Websense. The in-depth analysis included the trojan's underground market, module components, prediction solution, etc.

 

The slides from Hermes Li's talk "An online game trojan framework from the China underground market" can be downloaded here.

 

 

Websense Security Labs will continue its focus on all threats, and keep innovating on defense technology.

Hermes Li

Websense at Pacsec 2011 and AVAR 2011
Posted: 15 Nov 2011 06:56 PM

Last week, some members of Websense Security Labs™ had a busy week attending the Pacsec 2011 and AVAR 2011 conferences.

The Pacsec 2011 conference was held in Tokyo, and addresses the increasing importance of information security in Japan. Many well-known figures in the international security industry got together with leading Japanese researchers to share best practices and technology.

The AVAR 2011 conference was held in Hong Kong, and has a reputation in the Asia Pacific IT industry as being the leading industry conference on anti-malware technologies and threats. This conference is relevant not only for virus researchers, but also for corporate IT professionals who have a business and technical need to secure their systems, and for those who wish to have a safe and secure computing environment and be protected against Internet threats.

Ulysses Wang and Nick Guo from Websense delivered the presentation "A New Approach to Automated JavaScript De-obfuscation" at Pacsec 2011. They presented the latest research project in the Labs (which was about JavaScript de-obfuscation), and showed a demo of the high-performance de-obfuscation engine. Good coverage was shown at the conference. Other researchers from different parts of the world also gave excellent presentations.

 

 

 

Xue Yang and Elson Lai from Websense delivered the presentation "Dissection of exploit kits" at AVAR 2011. The team at Websense Security Labs has been tracking exploit kit threats for a long time. In this presentation, they showed the analysis statistics of the top 10 exploit kits (based on the Labs' research findings), and used some typical exploit kits as examples, highlighting their key features and differences. They also compared the exploit kits with current APT (Advanced Persistent Threat) attacks from several aspects. Furthermore, they dived deep into protection mechanisms that are often used by exploit kits in an attempt to evade detection. They concluded the presentation by giving predictions on what Websense sees as emerging trends in exploit kit development, and gave viable solutions to these developments.

 

      

 

Websense Security Labs™ will continue its focus on all threats, and keep innovating on defense technology. 

SOURCE Boston 2011 Conference RECAP
Posted: 27 Apr 2011 05:46 PM

 

 

I returned this past weekend from SOURCE Boston, where I presented the new features and architecture of Fireshark v2.

I have had the opportunity to speak at many conferences before, but this was my first time doing so in my university town of Boston (Northeastern), and my first time speaking at SOURCE. SOURCE has conference locations in Seattle, Barcelona, and Boston, and attempts to bring security experts together to create a very positive mix of business needs and technology expertise. Boston is a bustling city with a number of technology companies and top universities. The location alone is worth the visit.

That aside, I was impressed with some of the presentations I saw. Here are a few worth mentioning, which are available online at http://www.sourceconference.com/boston/speakers_2011.asp:
 

  • On The Use of Prediction Markets in Information Security - Dan Geer, Alex Hutton, Greg Shannon
  • The Exploit Intelligence Project - Dan Guido, iSEC Partners (great talk!) 
  • Incursion - From Internet To SCADA, Critical Systems Compromise Case Studies in Pictures - Val Smith, Attack Research, and Chris, SecureDNA 
  • Fuel for pwnage: Exploit kits - Vicente Diaz and Jorge Mieres, Kaspersky Lab
  • Reverse Engineering Flash Files with SWFREtools - Sebastian Porst (Flash analysis tool released!)
  • Reversing Obfuscation - Adam Meyers, SRA International
  • Streamline Incident Types for Efficient Incident Response - Predrag Zivic and Mike Lecky, Canadian Tire (really interesting talk on identify tracking)
  • Network Stream Hacking with Mallory - Raj Umadas, Jeremy Allen, The Intrepidus Group (Mallory is a tool worth checking out!)
  • Adding another level of hell to reverse engineering - Ben Agre, Raytheon (Something as reverse engineers that we'll have to become accustomed to more and more: used junk code!)


and finally...

My presentation: Fireshark v2 - An Analysis Toolkit for Malicious Web Sites - Stephan Chenette, Principal Security Researcher, Websense Labs (to be publicly available on or before May 5)

(Figure 1: Stephan Chenette introducing Fireshark v2, an analysis tool kit for malicious websites)

 

I want to thank Stacy Thayer, SOURCE founder, the SOURCE advisory board and all attendees.

(Figure 2: SOURCE founder, Stacy Thayer)

 

 

Upcoming Security Conferences in 2010
Posted: 04 Jun 2010 05:00 PM

 

Although not an exhaustive list of upcoming security conferences, here are a few of the conferences taking place this summer and into 2011 that we recommend. Many of our researchers are speaking at these conferences, so plan on seeing some of their talks. They will give you a glimpse into various research projects being worked on inside our labs.

 

   -- this symbol indicates that we'll be speaking at the conference

 

June

 


EUSecWest

When: Jun 16 – 17, 2010
Where: Leidseplein, Amsterdam, Netherlands

 

Presentation: DarunGrim - A Tool for Binary Diffing and Automatic Vulnerabilities Pattern Matching
Websense Security Labs Researcher: Jeongwook (Matt) Oh

 


SyScan Singapore

When: Jun 17 – 18, 2010
Where: Singapore

 

Presentation: An RIA Security Solution - Flash and PDF Threat Handler
Websense Security Labs Researchers: Ulysses Wang & Hermes Lei Li


July

 


RECon

When: Jul 9 – 11, 2010
Where: DoubleTree Plaza Montreal, Montreal, Canada

 

Presentation: Using Fireshark to analyze a malicious Web attack
Websense Security Labs Researcher: Stephan Chenette


The Next HOPE

When: Jul 16 – 18, 2010
Where: Hotel Pennsylvania, New York, NY, USA

 


BlackHat USA

When: Jul 24 – 29, 2010
Where: Caesars Palace, Las Vegas, Nevada, USA

 

Presentation: ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically
Websense Security Labs Researcher: Jeongwook (Matt) Oh

 

BSides Las Vegas

When: Jul 28 – 29, 2010
Where: Las Vegas, Nevada, USA

 


DEFCON 18

When: Jul 29 – Aug 1, 2010
Where: Riviera, Las Vegas, Nevada, USA

 

Presentation: ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically
Websense Security Labs Researcher: Jeongwook (Matt) Oh

 

August


SyScan Taipei

When: Aug 19 – 20, 2010
Where: Taipei, Taiwan

 

 

September

 

SOURCE Barcelona

When: Sep 21 – 22, 2010
Where: Museu Nacional D’art de Catalunya, Barcelona, Spain

 


BRUCON 2010

When: Sep 24 – 25, 2010
Where: The Surfhouse, Brussels, Belgium

 

Presentation: Fireshark - Linking the Malicious Web (NG)
Websense Security Labs Researcher: Stephan Chenette

 

SyScan Vietnam

When: Sep 25 – 26, 2010
Where: Ho Chi Minh City, Vietnam

 


Virus Bulletin

When: September 29 – October 1, 2010
Where: Vancouver, BC, Canada

 

Presentation: P0isoning the social web
Websense CTO: Dan Hubbard

 

Presentation: Categorizing the entire web with autonomous system numbers
Websense CTO: Dan Hubbard & Websense Security Labs Researcher: Saeed Abu-Nimeh

 

October

 

MaLWARE 2010

When: October 20-21, 2010
Where: Grand Hotel De La Reine, Nancy, France


November

 

PACSEC

When: November 10-11, 2010
Where: Aoyama Diamond Hall in Tokyo, Japan

 

 

December

 

RUXCON 2010

When: Dec 4 – 5, 2010
Where: Royal Melbourne Institute of Technology (RMIT), Melbourne, Australia

Anonymous

RSA 2010 Recap
Posted: 09 Mar 2010 04:39 AM

Dan Hubbard, myself, our awesome event managers, and the rest of the Websense crew have arrived home after attending and presenting at RSA 2010 in San Francisco. It was another successful year as the conference was very well attended and the presentations were quite informative.

Figure 1: Stephan Chenette's FireShark RSA Talk

 

Figure 2: Dan Hubbard's Threats to Cloud Computing RSA Talk

I presented the details of a Web security Firefox plugin called FireShark that I will soon be releasing as open source. The plugin helps in visualizing various Web attacks such as mass URL injection attacks like Gumblar, Beladen, or Nine-ball. I have to personally thank Wladimir Palant, who you should know from his development effort on a plugin called Adblock Plus. Wladimir was instrumental in offering tips on Firefox plugin writing. Thanks Wladimir!

Essentially FireShark is a local plugin that, when used in a clustering architecture, can become a very powerful mechanism in visualizing the malicious Web. In my presentation, I shared several real-life scenarios of compromised Web sites. On one occasion, FireShark mapped out one particular malicious community that later, when operation b49 was exposed, uncovered that many of the hosts involved were also Waledac spamming domains. FireShark made it easy to see that these domains were responsible for acting as control points, redirecting users from legitimate compromised Web sites to landing pages serving rogue antivirus. More so, FireShark's post processing mechanism could conduct analysis on compromised machines, intermediary machines and the final landing pages, so that not one piece of information was left unknown. This includes the original source code, the de-obfuscated source code (final DOM view), and any window prompt or malware that the user is optionally asked to download and install. This is useful for one Web site, but FireShark does this for millions of sites every day. By correlating all the data, FireShark is able to take the normalized data and link various previously assumed unrelated attacks.

Figure 3: A Web site that was compromised and part of a small malicious community, graphed with GraphViz from FireShark output

 

Figure 4: Stephan Chenette (me) speaking at RSA

I sat down with Rob Lemos in an interview while at RSA; so if you're interested in knowing more about FireShark until it's released, you can read the article here.

Days before my presentation, Dan Hubbard co-presented with researchers from ZScaler outlining some of the current top cloud computing threats. Dan's presentation as well as all presentations given at the Cloud Security Alliance conference at RSA can be found here.

Here are a few images of the conference. If you were there, you know that our Websense booth was not easy to miss; it was probably the largest and most impressive booth I've ever seen.

Principal Security Researcher: Stephan Chenette 

 

 

WebsenseSecurityLabs

StartupCamp Toronto
Posted: 03 Dec 2007 07:34 AM

I'm glad to announce that I will be presenting Defensio at StartupCamp Toronto this coming Thursday.

If you're interested in discussing spam, business or just life in general, please do not hesitate to get in touch!


Defensio, the blog

Democamp Fun
Posted: 25 Jul 2007 06:37 PM

Last night, Carl and I had the opportunity to present a short demo of the Defensio spam filtering service at DemocampMontreal3. It was fun, and we received a lot of great feedback from the local community.

 

Best of all were some of the discussion questions that came at the end of the presentation. For the benefit of all you who were too busy to attend (what could be more important than Democamp!?) or not in Montreal (we'll forgive you for that) I'd like to run through some of the more important questions that were asked, and our silky-smooth responses:

Q: Some bloggers have turned off comments because of spam, others have turned off comments due to a philosophical belief, espoused by Dave Winer, Joel Spolsky (among others), that comments should not actually be part of the blogosphere. Where do you stand on this?

A: Well, we vehemently believe that comments should be part of the conversation on the Web, for many reasons:

  • Comment threads, while sometimes childish and petty, are more often valuable sources of insight beyond the original blog post.
  • Commenting on your own blog in response to another post is often not the right venue -- especially for short comments -- and would often be completely out of context for your blog's readership.
  • Allowing only trackbacks does not immunize you from spam -- in fact, much of the worst comment spam is in pingback/trackback form.

Most importantly, we think closing comments generally dampens conversation, which is fundamentally bad for freedom of expression and the overall thought exchange process that blogs are so wonderful at enabling.

Q: How quickly will your filter learn?

A: We can't provide precise numbers, but we can say that filter performance will continue to improve over time and that respectable results should be seen after a week or two of use.

Q: Isn't spam only a problem for the largest blogs out there?

A: While spam is definitely a bigger problem for the most influential blogs, it is decidedly an annoyance that MOST moderately successful bloggers face. Based on the initial interest that has been expressed in our service, we think this view is vindicated.

Q: What can you tell us about how your filter works?

A: Nothing, sorry.

Q: Will you buy everyone free beer because you used slides in your presentation?

A: No. Learn to love slides.

Defensio, the blog
