The Counter eCrime Operations Summit VII (CeCOS VII) engages questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the electronic-crime threat every day.

The annual event, organized by the Anti-Phishing Working Group (APWG) is this time held in Buenos Aires, Argentina.

The last week of 2012 marked the 29th installment of the Chaos Communication Congress. Organized by the Chaos Computer Club (CCC), the congress is an annual conference on technology and its impact on society. Although the scope may look quite loose, both lectures and workshops typically revolve around privacy, freedom of information, data security and other hacking issues. Needless to say, it has always been a great success; huge, considering that black-hat sized events here in Europe are not that common. Take, for instance, the fact that this year the congress had to be held in Hamburg, as Berlin could not offer a congress center fit enough to host more than 6000 attendees. Trust me, this number was not an exaggeration at all!

I admit my expectations were quite high: after four long years of scientific symposia going back to more technical venues was indeed putting my brain in hunger-mode. However, having experienced what it means organizing events for medium sized scientific conferences, I was honestly puzzled about turning a huge building such as the Congress Center of Hamburg in a functional place ready to host lectures, workshops, and hack spaces. Boy I was wrong to be worried about it. The event lasted 4 whole days (from the 27th to the 30th) with an impeccable organization: not only were all lectures and workshops flawlessly organized, streamed, and chaired; but also all open spaces were collectivized and used for all kind of hacking purposes, from playing CTF to entry-level courses on the Arduino platform.

The speakers on the other hand could take advantage of extremely well-sized rooms, with the most important talks having available an auditorium able to host more than 2000 people. Nevertheless, I have to say I was forced to learn one thing pretty fast: if you are interested in a topic, and that topic happens to be quite a hot one, well, be ready to get to the room at least 15 minutes before show-time; seriously, being on time never worked; any room, regardless of the capacity, was liable to get full. Believe me, I was really thankful for the flawless streaming infrastructure (watching a talk on my laptop that was taking place just few meters away was indeed paradoxical :) ).

The first day's line up was respectable. The keynote was given by Jacob Appelbaum, known for his contributions to "The Tor Project", and also former spokesperson for WikiLeaks. After the usual introductions, he explained the reasons of this year's congress' zeitgeist "Not My Department". We all have heard this sentence at least once in our lives; usually uttered to belittle other people's arguments, it has always been used as an example of a closed mindset at work. Jacob's point was that this attitude is even more detrimental in an inter-connected world. What is the use of a privacy-preserving bill if our data flows through the routers of oppressive governments potentially assembling huge data sets about our lives? A new level of awareness is therefore suggested.

These days Passwords^12 is taking place in Oslo - a conference only dedicated to passwords and pin codes. With temperatures around -15 degrees (Celsius) outside, in the conference rooms of the University in Oslo, Department of Informatics, talks by well known security experts are given.

Every day you use passwords. While logging on to your computer, smartphone or tablet, accessing your emails or your social network site and also for online banking and online shopping. Recent database breaches of user logins show that there is a high demand for more security in this area. During these days talks and discussions only care about this.

On 20th and 21st of August we had our 2nd Latin American Security Analyst Summit here in Quito, Ecuador.

It was not a closed-door event; we had guests from 13 countries of the region including our panelists from law enforcement agencies who work every day in the fight against cybercrime:

Emerson Wendt from the civil police of Brazil @EmersonWendt
Segundo Mansilla from the Police of investigations of Chile @s_mansilla
Fausto Estrella from Cyber police of Jalisco, Mexico
Santiago Acurio from Catholic University of Ecuador / Lawyer and Doctor of cybercrime Jurisprudence.

Probably the two most important security conferences in the world are held in Las Vegas during the same week, gathering more than 15,000 attendees and offering dozens of talks. Even if you are here, you will find a situation where you want to attend 2 or 3 talks at the same time, or the frustration of attending one talk only to find there is no room left for you in the next one you wanted to attend.

So I thought it would be useful, whether you were in Las Vegas or not, to highlight the most relevant things that happened there during these 2 weeks, in my opinion:

BlackHat USA may have been wrapped up for the year but DEFCON is in full swing. I didn't stay around for DEFCON though, which means I finally have some time to reflect on BlackHat.

This year featured the first time Apple presented at BlackHat, about iOS security. While the presentation lacked the details usually seen in BH talks it definitely showed Apple is trying to open up. Being (more) communicative is vital to doing security response right.

This is of particular importance for Apple as there were quite a few talks focusing on Apple's security. Ranging from attacks on iOS to Mac-oriented EFI rootkits.

Dan Geer's fantastic Keynote Speech kicked off Day 2 of SOURCE Conference Boston this morning. The talk itself was heady and complex, something to keep up with. Notable talks also were Jeremey Westerman's "Covering *aaS - Cloud Security Case Studies for SaaS, PaaS and IaaS", and Dan Rosenberg's "Android Modding for the Security Practitioner".

"The internet will never be as free as it is this morning." Dan Geer is one of the best, sharpest computing/network security speakers around. His talk descended from a high-level, lengthy, example-laden description of most every developed nation's dependency on the internet: "Dependence with respect to the internet is transitive, dependence on television is not...We are at the point where it may no longer be possible to live your life without having a critical dependence on the Internet, even if you live at the end of a dirt road but still occasionally buy nails or gasoline." And, he wound through multiple examples of failures in US systems to provide fallback options. He talked about his little local bank, whom he wrote a letter to close down the auto-created online account he wouldn't use. They, as an exception, closed it down immediately. His 401k account administrator Fidelity Investments, on the other hand, would not accept customer instructions from him in writing. The company continues to send him mailed marketing content of all kinds in writing at the address from which he sends his letters. Their auditors apparently approve of Fidelity's rejection of customer-initiated hand-written delivered communications, instead, accepting email/online chat messaging or instructions over the phone. This discussion made its way through systems design, unified field theory, and fault tolerance, eventually landing on key points that intrusion prevention is agreed not to be a workable model, instead, the elegance of "intrusion tolerance" must be built into systems, and countries and organizations that cannot build tolerance into their systems are not sustainable. Favorite quotes: "forget the banks, it is the internet that is too big to fail", "Is there room for those who choose simply to not participate in the internet?", "HTML5 is Turing complete. HTML4 is not", and "Should we preserve a manual means? Preserving fallback is prudent if not essential."

Jeremy Westerman's "Covering *aaS - Cloud Security Case Studies..." presented several design cases for Universities and other organizations. The single most important point to learn from this talk is that API key management is unfortunately not handled with as much urgency and awareness as private SSL keys for large organizations. This API key, in the context of multiple, popular single sign-on (SSO) solutions in use at large universities, is the key to tens of thousands, if not hundreds of thousands, of email accounts. Similar API key schemes are implemented on IaaS solutions like the Xen supported Amazon EC2 environment and VMWare vCloud Teramark environments. Without appropriate awareness, developers are storing that key in improper locations like the hard drive of the sign-on machine, or the developers themselves are storing keys on their development system hard drives in non-obvious places, emailing/"dropboxing" them around to each other and then simply transferring the API keys to the production environment, instead of re-issuing production API keys. It is practically imperative that these keys are taken out of the hands of developers. These loose handling practices are bad news - viral code like Sality and other viral code and worms previously high in our prevention stats have maintained functionality to steal FTP and web admin account passwords in order to silently host malicious code, encrypted or otherwise, on legitimate web sites without the owner's knowledge. In other words, developers have been effective and weak targets in the past for credential theft, enabling silent site compromise and malicious use. Most schools don't want that - I remember one unfortunate notification at a small Arts college, where the web admin really didn't want to believe that the encrypted blob of data hosted on his school's web server was a viral payload updating other students' infected systems, located there because his credentials were Sality-stolen after trying to run cracked software distributed over a P2P network. Anyway, it happens and it can be planned for and prevented.

It's the end of 2011 as we know it, and Microsoft feels fine finishing out the year with a handful of out-of-band holiday patches. This round is important not because the vulnerabilities directly impact massive numbers of customers and their online behavior on Windows laptops, tablets, and workstations, but because ASP.NET maintains vulnerable code enabling easy DoS of hosting websites, authentication bypass techniques, and stealth redirections to other websites (most dangerously those sites hosting phish and hosting client side exploits and spyware). All of this could curdle your eggnog in the coldest of weather.

In the beginning there were only malware and machines to be infected, with no money in the middle - only a will to get “fame” by coding. A few years ago this situation changed drastically and today the cybercrime ecosystem is much more complicated, including as much as 7 key elements. This starts with the coders, who only develop the malware, then sell it to other criminals while offering service support. The criminals who buy it distribute it among other cybercriminals and money mules.

What’s the problem here? In general the AV industry still fights the same way as 15 or more years ago. We detect more amounts of advanced malware yet more appears every day. It’s like cutting a weed but leaving the root - it just grows up again and again...

Hello, David Jacoby here checking in from sunny Barcelona where I'm attending the annual Virus Bulletin conference.

I'm sitting here reviewing all the presentations from yesterday, and it just hit me, this is actually my first time at this conference. Previously I have only attended security conferences in the style of Black Hat, Defcon, HITB and others. The content is very different, and also the presentation styles. To be honest, I had no idea what to expect, but so far it's been really refreshing and educational.

It's been a blast to meet meet fellow researchers from the same industry and just to get a face to the people behind the e-mail addresses. If you are at Virus Bulletin and reading this, do not hesitate to find me!

So, it's currently day two, and so far so good. Yesterday I saw about eight presentations, mostly in the technical track, but today I'm mostly visiting the corporate tracks. I think its a good mixture to get information from both tracks. The only problem with two tracks is choosing which one you want to attend.