1
00:00:04,460 --> 00:00:10,130
The next slide lists the consequences of a relatively recent attack by a global virus called Conficker.

2
00:00:21,800 --> 00:00:26,820
We'll analyze the ways in which the virus can be fought in the next module of the seminar.

3
00:00:29,310 --> 00:00:34,080
For now I would only like to point out that Conficker spreads thanks to the gullibility of the users.

4
00:00:35,870 --> 00:00:38,620
Once again, it's an example of social engineering.

5
00:00:39,780 --> 00:00:43,980
The right-hand side of the slide presents a window that popped up whenever a user connected a memory

6
00:00:43,980 --> 00:00:48,720
stick to a computer which was infected with Conficker.

7
00:00:48,830 --> 00:00:56,090
This is really how the Windows Vista AutoPlay window looks, and the window contains a well-known message

8
00:00:56,090 --> 00:00:59,540
prompting the user to open the folder to view the files.

9
00:00:59,720 --> 00:01:04,780
The default option, which the user knows and has selected many times before, is highlighted as well.

10
00:01:07,760 --> 00:01:14,860
Please note, however, that the heading above this option says "Install or run the program". The virus modified

11
00:01:14,860 --> 00:01:21,000
an autorun file, which you can see in the upper right corner of the slide, in order to use AutoPlay

12
00:01:21,010 --> 00:01:22,800
to get users to run this code.

13
00:01:27,690 --> 00:01:34,010
The last scenario we will discuss is an attack targeted at a specific service. We want to elaborate on

14
00:01:34,010 --> 00:01:37,340
it because it's not an automated attack.

15
00:01:37,420 --> 00:01:39,460
It doesn't use a virus or an exploit.

16
00:01:42,830 --> 00:01:43,900
For this kind of attack,

17
00:01:43,910 --> 00:01:49,700
the attacker needs only the information that the victim uses a certain version of the server created

18
00:01:49,700 --> 00:01:56,830
by such and such a company. Then the attacker sets up the very same version of an FTP server on his own

19
00:01:56,830 --> 00:02:00,500
computer.

20
00:02:00,520 --> 00:02:04,080
Initially the attacker will try to conduct the attack on his own server.

21
00:02:05,190 --> 00:02:08,670
This means that the future victim is oblivious to his actions.

22
00:02:10,080 --> 00:02:16,290
Also, it will allow the attacker to analyze the server's responses in real time using a debugger or a

23
00:02:16,290 --> 00:02:19,640
program monitoring the activity of server processes.

24
00:02:21,620 --> 00:02:29,870
All this can allow the attacker to find a server error, for example a buffer overflow error, using his own

25
00:02:29,870 --> 00:02:33,020
copy of the software used by the victim.

26
00:02:33,270 --> 00:02:37,080
The attacker can prepare a specific attack.

27
00:02:37,300 --> 00:02:42,840
For example, the attacker can create an exploit and test it on his own version of the server.

28
00:02:43,900 --> 00:02:48,260
Once the attack is tried out, it can be reproduced on the victim's computer.

29
00:02:50,180 --> 00:02:53,370
In such cases the virus scanner will prove useless.

30
00:02:53,480 --> 00:02:58,880
It won't detect any viruses because the attack will be conducted with the use of an original program

31
00:02:58,880 --> 00:03:07,330
that doesn't appear in the scanner's database.

32
00:03:07,370 --> 00:03:12,040
If the firewall is used as an application firewall, it won't be much help either.

33
00:03:13,380 --> 00:03:17,960
Whether such a firewall detects the attack or not depends on how invasive the attack is.

34
00:03:18,700 --> 00:03:26,040
There is a great possibility that the firewall won't notice the attack. Even the correct configuration

35
00:03:26,040 --> 00:03:29,190
of the server won't prevent the attack from happening.

36
00:03:32,350 --> 00:03:36,590
Strictly following the producer's instructions won't ensure security either,

37
00:03:37,550 --> 00:03:44,970
because the attack exploits software bugs, not configuration mistakes.

38
00:03:45,040 --> 00:03:50,140
The problem wasn't reported to the producer, so it couldn't have had the chance to issue an update fixing

39
00:03:50,140 --> 00:03:50,940
that bug.

40
00:03:53,050 --> 00:04:00,000
However, the probability of such an attack is substantially small, although there are more and more threats

41
00:04:00,000 --> 00:04:01,070
out there.

42
00:04:01,110 --> 00:04:05,640
The defense in depth security model gives you the chance to detect an attack when you still have time to

43
00:04:05,640 --> 00:04:06,530
react.

44
00:04:07,710 --> 00:04:11,470
And even if the attack is successful, its scope will be limited.

45
00:04:14,090 --> 00:04:20,480
It will allow you to limit the attack to a given server only and to prevent it from spreading to the

46
00:04:20,480 --> 00:04:23,840
whole computer system or the network the server is connected to.

47
00:04:28,340 --> 00:04:29,720
Thank you for your attention.