Where's the Risk? Oslo, apparently.
Just back (well, a few days ago) from the RISK 2008 conference in Oslo, Norway. Overall I really liked this conference, although I did not get to attend all of the talks due to my average (read: non-existent) command of the Norwegian language, so I limited myself to the talks of an English-speaking variety.
The first speaker up was Marcus Ranum, who delivered an excellent and very entertaining talk about how we are stuck dealing with all of the mistakes of the past, and how we must be much more careful going forward. He also has an interesting read on his website about the "6 Dumbest Ideas in Computer Security". The only other English presentations for the day were by Peter Finnegan on Oracle Security/Lack thereof, and by Sebastien Deleersnyder explaining what OWASP was all about.
That evening Mnemonic put on an excellent drinks reception, and a really nice dinner. There was also a very good comedian, at least all of the locals were laughing, although he did a sketch about going through airport customs that was mostly in English and was great. The night was good craic overall, and hats off to Mnemonic for organising it.
The 2nd day of the conference started with Joanna Rutkowska's talk on Virtual Machine malware. This was a talk that I was really looking forward to - unfortunately my own presentation was up next so I spent most of the time down the back going over that. The bits I caught were as interesting as ever. My own presentation on "Fighting web-based, profit-driven threats" sparked quite a few questions from the audience (joys of being the only AV Speaker), especially from the aforementioned Joanna. Eventually the organisers called time on the questions, but the spirited debate continued during the break, attracting a bit of a crowd.
Essentially a lot of people were saying that a) pattern matching is dead, b) counting unique MD5s as a measure of the rise in malware is pointless, and c) we should fix the OS, not build on it.
On A I mostly agree - pattern matching on its own is not capable of dealing with the current threat landscape, but when complemented with other technologies like Behaviour Based detection, Web Threat Protection and Data Leak Protection, suddenly we have a decent defense-in-depth model.
Regardless of the fact that the number of unique samples has gone through the roof, the fact is the number of individual variants is also on the rise. Everyone knows that it is trivial to generate 10,000 copies of the same malware - but you still need to deal with each of them, and that's why the malware industry does it. Even if you have only one brand of bullet, firing 10K at the target instead of 1 makes it a lot more likely you are going to do some damage.
In an ideal world fixing the OS is a big step. Proper process isolation, data permissions, etc. go a long way to helping secure a system, but the majority of malware attacks are still aimed at the most vulnerable part of the system - the part between the keyboard and the chair.
Anyhow - the other English presentation of the day was a really interesting talk by PDP of Gnucitizen.com (if you don't already regularly read it, you should). He gave a very nice rundown of attacks against Web 2.0 that was both entertaining and informative, and was tied with Marcus's presentation as far as I was concerned for the best at the conference.
Anyhow back now to a place where beer does not cost €10, but that may all change as I head to CARO in Amsterdam later this week.
Full Program of the Event
Copy of the Slides from my presentation
Labels: Conference, Security, Technical





1 Comments:
Excellent read. I loved the slides and the text with each one. You should take a look at the Caja work from Mark Miller et al at Google. In your terms Caja works only from "Whitelists" of approved connections to objects managed by capability based access right. I see Caja as another element in the end-game solution we are all looking for.
Ken Hamer Hodges
ken@sipantic.com