From the 23th to 28th of March, SANS together with INFIGO IS held the SEC 504 (Hacker Techniques, Exploits and Incident Handling) course in Zagreb, Croatia. SANS is the most trusted and by far the largest source for information security training, certification and research in the world.

This is the first time that a SANS course was held in Croatian.

The instructor was Bojan Ždrnja, an expert with more than ten years of experience in information security and an employee of Infigo IS.

SEC 504 is the most popular SANS course that provides experience in finding security vulnerabilities and flaws, discovering attacks and intrusions and protecting information systems to the attendants.

This course is aimed for information security specialists, general security practitioners, system administrators, security architects and anyone who will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

During five days, the students learned about various tools and attack methodologies employed by attackers. Finally, on the sixth day of the course, the students had an opportunity to test everything they learned in a Capture the Flag event, where they had to attack specially prepared servers simulating real environments.

After attending this course the students can also apply for the exam to earn the GIAC Certified Incident Handler (GCIH) certification.

Just one week after Microsoft released the MS09-002 security patch first exploits have been detected in the wild. Although attacks using these exploits were delivered to end users via Word documents, the vulnerability is present in Microsoft’s Internet Explorer 7 which means that web based, drive-by attacks can be expected very soon as well.

The version of the exploit currently used in the wild was analyzed by INFIGO IS’ researchers who confirmed that, as a result of a successful exploit, a Trojan horse is installed on the vulnerable machine. This Trojan horse collects sensitive personal information and sends it to a remote site.

INFIGO IS warns all clients that security patches for both operating systems and applications should be installed regularly.

More information about the attack can be found at the Internet Storm Center.

INFIGO IS researchers reverse engineered the worm and assisted numerous clients in cleaning and limiting the damage caused by the worm. It is estimated that there are tens of thousands of machines infected with the Conficker worm just in Croatia.

The analysis of the worm, as well as monitoring of activities of the worm on the global level, indicated that there are two main features of the worm that helped it spread rapidly, especially in corporate environments.

First, the worm is technically very sophisticated; it uses several infection vectors such as spreading over USB devices, network shares, as well as exploiting a vulnerability in Microsoft Windows operating systems and exploiting weak user passwords.

Second, a lot of issues with the Conficker worm were caused by organizations not regularly patching systems, installing anti-virus applications or requiring complex user passwords.

This incident indicated that information security in most organizations needs more commitment and investments into security technologies, as well as processes and policies.

Saša Ilić will give a seminar titled "ISO 27001 Security Management / Risk Management". The seminar covers ISO 27001 information security management system (ISMS) implementation process, as well as risk assessment and risk management processes.

Bojan Ždrnja will give a presentation titled "Security – current Internet attacks" in which he will analyze politically motivated attacks, including those on Estonian and Georgian governments. The presentation will also cover other attacks by hacktivists as well as attack methods and technologies previously used.

Infigo IS will be represented by Bojan Ždrnja, who will, on Wednesday, 22nd of October, give the presentation "Information risks and threats – Internet and new technologies". The presentation will be a part oft he "Information security and business continuity" track.

More information is available at the official conference web site.