Pictures and presentation papers from Sparks #1

Sparks, monthly computer security conference, organised by Cyber Security Research Center from Romania – CCSIR, had its debut this week on Tuesday March 4, 2014 at TechHub Bucharest with almost 100 attendees and 2 awesome speakers.

Valentin Ilie, Software Research Engineer at Intel Romania broke the ice with a nice presentation called “Multiple Protocol Reverse Shell” where he talked about a new way of bypassing rules of a network infrastructure and after a ten minutes break Ionel Chirita, Application & Infrastructure Security Analyst at Electronic Arts had a discussion about “Choosing the Best Web App Security Scanner”.


You can find more pictures on our Facebook page.

About Sparks

Launched in the spring of 2014, on 19th of February, Sparks are a series of computer security conferences dedicated to both hobbyists and professionals from the INFOSEC. More details here.

CCSIR Supports DCOI – Tel Aviv, Israel

Cyber Security Research Center from Romania (CCSIR) is one of the partners of DCOI – Defensive Cyberspace Operations & Intelligence Conference, a cyber security conference that will take place in Tel Aviv, Israel on 8-9 April, 2014.

dcoi security conference

The event is organised by INSS or The Institute for National Security Studies which is an independent academic institute that studies key issues relating to Israel’s national security and Middle East affairs. Through its mixture of researchers with backgrounds in academia, the military, government, and public policy, INSS is able to contribute to the public debate and governmental deliberation of leading strategic issues and offer policy analysis and recommendations to decision makers and public leaders, policy analysts, and theoreticians, both in Israel and abroad. As part of its mission, it is committed to encourage new ways of thinking and expand the traditional contours of establishment analysis.

DCOI will is a two days event with over 30 high profile speakers such as Dr. Yuval Steinitz – Minister of Intelligence Israel, MG. (ret.) Amos Yadlin – Director of INSS, Paul De Souza – President of Cyber Security Forum Initiative (CSFI), Tony Cole – Vice President and Global Government CTO at FireEye and others.


Cyber Security Research Center from Romania (CCSIR) will be represented at the conference by Andrei Avădănei, the president of CCSIR organisation. He will talk about “Offensive Honeypots, IDS & IPS using Social Media and hackers tools”.

“One of the biggest challenges when you have an IT infrastructure with critical information from an economic perspective or one that manages classified information is to have a hands-on reaction in defending and preventing attacks. There are several types of organizations that work deeply in the field of identifying intruders but most of the time, it’s impossible due to different political reglementations of the cyber space. In any kind of attack, there is a time frame when the attackers are the most vulnerable and in this presentation I will introduce several perspectives along with examples of how we can fingerprint and counter-attack the intruder. I will discuss about honeypots, offensive approaches, social networks, APTs, malware and multi-layered counter-attacks.”, declared Andrei Avădănei.

How to register?

You can register for this conference directly on the website. The rate for Military/Government, Public Sector Rate is 400$ for both days and the Commercial Organisations Rate is 550$.

About Cyber Security Research Center from Romania

Cyber Security Research Center from Romania(CCSIR) is a Non-Governmental Organization with the sole purpose of promoting, supporting, implementation and coordination of security research in the information security field in Romania, as well as international actions with short, medium and long term partnerships in the information security arena.

Pentesting 101 – what you should know?

The big majority of attacks performed over the systems available via Internet are made in the application layer due to the easiness of launching an attack and the lack of app protection. For verifying the security of IT infrastructures an audit is carried out, but this action is insufficient in many situations in determining the ways an attacker can abuse and corrupt services or applications. Pentesting is the most efficient way of verifying the effectiveness of security measures because this will allow real time protection in case of an attack.

penetration-testing ccsir

The pentests should be made as much as possible before launching the application in a productive environment, after the functionality and efficiency has been tested, in order to identify early on the vulnerabilities that could lead to an information leak, blocking the access to the application or total corruption of the systems.

In order to make a pentest successful the next steps should be followed:

  • Planning and preparing
  • Collecting and analysing information
  • Detecting vulnerabilities
  • The actual attack against systems
  • Reporting and analysing vulnerabilities that were found
  • Cleaning applications and systems

Approaching the tested infrastructure can be made in many ways according to the client objective, the only thing that is different between them is the information received from the client. In this way we can make three kinds of tests:

  • Black box: simulate a real attack from outside based only on public information, with low aggressivity for detecting the sensibility and rate of detection by implemented security systems
  • Grey box: the pentester has limited information from the client and the rest also from public source
  • White box: the client offers inside information for the systems and application targeted or offers a copy of them, in a controlled environment, so the tests can be more aggressive and this way you can review each component even if they can be public accessed or not

A penetration test cannot offer you a complete overview over the system or network security, this being the main reason of tests made within a predefined period of time. The undiscovered vulnerabilities during the pentest or those that can appear after updates, the installation of a new software or reconfigurations of the system can lead to new security holes. This is the main reason that periodic pentests and security audits along with monitoring constantly are the most efficient ways to prevent security issues.

The efficiency of signature detection

It has been more than 20 years since the discovery of first efficient method for detecting and eliminating general threats or infections for regular computer users. This method uses signature detection, both in antivirus type software and in IPS systems (two resembling solutions but used in different environments).

The efficiency of signature detection

Old fashion signature protection

The biggest problem of antivirus software developing companies is convenience. Since the early 2000s there has been noticed a disturbing trend – all the companies measured the quality and efficiency of detecting viruses by the number of signatures they owned and apparently is still the same, although this software rather offers a fake feel of protection because you can’t protect a system from a new threat that doesn’t exist in their signature database.
Unfortunately, the number of signatures grows day by day increasing the resource usage (CPU, RAM, etc.) of the software even if they are trying to implement cloud solutions.

It’s interesting how nowadays, an era dominated by advanced technology, “the bad guys” have a big advantage over the security companies using well-known methods (see polymorphism) to bypass this old and outdated detection system. The time of those who created malware software for fame and respect in the underground world has passed and now became one of the most important ways of obtaining private information. This way the attackers may get substantial financial benefits. Some are building careers from malware software development and more, the majority of the attacks aren’t carried by one individual but by organized groups and sometimes by resourceful institutions.

signature detection

How IPS solutions protect your infrastructure, in numbers

Yet, I have bigger reserves in talking about IPS solutions manufacturers. Let’s take, for example, an IPS that gives 4500 signatures for protecting your network; from all of these signatures probably just about 20% are useful because it’s less likely to have this big number of solutions from companies like IBM, Sophos, Cisco, HP, Dell, Oracle, Symantec, AOL, etc. in one place (I read some names from the signature list). Theoretically they have cover most of the known problems and this is the reason why they give us this diversity. Now, from the ~1000 useful signatures, if you have a company with more than 3000 employees with high internet traffic, there are chances that only ~35% of that amount of signatures are usable. The danger of many signatures is marked as “critical” (60%), having an “High-performance impact” on the network and this is why they can’t even be placed in “Logging mode” because they will stop the system activity. The rest of 40% are marked like “Low-Medium performance impact” and they should reach first in “Logging mode”(because the information from the producer is not always 100% accurate) to see exactly the impact made on the network and after that you can put them in “Blocking mode”. So effectively how many of the 4500 signatures are really useful? Little to protect yourself in a real way and considering an investition of this type.

Case study

The future of online security stays in systems based on file behavior analysis, executed and observed in a controlled environment. I can give you an example from one of my personal research: from few thousands(~8000) of detections(only .exe files) for a period of 9 months by a firewall executing a behavior analysis, only ~17.5% were detected by antivirus software! And speaking of statistics, did you knew that 80% of Carberp infected computers ran daily updated antivirus software?


Of course this is a topic of bigger complexity, we can talk much more about it and get into deep branches of this field, but I only wanted to point your attention to this, in my opinion one of the biggest global issues right now.

How You Can Become a Member of CCSIR?

The membership role of the Cyber ​​Security Research Center from Romania is a special status obtained by the people who are involved in the organisation projects. All the members embrace our vision and have deep experience in the cyber security space, both offensive and defensive approaches.

become a member of ccsir

CCSIR Member Benefits

As a member you have some benefits, such as:

  • access to a group of highly technical people;
  • access to our internal research topics and discussions;
  • access to our network of information security specialists;
  • access to build and promote your security related projects through our international network;
  • financial, human, logistic and hardware resources to get your security related project done;
  • the ability to publish INFOSEC related articles to the community, both romanian and international one;
  • discounts or free access to different training programs, private and public meetings or conferences organised by CCSIR and partners

Still intereted

Find out more.


Cyber Security Research Center from Romania(CCSIR) is a Non-Governmental Organization with the sole purpose of promoting, supporting, implementation and coordination of security research in the information security field in Romania, as well as international actions with short, medium and long term partnerships in the information security arena.