Computer security, Internet privacy: What should we worry about?

Slide 1 - Computer security, Internet privacy: What should we worry about?
Sebastian Lopienski, CERN Deputy Computer Security Officer
Polish Teachers Programme, October 2014

Slide 2 - Disclaimer
What follows are my opinions and not necessarily those of CERN.

Slide 3 - A cloud hack
Digital life of a Wired journalist destroyed in one hour
(http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking):
- Amazon, Apple, Google and Twitter accounts compromised
- all Apple devices wiped out remotely

Speaker notes: Also:
http://www.schneier.com/blog/archives/2012/08/yet_another_ris.html
http://youtu.be/603bceogqfA
Slide 4 - A cloud hack: How??
1. Call Amazon and add a new credit card
   (needed: name, billing address, e-mail address)
2. Call again, say you lost the password, and add a new e-mail address
   (needed: name, billing address, current credit card)
3. Reset the password - the new one is sent to this new e-mail address
4. Log in and see all registered credit cards (last 4 digits)
5. Call Apple, say you lost the password, and get a temporary one
   (needed: name, billing address, last 4 digits of a credit card)
6. Reset the Google password - the new one is sent to the Apple e-mail
   (the Apple e-mail was registered as an alternate e-mail)
7. Reset the Twitter password - the new one is sent to the Google e-mail
   (the Google e-mail was linked to the Twitter account)
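The chain on this slide is really a dependency graph: each account's recovery path hands control to the next one. The following Python is an added example (not the speaker's code) that turns that observation into a defender's audit: it models the links as a directed graph, computes how many accounts fall with each one, and shows where adding a second factor cuts the cascade. The graph and the assumption that 2-step verification blocks an e-mail-only reset are both constructed for the example.

```python
from collections import deque

# Constructed model of the account links described on this slide: an edge
# A -> B means "someone who controls A can get B's password reset", either
# because B's reset e-mail lands in A or because A reveals what B's support
# desk asks for.
RECOVERY_EDGES = {
    "amazon": ["apple"],    # Amazon shows the last 4 card digits Apple asks for
    "apple": ["google"],    # the Apple e-mail was Google's alternate address
    "google": ["twitter"],  # the Google e-mail was linked to the Twitter account
    "twitter": [],
}


def blast_radius(edges, start, two_step=frozenset()):
    """Return the set of accounts that fall once `start` is compromised.

    `two_step` holds accounts assumed to require a second factor; the model
    treats a reset into such an account as blocked, so the cascade stops there.
    """
    fallen = set()
    queue = deque([start])
    while queue:
        account = queue.popleft()
        if account in fallen:
            continue
        fallen.add(account)
        for nxt in edges.get(account, []):
            if nxt not in two_step:
                queue.append(nxt)
    fallen.discard(start)
    return fallen


def weakest_link(edges, two_step=frozenset()):
    """The account whose compromise cascades into the most other accounts
    (ties broken alphabetically so the answer is deterministic)."""
    return min(edges, key=lambda a: (-len(blast_radius(edges, a, two_step)), a))


def mutual_dependencies(edges):
    """Pairs of accounts that can each reset the other: losing either loses both."""
    pairs = set()
    for a in edges:
        for b in blast_radius(edges, a):
            if a in blast_radius(edges, b):
                pairs.add(frozenset((a, b)))
    return pairs


def two_step_gain(edges, account):
    """Number of cascaded account losses (summed over every starting point)
    that disappear if `account` is protected by 2-step verification."""
    before = sum(len(blast_radius(edges, a)) for a in edges)
    after = sum(len(blast_radius(edges, a, frozenset({account}))) for a in edges)
    return before - after


if __name__ == "__main__":
    for acct in RECOVERY_EDGES:
        print(f"{acct:8s} compromised -> also lose {sorted(blast_radius(RECOVERY_EDGES, acct))}")
    print("weakest link:", weakest_link(RECOVERY_EDGES))
    for acct in RECOVERY_EDGES:
        print(f"2-step on {acct:8s} removes {two_step_gain(RECOVERY_EDGES, acct)} cascaded losses")
```

Run against this model, the entry point with the weakest identity check (Amazon) has the largest blast radius, but the single most valuable place to add a second factor is the Google e-mail account, because it sits in the middle of the chain; that is the same point the later "e-mail account before e-bank account?" slide makes.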
Speaker notes: Interlinked accounts, digital life important, very weak identity check procedures.

Slide 5 - A cloud hack: Multiple security flaws and issues
- Interconnected accounts
  Which one of your accounts is the weakest link?
- Our full dependence on digital: digital information, devices, cloud services etc.
- Very weak identity check procedures, and often not even followed correctly
  - some procedures have changed as an outcome of this case
  - enable 2-step authentication (Google, LinkedIn, Apple, ...)
  - security questions with answers often trivial to find
    (remember Sarah Palin's Yahoo account hack in 2008?)

Speaker notes: http://www.networkworld.com/news/2012/080812-apple-stops-password-resets-after-261496.html
Slide 6 - (cartoon) From http://www.bizarrocomics.com

Speaker notes: "Children warned name of first pet should contain 8 characters and a digit"
Popular pet names Rover, Cheryl and Kate could be a thing of the past. Banks are now advising parents to think carefully before naming their child's first pet. For security reasons, the chosen name should have at least eight characters, a capital letter and a digit. It should not be the same as the name of any previous pet, and must never be written down, especially on a collar as that is the first place anyone would look. Ideally, children should consider changing the name of their pet every 12 weeks.
http://www.newsbiscuit.com/2012/06/08/children-warned-name-of-first-pet-should-contain-8-characters-and-a-digit/
Slide 7 - E-mail account before e-bank account?
From http://elie.im/blog/security/45-of-the-users-found-their-email-accounts-more-valuable-than-their-bank-accounts

Speaker notes: BTW, why do people reply this way? Because they realise how important their e-mail account is, and how many other services/accounts depend on its security? Or rather because they believe banks will help them with any e-banking issue (and they are often right), while they are on their own with any e-mail account issues?
See also: http://www.schneier.com/blog/archives/2012/06/e-mail_accounts.html

Slide 8 - Passwords lost, or easy to guess
Top 10 words used in passwords: password, welcome, qwerty, monkey, jesus, love, money, freedom, ninja, writer
From http://www.zdnet.com/the-top-10-passwords-from-the-yahoo-hack-is-yours-one-of-them-7000000815/

Speaker notes:
http://ieeelog.com/
http://www.zdnet.com/450000-user-passwords-leaked-in-yahoo-breach-7000000772
http://www.schneier.com/blog/archives/2012/10/keccak_is_sha-3.html
http://codahale.com/how-to-safely-store-a-password/
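Two lessons sit on this slide: users pick guessable passwords, and the leaked Yahoo list was readable at all because the passwords were not stored as slow, salted hashes (the codahale article linked in the notes argues for bcrypt). The following Python is an added example, not the speaker's code: it rejects the top-10 words even when dressed up with digits or symbols, and stores passwords with PBKDF2-HMAC-SHA256, the slow hash available in the standard library, used here as a stand-in for bcrypt. The iteration count is an assumption; pick one that makes a single check cost a noticeable fraction of a second on your hardware and raise it over time.

```python
import hashlib
import hmac
import os
import re

# The ten words from the Yahoo dump shown on the slide.
TOP10_WORDS = {"password", "welcome", "qwerty", "monkey", "jesus",
               "love", "money", "freedom", "ninja", "writer"}

# Assumption: work factor for PBKDF2-HMAC-SHA256; tune it so one hash takes
# a few hundred milliseconds, and raise it as hardware gets faster.
ITERATIONS = 200_000


def is_weak(password: str) -> bool:
    """True for passwords that are too short or are a top-10 word with
    digits/symbols bolted on (e.g. 'monkey1!' or 'Password123')."""
    if len(password) < 8:
        return True
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    return letters_only in TOP10_WORDS


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. The stored string names the algorithm, iteration
    count and salt, so the work factor can be raised later without
    invalidating existing records."""
    if salt is None:
        salt = os.urandom(16)           # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was hashed with a lower work factor than the current
    policy; rehash it at the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    for candidate in ["password", "Monkey123!", "ninja", "correct horse battery staple"]:
        print(f"{candidate!r:34} weak={is_weak(candidate)}")
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify right password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:", verify_password("password", record))
```

With a dump of such records an attacker gets no plaintext, and each guess costs a full slow hash per user, which is exactly the property the leaked Yahoo database lacked.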
Slide 9 - Outline
- Where we are?
- Who are they?
- What is ahead?

Speaker notes: What next? / What to expect? / Where will this take us?
Slide 10 - Vulnerabilities

Slide 11 - Trying to sell a Yahoo XSS for $700
http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/

Speaker notes: "The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users."

Slide 12 - Selling a Command Execution vulnerability in MS Office for $20k
http://www.youtube.com/watch?v=pKhulHEFrR0

Slide 13 - Vulnerability market shift
- Finding vulnerabilities: difficult, time consuming
- Selling to vendors, or publishing (mid 2000s)
  - limited money: thousands to tens of thousands of dollars, e.g. Mozilla up to $3000, Google up to $3133.7
  - vulnerabilities eventually patched (good!)
- Selling to the underground (late 2000s)
  - busy and active black market
  - more profitable: tens to hundreds of thousands of USD
  - sometimes the buyers are governments or their contractors
  - used in 0-day exploits (no patch)

Speaker notes: Researchers don't commit crime; attackers don't need skills, just money.
http://googleonlinesecurity.blogspot.ch/2010/11/rewarding-web-application-security.html
http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html
https://www.facebook.com/security/posts/238039389561434
https://www.mozilla.org/security/bug-bounty.html
Another threat: a programmer in a software company now has an incentive to plant or leave a security bug, and sell it later.
See also:
https://www.owasp.org/images/b/b7/OWASP_BeNeLux_Day_2011_-_T._Zoller_-_Rise_of_the_Vulnerability_Market.pdf
http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security/
Slide 14 - Botnets (networks of infected machines)
From http://www.f-secure.com/weblog/archives/00002430.html

Speaker notes: A US court allowed Microsoft to take control of 3322.org, which hosted 70k subdomains used for hosting malware (found out because some computers were sold with pre-installed Windows infected with the Nitol malware); within hours, 35M (!) unique IPs contacted these subdomains.
http://krebsonsecurity.com/2012/09/malware-dragnet-snags-millions-of-infected-pcs/
BTW, some researchers and law enforcement agencies were not happy about MS taking such unilateral actions.
Slide 15 - Outline
- Where we are?
- Who are they?
- What is ahead?

Speaker notes: What next? / What to expect? / Where will this take us?

Slide 16 - Who are they?
- criminals (motivation: profit)
- hacktivists (motivation: ideology, revenge)
- governments (motivation: control, politics)

Slide 17 - Criminals
Usual stuff:
- Identity theft
- Credit-card frauds
- Malware targeting e-banking, e.g. Zeus, Gozi etc.
- Scareware, e.g. fake AV, fake police warnings
- Ransomware: taking your data hostage (soon: accounts?)
- Mobile malware, e.g. sending premium rate SMSes
- Denial of Service (DoS)
- Spam
- etc.
Speaker notes: Zeus + P2P -> GameOver infections -> banks
http://www.f-secure.com/weblog/archives/00002424.html
http://www.f-secure.com/weblog/archives/00002421.html

Slide 18 - 2-in-1: Scare and demand ransom
From http://www.zdnet.com/sopa-reincarnates-to-hold-your-computer-hostage-7000005684

Speaker notes: SOPA is dead but still used by criminals to scare people.
Slide 18 (continued) - It pays off
From symantec.com
http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/

Slide 19 - Cyber criminals
Thai police have arrested Algerian national Hamza Bendelladj, wanted by the FBI for allegedly operating the Zeus botnet (e-banking malware)
From http://www.bangkokpost.com

Speaker notes: http://www.bangkokpost.com/news/security/329622/police-nab-suspect-wanted-for-hacking
"Mr Bendelladj, who graduated in computer sciences in Algeria in 2008, has allegedly hacked private accounts in 217 banks and financial companies worldwide, amassing 'huge amounts' in illicit earnings. With just one transaction he could earn 10 to 20 million dollars. He's been travelling the world flying first class and living a life of luxury."

Slide 20 - Gangsters
From krebsonsecurity.com
A hacker nicknamed vorVzakone, allegedly related to the Gozi malware
http://krebsonsecurity.com/2012/10/project-blitzkrieg-promises-more-aggressive-cyberheists-against-u-s-banks/

Slide 21 - ... employing mules
"Become a foreign agent in the US" advertisement
From krebsonsecurity.com
http://krebsonsecurity.com/2012/11/online-service-offers-bank-robbers-for-hire/

Slide 22 - Hacktivists
Attacking to protest, to pass the message etc.
Slide 23 - Anonymous, LulzSec, many groups, varying agendas, from ideologists to criminals

Speaker notes: http://www.bbc.co.uk/programmes/b01p0h5v

Slide 24 - Do you know this guy?
Slide 25 - Aaron Swartz
A software developer, an open-access activist
- 2001 (aged just 14!): helped develop RSS
- 2002: working with Tim Berners-Lee on the semantic web
- 2008: released 20% of the Public Access to Court Electronic Records (PACER) database of the United States federal courts
- 2011: arrested for retrieving scientific articles from JSTOR; believed in open access to the results of publicly-funded research; risked a sentence of 35 years in prison / a $1m fine
- 2012: campaigned against SOPA
- 2013: committed suicide (because of the ongoing criminal investigation?)

Speaker notes:
http://en.wikipedia.org/wiki/Aaron_Swartz
http://www.economist.com/blogs/babbage/2013/01/remembering-aaron-swartz?fsrc=scn/tw_ec/commons_man

Slide 26 - Google a freedom activist?
https://www.google.com/takeaction/
Slide 27 - The same Google that outraged privacy defenders with its new Privacy Policy... but governments?
Slide 28 - Spying on (some) citizens
- Network encryption? Infect computers or go after services
- Syrian activists' PCs infected with Trojans/backdoors
- Tibetan rights activists often targeted
- Israel demands e-mail passwords at borders
- German police infects criminals' PCs with Trojans/backdoors
  - buying surveillance code and services for 2M EURO (!) or developing in-house
  - unfortunately, full of security holes
From http://www.f-secure.com/weblog/archives/00002423.html

Speaker notes:
Israel Demanding Passwords at the Border
http://www.theaustralian.com.au/australian-it/israel-steps-up-email-border-checks/story-e6frgakx-1226385584079
"Israel airport security demands access to tourists' private email accounts. Several U.S. tourists report being asked by airport security personnel for access to their personal email accounts; Israel's Shin Bet security service says it acted within the law. Israel's Shin Bet security service has been demanding access to personal email accounts of visiting tourists with Arab names, according to the testimony of three U.S. citizens who were interrogated at Ben Gurion Airport and subsequently refused entry into Israel in May."
http://www.haaretz.com/news/diplomacy-defense/israel-airport-security-demands-access-to-tourists-private-email-accounts.premium-1.434509
Germany infects criminal investigation suspects' computers with Trojans/backdoors
http://www.f-secure.com/weblog/archives/00002250.html
Syria
http://www.f-secure.com/weblog/archives/00002356.html
Governments can't wiretap connections because of encryption, so they either infect computers or go after your data in the cloud:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2038871

Slide 29 - PRISM mass online surveillance program
Slide 30 - Privacy vs. control
"If you are doing nothing wrong, then you shouldn't worry if we watch you."
"If I am doing nothing wrong, then you shouldn't be watching me!"
Cryptography/encryption (HTTPS) is still a good defense

Slide 31 - Agencies & contractors turning offensive
From F-Secure
Speaker notes: https://twitter.com/mikko/status/203414733804670976

Slide 32 - Agencies & contractors turning offensive
Northrop Grumman looks for a "Cyber Software Engineer" for an "Offensive Cyberspace Operation mission"
From http://www.f-secure.com/weblog/archives/00002372.html

Speaker notes: https://twitter.com/mikko/status/203414733804670976
Slide 33 - Stuxnet
(the worm that targeted Iranian uranium-enriching centrifuges, discovered 2010)
- Estimated development effort: 10 man-years
- Result: sabotage - 30,000 Iranian computers infected, some HW damage, nuclear program set back by ~2 years
- Cui bono? (New York Times, June 2012: a joint US-Israel operation "Olympic Games", started by Bush and accelerated by Obama)

Speaker notes:
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
http://www.f-secure.com/weblog/archives/00002401.html
Slide 34 - Outline
- Where we are?
- Who are they?
- What is ahead?

Speaker notes: What next? / What to expect? / Where will this take us?

Slide 35 - Does Stuxnet make us all more vulnerable?

Speaker notes: http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12
Was the world a safer place since WWII because of nuclear arms??
Slide 36 - Thank you

Speaker notes: http://www.zdnet.com/10-security-stories-that-shaped-2012-7000008576/