Computer security, Internet privacy: What should we worry about?
Sebastian Lopienski, CERN Deputy Computer Security Officer
Polish Teachers Programme, October 2014


Slide 1: Computer security, Internet privacy: What should we worry about?
Sebastian Lopienski, CERN Deputy Computer Security Officer
Polish Teachers Programme, October 2014

Slide 2: Disclaimer
What follows are my opinions and not necessarily those of CERN.

Slide 3: A cloud hack
Digital life of a Wired journalist destroyed in one hour:
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking
- Amazon, Apple, Google, Twitter accounts compromised
- all Apple devices wiped out remotely
Notes: Also:
http://www.schneier.com/blog/archives/2012/08/yet_another_ris.html
http://youtu.be/603bceogqfA

Slide 4: A cloud hack
How??
- call Amazon and add a new credit card (needed: name, billing address, e-mail address)
- call again, say you lost the password, and add a new e-mail (needed: name, billing address, current credit card)
- reset the password; the new one is sent to this new e-mail address
- log in and see all registered credit cards (last 4 digits)
- call Apple, say you lost the password, and get a temporary one (needed: name, billing address, last 4 digits of a credit card)
- reset the Google password; the new one is sent to the Apple e-mail (the Apple e-mail was registered as an alternate e-mail)
- reset the Twitter password; the new one is sent to the Google e-mail (the Google e-mail was linked to the Twitter account)
Notes: Interlinked accounts, digital life important, very weak identity check procedures.

Slide 5: A cloud hack
Multiple security flaws and issues:
- Interconnected accounts: which one of your accounts is the weakest link?
- Our full dependence on digital: digital information, devices, cloud services etc.
- Very weak identity check procedures, and often not even followed correctly
  - some procedures have changed as an outcome of this case
  - enable 2-step authentication (Google, LinkedIn, Apple, ...)
  - security questions with answers often trivial to find (remember Sarah Palin's Yahoo account hack in 2008?)
Notes: http://www.networkworld.com/news/2012/080812-apple-stops-password-resets-after-261496.html
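As an added example (not part of the talk), the account-recovery chain from the two slides above written as a dependency graph in Python: the service names are those on the slides, the reset prerequisites are a constructed model, and the code shows which account is the pivot of the chain and how 2-step authentication on it stops the propagation.

```python
"""Added example (not from the talk): the account-recovery chain from the
'cloud hack' slides as a dependency graph. Each account lists alternative
reset paths, each a set of prerequisites (other accounts or publicly
findable facts); whoever covers a whole path controls the account."""
from typing import Dict, FrozenSet, Iterable, List, Set

Recovery = Dict[str, List[Set[str]]]

# Constructed model of the chain described on the slides; "public:*" items
# are facts such as name and billing address that are easy to look up.
HONAN_CASE: Recovery = {
    "amazon": [{"public:name", "public:billing_address"}],
    # Apple's phone reset asked for the last 4 card digits, visible in Amazon.
    "apple": [{"public:name", "public:billing_address", "amazon"}],
    "google": [{"apple"}],    # Apple e-mail was Google's alternate address
    "twitter": [{"google"}],  # Twitter reset mail went to the Google address
}
PUBLIC: Set[str] = {"public:name", "public:billing_address"}


def reachable(recovery: Recovery, start: Iterable[str]) -> FrozenSet[str]:
    """Accounts controllable from `start`, by fixed-point iteration: an
    account falls as soon as one of its reset paths is fully covered."""
    controlled = set(start)
    changed = True
    while changed:
        changed = False
        for account, paths in recovery.items():
            if account not in controlled and any(p <= controlled for p in paths):
                controlled.add(account)
                changed = True
    return frozenset(a for a in controlled if a in recovery)


def blast_radius(recovery: Recovery) -> Dict[str, int]:
    """How many accounts fall if this one alone is breached; the largest
    value marks the pivot worth hardening first (Apple, in this model)."""
    return {a: len(reachable(recovery, {a})) for a in recovery}


def with_second_factor(recovery: Recovery, account: str) -> Recovery:
    """Model 2-step authentication on `account`: every reset path now also
    needs a factor that only the legitimate owner holds."""
    token = {f"factor:{account}"}
    return {a: [set(p) | (token if a == account else set()) for p in paths]
            for a, paths in recovery.items()}


if __name__ == "__main__":
    print(sorted(reachable(HONAN_CASE, PUBLIC)))  # all four accounts fall
    print(blast_radius(HONAN_CASE))
    print(sorted(reachable(with_second_factor(HONAN_CASE, "apple"), PUBLIC)))
```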

Slide 6: (cartoon)
From http://www.bizarrocomics.com
Notes: "Children warned name of first pet should contain 8 characters and a digit"
"Popular pet names Rover, Cheryl and Kate could be a thing of the past. Banks are now advising parents to think carefully before naming their child's first pet. For security reasons, the chosen name should have at least eight characters, a capital letter and a digit. It should not be the same as the name of any previous pet, and must never be written down, especially on a collar as that is the first place anyone would look. Ideally, children should consider changing the name of their pet every 12 weeks."
http://www.newsbiscuit.com/2012/06/08/children-warned-name-of-first-pet-should-contain-8-characters-and-a-digit/

Slide 7: E-mail account before e-bank account?
From http://elie.im/blog/security/45-of-the-users-found-their-email-accounts-more-valuable-than-their-bank-accounts
Notes: BTW, why do people reply this way? Because they realise how important their e-mail account is, and how many other services/accounts depend on its security? Or rather because they believe banks will help them with any e-banking issue (and they are often right), while they are on their own with any e-mail account issues?
See also: http://www.schneier.com/blog/archives/2012/06/e-mail_accounts.html

Slide 8: Passwords lost, or easy to guess
Top 10 words used in passwords: password, welcome, qwerty, monkey, jesus, love, money, freedom, ninja, writer
From http://www.zdnet.com/the-top-10-passwords-from-the-yahoo-hack-is-yours-one-of-them-7000000815/
Notes:
http://ieeelog.com/
http://www.zdnet.com/450000-user-passwords-leaked-in-yahoo-breach-7000000772
http://www.schneier.com/blog/archives/2012/10/keccak_is_sha-3.html
http://codahale.com/how-to-safely-store-a-password/

Slide 9: Outline
- Where are we?
- Who are they?
- What is ahead? (What next? / What to expect? / Where will this take us?)

Slide 10: Vulnerabilities

Slide 11: Trying to sell a Yahoo XSS for $700
http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/
"The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users."

Slide 12: Selling a Command Execution vulnerability in MS Office for $20k
http://www.youtube.com/watch?v=pKhulHEFrR0

Slide 13: Vulnerability market shift
Finding vulnerabilities is difficult and time consuming.
- Selling to vendors, or publishing (mid 2000s)
  - limited money: 1s-10s of thousands of $, e.g. Mozilla up to $3000, Google up to $3133.7
  - vulnerabilities eventually patched (good!)
- Selling to the underground (late 2000s)
  - busy and active black market
  - more profitable: 10s-100s of thousands of USD
  - sometimes the buyers are governments or their contractors
  - used in 0-day exploits (no patch)
  - researchers don't commit crime; attackers don't need skills, just money
Notes:
http://googleonlinesecurity.blogspot.ch/2010/11/rewarding-web-application-security.html
http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html
https://www.facebook.com/security/posts/238039389561434
https://www.mozilla.org/security/bug-bounty.html
Another threat: a programmer in a software company now has an incentive to plant or leave a security bug, and sell it later.
See also:
https://www.owasp.org/images/b/b7/OWASP_BeNeLux_Day_2011_-_T._Zoller_-_Rise_of_the_Vulnerability_Market.pdf
http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security/

Slide 14: Botnets (networks of infected machines)
From http://www.f-secure.com/weblog/archives/00002430.html
Notes: A US court allowed Microsoft to take control over 3322.org, hosting 70k subdomains used for hosting malware (found out because some computers were sold with pre-installed Windows infected with the Nitol malware); within hours, 35M (!) unique IPs contacted these subdomains.
http://krebsonsecurity.com/2012/09/malware-dragnet-snags-millions-of-infected-pcs/
BTW, some researchers and law enforcement agencies were not happy about MS taking such unilateral actions.

Slide 15: Outline
- Where are we?
- Who are they?
- What is ahead? (What next? / What to expect? / Where will this take us?)

Slide 16: Who are they?
- criminals (motivation: profit)
- hacktivists (motivation: ideology, revenge)
- governments (motivation: control, politics)

Slide 17: Criminals
Usual stuff:
- Identity theft
- Credit-card frauds
- Malware targeting e-banking, e.g. Zeus, Gozi etc.
- Scareware, e.g. fake AV, fake police warnings
- Ransomware: taking your data hostage (soon: accounts?)
- Mobile malware, e.g. sending premium rate SMSes
- Denial of Service (DoS)
- Spam
- etc.
Notes: Zeus + P2P -> GameOver infections -> banks
http://www.f-secure.com/weblog/archives/00002424.html
http://www.f-secure.com/weblog/archives/00002421.html

Slide 18: 2-in-1: Scare and demand ransom
From http://www.zdnet.com/sopa-reincarnates-to-hold-your-computer-hostage-7000005684
SOPA is dead but still used by criminals to scare people.
It pays off. From symantec.com and
http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/

Slide 19: Cyber criminals
Thai police have arrested Algerian national Hamza Bendelladj, wanted by the FBI for allegedly operating the Zeus botnet (e-banking malware).
From http://www.bangkokpost.com
http://www.bangkokpost.com/news/security/329622/police-nab-suspect-wanted-for-hacking
"Mr Bendelladj, who graduated in computer sciences in Algeria in 2008, has allegedly hacked private accounts in 217 banks and financial companies worldwide, amassing 'huge amounts' in illicit earnings. With just one transaction he could earn 10 to 20 million dollars. He's been travelling the world flying first class and living a life of luxury."

Slide 20: Gangsters
From krebsonsecurity.com
A hacker nicknamed vorVzakone, allegedly related to the Gozi malware
http://krebsonsecurity.com/2012/10/project-blitzkrieg-promises-more-aggressive-cyberheists-against-u-s-banks/

Slide 21: ... employing mules
"Become a foreign agent in the US" advertisement
From krebsonsecurity.com
http://krebsonsecurity.com/2012/11/online-service-offers-bank-robbers-for-hire/

Slide 22: Hacktivists
Attacking to protest, to pass the message etc.

Slide 23: Anonymous, LulzSec, ...
Many groups, varying agendas, from ideologists to criminals
http://www.bbc.co.uk/programmes/b01p0h5v

Slide 24: Do you know this guy?

Slide 25: Aaron Swartz
A software developer, an open-access activist
- 2001 (aged just 14!): helped develop RSS
- 2002: working with Tim Berners-Lee on the semantic web
- 2008: released 20% of the Public Access to Court Electronic Records (PACER) database of United States federal courts
- 2011: arrested for retrieving scientific articles from JSTOR; believed in open access to the results of publicly-funded research; risked a sentence of 35 years in prison / a $1m fine
- 2012: campaigned against SOPA
- 2013: committed suicide (because of the ongoing criminal investigation?)
http://en.wikipedia.org/wiki/Aaron_Swartz
http://www.economist.com/blogs/babbage/2013/01/remembering-aaron-swartz?fsrc=scn/tw_ec/commons_man

Slide 26: Google a freedom activist?
https://www.google.com/takeaction/

Slide 27: The same Google that outraged privacy defenders with its new Privacy Policy
... but governments?

Slide 28: Spying on (some) citizens
- Network encryption? Infect computers or go after services
  - Syrian activists' PCs infected with Trojans/backdoors
  - Tibetan rights activists often targeted
- Israel demands e-mail passwords at borders
- German police infects criminals' PCs with Trojans/backdoors
  - buying surveillance code and services for 2M EURO (!) or developing in-house
  - unfortunately, full of security holes
Notes: From http://www.f-secure.com/weblog/archives/00002423.html
Israel Demanding Passwords at the Border:
http://www.theaustralian.com.au/australian-it/israel-steps-up-email-border-checks/story-e6frgakx-1226385584079
"Israel airport security demands access to tourists' private email accounts. Several U.S. tourists report being asked by airport security personnel for access to their personal email accounts; Israel's Shin Bet security service says it acted within the law. Israel's Shin Bet security service has been demanding access to personal email accounts of visiting tourists with Arab names, according to the testimony of three U.S. citizens who were interrogated at Ben Gurion Airport and subsequently refused entry into Israel in May."
http://www.haaretz.com/news/diplomacy-defense/israel-airport-security-demands-access-to-tourists-private-email-accounts.premium-1.434509
Germany infects criminal investigation suspects' computers with Trojans/backdoors:
http://www.f-secure.com/weblog/archives/00002250.html
Syria: http://www.f-secure.com/weblog/archives/00002356.html
Can't wiretap connections because of encryption, so either infects computers or goes after your data in the cloud:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2038871

Slide 29: PRISM mass online surveillance program

Slide 30: Privacy vs. control
"If you are doing nothing wrong, then you shouldn't worry if we watch you."
"If I am doing nothing wrong, then you shouldn't be watching me!"
Cryptography/encryption (HTTPS) is still a good defense.

Slide 31: Agencies & contractors turning offensive
From F-Secure
https://twitter.com/mikko/status/203414733804670976

Slide 32: Agencies & contractors turning offensive
Northrop Grumman looks for a "Cyber Software Engineer" for an "Offensive Cyberspace Operation mission"
From http://www.f-secure.com/weblog/archives/00002372.html

Slide 33: Stuxnet
(the worm that targeted Iranian uranium-enriching centrifuges, discovered 2010)
- Estimated development effort: 10 man-years
- Result: sabotage; 30,000 Iranian computers infected, some HW damage, nuclear program set back by ~2 years
- Cui bono? (New York Times, June 2012: a joint US-Israel operation, "Olympic Games", started by Bush and accelerated by Obama)
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
http://www.f-secure.com/weblog/archives/00002401.html

Slide 34: Outline
- Where are we?
- Who are they?
- What is ahead? (What next? / What to expect? / Where will this take us?)

Slide 35: Does Stuxnet make us all more vulnerable?
http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12
Was the world a safer place since WWII because of nuclear arms??

Slide 36: Thank you
http://www.zdnet.com/10-security-stories-that-shaped-2012-7000008576/