Confidentiality, Integrity, Awareness What Does It Mean To You

Upload: thomasina-small

Post on 31-Dec-2015


TRANSCRIPT

Confidentiality, Integrity, Awareness

What Does It Mean To You

Why Learn About Security?

Good security standards follow the “90/10” rule:

• 10% of all security safeguards are technical.
• 90% of all security safeguards rely on YOU to follow safe practices.

Having a lock on the door is 10% of security. Remembering to lock the door, and making sure it is closed, is 90%.

10% Security Is Worthless Without YOU

Protect Your Data

1. Use Strong Passwords
2. Pay Attention To Security
3. Use eMail Safely
4. Use The Internet Responsibly

When is a Password Secure?

The measure of security must then be "how many password requests can the automated program make per second". The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second.

This means it takes the following time to hack a simple password like "sun":

• Brute-force: 3 minutes
• Common Word: 3 minutes
• Dictionary: 1 hour 20 minutes

Note: "sun" has 17,576 possible character combinations (3 letters from the lowercase alphabet = 26^3).

Passwords

"sun" is, of course, a highly insecure password, but how much time is enough for a password to be secure?

• 1 minute - a password that can be hacked in 1 minute is far too risky.
• 10 minutes - still far too risky.
• 1 hour - still not good enough.
• 1 day - now we are getting somewhere. The probability that a person will have a program running just to hack your account for an entire day is very small.
• 1 month - this is something that only a dedicated attacker would do.
• 1 year - now we are moving from practical risk to theoretical risk. If you are NASA or the CIA then it is unacceptable. For the rest of us, well - you do not have that kind of enemies, nor is your company data that interesting.
• 10 years - now we are talking purely theoretical.
• A lifetime (100 years) - this is really the limit for most people. Who cares about their password being hacked after they have died? Still, it is nice to know that you use a password that is "secure for life".

Password Considerations

• Note: The examples are based on 100 password requests per second. The result is the approach that is the most effective way to hack that specific password - either by the use of brute force, common words or dictionary attacks.

• Most “modern” computers, if they have the password file locally, can test as many as 125,000 passwords per second, based on using high speed (solid state) drives, multiple core processors and a reasonable amount (16GB) of memory.
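The following script is an added illustration, not code from the original slides: it turns the numbers the slides give (26 lowercase letters, 3 characters, 100 sign-in requests per second online versus 125,000 guesses per second against a locally held password file) into a calculation, and extends it to longer passwords and larger character sets so the "minutes to lifetime" scale above can be read off directly. The 30-day month, 365-day year and the three character-set sizes are assumptions made for the example.

```python
"""Time-to-crack estimates behind the "sun" example (added illustration).

Not code from the original slides. It assumes the rates the slides state:
100 sign-in requests per second online and 125,000 guesses per second when
the attacker holds the password file locally. Exhausting every combination
is the worst case for the attacker; on average a guess lands after half
the keyspace, so the real figures are about half of these.
"""

ONLINE_RATE = 100          # sign-in requests per second a web app tolerates (slides)
OFFLINE_RATE = 125_000     # guesses per second against a local password file (slides)

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 3_600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY   # assumption: 365-day year

# Character-set sizes used for the comparison table (assumed for the example).
CHARSETS = {
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": 95,
}


def combinations(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols ("sun": 26**3)."""
    return charset_size ** length


def brute_force_seconds(charset_size: int, length: int, rate: float) -> float:
    """Worst-case seconds to try every combination at `rate` guesses per second."""
    return combinations(charset_size, length) / rate


def risk_bucket(seconds: float) -> str:
    """Map a duration onto the slides' scale, from 'far too risky' to 'secure for life'."""
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds / SECONDS_PER_MINUTE:.0f} minutes (far too risky)"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours (still not good enough)"
    if seconds < 30 * SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_DAY:.1f} days (getting somewhere)"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / (30 * SECONDS_PER_DAY):.1f} months (dedicated attacker only)"
    if seconds < 100 * SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.0f} years (theoretical risk)"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years (secure for life)"


def comparison_table(length: int) -> list:
    """One row per charset: (name, keyspace, online bucket, offline bucket)."""
    rows = []
    for name, size in CHARSETS.items():
        rows.append((
            name,
            combinations(size, length),
            risk_bucket(brute_force_seconds(size, length, ONLINE_RATE)),
            risk_bucket(brute_force_seconds(size, length, OFFLINE_RATE)),
        ))
    return rows


if __name__ == "__main__":
    print('"sun" online :', risk_bucket(brute_force_seconds(26, 3, ONLINE_RATE)))
    print('"sun" offline:', risk_bucket(brute_force_seconds(26, 3, OFFLINE_RATE)))
    for length in (3, 8, 12):
        print(f"\n{length}-character passwords")
        for name, space, online, offline in comparison_table(length):
            print(f"  {name:<20} {space:>28,}  online: {online:<40} offline: {offline}")
```

Running it reproduces the "3 minutes" figure for "sun" at 100 requests per second and shows why the offline rate matters: an 8-character password drawn from letters and digits sits in the "theoretical risk" bucket online, but drops to a few decades once the attacker has the password file, which is the point of the second bullet above.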

Security

The Internet allows an attacker to reach you from anywhere in the world.

Not being secure leads to risks such as identity theft, monetary loss, legal ramifications, and potentially loss of employment.

Use eMail Safely

• Never open suspicious or unsolicited attachments.
• Avoid responding to SPAM.
• Never provide credit card numbers, passwords or personal information by eMail.
• Make sure you have good anti-virus software.

Use The Internet Responsibly

• Don’t post sensitive information on message boards, chat rooms, or other insecure areas of the Internet.
• Don’t visit inappropriate Internet sites.
• Be aware of what you are clicking.
• Always use anti-virus software.
• Make sure to apply system patches when available.

Social Engineering

What Is Social Engineering?

Social Engineering

Because there is no “patch” for human stupidity.

“You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” -Kevin Mitnick

What is Social Engineering

• Uses psychological methods
• Exploits the human tendency to trust
• Goals are the same as hacking

Social Engineering Approaches

• Carelessness
• Comfort Zone
• Helpfulness
• Fear

Careless Approach

Victim is careless: does not implement, use, or enforce proper countermeasures.

Used for reconnaissance: looking for what is lying around.

• Dumpster Diving/Trashing
• Building/Password Theft
• Shoulder Surfing
• Password Harvesting
• Impersonation
• Direct Theft
• Smoking Zone

Dumpster Diving/Trashing

• Huge amount of information in the trash
• Most of it does not seem to be a threat
• The who, what and where of an organization
• Knowledge of internal systems
• Materials for greater authenticity
• Intelligence agencies have done this for years

Building/Password Theft

• Requires physical access
• Looking for passwords or other information left out in the open
• Little more information than dumpster diving

Password Harvesting

• Internet or mail-in sweepstakes
• Based on the belief that people don’t change their password across different accounts. Sadly, this is, for the most part, true.

Impersonation

Could be anyone: Tech Support, Co-Worker, Boss, CEO, User, Maintenance Staff, Delivery Driver.

Generally two goals: asking for a password, or building access (Careless Approach).

Other Methods

• Shoulder Surfing
• Direct Theft: outside the workplace, a wallet, ID badge, or purse is stolen.
• Smoking Zone: the attacker sits out in the smoking area and piggybacks into the office when users go back to work.

Helpful Approach

People generally try to help even if they do not know who they are helping

Usually involves being in a position of obvious need

Attacker generally does not even ask for the help they receive

• Piggybacking/Tailgating
• Troubled user

Piggybacking

Attacker will trail an employee entering the building

More effective:

• Carry something large so they hold the door open for you
• Go in when a large group of employees are going in
• Crutches
• Pretend to be unable to find the door key

Troubled user

Calling organization numbers asking for help: “I’m new in IT and the boss is going to kill me. I don’t need your password, but can you provide your username/log in name so I can verify you have the right IP?”

Getting a username and asking to have a password reset: calls up IT and says, “I am kind of new and did something really stupid, I lost my password. Can you reset it for me, my username is xxxx.”

Fear Approach

• Usually draws from the other approaches
• Puts the user in a state of fear and anxiety
• Very aggressive

Conformity, Importance, Time Frame

Conformity

The user is the only one who has not helped out the attacker with this request in the past.

“I talked to Jan last week and she had no problem providing the information, why do you have to be so difficult?”

• Personal responsibility is diffused
• The user gets a justification for granting the attacker’s request

Importance

Classic boss or director needs routine password reset

So would *you* like to explain to the vice president why *you* don’t think it would be a good idea to reset his password? I am absolutely sure he would be *thrilled* to hear just how important your job is.

Showing up from a utility after a natural occurrence (thunderstorm, tornado, etc.)

A semi-official looking “uniform” right after a small scale disaster can get you admittance anywhere. Check the back of the building for the phone carrier.

Hi, I am from Verizon, we are still having some line difficulties after the hurricane and think we have traced the issue to a loop in your circuit. I need access to your telecom rack.

Time Frame

• Fictitious deadline
• Impersonates payroll bookkeeper, proposal coordinator: “Look, I have 15 minutes to get this taken care of or there will be no paychecks this week.”
• Asks for password change

Advanced Attacks

Offering a Service
• Attacker contacts the user
• Uses viruses, worms, or Trojans
• User could be approached at home or at work
• Once infected, attacker collects needed information

Reverse Social Engineering
• Attacker puts themselves in a position of authority
• Users ask attacker for help and information
• Attacker takes information and asks for what they need while fixing the problem for the user

What Does It Mean To You?

Internet Security

Hackers want to…

1. Use you to spread their worms and viruses.
2. Install spyware programs on your computer so they can monitor everything you do on the Internet.
3. Alter your browser, forcing it to visit websites you don't want to visit.
4. Get your personal information so they can steal your money and identity.

Goal 1 is usually about “FUN”. Goals 2, 3 and 4 are usually about MONEY!

How You Get Hacked:

• Via email attachments: Trojan/viruses, Trojan/worms
• Via malicious websites: spyware, browser hijacking
• Via email: phishing, pharming

Greeks bearing gifts…

TROJAN HORSES Gifts you want that contain things you don’t want…

A Trojan horse is a normal application, such as a game or self-displaying photo, that contains a hidden program – often a virus - that executes when the Trojan is executed.

Trojan horses are usually email attachments

VIRUSES

• A program that attaches itself to another program so that it can reproduce without the victim’s knowledge
• Much like the common cold, it wants to spread – often using the victim’s email address book as a source for new victims to whom it sends itself
• Viruses generally spread via email-attached Trojans or embedded in illicitly downloaded software

eMail Viruses

Open the attachment, enjoy your infection.

Antivirus 2010, 2011

Antivirus 2010 properties:
• Changes browser settings
• Shows commercial adverts
• Connects itself to the Internet
• Stays resident in background

It is distributed through online advertisements that are disguised as anti-virus scanners. If the user clicks on such a banner, he or she receives false reports about infections detected. Antivirus 2010 tries to intimidate people by reporting nonexistent threats in order to get them interested in downloading this application.

The Internet Is Not A Virus Scanner

Tried to go to a Website and got redirected and warned that you had a virus?

More than likely the legitimate site you were going to was involved in DNS hijacking.

DNS hijacking, also known as DNS poisoning, simply changes the numeric address that a name resolves to, so that the name points at a new address.

WORMS

• A specially written program that replicates itself
• Unlike a virus, it does not attach itself to other programs
• Worms, in general, are resource hogs; some have bogged down major portions of the Internet
• Worms generally spread via server vulnerabilities (e.g. buffer overflows) – not via email-attached Trojans

The Blaster Worm infected multiple systems in the mid 2000s, causing an overflow within Windows NT 5.x based systems (XP, 2003). It had no other use than to replicate and halt productivity.

Conficker

Little is known about the use of Conficker other than that it easily replicates to insecure machines and has multiple open ports.

It is assumed the usage is as a Zombie to be used in large scale DDoS attacks.

Viruses vs. Worms

In the final analysis, most people who are affected by a virus or worm could not care less about the distinctions between them.

Most viruses and worms are launched into the Internet by attackers who have no particular target in mind

They just want to see what will happen – or they seek notoriety among their “colleagues”

Spyware

Spyware: Any software that covertly gathers user information.
• Monitors the victim’s Internet activity and transmits that information via the Internet to the hacker, who sells it
• Often bundled as a hidden component of “free” programs that are downloaded from the Internet

Symptoms:
• SLOW Web browsing
• PCs are often infested with 50 - 1000 spyware programs
• The more you surf, the more infested you become
• Real time protection is free and readily available

Spyware

RealPlayer tracks and “phones home” your listening habits

Kazaa - You are trusting infected users to share their music and files with you – enough said.

Comet Systems has over 160,000 customers to whom it sells the data collected by its spyware

Wild (Tangent) Games are “free” but you agree to a lot when you accept them!

Browser Hijacking

Symptoms:
• Your browser’s default start page is changed
• Porn and gambling links are added to your favorites list
• Porn sites pop up on your screen

Goal: To force your browser – and entice you - to visit websites whose owners pay the hacker for sending people to their sites

Spyware, browser hijacking, and phishing are all about MONEY!

Browser Hijacking

The malicious website makes changes to your computer via known vulnerabilities, for which patches exist

• Sometimes, the changes are easily reversed
• More often, a “cleaner” tool is needed to fix things
• It’s often necessary to manually edit the Windows registry
• Often, the hijacking software redoes the hacked settings every time you reboot the computer

Phishing

Phishing: The act of sending an email that falsely claims to be from a bank or other E-commerce enterprise

The e-mail: Directs the user to visit a cloned website where they are asked to “update” personal information.

Goal: To trick the recipient into surrendering private information that will be used for identity theft.

Usernames/passwords; credit card, social security, and bank account numbers

Perpetrators: Increasingly used by organized crime syndicates, many based in central and eastern Europe. Those who have been arrested were young, American males.

A bad day phishin’, beats a good day workin’

• 2,000,000 emails are sent
• 5% get to the end user – 100,000 (Anti-Phishing Working Group)
• 5% click on the phishing link – 5,000 (APWG)
• 2% enter data into the phishing site – 100 (FTC)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000

In 2005 David Levi made over $360,000 from 160 people using an eBay Phishing scam

Phishing

From can easily be spoofed

Not a match

Images from Anti-Phishing Working Group’s Phishing Archive

Typical Phishing Site

Not https – not secure

An IP address, not a resolved name

Images from Anti-Phishing Working Group’s Phishing Archive

Typical Phishing Site

Images from Anti-Phishing Working Group’s Phishing Archive

Fake Site

Not https: no security lock

Images from Anti-Phishing Working Group’s Phishing Archive

Real Site

Images from Anti-Phishing Working Group’s Phishing Archive

Corporate Phishing/Spear Phishing

Spear-Phishing: Improved Target Selection

• Socially aware attacks
  Mine social relationships from public data
  Phishing email appears to arrive from someone known to the victim
  Use spoofed identity of a trusted organization to gain trust
  Urge victims to update or validate their account
  Threaten to terminate the account if the victim does not reply
  Use a gift or bonus as bait
  Security promises

• Context-aware attacks
  “Your bid on eBay has won!”
  “The books on your Amazon wish list are on sale!”

Another Example

Images from Anti-Phishing Working Group’s Phishing Archive

But Wait!!

WHOIS 210.104.211.21:

Location: Korea, Republic Of

Even bigger problem:

I don’t have an account with US Bank!

Images from Anti-Phishing Working Group’s Phishing Archive

Pharming

How To Tell If An E-mail Message is Fraudulent

Here are a few phrases to look for if you think an e-mail message is a phishing scam.

• "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.

• "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.

• "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

• "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.
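The script below is an added example, not code from the original slides. It turns the warning signs from the "Typical Phishing Site" slides (not https, an IP address instead of a resolved name) and from the phrase list just above (bulk greetings, urgency, "masked" links whose visible text names one site while the link goes elsewhere) into checks you can run over an HTML e-mail body. The sample message, the example-bank.com name and the 192.0.2.10 address (a documentation-only range) are constructed for the example; the two-label "same site" comparison is a deliberate simplification that does not use a public-suffix list.

```python
"""Heuristic checks for the phishing signs listed on the slides (added example).

Not code from the original slides. It flags: links that are not https, hosts
that are bare IP addresses rather than names, "masked" links whose visible
text names a different site than the href, and the bulk-mail / urgency
phrases. The sample message below is constructed for this example.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Phrases the slides single out; matched case-insensitively against the body.
SUSPICIOUS_PHRASES = (
    "verify your account",
    "update your credit card",
    "your account will be closed",
    "dear valued customer",
    "click the link below",
)

# Does the visible link text look like a URL or domain? Used to spot masked links.
LOOKS_LIKE_DOMAIN = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_host(host: str) -> bool:
    """True when the host part is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(text: str) -> str:
    """Hostname from a URL or bare domain as written in link text."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def same_site(host_a: str, host_b: str) -> bool:
    """Crude comparison on the last two labels (assumption: no public-suffix
    list), so www.example-bank.com and login.example-bank.com count as one site."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def check_email(html_body: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"not https: {href}")
        if is_ip_host(host):
            findings.append(f"IP address instead of a resolved name: {href}")
        if LOOKS_LIKE_DOMAIN.match(text) and not same_site(host_of(text), host):
            findings.append(f"masked link: text shows {text!r} but href goes to {host}")
    lowered = html_body.lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in lowered:
            findings.append(f"suspicious phrase: {phrase!r}")
    return findings


# Constructed sample message, modelled on the slides' bank-account example.
SAMPLE_EMAIL = """
<p>Dear Valued Customer,</p>
<p>Please <a href="http://192.0.2.10/login">verify your account</a> within
48 hours or your account will be closed.</p>
<p>Sign in at <a href="http://192.0.2.10/login">www.example-bank.com</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("-", finding)
```

On the constructed sample the checker reports eight findings: both links fail the https and "resolved name" tests, the second link is masked (its text names a bank but its href is a bare IP), and three of the slide's phrases appear in the body. A message that links to an https URL whose visible text matches its host, with none of the phrases, produces no findings; the check is a screening aid, not proof that a message is genuine, since a phishing site can also use https and a registered name.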