21 September 2009

Things that go bump in the net

Chris

Email: chris@securityg33k.com
Twitter: http://twitter.com/securityg33k
www: http://www.securityg33k.com/

Slightly more random tweets: http://twitter.com/TheSuggmeister


Who am I?

Chris


Why am I here?

Some numbers:

• 85 million records lost in 2008 [1]
• Viruses top 1 million (April 2008) [2]
• £328.4m UK phone, internet and mail order fraud (card-not-present fraud) in 2008 [3]
• £169.8m counterfeit (skimmed / cloned) fraud in 2008 [3]

And yet…

• The advice given to the average computer user remains roughly the same
– Install Anti-Virus (AV)
– Make sure your firewall is turned on & working
– Choose good passwords – and don’t write them down
– Regular software updates
• And it’s not working all that well

What are we going to talk about?

• Introduction
• Risks
• Things to watch out for
1. Viruses
2. 419 & other scams
3. Phishing & Vishing
4. Evil Twins
5. Facebook
6. Loss & Theft

Time Permitting

• Set up tips
– Passwords
– Installing / setting up your PC
– Setting up your router
– Setting up wireless
– Installing updates
– Testing it all works
– Keeping it secure-ish
– Email security
– A word on physical security at home

Otherwise it’s available online at http://www.securityg33k.com/

Introduction


Where do you fit in?

[Chart: behaviours plotted by online presence (Not Online to Online, least to most) and by trust (least to most). “I take steps to protect my privacy” is marked Best and “I have nothing to hide” is marked Worst; in between sit “Depends how you do it” and “Not as safe as you think”.]

Behaviours plotted on the chart:

• Online but not shopping / banking online
• Online shopping / banking at trusted sites
• Online shopping anywhere
• Facebook, myspace, bebo, Twitter with privacy controls
• Facebook, myspace, bebo, Twitter without privacy controls
• Limewire / BitTorrent
• Shopping with credit cards
• Loyalty cards
• Letting your cards go out of sight
• Blatant trust that your information will not be used against you at some point
• Removed from the electoral roll, use aliases, PO Box for all mail, no loyalty cards, use cash for everything

“Remember, best block no be there”

Mr. Miyagi (Pat Morita)

Karate Kid II


Not got anything to hide?

Do you really want anyone to know…

• How much you paid for your house
• Salary
• School grades
• Illnesses
• Points on your license
• Your family photos
• When you’re going to be away on holiday?
• Or when you’re down the pub

Risks


So you want to connect to the internet?

The Internet


Before you do…

[Diagram: Vulnerabilities, Threats, Value]

Where do viruses come from?


Speed


So what?


Most likely scenario

• Your PC will get clogged up.
• You’ll probably get a lot of pop-ups, some with porn.
• It’ll be quite a challenge to do anything worthwhile without getting redirected somewhere else.
• Anything you type might be being forwarded to the bad guys.
• Your PC will be completely unpredictable. Those family photos?

Worst case scenario

• Your bank account will be cleared out and it’ll take months to get it straightened out.


Who are these bad people & what do they want?

The bad guys & their motivations

[Chart: attacker types against motivations. Motivations: Curiosity, Personal Fame, Personal Gain, National Interest. Attacker skill: Script-Kiddy, Hobbyist Hacker, Expert, Specialist. Roles plotted: Vandal, Trespasser, Author, Thief, Spy.]

Published with kind permission from Dave Aucsmith, Sr. Director, Microsoft Institute for Advanced Technology in Governments

The bad guys & their motivations

[The same chart, annotated: tools created by experts are now used by less skilled attackers and criminals.]

Published with kind permission from Dave Aucsmith, Sr. Director, Microsoft Institute for Advanced Technology in Governments

The bad guys & their motivations

[The same chart, annotated with where the money is: largest area by volume, largest area by $ lost, largest segment by $ spent on defense, and the fastest growing segment = crime.]

Published with kind permission from Dave Aucsmith, Sr. Director, Microsoft Institute for Advanced Technology in Governments

Just how organized is organized crime?

Published with kind permission from Mikko Hypponen, Chief Research Officer, F-Secure Corporation

A Market

Published with kind permission from Mikko Hypponen, Chief Research Officer, F-Secure Corporation

Marketing

[Video]

Assuming you’ve followed the usual set up advice (see end of presentation)

Now things look a bit more like this…

[Diagram: Vulnerabilities, Threats, Value]

That’s it, right?


Wrong!

Things to watch out for…


1. Anti-Virus doesn’t stop everything


“Antivirus suites fail more often than not”

Average daily detection rate from 12/5/09 to 10/6/09:

F-Secure      28%
Kaspersky     18%
McAfee        44%
Sunbelt       26%
Sophos        38%
Trend Micro   34%
Symantec      35%
Dr.Web        36%
AVG           31%
ESET          27%
F-Prot        23%
VirusBuster   16%
Norman        23%

Source: http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf

http://lastwatchdog.com/antivirus-suites-fail/

Yeah, but how do they infect me?

(or how do viruses get around anti-virus?)

How do they do that?

[Diagram: Vulnerabilities, Threats, Value]

Popular Searches


The old classic - Email attachments

Published with kind permission from Mikko Hypponen, Chief Research Officer, F-Secure Corporation

Cute yet a little bit rubbish web sites…

Published with kind permission from Mikko Hypponen, Chief Research Officer, F-Secure Corporation

How can I tell something bad has happened?

Maybe…. nothing

Or….


Your computer is infected with 182 viruses – click here to fix

Source: Washingtonpost.com


More scareware

Source: Washingtonpost.com


Even more scareware

…looks convincing doesn’t it?

Source: Washingtonpost.com

What can I do?

1. Prevention…

• Buy & use the most up to date anti-virus you can.
• Use anti-spyware software such as Malwarebytes.
• Don’t trust anti-virus alone.
• Mix up your browsing, maybe use Firefox?
• Do you really want to open that email attachment?
• Those cute eCards might not be so cute.
• Never, ever, “click here” to fix your virus issues.
• Take some time to read up on how to set your computer up.

If you do get a virus

2. Cure

• Disconnect from the internet – take your cable out.
• I’d power off.
• Reboot into safe mode.
• Run anti-virus (again).
• Download and run Malwarebytes Anti-Malware & SUPERAntiSpyware.
• Some good information to print out at:
– http://www.bleepingcomputer.com/virus-removal/remove-windows-police-pro
– http://www.dslreports.com/forum/cleanup
• If you used the machine for banking or email, assume anything typed on it was captured and change those passwords from a clean machine.
• Reinstall? (boot and nuke first).

2. Scams


Nigerian 419 scams

Good Day,

My name is Dr William Monroe, a staff in the Private Clients Section of a well-known bank, here in London, England. One of our accounts, with holding balance of £15,000,000 (Fifteen Million Pounds Sterling) has been dormant and last operated three years ago. From my investigations and confirmation, the owner of the said account, a foreigner by name John Shumejda died on the 4th of January 2002 in a plane crash in Birmingham.

Since then, nobody has done anything as regards the claiming of this money, as he has no family member that has any knowledge as to the existence of either the account or the funds; and also Information from the National Immigration also states that he was single on entry into the UK.

I have decided to find a reliable foreign partner to deal with. I therefore propose to do business with you, standing in as the next of kin of these funds from the deceased and funds released to you after necessary processes have been followed.

This transaction is totally free of risk and troubles as the fund is legitimate and does not originate from drug, money laundry, terrorism or any other illegal act.

On your interest, let me hear from you URGENTLY.

Best Regards,
Dr William Monroe
Financial Analysis and Remittance Manager
[Phone Number Removed]

Lonely?


What can I do?

1. Prevention…

• Ignore it.
• Check it out on:
– http://www.snopes.com/
– http://www.hoax-slayer.com/
– http://www.419eater.com/
• If you have to wire money to someone you don’t know via Western Union or Moneygram, be very suspicious.

What can I do?

2. Cure

• Contact your bank to stop transactions
• Contact the police

3. Phishing & Vishing


Phishing Example


Phishing Example


Obvious Signs

• The link on the screen doesn’t match the link that you mouse over…
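The mismatch between the link you see and the link you get can be checked mechanically. The script below is an added example, not code from the slides: it parses a constructed HTML email, and for every link whose visible text looks like a URL or hostname, compares the site shown with the site the href really points to. The sample message, the hostnames in it and the crude registrable-domain heuristic are assumptions made for the demo.

```python
"""Flag links whose visible text shows one site but whose href goes to another.

Added example for this deck, not the author's code. The sample email below is
constructed; mybank.com and example.net are placeholder names.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that looks like a URL or a bare hostname (www.mybank.com/...)
_HOSTLIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/:?#]|$)", re.I)


def host_of(text):
    """Lower-case hostname from a URL or bare hostname, or None."""
    if "://" not in text:
        text = "http://" + text
    host = urlsplit(text).hostname
    return host.lower() if host else None


def base_domain(host):
    """Registrable-domain heuristic (assumption: last two labels, or three for
    ccTLD second levels such as co.uk). Good enough for a demo, not a PSL."""
    parts = host.split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in ("co", "com", "org", "ac", "gov"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def find_mismatched_links(html_body):
    """Return (visible_text, real_href) for links that show one site but go to another."""
    collector = _LinkCollector()
    collector.feed(html_body)
    mismatches = []
    for href, text in collector.links:
        if not _HOSTLIKE.match(text):
            continue  # "click here" style text: nothing to compare against
        shown, real = host_of(text), host_of(href)
        if shown and real and base_domain(shown) != base_domain(real):
            mismatches.append((text, href))
    return mismatches


# Constructed sample phishing email (not a real message)
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details at
<a href="http://mybank.com.secure-login.example.net/verify">https://www.mybank.com/login</a>
or read our <a href="https://www.mybank.com/help">help pages</a>.</p>
<p>Also see <a href="https://www.mybank.com/travel">www.mybank.com/travel</a>.</p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: shows {text!r} but really goes to {href}")
```

Only the first link is reported: its text says mybank.com, its href lands on example.net. The travel link is fine because both sides resolve to the same registrable domain, and "help pages" is skipped because plain words give nothing to compare.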


How it should work

[Diagram: a normal visit to the bank, in steps 1 to 4. The browser talks only to the bank’s own hosts:]

https://www.mybank.com/
https://images.mybank.com/
https://mybank.com/travel-international/g2/foreign-currency.asp

XSS

[Diagram: the same visit, in steps 1 to 5, but started from a crafted link. The bank’s page reflects the script carried in the link, and that script sends the victim to http://badguy.com/ “& some bad stuff”:]

https://www.mybank.com/
https://images.mybank.com/
https://mybank.com/item=.asp?id=%3scriptsomeotherstuff
http://badguy.com/


What can I do?

1. Prevention…

• Run the latest browser versions, some detect this kind of thing.
• Don’t click links to banks, eBay, Facebook or whatever from emails.
• Type in the URL of your bank and navigate to the page.
• If a link looks suspicious, don’t click it.

What can I do?

2. Cure

• Contact your bank
• Maybe contact the police

Safer Online Purchases

• Credit card rather than debit card: a disputed credit card charge is the card issuer’s money while it is investigated, whereas a debit card charge has already left your account.

Vishing

“Hello, it’s Chris from MyBank. It seems that someone has attempted to use your card fraudulently…”

“…we just need to ask a few security questions to verify who you are”.


What can I do?

1. Prevention…

• Limit the number of times you publish your phone number.
• Take down the fraud numbers for your bank in advance – store them in your mobile.
• Never phone back the number they provide you without making sure it’s valid.
• Speak to your bank about what they will and will not ask you. Most will not request your full password.

What can I do?

2. Cure

• Contact your bank on a number you verify.
• Maybe contact the police

4. The Evil Twin


Not this Evil Twin


Wireless - Be Aware of Evil Twins

[Screenshot of available wireless networks: “BT Openzone” and “Free Public Wifi”]

Wireless - Be Aware of Evil Twins

[Diagram: Good: BT Openzone and Evil: Free Public WiFi, both offering a path to The Internet]


What can I do?

1. Prevention…

• Careful what you connect to. Make sure you have the name right.
• Perhaps not a good place to do your banking.
• Think about using TOR. It hides where you are going from whoever runs the hotspot, but the Tor exit node can still read anything sent without https, so it is no substitute for the padlock.

What can I do?

2. Cure…

• Assume everything you did was captured by a bad guy and act accordingly
– Cancel bank transactions.
– Change your passwords.

5. Facebook


Facebook Issues


Who do you want to see your profile?


What can I do?

1. Prevention…

• Use a different email address from your usual one.
• Don’t make your profile public.
• Don’t publish address, phone details etc.
• Maybe don’t publish your real date of birth.
• Remember: if it’s published electronically, the cat *IS* out of the bag. Think before you post.
• Read and implement privacy settings.

What can I do?


And finally…

• Those fun applications


What can I do?

2. Cure

• Change password etc.
• See Facebook help

6. Theft


What if someone steals my PC?


What can I do?

1. Prevention…

• Be aware of the area. Generally don’t leave it in the car.
• Don’t ask someone to look after your laptop while you go to the bathroom.
• It’s valuable – treat it as such.
• Encryption is freely available
– Truecrypt
• Backup often
– External disks are inexpensive

What can I do?

2. Cure…

• Inform police.
• Inform your company / company security departments.
• If it’s not encrypted, change passwords to everything.
• If you used it for banking, inform the bank.

And if we have time..


Set up tips


Bluetooth

• Don’t use a bluetooth keyboard


A word on passwords

• Don’t think “they will never guess I’m using the word password”….
• …”They” are usually automated.

Some password tips

• UPPER and lowercase characters
• Use some numbers (not just at the end)
• Use some symbols ($#%_-+@ )
• 14 or more characters
• Passphrase “The Lazy Brown Fox”
• Don’t use the same password for every account
• You could write them down (safe-ish-ly)


Initial PC install

• If it’s second hand - wipe / erase disks
• Clean factory install
• Use strong passwords
• Configure / enable firewall
• Install A/V from install CDs (if you can)
• Latest versions with behaviour based rules
• Symantec (Norton), McAfee, Kaspersky, ESET.

Configure router

• Don’t connect it to the internet until you’re ready

• Change default administrator account passwords. They’re well known.

• Set a strong password

• Disable things you don’t use

• Don’t start with wireless – just yet


Configure wireless on the router

• Don’t use WEP
• Do use WPA or WPA2
• MAC filtering
• Consider using a random key generator, such as this one http://darkvoice.dyndns.org/wlankeygen, to generate the key
• Disable SSID broadcasting
• Non-Overlapping Channels 1, 5, 9, 13
• Switch off wireless when you’re not using it

MAC filtering and a hidden SSID only keep out casual neighbours: both the MAC address and the network name travel over the air in the clear and can be copied by anyone sniffing it. The strong WPA/WPA2 key is what actually keeps people out.

Install Updates

• Anti-Virus
• Windows Auto-Update
• Other
– Firefox
– iTunes
– Quicktime

Test connection

https://www.grc.com/x/ne.dll?bh0bkyd2


Wrong

• You have to keep it secure
– Auto updates
– Routinely check firewall is configured
– Periodically check anti-virus logs
– Reinstall completely periodically
• AV / Firewall doesn’t stop everything
• You need to be a little paranoid online. They REALLY are out to get you.

Email Issues

• Name
• How many accounts
• Settings
• Mostly clear text
• Web mail interaction also clear text
• So anyone between you and the mail server can read it

What can I do?

• Name
• How many accounts
• Settings
– Gmail – always https

Final word on Home security

Buy and use:

• Decent locks for doors & windows
• Shredders
• Safes
• Alarms
• Neighbours

Risk

Risk is very unlikely to be 0. Ever.


Risk

$$\text{Risk} = \frac{\text{Threat} \times \text{Vulnerability}}{\text{Countermeasures}} \times \text{Value}$$

Malware by OS

Operating System    Backdoors, rootkits    Viruses & worms    Trojans
OS/X                14                     9                  11
FreeBSD             33                     10                 0
Unix                76                     118                3
SunOS/Solaris       99                     17                 3
Linux               942                    136                88
Windows             501515                 40188              1232798

Cost of Fraud in the UK

Card fraud type (on UK-issued credit and debit cards)       2004     2005     2006     2007     2008     +/- (07/08)
Phone, internet and mail order fraud (card-not-present)     £150.8m  £183.2m  £212.7m  £290.5m  £328.4m  +13%
Counterfeit (skimmed/cloned) fraud                          £129.7m  £96.8m   £98.6m   £144.3m  £169.8m  +18%
Fraud on lost or stolen cards                               £114.4m  £89.0m   £68.5m   £56.2m   £54.1m   -4%
Card ID theft                                               £36.9m   £30.5m   £31.9m   £34.1m   £47.4m   +39%
Mail non-receipt                                            £72.9m   £40.0m   £15.4m   £10.2m   £10.2m   0%

Source: http://www.apacs.org.uk/09_03_19.htm

Records being lost all the time

Date        Type               Records   Organization
05-09-2009  Hack               52,000    Mitsubishi Corp
            Customers’ credit card details lost from hacked server
02-09-2009  Lost laptop        38,000    Naval Hospital Pensacola
            Missing laptop contains names, Social Security numbers and dates of birth of 38,000
01-09-2009  Unknown            100       Bluegrass Community & Technical College
            A file containing students’ names and Social Security numbers reported missing
29-08-2009  Stolen laptop      7,000     Birmingham NHS (Trulife)
            Stolen laptops contain private and medical details of more than 7,000
28-08-2009  Lost tape          300       Iron Mountain, Cuyahoga County, Ohio
            Cuyahoga County officials are searching for a box that fell off a truck and contained personal information
28-08-2009  Disposal document  Unknown   Fasco Machine Company
            Unknown number of employee records containing names, addresses, Social Security numbers and dates of birth thrown in trash
26-08-2009  Disposal document  100       Guardsmark
            Employee files found in trash contained personal details including names and Social Security numbers
25-08-2009  Disposal document  Unknown   Worthing Borough Council
            Unknown number of confidential files dumped on street contained names and bank details
21-08-2009  Hack               Unknown   University of Massachusetts at Amherst (UMASS)
            Hacked server exposes 20 years’ worth of students’ Social Security numbers
20-08-2009  Web                6,675     Boston University Army Reserve Officers’ Training Corps
            Social Security numbers and some birth dates of 6,675 exposed through file transfer program
20-08-2009  Disposal document  623       Prompt Med
            Dumped medical files expose 623 patients’ names, Social Security numbers, dates of birth and medical details
19-08-2009  Hack               Unknown   Radisson Hotels & Resorts
            Credit card numbers, expiration dates, and guest names on computer systems accessed without authorization

Understanding the Landscape

[Chart: the attacker types against motivations chart from earlier. Motivations: Curiosity, Personal Fame, Personal Gain, National Interest. Attacker skill: Script-Kiddy, Hobbyist Hacker, Expert, Specialist. Roles plotted: Vandal, Trespasser, Author, Thief, Spy.]

Published with kind permission from Dave Aucsmith, Sr. Director, Microsoft Institute for Advanced Technology in Governments