2
Acknowledgement
In preparing the presentation slides and the demo, I received help from
• Professor Simon Ou
• Professor Gurdip Singh
• Professor Eugene Vasserman
3
Agenda
• Password cracking
• Information gathering (reconnaissance)
• Spoofed emails or phone calls
• Threats through emails
  – phishing attack
  – other attacks
• Risks of swiping a credit card in an untrusted place
• Security concerns associated with RFID tags
4
Password-based Security
• We use passwords everywhere
  – email accounts, bank accounts, social networking sites, personal computers, and so on
• What makes a good password
  – long, but still easy for you to remember
  – very difficult for an attacker to guess: not a dictionary word, a name, or anything that can be found on your public profiles
5
Good or Bad Passwords?
7@Ack i love soccer07deserteagle chuck#01235lakers5 oliveoil7john1 eagle1900beethoven5th PTL!1g1M05Pizza [email protected] justin_bieber_sux!h.o.u.s.e {T@!4u2N9^}&$trongPassword WeRtheChamp10n!ILh2dW&%D@etF1 zeppelinIV
6
Password Cracking
• How long is good enough?
  – we can compute the password strength: the number of guesses needed grows as (alphabet size)^(length)
  – mix lower-case and upper-case letters and digits
  – add special characters to enlarge the alphabet
• Dictionary attack
  – the attacker first tries a list of frequently used passwords (and simple variations of them, e.g. a digit appended)
  – only then does she fall back to trying all possible combinations (brute force)
• Social engineering to aid in cracking
  – information gathering works if, for example, a family member's or pet's name is used as the password
  – you may leak your secret yourself while responding to a fake email or phone call
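The two ideas on this slide, computing a password's strength from its alphabet and length and running a dictionary pass before a brute-force pass, as an added example (not code from the slides or from any of the tools named later). The wordlist, the suffix mangling rules and the guess rate of 10^9 per second are constructed assumptions for illustration; SHA-256 stands in for whatever hash a real system stores.

```python
"""Added example: password strength estimate plus a two-phase cracker
(dictionary with simple mangling, then brute force).  Wordlist, suffix
rules and the guess rate are constructed assumptions."""
import hashlib
import itertools
import math
import string

# Assumed attacker speed against a fast, unsalted hash (assumption).
GUESSES_PER_SECOND = 1_000_000_000

# Constructed stand-in for a "frequently used passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou",
                    "soccer", "zeppelin", "lakers"]


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1   # 33 printable symbols incl. space
    return size


def strength_bits(password: str) -> float:
    """Brute-force search space in bits: log2(alphabet ^ length)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def crack_seconds(password: str) -> float:
    """Seconds to exhaust the whole space at the assumed guess rate."""
    return 2 ** strength_bits(password) / GUESSES_PER_SECOND


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist=COMMON_PASSWORDS):
    """Phase 1: each common word, capitalised or not, with a digit suffix."""
    suffixes = [""] + [str(n) for n in range(100)] + [f"0{n}" for n in range(10)]
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suf in suffixes:
                if sha256_hex(base + suf) == target_hash:
                    return base + suf
    return None


def brute_force(target_hash: str, alphabet=string.ascii_lowercase, max_len=4):
    """Phase 2: every string up to max_len over the alphabet (exponential)."""
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            cand = "".join(tup)
            if sha256_hex(cand) == target_hash:
                return cand
    return None


def crack(target_hash: str):
    """Cheap dictionary pass first; brute force only if it fails."""
    return dictionary_attack(target_hash) or brute_force(target_hash)


if __name__ == "__main__":
    for pw in ["soccer07", "abc", "ILh2dW&%D@etF1"]:
        print(f"{pw!r}: {strength_bits(pw):.1f} bits, "
              f"~{crack_seconds(pw):.3g} s to exhaust")
    print("cracked:", crack(sha256_hex("soccer07")), crack(sha256_hex("abc")))
```

Note that `soccer07` has about 41 bits of brute-force strength, yet the dictionary pass finds it in a few hundred guesses because it is a common word plus two digits; the bit count only tells you how long a blind attacker needs, not a knowledgeable one.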
7
Password Crackers Tools
• Hydra, Medusa
  – can crack network logon passwords (e.g. FTP, HTTP, VNC, POP3) by trying guesses against the live service
• Ophcrack
  – pre-computed rainbow tables can reduce cracking time (they only work against unsalted hashes)
• Top 10 Password Crackers:
  – http://sectools.org/crackers.html
8
Information Gathering
The attacker can employ several techniques
1. Uses Internet search engines and social networks
   – collects names, addresses, login names, email addresses, host machine names, etc.
   – automated tools are available, e.g. theHarvester
2. Sends information requests via fake email or phone
   – and waits for a response from a potential victim
3. Does dumpster diving
4. Buys information on the black market
9
TheHarvester: An Automated Miner
• A tool for gathering e-mail accounts, user names and hostnames from different public sources
• It supports multiple sources:
  – Google, Bing, LinkedIn, etc.
  – Caution: the attacker can use all of these sources too
• An example:
  – using this tool a spammer can collect your email address (e.g. from your public webpage)
• Anti-harvesting methods
  – address munging (e.g. instead of alice@abc.com publish "alice at abc dot com")
  – using images to display part or all of an email address
  – note that both only defeat naive harvesters; a tool that also looks for "at"/"dot" patterns, or runs OCR on images, still recovers the address
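To make the munging point concrete, here is an added example (not code from the slides and not theHarvester's own code) of a naive address harvester run over a constructed web page, next to a second pass that also rebuilds "alice at abc dot com" style addresses. The page text, names and domains are constructed for illustration.

```python
"""Added example: naive e-mail harvester vs. a de-munging harvester.
SAMPLE_PAGE and every address in it are constructed."""
import re

# Constructed sample page: one plain address, two munged ones, one as an image.
SAMPLE_PAGE = """
<h1>Contact</h1>
<p>Webmaster: webmaster@abc.example</p>
<p>Alice: alice at abc dot com</p>
<p>Bob: bob [at] abc [dot] com</p>
<p>Carol: <img src="carol-email.png" alt="email as image"></p>
"""

# What a naive harvester matches: a literal user@domain.tld string.
PLAIN_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# De-munging: accept " at ", "[at]", "(at)" and " dot ", "[dot]", "(dot)".
MUNGED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*(?:\[at\]|\(at\)|\bat\b)\s*"
    r"([A-Za-z0-9-]+(?:\s*(?:\[dot\]|\(dot\)|\bdot\b)\s*[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)
DOT_RE = re.compile(r"\s*(?:\[dot\]|\(dot\)|\bdot\b)\s*", re.IGNORECASE)


def harvest_plain(text: str) -> set[str]:
    """Naive harvester: finds only un-munged addresses."""
    return set(PLAIN_RE.findall(text))


def harvest_demunged(text: str) -> set[str]:
    """Smarter harvester: plain addresses plus rebuilt munged ones.
    The image-only address still escapes it (OCR would be the next step)."""
    found = harvest_plain(text)
    for user, dom in MUNGED_RE.findall(text):
        found.add(f"{user}@{DOT_RE.sub('.', dom)}".lower())
    return found


if __name__ == "__main__":
    print("naive:   ", sorted(harvest_plain(SAMPLE_PAGE)))
    print("de-mung: ", sorted(harvest_demunged(SAMPLE_PAGE)))
```

The naive pass returns only the webmaster address; the de-munging pass recovers Alice's and Bob's as well, which is why munging buys little against a determined harvester. Only the address rendered as an image survives both passes.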
10
Spoofed Email
• The email system (SMTP) by itself does NOT provide "sender authentication"
  – in a spoofed email, the sender's address is altered
  – receiving an email proves nothing about the actual sender
  – both the envelope sender (MAIL FROM) and the From: header are simply supplied by the sending machine
• Spoofed email sending software is available
  – it is used in sending SPAM or phishing email
11
Let’s do a Hands-on Activity
• Note: there are some websites via which anybody can send a spoofed email to anybody
• Let's test one of them to understand how easy it is for an attacker to send a fake message
• Caution: this activity is for testing purposes only. It is a crime to send a phishing email.
12
Gmail Ways to Detect Email Spoofing
• Sender Policy Framework (SPF) is an email validation system
  – allows the administrators of a domain D to publish (in DNS) which hosts are allowed to send email from D
  – the receiving server checks whether the connecting server's IP address is authorized, using the DNS system
  – note: SPF checks the envelope sender domain (MAIL FROM), not the From: header the user sees
• DomainKeys Identified Mail (DKIM) is a way to digitally sign emails
  – the signing domain publishes its public key in DNS; the receiver verifies whether the email was actually sent (signed) by the particular domain D it claims
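The SPF check described above, as an added example (not Gmail's code and not from the slides): a minimal evaluator that reads SPF records from a constructed table instead of doing DNS lookups, so it runs offline. It handles the `ip4`, `ip6`, `include` and `all` mechanisms with the `+`, `-`, `~` and `?` qualifiers; the real algorithm (RFC 7208) also has `a`, `mx`, `exists`, macros and a 10-lookup limit, which are omitted. The domains and addresses are examples, not real records. DKIM is not shown because it needs RSA signature verification.

```python
"""Added example: simplified SPF evaluation over a constructed TXT table.
Domains, addresses and records are assumptions, not real DNS data."""
import ipaddress

# Constructed "DNS": domain -> its SPF TXT record.
TXT = {
    "ksu.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "noreply.example": "v=spf1 ?all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record for a connection from client_ip.

    Returns pass / fail / softfail / neutral, "none" when there is no record,
    or "permerror" for a mechanism this toy does not implement.
    """
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # default qualifier is "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # v4 address vs v6 network (or vice versa) is simply "no match"
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                matched = False               # malformed network in the record
        elif name == "include":
            # include matches only if the included domain's policy says "pass"
            matched = spf_check(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                # a/mx/ptr/exists not implemented
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                          # nothing matched, no "all" term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "ksu.example"), ("198.51.100.10", "ksu.example"),
                    ("203.0.113.5", "ksu.example"), ("203.0.113.5", "noreply.example")]:
        print(f"{ip:>15} as {dom}: {spf_check(ip, dom)}")
```

The first mechanism that matches decides the result, so order matters: `ip4:192.0.2.0/24 ... -all` passes the campus range and fails everything else, while a record ending in `~all` only softfails, which most receivers treat as "deliver but mark".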
13
How to Check the Authentication Information of a Message on Gmail
Acknowledgement: Gmail’s User Guide
14
Phone Caller ID Spoofing
• Makes a phone call appear to have come from any number the caller wishes
• The most common spoofing method is through VoIP systems
• Open-source PBX software such as Asterisk or FreeSWITCH lets the caller set any outbound caller ID
15
Email Threats
• Security risks include
  – phishing scams
  – links (in the body) or attachments carrying malware
• Nowadays these risks are high
  – bad guys can rent a SPAM-sending botnet to launch a large-scale attack
  – millions of valid email addresses are for sale in the underground black market
16
Phishing Attack: An Example Email

Subject: E-mail Security Alert!
From: Kansas State University <[email protected]>
Date: Tue, 18 Dec 2012 06:14:01 +0900 (JST)

Access to your e-mail account is about to expired.
Please Click here
<http://sevenes.com/zboard/ksu/>
to restore access to your e-mail account.
We apologise for any inconvenience and appreciate your understanding.

Regards, Kansas State University

Acknowledgement: K-State IT Security Threats Blog
18
More on the Phishing Attack
• Fake email messages apparently coming from a trusted person or institution (e.g. a bank)
  – trick people into handing over secret information such as passwords, credit card numbers and bank account numbers
• A phishing email can have links to
  – fake login pages impersonating financial institutions
  – malware, viruses, spyware, etc.
19
Countering Phishing Attack
• Remember that the institution (e.g. your bank or KSU) will never ask for your secret through emails
• Be suspicious when you receive an email; know that the email sender address can be spoofed
• Avoid clicking any link in such emails
  – double check whether the link's real URL (the href target, not the text shown) is fishy
  – visit only https links; do not proceed if you get a certificate warning (but note that https alone proves nothing: phishing sites get certificates too)
• Do not respond to any such email; call the institution, using a number you already know, if unsure
• Always use the latest versions of web browsers
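The link checks on this slide, as an added example (not from the slides): pull every link out of an e-mail and flag the warning signs listed above, namely a link host that differs from the claimed sender domain, plain http rather than https, a raw IP address as host, and anchor text that displays a different URL than the real target. The message is a constructed sample modelled on the phishing e-mail shown earlier; the `.example` domains and the address are assumptions.

```python
"""Added example: flag phishing indicators in an e-mail's links.
SAMPLE is a constructed message; domains and addresses are assumptions."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

SAMPLE = """\
From: Kansas State University <helpdesk@ksu.example>
Subject: E-mail Security Alert!
Content-Type: text/html

<p>Access to your e-mail account is about to expire.
<a href="http://sevenes.example/zboard/ksu/">Click here</a> to restore access.</p>
<p>Or visit <a href="http://203.0.113.9/login">https://www.ksu.example/login</a></p>
<p>Help: <a href="https://www.ksu.example/help">Help desk</a></p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL_RE = re.compile(r"https?://[^\s<>\"]+")


def sender_domain(msg) -> str:
    """Domain of the From: header (which, as the slides note, can be spoofed)."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> list[dict]:
    """Return one record per link with the list of warning signs it triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = sender_domain(msg)
    body = msg.get_content()
    findings = []
    for href, text in LINK_RE.findall(body):
        target = urlparse(href)
        host = (target.hostname or "").lower()
        flags = []
        # Link should point at the sender's own domain (or a subdomain of it).
        if host and not (host == claimed or host.endswith("." + claimed)):
            flags.append("host differs from sender domain")
        if target.scheme == "http":
            flags.append("not https")
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            flags.append("raw IP address")
        # Displayed URL in the anchor text must match the real target.
        m = BARE_URL_RE.search(text)
        if m and (urlparse(m.group(0)).hostname or "").lower() != host:
            flags.append("anchor text shows a different URL")
        findings.append({"href": href, "host": host, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f["href"], "->", f["flags"] or "ok")
```

The first link is flagged for pointing off-domain over plain http, the second for all four signs at once, and the help-desk link, which stays on the sender's domain over https, is clean. A clean result is still not proof: a spoofed From: header makes the "sender domain" itself untrustworthy, which is what SPF and DKIM on the earlier slide address.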
20
How to Recognize a Fraudulent Email?
• Train yourself by studying the several resources which are available on the KSU ITS website
• Some resource examples are
  – Anti-Phishing Working Group, www.antiphishing.org (http://www.antiphishing.org/resources/Educate-Your-Customers/)
  – Looks Too Good To Be True, www.lookstoogoodtobetrue.com
21
Examples of Phishing Scams
• Advance fee scam
• Job offer scam
• Nigerian scam
• Beneficiary of a will scam
• Over-paying (Craigslist) scam
• Charitable donation scam
• Facebook friend scam
Acknowledgement: K-State ITS
22
Spear Phishing
• A more targeted method of phishing
  – only known members of the targeted institution receive the email
• Email addresses are acquired by
  – joining a mailing list
  – buying a list from a hacker
  – guessing email addresses based on the general format, e.g. [email protected]
23
Threats via Email Attachment
• An email attachment may contain malware
  – worms, viruses, Trojan horses, etc.
  – which can seriously damage your computer
• Do not open any suspicious attachment
  – opening it can trigger/execute the malware
  – just delete such emails
• Install anti-virus software on your computer
  – ensure that it scans all attachments automatically before you open them
  – the anti-virus "Trend Micro Security" is available to K-Staters
24
Risks of Swiping a Credit Card in an Untrusted Place
• An ATM skimmer can steal the card data
  – later the bad guys collect the data from the skimmer device
  – difficult to detect: it blends in with the cash machine in form and color
• Typically a skimmer is built from two components
  – a device that fits over the card acceptance slot and copies the data stored on the card's magnetic stripe
  – a pinhole camera built into a false panel that thieves fit above or beside the PIN pad to record the PIN
• Risk mitigation
  – try to avoid using ATMs in unknown, non-standard places
  – cover the keypad with your other hand while entering the PIN
  – frequently check your credit card transactions and report fraud, if any
25
Basics of RFID Technology
• The tracking system has three components:
  – a scanning antenna
  – an RFID tag programmed with information
  – a transceiver to interpret the data
• An RFID tag can be read
  – from a distance (active tags up to about 300 feet; passive tags from a few centimeters to several meters)
  – with no need for line of sight (unlike a barcode)
• Passive RFID tags have NO batteries; they are powered by the reader's field
  – so a tag remains usable for a long time
26
RFID Tags: Security and Privacy Concerns
• A thief with a scanner can activate an RFID tag and read its contents
  – example: if someone walks by your bag of books with a "sniffer", that person can get a complete list of the books
• Concern with RFID devices in a company badge
  – example: an RF field may make the RFID chip in the badge spill the badge secret; if the badge only ever replies with a fixed value, the thief can replay it and gain access
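The badge concern above, as an added example (not from the slides): a small simulation of a badge that answers every reader with a fixed ID, next to one that answers a fresh challenge with a keyed MAC over a secret that never leaves the chip. The attacker "sniffs" the badge once with their own field and replays the capture at the door. The IDs, the key and the reader logic are constructed for illustration; real badges use, for example, AES-based challenge-response rather than this toy.

```python
"""Added example: static-ID badge vs. challenge-response badge under a
read-and-replay attack.  UIDs, keys and reader logic are constructed."""
import hashlib
import hmac
import secrets


class StaticBadge:
    """Legacy badge: any reader field makes it emit its fixed ID."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, _challenge: bytes) -> bytes:
        return self.uid


class ChallengeResponseBadge:
    """Badge holding a per-badge key; it only ever emits MACs, never the key."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()
        return self.uid + mac


class Reader:
    """Door reader.  keys maps UID -> key (value unused for static badges)."""
    def __init__(self, keys: dict, static_ok: bool):
        self.keys, self.static_ok = keys, static_ok

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)          # fresh nonce per attempt

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self.static_ok:
            return response in self.keys        # any known UID opens the door
        uid, mac = response[:4], response[4:]
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def sniff_and_replay(badge, reader) -> bool:
    """Attacker energises the badge with their own field, then replays at the door."""
    captured = badge.respond(secrets.token_bytes(16))   # attacker's challenge
    return reader.verify(reader.new_challenge(), captured)


def legit_use(badge, reader) -> bool:
    ch = reader.new_challenge()
    return reader.verify(ch, badge.respond(ch))


def demo() -> dict:
    uid, key = b"\x04\x1a\x2b\x3c", secrets.token_bytes(16)
    static_reader = Reader({uid: None}, static_ok=True)
    cr_reader = Reader({uid: key}, static_ok=False)
    return {
        "static_legit": legit_use(StaticBadge(uid), static_reader),
        "static_replay": sniff_and_replay(StaticBadge(uid), static_reader),
        "cr_legit": legit_use(ChallengeResponseBadge(uid, key), cr_reader),
        "cr_replay": sniff_and_replay(ChallengeResponseBadge(uid, key), cr_reader),
    }


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name:14} door opened: {opened}")
```

Challenge-response stops cloning and replay, because the capture is only valid for the nonce the attacker chose. It does not stop a real-time relay, where the attacker forwards the door's challenge to the victim's badge while it sits in their bag; that needs distance bounding or a deliberate user action.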