Identity Theft
Rob Forsyth
Managing Director, Sophos, Asia Pacific
“On the Internet, nobody knows you’re a dog”
5th July 1993
The New Yorker
Overview – Identity Theft
• Some background
• Has legislation helped?
• Examples of attacks and the implications for an individual or company
• What vulnerabilities can be created and what impact can these have?
• What defences can be deployed to defeat this form of attack?
• Where will this problem go next?
History
• Identity theft as a specific IT term first appeared in the 1990s
• This led to the US Identity Theft and Assumption Deterrence Act 1998
• Now it can occur much more anonymously than ever before
• Now the attack can be made from a greater distance
• It can build over time rather than just be a one off attack
• It can have a greater impact than ever before
ID theft costs Australia $5b a year (source: The Australian Institute of Criminology)
Methods - some old and some new
• Dumpster Diving
• Changing Your Address
• "Old-Fashioned" Stealing
• Installation of Trojan Horses (trojans) on to your computer
• Phishing and spear-phishing
Australian Legislation
• Cybercrime Act 2001
• Criminal Code Amendment (Theft, Fraud, Bribery & Related Offences) Act 2000
• Financial Transaction Reports Act 1998
• The Spam Act 2003
• State based Crimes Acts - various years
• The NSW Crimes Act 1900
• The NSW Crimes Amendment (Computer Offences) Act 2001
In common language – most legislation protects against fraud
So, we are well protected by the Law, but it still happens
Please note that the following companies were innocent victims, and no adverse implication is implied
Some examples: there are a number of different messages
NOTM – September 2006
• National Online Talent Management agency
• IT theft may have been tied to recruitment of child porn
• Company appears to have closed
Coca Cola – August 2006
• Poor grammar and muddled dialogue a clue
• Campaign to recruit mules or for future spear phishing
• Very short lived campaign with ‘disposal’ email contacts
• International Brand – Hong Kong focus
• Advanced fee fraud?
• Seeking mules?
Microsoft - March 2007
• A banner ad was served on MSN sites and Windows Live Messenger
• "SystemDoctor 2006" ran scripts that popped up a security warning directing people to install a registry scanner that was itself malware
Defence requires web visibility to identify and block the high-risk links, script and malware detection to block malicious downloads, and call-home protection to block malware from updating and reporting its activity
Troy Inc. March 2007
• Complete rip-off of a legitimate site
• Offered employment
• “Just download an application”
• Attacks the vulnerable and desperate
• May not have been for identity theft
• Hundreds of these attacks each day
Troy Inc.
Three website examples
• Visa
• Westpac
• Avis
Please note that the following companies were innocent victims, and no adverse implication is implied
The URL is preceded by numbers - everything after that is irrelevant
The URL is misspelt - note that the keyboard can also be used by phishers
The URL is HTTP and not HTTPS, and there is no padlock.
Too much information is being sought
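The three URL warning signs above can be checked mechanically at a mail or web gateway. The following is an added example, not part of the original presentation; it assumes "preceded by numbers" means a numeric IP address in place of a hostname, and the allow-list and sample links are constructed using reserved `.example` names and a documentation IP range.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hostnames the organisation really uses (reserved .example names).
KNOWN_HOSTS = {"mybank.example", "carhire.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (misspelt) hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_indicators(url):
    """Return which of the slide's URL warning signs a link trips."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    flags = []
    try:
        # Sign 1: the host is a bare IP address, so any brand name that
        # follows it in the path says nothing about who runs the site.
        ipaddress.ip_address(host)
        flags.append("numeric-host")
    except ValueError:
        # Sign 2: the host is within two edits of a known name but not equal.
        if host not in KNOWN_HOSTS and any(
            edit_distance(host, known) <= 2 for known in KNOWN_HOSTS
        ):
            flags.append("misspelt-host")
    # Sign 3: the link is not served over HTTPS (no padlock).
    if parts.scheme != "https":
        flags.append("not-https")
    return flags

# Constructed sample links for demonstration only.
SAMPLES = [
    "http://192.0.2.10/mybank.example/login",
    "http://www.mybamk.example/login",
    "https://mybank.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, phishing_indicators(link))
```

The fourth sign, a page asking for too much information, depends on page content and is not covered by a URL-only check.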
Newer or future challenges – will ID theft follow?
• Spam (defined by the Spam Act and the following would be covered)
• Spasms (spam over SMS)
• Spim (spam over instant messaging)
• Spit (spam over IP telephony)
Further reading at <www.theregister.co.uk>
• Illinois couple sued for sending 5 million spam cell phone messages
Image spam
• Has moved through various file types
Real fears for the ‘newbies’
So what’s the impact if a trojan is installed?
Many of these attacks will download a trojan horse to the victim's computer
Vulnerabilities that can be created
• Phishing - user name and password or just information
• Bank, eBay, PayPal, on-line gaming, your CV etc.
• Ransomware
• Botnet or ‘zombification’ to carry out other attacks
• Security reduction for future attack
• Rogue webserver (porn server)
• Webcam control
• Infection of your employer's network
• Become a person of interest to the police
Risks are not always obvious or immediate
What should we do about this?
What defences can be deployed to defeat this?
• Endpoint anti-malware software
• Combined protection covering viruses, worms, Trojans, spyware, adware + unwanted applications
• Functioning endpoint firewall
• Gateway email protection
• Gateway web protection
• OS and anti-malware correctly patched
• Network Access Control (NAC)
Defense in depth
Education is much of the answer
Knowledge and access to information is the best defense
Sensible online behavior reinforced by a good IT / HR policy
Some final thoughts
Security threat report 2007 – some ‘highlights’
• Malware authors continuing to deliver more focused attacks
• Explosive growth of web-based downloaders to spy on users
• New mass-mailing worm, Stratio, had over 1000 unique variants
• Most spam continuing to be relayed by poorly protected computers
Further reading at <www.sophos.com>
Where will this problem go next?
• More of the same issues but 'better' and faster
• They will follow the money
• Chase new vulnerabilities
• New technologies like IM and VoIP
• Mobile devices