A Security Perspective on “Phishing” and “Social Networks” Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.

Social Networks And Phishing


Social Networking Vulnerabilities


Page 1: Social Networks And Phishing

A Security Perspective on “Phishing” and “Social Networks”


Page 2: Social Networks And Phishing

Session Guide: Erwin “Chris” Louis Carrow, IT Auditor, M.Div., MSIS, BM, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)

Board of Regents, University System of Georgia; Office of Internal Audit and Compliance

270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334

(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax

Email: [email protected]

http://www.linkedin.com/in/thebishop

http://twitter.com/ecarrow

What I Do? Just a “Glorified Geek”

High level – IT Evaluations System Wide

General focus – lacks the granularity of detail of day-to-day operations

Bottom line “It’s all about ME” (joke)!

Page 3: Social Networks And Phishing

Session Agenda

Key Takeaways and Introductions

Basic Terminology, Context, & Methodology

Strategic Use of YOUR and Others' Personal Information

What to Do to Be Safe / Limit Risk

Q&A

Page 4: Social Networks And Phishing

Key Takeaways

At the end of this session you should be able to:

Understand the RISK with Phishing & Social Networks;

Understand the Motivation for Exploitation of YOUR or OTHERS' PERSONAL INFORMATION;

Identify & Assess Resources to Mitigate Associated RISK;

Apply Basic Precautions to Mitigate Potential LOSSES.

Page 5: Social Networks And Phishing

Gone Phishing and Not Just Wishing - Videos

Safe-guarding the Process: http://www.youtube.com/watch?v=UNanKfY5T9A

Types of Phishing: http://www.onguardonline.gov/videos/overview.aspx

Page 6: Social Networks And Phishing

Threats and the Facts

Recent Email, Browser, & Web Site Exploits (this month!)

Yahoo, Hotmail, & Gmail – Oct 7, self-propagating phishing scam; Oct 6, account usernames / passwords illegally leaked

Google – Oct 13, Webmasters of compromised sites warned, with detailed code samples found

Microsoft – Oct 14, Phishing attacks with Zeus Trojan targeting Outlook Webmail

Mozilla – Oct 16, disabled a Microsoft plug-in for Firefox

Facebook, MySpace, etc. – Oct 16, Twitter phishing login scams

Browsers – Oct 1-5, IE, Chrome, Safari duped by bogus PayPal SSL certificate of authority

Peer to Peer downloads – Oct 12, Software piracy embeds malware

Puppet Nets / Bot Nets: Trusted major brand’s Web site – instead of stealing customer records, the attacker installs malware that infects the computers of thousands of visitors to the site

Cyber Terrorism – Oct 9, Research points to new cyber terror tactics; Oct 13, Polish Government attack blamed on Russia (duh)!

Click fraud – Oct 23, Botnet click fraud at record high

Page 7: Social Networks And Phishing

More of the Same “Threats and the Facts” – But, What are the Results?

Privacy Rights Clearinghouse, Chronology of Data Breaches: 2,500,000 reported since January 2005 [www.privacyrights.org/ar/ChronDataBreaches.htm]

Ponemon – HRH 2008 Privacy Breach Index Survey (Sept 2008) [www.HRH.com/privacy]

Self-evaluation of overall performance of organization: 9% gave an “A”; 31% gave a “B”; 26% gave a “C”; 29% gave a “D”; 5% gave an “F”

80% believed their organizations experienced information system data breaches and loss of customer and personal information

Causes: 50% Negligence; 29% Third-Party; 3% Hacker; 1% other criminal activity

36% had 1 to 4 breaches involving 100 or more records; 32% had 5 to 8; 31% had 9 or more

Page 8: Social Networks And Phishing

Terminology, Context, & Who are the Key Players

People – Good (solution oriented), Bad (problem producers), and Indifferent (folks who don’t care about / understand the problem)

Technology – Good (well managed), Bad (poorly managed), and Indifferent (don’t care about or understand the problem)

Services – The Internet (Home, Work, or Public environment) and associated resources, e.g., ISP, FaceBook, Games, email, etc.

YOU – “Part of the Solution” or “Part of the Problem,” e.g., a Recipient (“Poor Slob” that GOT HIT), Participant (inadvertently contributed either “for” or “against”), or Initiator (Johnny or Jill Hacker)?

Specific or Potential Risks – Phishing attempts, Social Network exploits, etc.

Page 9: Social Networks And Phishing

Basic Methodology for all Terrorist or Criminal Exploitations

Identify Social / Cultural “Normalcy” and associated “Common Denominators” where potential gain or benefit may exist on the Internet:

Email has become the primary “Means of Communication”

Browser Based Culture and Community, e.g., On-line Gaming (Entertainment), Banking (Financial), Social Networks (Socialization)

Exploit “Common Denominators” by …

Making it look like normal expected activity

Browser based exploits – Social networks, social engineering, harvesting information, or capitalizing on browser technology vulnerabilities

Email based exploits – Phishing

Browser, Email, and Web Site exploitation are all used in conjunction

Obscure and confuse the real with the Counterfeit! Their Objective … is to recreate a Counterfeit “Normalcy” that attracts and is utilized by YOU!!!! FOR ORGANIZATIONAL (Terrorist) or PERSONAL (Theft, Malice, or Vendetta) GAIN

Page 10: Social Networks And Phishing

Response? Know Yourself – Know Your Enemy!

The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise that was written during the 6th century BC by Sun Tzu.

Two Possible but Not Recommended Responses to the Challenge

Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play Computer games until the Inevitable Occurs

Idealistic and Unrealistic: Do the “Don Quixote (To Dream the Impossible Dream and Fight the Impossible Fight)” - Wear yourself out Fighting Windmills by shooting at whatever pops its head out!

Third Approach “How do you Eat the Elephant standing in the corner, Instead of Avoiding it?” Take ONE BITE at a time by…

Assess the level of risk you are willing to incur

Strategize a response

Be deliberate and not apathetic or indifferent

Be practical / understand it is not just about you (or ME)

Be an advocate or part of a culture that supports secure practices

Test and monitor the process with identifiable outcomes

Page 11: Social Networks And Phishing

Know Yourself: Profile – Who are YOU?

Habits & Preferences

Vocation or Ad-Vocation

Social Outlets, What you do, & Who you Know

Financial Resources

Education & Military Duty

Government Affiliation

YOUR PERSONAL IDENTITY is based on what you share in your “Click!”

Page 12: Social Networks And Phishing

Know Your Enemy: Profile – Who are They?

Terrorists

Foreign Governments

Organized Crime

Petty Thieves

People trying to have fun at your expense?

People who don’t Like you!

All motivated by what you have or what you can provide them, e.g., “Click”

Page 13: Social Networks And Phishing

The Internet is Bigger than Any Person or Government!

No Boundaries, Constantly Changing, & High Complexity

Political Alliances w/ Limitations

Government Sponsored Terrorism and Hacking

Electronic Relationships w/ No Commitment

Values vary with Social Cultural Norms

Fallacy / Pitfall – YOU will evaluate acceptability by your own standards!

Page 14: Social Networks And Phishing

Risk Profile, Probability, & Impact

Risk “reality” is just a “Click” away!

Am I important, and if so why?

Why would someone want me to “Click?”

If I commit to “Clicking,” what could be the outcome?

Is the “Click” cost too high?

How will the “Click” possibly impact others?

Page 15: Social Networks And Phishing

Campus “Life Cycle” of Security & Process Provisioning – Are YOU the Weakest Link?

Page 16: Social Networks And Phishing

What to Do to Be Safe…? Protect Yourself and Others?

Hardware – OS updates; latest version of Browser / Email Clients, and ensure they are patched; dedicated systems per functional risk

Software – Anti-virus / Anti-Malware, Host level IDS / IPS, Security Browser Apps, Plug-in filters, etc. (buy from a reputable vendor)

Head-ware, e.g., “Common Sense” that is not too common:

Don’t “Bank Online” (personal opinion and choice), limit on-line purchases, etc. – every transaction has an associated risk!

Don’t share personally identifiable information of any type or form online without assessing the risk!

Have fun, be cautious, and educate yourself regarding the risk

Remember, once it is on the Internet “it belongs to everyone.” Is it something you really wanted to share?

Page 17: Social Networks And Phishing

Thank You for Your Participation - Any Questions?

Understand the “browser-based” Risk and potential Phishing and Social Networking Scams that dominate “normalcy!”

Profile Your and Others Risk per the “Click” you take!

Take the necessary Precautions, Preventive measures, and Practice safe browsing!

Page 18: Social Networks And Phishing

Sources & Considerations

Infected Web Sites - http://www.computerworld.com/s/article/342457/Visitors_Under_Attack?taxonomyId=%2016

Mozilla & Microsoft - http://news.cnet.com/8301-30685_3-10377445-264.html ; http://www.infoworld.com/d/security-central/mozilla-plug-in-checker-boostssecurity

Anti Malware Tactic - http://www.scmagazineuk.com/Aggressive-tactics-used-in-new-distributionand-%20installation-of-fake-anti-virus-software/article/154886/

Outlook - http://www.networkworld.com/news/2009/101509-phishing-zeus-outlook.html

Twitter - http://www.mxlogic.com/securitynews/web-security/security-experts-warn-of-possible-id-theft-scam-on-twitter835.cfm

P2P Software - http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220600367

Email - http://news.bbc.co.uk/2/hi/technology/8294714.stm ; http://crave.cnet.co.uk/software/0,39029471,49303832,00.htm

Browsers - http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/

Google - http://www.theregister.co.uk/2009/10/13/google_webmaster_malware_notification/

Terrorism - http://www.theregister.co.uk/2009/10/13/poland_cyberattacks/ ; http://www.internetnews.com/government/article.php/3843136/Cyber+Terrorism+Dem%20ands+New+Tactics+Study.htm

Click Fraud - http://www.theregister.co.uk/2009/10/23/botnet_generated_click_fraud/

Page 19: Social Networks And Phishing

Helpful Resources

USG BOR Information Security Reporting Process: http://www.usg.edu/infosec/incident_management/

Twitter: http://twitter.com/usginfosec/

Internet Alert Dashboard: To report cyber infrastructure incidents or to request information, please contact US-CERT at [email protected] or visit their Website: http://www.us-cert.gov. Information on IT information sharing and analysis can be found at the IT ISAC (Information Sharing and Analysis Center) Website: https://www.it-isac.org/

US-CERT: us-cert.gov/cas/tips/st06-003.html

StaySafeOnline: staysafeonline.info/practices/index.html

CyberSmart.org: www.ccybersmart.org/downloads/pdf/SocialNetworkGuide.pdf

GetNetWise: www.getnetwise.org

OnGuard Online: onguardonline.gov/socialnetworking_youth.html

TechMission, Inc. Safe Families: www.safefamilies.org/socialnetworking.php

Join my FaceBook “Mafia War” Family (beware, it is a social networking experiment): http://www.facebook.com/TheBishopOfOZ