
Cybersecurity for the non-technical


Protecting your self and your data in the cyber age

Stephen Cobb, CISSP

Security Researcher, ESET NA

Back then*: very few people cared about computer security

*Published 1991. Note that the publisher added “complete” to the title.

But now: we’re all computer users

*Go to StaySafeOnline.org for more about STOP | THINK | CONNECT

Our Agenda: Cybersecurity for all

• Answers to questions, such as:

– What are the risks of online banking?

– What about identity theft?

– Can hackers get to those home security cameras we just installed?

– How to properly secure home routers

– How to protect our children on social media such as Facebook

• But first:

– Why is there so much cybercrime?

GLOBAL MARKET FOR:

STOLEN INFORMATION

CYBERCRIME SERVICES

CYBERCRIME TOOLS

This fuels a lot of cybercrime

Sadly, cybercrime pays

More than all the bank robberies that year

[Chart: Bank robbery vs. Internet fraud. Left axis: number of bank robberies (0 to 9000); right axis: cyber fraud losses ($0 to $900 millions). Series: $ cyber fraud losses; # of bank robberies.]

Source: FBI/IC3. Note that bank robberies are declining in number and in average loot per job. Fraud is clearly rising, and these are not all the cases.

Sadly, the risks remain low

$100 million

There is now a “cyber” most wanted

Cybercrime has created a global market for information

How does cybercrime pay?

1. First, criminals steal information and sell it on the black market

• Low risk, high reward

2. Then different criminals buy the stolen data and commit fraud, e.g.

• Charge your accounts

• Get your tax refund

• Riskier than #1

• But still safer than robbing banks

Who are the players in these underground markets?

Markets for Cybercrime Tools and Stolen Data (RAND, 2014)

BEWARE WORK AT HOME SCAMS!

Tools of the trade: point-n-click malware

• See the movie Blackhat?

• The bad guys used a RAT

• Remote Access Tool

• Here’s a RAT’s eye view of an infected computer:

• access to your microphone, webcam, files, passwords, and everything else…

Your card data sold here

• Carding sites

• Sold as card “dumps”

• E.g. McDumpals

• A real website

• Priced by

– Freshness

– Balance

– Type

– Location

Thanks to krebsonsecurity.com for screenshots

They have sales

They run specials

They have refund policies

Not just credit card data

ELECTRONIC HEALTH RECORD

L1: Basic personal: YOUR NAME, PHYSICAL ADDRESS, PHONE, EMAIL, EMPLOYER. Stolen to sell to spammers and for data mining, profiling, appending.

L2: Non-public identifiers: YOUR DATE OF BIRTH, MEDICAL RECORD NUMBER, SOCIAL SECURITY NUMBER, DRIVER’S LICENSE DETAILS. Sold for various kinds of identity theft such as tax ID fraud.

L3: Financial data: YOUR INSURANCE PROVIDER, PLAN TYPE, PAYMENT INFO, CREDIT CARD, BANK ACCOUNT. Sold for financial fraud, billing scams, theft of funds.

L4: Medical data: PATIENT HISTORY, BLOOD TYPE, ALLERGIES, SYMPTOMS, MEDICAL CONDITIONS, PRESCRIPTIONS, GENETIC DATA. Sold for use in medical ID fraud, billing fraud, drug and service theft and abuse.

Electronic health records are targeted for general and medical ID theft

So, what are the risks and defensive measures for…

• Online banking

• Identity theft

• Internet cameras

• Home networks

• Social media

• And more…

*This is my dog, because about now we need some cheering up.

Risks of online banking?

• Relatively low risk, some benefits

• Improved tracking of transactions

• Account alerts

– Withdrawals

– Purchases

– Dollar limits

– Location limits

• But guard your credentials!

Watch where you use your cards

• Fringe websites

– Major source of infection

• Dodgy ATMs

– Skimmers

• Support scams

• Many others


How to protect against ID theft

• Recognize the different types of identity theft

– Payment card fraud

– New account fraud

– Tax identity fraud

• Guard your credentials

– Account numbers

– User names, passwords

Guard SSNs and account info

• Who has their Social Security Card on them right now? Why?

• Don’t give the number out unless you absolutely have to

• Put a Security Freeze on your children’s credit (before the bad guys do)

• Shred paper mail that shows SSN or bank account numbers

Password protect all your devices

• They often have access to a lot of your identity data

• Laptops, smartphones, tablets

• Don’t share devices

• Know how to lock/track devices

Run antivirus on all devices

• A good antivirus suite will not only block malicious files, but also

– Stop phishing, intercept bad URLs, block inappropriate content

– Plus firewall, anti-theft, education

Can someone really hack our home security system and watch those cameras we just installed?

• If you connect them to the internet and don’t change the default password?

• Maybe!

• Research the model

• Google the model name + “hacked”

How to secure home routers

• Home routers are being targeted

• Make sure firmware is up-to-date

• Change the default password

• Hint: it may be “password”

• And anyone can find out that default password…

Securing home routers

• Use WPA encryption

• Don’t use WEP encryption

• Change the default SSID

• Hide the SSID
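The two router slides above are a checklist: current firmware, a non-default admin password, WPA rather than WEP, and a non-default SSID. The following is an added example (not part of the original deck, and not any vendor's tool) that turns that checklist into an audit function. Router settings are modelled as a plain dataclass with assumed field names, and the default-password and default-SSID lists are constructed samples, not a complete reference.

```python
"""Audit home router settings against the deck's checklist.

Added example, not from the original slides. The RouterSettings fields,
the default-credential set and the vendor SSID prefixes are assumptions
for illustration, not any manufacturer's real API or full default list.
"""
from dataclasses import dataclass, field

# Constructed sample of well-known defaults; the slide notes the default
# admin password is often literally "password".
COMMON_DEFAULT_PASSWORDS = {"password", "admin", "1234", "12345", ""}
# Constructed sample of SSID prefixes that usually mean "never renamed".
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "default", "tp-link", "xfinity")


@dataclass
class RouterSettings:
    firmware_version: str          # version currently installed, e.g. "1.0.2"
    latest_firmware_version: str   # version the vendor currently publishes
    admin_password: str            # router admin-page password
    wifi_encryption: str           # "open", "wep", "wpa", "wpa2" or "wpa3"
    ssid: str                      # network name
    ssid_broadcast: bool           # True if the SSID is advertised


@dataclass
class AuditResult:
    failures: list = field(default_factory=list)   # must fix
    warnings: list = field(default_factory=list)   # should fix

    @property
    def passed(self) -> bool:
        return not self.failures


def parse_version(version: str) -> tuple:
    """Turn "1.10.2" into (1, 10, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_router(settings: RouterSettings) -> AuditResult:
    result = AuditResult()

    # Slide: make sure firmware is up to date.
    if parse_version(settings.firmware_version) < parse_version(settings.latest_firmware_version):
        result.failures.append(
            f"firmware {settings.firmware_version} is older than {settings.latest_firmware_version}")

    # Slide: change the default password (it may be "password").
    if settings.admin_password.lower() in COMMON_DEFAULT_PASSWORDS:
        result.failures.append("admin password is a well-known default")
    elif len(settings.admin_password) < 12:
        result.warnings.append("admin password is shorter than 12 characters")

    # Slide: use WPA, don't use WEP. WEP is cryptographically broken and an
    # open network sends everything in the clear, so both are hard failures;
    # original WPA (TKIP) still encrypts but is deprecated, so it is a warning.
    encryption = settings.wifi_encryption.lower()
    if encryption in ("open", "wep"):
        result.failures.append(f"Wi-Fi uses '{encryption}'; switch to WPA2 or WPA3")
    elif encryption == "wpa":
        result.warnings.append("WPA (TKIP) is deprecated; prefer WPA2 or WPA3")

    # Slide: change the default SSID. A vendor-name SSID tells anyone nearby
    # which default credentials and firmware bugs to look up.
    if settings.ssid.lower().startswith(DEFAULT_SSID_PREFIXES):
        result.failures.append(f"SSID '{settings.ssid}' looks like a vendor default")

    # Slide: hide the SSID. Treated as a minor measure, so only a warning.
    if settings.ssid_broadcast:
        result.warnings.append("SSID is broadcast; the deck recommends hiding it")

    return result


if __name__ == "__main__":
    # Constructed sample: a router straight out of the box.
    out_of_the_box = RouterSettings("1.0.2", "1.1.0", "password", "wep", "linksys", True)
    for line in audit_router(out_of_the_box).failures:
        print("FAIL:", line)
    for line in audit_router(out_of_the_box).warnings:
        print("WARN:", line)
```

The split between failures and warnings mirrors the deck's emphasis: stale firmware, a default password, WEP or open Wi-Fi, and a vendor-default SSID are the items that actually expose the network, while hiding the SSID is listed but carries far less weight, since the name is still visible in the traffic of any connected device.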

Social media risks?

• Scams, fake offers, fake people

• It can seem so real because our friends are there: we tend to trust social media

• But it may be abused by “friends”

• If you are a parent and/or guardian

– Have the social media conversation sooner rather than later

– Poor choices can lead to very bad outcomes

Staying safe on social media

• Monitor their accounts

• Review privacy & security settings

• Use a social media scanner

• “Think before you post”

– Good advice for all of us

Stay safe online!

• A website full of security tips and advice for everyone:

– www.StaySafeOnline.org

Use the web to stay up to date

• IdentityTheft.gov

• IdTheftCenter.org

• KrebsOnSecurity.com

• WeLiveSecurity.com

Thank you!

• www.WeLiveSecurity.com

• www.eset.com