Information Security Awareness


HISTORY OF CYBER-SECURITY
• Surveillance State
• Information Warfare
• Cyber Crime
• Hacktivism
• Vandalism
• Experimentation

Cracker: a computer-savvy programmer who creates attack software.
Script Kiddies: unsophisticated computer users who execute those programs.
Hacker Bulletin Board:
• SQL Injection
• Buffer overflow
• Password Crackers
• Password Dictionaries
• Successful attacks! "Crazyman broke into …", "CoolCat penetrated…"
• Malware package = $1K-2K
• A virus attaches itself to a program, file, or disk
• When executed, the virus activates, replicates
• Malware Infection Rates:
  ○ Web: 1 in 566
  ○ E-mail: 1 in 196
  ○ 40% of data breaches
[Figure: Program A carrying extra code infects Program B]

Worm: an independent program sends copies of itself from computer to computer across networks.
[Figure: the worm mails itself to every address on the infected machine's e-mail list (To Joe, To Ann, To Bob)]

Social engineering manipulates people into performing actions or divulging confidential information (29% of breaches).
Examples:
• Phone call: "This is John, the System Admin. What is your password?"
• "Transfer $ from Nigeria"
• "ABC Bank has a problem with your account"
• "Watch this funny video… see attached"
• "You have a notice from Facebook"
• The fake web page looks like the real thing and extracts account information



An attacker pretends to be your final destination on the network; the attacker may look like a strong WLAN access point (1% of hacking attacks).
After penetration, the hacker installs a rootkit, which:
• Eliminates evidence of the break-in
• Modifies the operating system
Rate of infection/malware:
• Rootkit: 39%
• Backdoor: 66%
• Keystroke logger: 75%
Anonymous
• Political causes, e.g.:
  ○ Middle East Democracy
  ○ WikiLeaks
  ○ Mexican Miner's rights
• Bad ways, e.g.:
  ○ Web defacement
  ○ DDOS attacks on Visa, MasterCard, MPAA
  ○ Computer hacking
• 2% of external breaches

• Cross international boundaries
• Distributed Denial of Service: attack web pages
• $100 per 1000 infected computers
• Command & Control: 51% of malware attacks
Target: Finance, Retail, Food
• 55% of external breaches
Cost of Credit Card Numbers:
• U.S.: $10
• European: $50
• Bulk: $1 or more
KEYSTROKE LOGGER
• Silently tracks the keys you enter
• Sends credit card info, password to the criminal
• You see unusual charges on credit card statement
• 75% of Malware
Trojan Horse: masquerades as a beneficial program
• The Zeus Trojan: infected millions of computers
  ○ Mostly in the U.S. and often via Facebook
  ○ 2007 - today: top 5 malware problems
  ○ Steals bank passwords and empties accounts
  ○ Can impersonate a bank website
WAR DRIVING & HACKING
Gonzalez cracked and exposed over 170 million credit card numbers
• Stole from: Barnes & Noble, Boston Market, OfficeMax, Sports Authority, TJ Maxx, Dave & Buster's, Marshall's, Heartland Payment Systems, 7-Eleven, and Hannaford Brothers
• Sentenced to 20 years prison, 2009, followed by 3 years supervised release
• 2003 arrested & released: became informant to Secret Service
ATM - POINT OF SALE: CREDIT CARD FRAUD
Skimmers used at ATMs, gas stations, stores.
• Skimmers make up 91% of physical security attacks (35%)
• Skimmers match the color of bank ATMs
• Manufactured in bulk, by 3D printers
• Check for loose parts; hide your PIN
• Gonzalez encoded PINs onto debit card magnetic strips

RANSOMWARE
• "You are infected. Buy antivirus."
• "You've stored underage pornography. Pay a fine or go to jail. -FBI"
• CryptoLocker: "Your disk has been encrypted. Pay to decrypt."
  ○ Pay in 72 hours or else…
  ○ Backup can be corrupted – MS Shadow
  ○ Swansea, Massachusetts Police paid $750
Pattern                             | Calculation | Result  | Time to Guess (2.6x10^18/month)
Personal Info: interests, relatives |             | 20      | Manual 5 minutes
Social Engineering                  |             | 1       | Manual 2 minutes
American Dictionary                 |             | 80,000  | < 1 second
4 chars: lower case alpha           | 26^4        | 5x10^5  |
8 chars: lower case alpha           | 26^8        | 2x10^11 |
8 chars: alpha                      | 52^8        | 5x10^13 |
8 chars: alphanumeric               | 62^8        | 2x10^14 | 3.4 min.
8 chars: alphanumeric + 10          | 72^8        | 7x10^14 | 12 min.
8 chars: all keyboard               | 95^8        | 7x10^15 | 2 hours
12 chars: alphanumeric              | 62^12       | 3x10^21 | 96 years
12 chars: alphanumeric + 10         | 72^12       | 2x10^22 | 500 years
12 chars: all keyboard              | 95^12       | 5x10^23 |
16 chars: alphanumeric              | 62^16       | 5x10^28 |
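The "Result" and "Time to Guess" columns of the table come from one formula: the search space is (alphabet size)^(length), and the worst-case guessing time is that space divided by the guessing rate the table assumes, 2.6x10^18 guesses per month. The Python below is an added worked example, not part of the original slides: it recomputes the table's rows and also classifies an arbitrary password into the table's alphabet rows so its worst-case search time can be read off the same way. The 30-day month and the particular ten punctuation symbols behind the "alphanumeric + 10" rows are assumptions; the slide does not state them.

```python
"""Reproduce the password table: search space = alphabet_size ** length, and
worst-case guessing time = search space / guessing rate (added example)."""
import string

GUESSES_PER_MONTH = 2.6e18          # rate assumed by the slide's table
MINUTES_PER_MONTH = 30 * 24 * 60    # assumption: a 30-day month (43,200 minutes)

# Alphabet sizes behind the table's "Calculation" column.
ALPHABETS = {
    "lower case alpha": 26,
    "alpha": 52,
    "alphanumeric": 62,
    "alphanumeric + 10": 72,
    "all keyboard": 95,
}
# The slide does not say which 10 punctuation symbols its "+10" rows mean;
# this set is an assumption used only by classify().
TEN_SYMBOLS = set("!@#$%^&*()")


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive guesser must try in the worst case."""
    return alphabet_size ** length


def minutes_to_exhaust(space: int, rate: float = GUESSES_PER_MONTH) -> float:
    """Minutes needed to try every candidate at `rate` guesses per month."""
    return space / rate * MINUTES_PER_MONTH


def describe(minutes: float) -> str:
    """Round the way the table does: seconds, minutes, hours, or years."""
    if minutes < 1 / 60:
        return "< 1 second"
    if minutes < 60:
        return f"{minutes:.1f} min"
    if minutes < 24 * 60:
        return f"{minutes / 60:.1f} hours"
    return f"{minutes / MINUTES_PER_MONTH / 12:.0f} years"


def classify(password: str) -> str:
    """Smallest alphabet from the table that contains every character used."""
    chars = set(password)
    if any(not 0x20 <= ord(c) <= 0x7E for c in chars):
        raise ValueError("the table only covers the 95 printable ASCII characters")
    alnum = set(string.ascii_letters + string.digits)
    if chars <= set(string.ascii_lowercase):
        return "lower case alpha"
    if chars <= set(string.ascii_letters):
        return "alpha"
    if chars <= alnum:
        return "alphanumeric"
    if chars <= alnum | TEN_SYMBOLS:
        return "alphanumeric + 10"
    return "all keyboard"


def time_to_guess(password: str) -> tuple:
    """(alphabet row, search space, worst-case time) for one password."""
    row = classify(password)
    space = search_space(ALPHABETS[row], len(password))
    return row, space, describe(minutes_to_exhaust(space))


if __name__ == "__main__":
    for row, size in ALPHABETS.items():
        for length in (8, 12, 16):
            space = search_space(size, length)
            print(f"{length:2d} chars, {row:<18} {size}^{length} = {space:.0e}"
                  f"  {describe(minutes_to_exhaust(space))}")
    # Passwords from the "good password" slide later in the deck
    for pw in ("MerryXmas", "M5rryXm1s", "Glad*Jes*Birth", ",rttuc,sd"):
        print(pw, time_to_guess(pw))
```

The table's times were computed from its rounded "Result" column, so this script reports 3.6 min for 62^8 where the table says 3.4 min, and 103 years for 62^12 against the table's 96 years. These are worst-case figures for a guesser with no dictionary and no rule list; the first three rows of the table show why a guess drawn from personal information or a dictionary takes seconds instead of years.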
2010 Stuxnet worm
• Developed by U.S., Israel
• Hit Iranian nuclear power plants
• Damaged nearly 1000 centrifuges, nearly 1/5 of those in service
• Iran attacked American banks, oil companies
INFORMATION WARFARE
Next wars will be computer attacks on power, water, financial systems, military systems, etc.
• Cyberweapons are MUCH cheaper than military
• Cause as much damage
• High priority: protecting utilities, infrastructure

New black market in 0-day attacks.
• Governments pay more than $150,000 per bug
• Govts. include Israel, Britain, India, Russia, Brazil, North Korea, Middle Eastern countries, U.S.
• New hacking firms openly publicize their products

21% of external breaches: state affiliated
• 96% from China
CHINA – IPR THEFT
People's Liberation Army targets manufacturing, research, military aircraft
• NY Times fought off China for 4 months
  ○ Who gave info on P.M. Wen Jiabao?
  ○ 45 mostly-new malware
  ○ Attacked from 8 AM-midnight China time
  ○ Stole all passwords; hacked 53 PCs
• Discussed repeatedly at Presidential level
  ○ China says U.S. guilty (Snowden)
SNOWDEN RELEASES…
NSA has requested/manipulated:
• Water down encryption
• Install backdoors in software
• Collect communication data
Verizon, Google, Yahoo, Microsoft and Facebook were coerced into …?
• Gag orders prevent companies from speaking
• Yahoo/Google: nearly 200 million records, Dec 2012
• Includes email metadata (headers) and content
LAVABIT
Provided secure email services… including to Edward Snowden
• FBI wanted software, private key and passwords for ALL clients
• Ladar Levison: “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
• Effect: buyers wary of products from surveillance-state/info-warfare countries
“The confidence that people have in security is inversely proportional to how much they know about it.” -Roger Johnston

Symptoms:
• Antivirus software detects a problem
• Pop-ups suddenly appear (may sell security software)
• Disk space disappears
• Files or transactions appear that should not be there
• System slows down to a crawl
• Stolen laptop (1 in 10 stolen in laptop lifetime)
• Often not recognized

(Additional) Spyware symptoms:
• Change to your browser homepage/start page
• Searches end up on a strange site
• Firewall turns off automatically
• Lots of network activity while not particularly active
• New icons, programs, favorites which you did not add
• Frequent firewall alerts about unknown programs trying to access the Internet
• Often not recognized

Anti-virus software detects malware and can remove it before damage is done
• Install, keep anti-virus software updated
• Anti-virus is important but limited in capability


Do not open email attachments unless
• you expect the email with attachment
• you trust the sender
Do not click on links in emails unless you are absolutely sure of their validity
Only visit and/or download software from web pages you trust
USE A FIREWALL
[Figure: a firewall between the local network and the Internet, with the traffic types shown: Web Request / Web Response, Email Connect Request / Email Response, SSH Connect Request, DNS Request, Ping Request, FTP Request, Telnet Request, Microsoft NetBIOS Name Service, and packets with an Illegal Source IP Address or Illegal Dest IP Address]
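The figure lists the kinds of traffic a firewall decides about, but not the policy behind the decisions. The Python below is an added example, not code from the original presentation: it evaluates packets against an assumed first-match rule list (allow what the inside opens, refuse Telnet, FTP and NetBIOS from outside, drop everything unmatched) and rejects packets whose source or destination address is illegal before any rule is consulted. The inside network 192.0.2.0/24, the outside addresses and the sample packets are constructed for the example.

```python
"""Added example: a minimal packet filter showing how the traffic types in the
firewall figure are decided under an assumed first-match policy."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE = ipaddress.ip_network("192.0.2.0/24")   # constructed example LAN
# Address ranges that must never appear as the source of an Internet packet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# First match wins; dport None matches any port. Assumed policy, not the slide's.
RULES = [
    ("out", "tcp", 80, "allow"),     # Web Request
    ("out", "tcp", 443, "allow"),    # Web Request (TLS)
    ("out", "udp", 53, "allow"),     # DNS Request
    ("out", "tcp", 25, "allow"),     # Email Connect Request
    ("out", "icmp", None, "allow"),  # Ping Request
    ("in", "tcp", 22, "allow"),      # SSH Connect Request to an inside host (assumed allowed)
    ("in", "tcp", 25, "allow"),      # Email Connect Request to the inside mail server (assumed)
    ("in", "tcp", 23, "deny"),       # Telnet Request
    ("in", "tcp", 21, "deny"),       # FTP Request
    ("in", "udp", 137, "deny"),      # Microsoft NetBIOS Name Service
]


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" (arriving from the Internet) or "out" (leaving the LAN)
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0             # destination port; 0 for icmp
    established: bool = False  # reply to a connection an inside host opened


def illegal_address(pkt: Packet) -> Optional[str]:
    """Spoof and bogon checks; returns a reason, or None when the addresses are sane."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in" and (src in INSIDE or any(src in n for n in BOGONS)):
        return "illegal source IP address"   # outside packet claiming an inside/reserved source
    if pkt.direction == "out" and src not in INSIDE:
        return "illegal source IP address"   # inside host forging a foreign source
    if pkt.direction == "in" and dst not in INSIDE:
        return "illegal dest IP address"     # nothing outside should be routed through us
    if dst.is_loopback or dst.is_multicast or dst.is_unspecified:
        return "illegal dest IP address"
    return None


def filter_packet(pkt: Packet) -> tuple:
    """Return (action, reason) for one packet under the policy above."""
    reason = illegal_address(pkt)
    if reason:
        return "deny", reason
    if pkt.direction == "in" and pkt.established:
        return "allow", "response to a connection opened from inside"
    for direction, proto, dport, action in RULES:
        if (direction, proto) == (pkt.direction, pkt.proto) and dport in (None, pkt.dport):
            return action, f"rule {direction} {proto}/{'any' if dport is None else dport}"
    return "deny", "no matching rule (default deny)"


# Constructed sample traffic mirroring the figure's labels.
SAMPLES = {
    "web request":      Packet("out", "tcp", "192.0.2.10", "203.0.113.7", 80),
    "web response":     Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 49152, established=True),
    "telnet request":   Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 23),
    "netbios, spoofed": Packet("in", "udp", "192.168.1.5", "192.0.2.10", 137),
    "illegal dest":     Packet("in", "tcp", "203.0.113.7", "198.51.100.4", 22),
    "forged source":    Packet("out", "tcp", "10.0.0.5", "203.0.113.7", 80),
    "unknown udp":      Packet("in", "udp", "203.0.113.7", "192.0.2.10", 5000),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        action, why = filter_packet(pkt)
        print(f"{label:<18} {action:<5} {why}")
```

The order of the checks is the point: address sanity first, then replies to connections the inside opened, then the explicit rule list, and a default deny for anything the list does not name. A real firewall tracks connection state itself rather than trusting an `established` flag on the packet; the flag here stands in for that state table.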



Microsoft regularly issues updates to fix security problems
Windows Update should automatically install updates.
Avoid logging in as administrator
Bad password: Merry Christmas
Transformations that turn it into a good password:
• (Lengthen) MerryChrisToYou → (Abbreviate) MerChr2You → mErcHr2yOu
• (Synonym) Glad*Jes*Birth
• (Synonym) MerryJul → MaryJul → Mary*Jul
• (Abbreviate) Merry Xmas → (convert vowels to numeric) M5rryXm1s
• (Intertwine letters of Merry and Xmas) MXemrarsy
• (Keypad shift right) Merry Xmas → ,rttuc,sd
• (Keypad shift up) MerryXmas → J3446sjqw
Other techniques:
• Combine 2 unrelated words: Mail + phone = m@!lf0n3
• Abbreviate a phrase: My favorite color is blue = Mfciblue
• Music lyric: "Deck the halls with boughs of holly, Fa la la la la la la la la la" = Dthwboh,F9xl
Password Recommendations                       | PCI DSS vers. 3 [PCIv3] | CIS Microsoft Windows 8 [CIS8]
Password length                                | 7 characters            | 14 characters
Account lockout threshold                      | 6 invalid attempts      | 5 invalid attempts
Account lockout duration (clears lockout counter) | 30 minutes           | 15 minutes
Screen saver time-out                          | 15 minutes              | 15 minutes
Max. password age                              | 90 days                 | 60 days
Min. password age                              | Not specified           | 1 day
Password history retention                     | 4                       | 24
Password complexity requirements               | Numeric and alphabetic  | 3 of 4: uppercase alpha, lowercase alpha, numeric, punctuation
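The two columns differ in more than the numbers: the PCI complexity rule asks for digits plus letters, the CIS rule for three of four character classes, and a lockout threshold only bites if the bad-attempt counter is not cleared by a quiet period first. The Python below is an added example, not code from the original presentation or from either standard: it encodes the length, complexity and lockout rows of both columns and replays sequences of login attempts to show when each policy locks an account and when it does not (the password age and history rows are left out). The sample passwords and attempt timings are constructed.

```python
"""Added example: check passwords against the table's length/complexity rows
and simulate the lockout threshold, duration and counter-reset rows."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    lockout_threshold: int            # invalid attempts before the account locks
    lockout_duration_min: int         # minutes the account stays locked
    counter_reset_min: Optional[int]  # quiet minutes that clear the bad-attempt counter (None: never)
    complexity: str                   # "numeric and alphabetic" or "3 of 4"


PCI_V3 = Policy("PCI DSS v3", 7, 6, 30, None, "numeric and alphabetic")
CIS_WIN8 = Policy("CIS Windows 8", 14, 5, 15, 15, "3 of 4")
# Same CIS settings with the counter-reset row removed, to show what that row buys.
CIS_NO_RESET = replace(CIS_WIN8, name="CIS without reset", counter_reset_min=None)


def meets_complexity(password: str, policy: Policy) -> bool:
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "numeric": any(c.isdigit() for c in password),
        "punctuation": any(not c.isalnum() for c in password),
    }
    if policy.complexity == "numeric and alphabetic":
        return classes["numeric"] and (classes["upper"] or classes["lower"])
    if policy.complexity == "3 of 4":
        return sum(classes.values()) >= 3
    raise ValueError(f"unknown complexity rule {policy.complexity!r}")


def check_password(password: str, policy: Policy) -> List[str]:
    """Return the rows the password violates; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not meets_complexity(password, policy):
        problems.append(f"does not satisfy '{policy.complexity}'")
    return problems


class Account:
    """Lockout state machine for one account under one policy."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.bad_attempts = 0
        self.last_bad_at: Optional[int] = None
        self.locked_until: Optional[int] = None

    def attempt(self, now_min: int, correct: bool) -> str:
        """'ok', 'denied' (wrong password) or 'locked' for an attempt at minute now_min."""
        if self.locked_until is not None:
            if now_min < self.locked_until:
                return "locked"                # even the right password is refused while locked
            self.locked_until, self.bad_attempts = None, 0
        reset = self.policy.counter_reset_min
        if reset is not None and self.last_bad_at is not None and now_min - self.last_bad_at >= reset:
            self.bad_attempts = 0              # the "clears lockout counter" row
        if correct:
            self.bad_attempts = 0
            return "ok"
        self.bad_attempts += 1
        self.last_bad_at = now_min
        if self.bad_attempts >= self.policy.lockout_threshold:
            self.locked_until = now_min + self.policy.lockout_duration_min
            return "locked"
        return "denied"


def replay(policy: Policy, attempts) -> List[str]:
    """Run (minute, correct) attempts through a fresh account and collect outcomes."""
    acct = Account(policy)
    return [acct.attempt(t, ok) for t, ok in attempts]


# Constructed scenarios. SCENARIO: five wrong guesses a minute apart, the real
# password at minutes 10 and 20, then one wrong guess much later.
SCENARIO = [(0, False), (1, False), (2, False), (3, False), (4, False),
            (10, True), (20, True), (60, False)]
# QUIET_SCENARIO: four wrong guesses, a long pause, then two more wrong guesses.
QUIET_SCENARIO = [(0, False), (1, False), (2, False), (3, False), (30, False), (31, False)]

if __name__ == "__main__":
    for pw in ("M5rryXm1s", "Glad*Jes*Birth"):
        for pol in (PCI_V3, CIS_WIN8):
            print(f"{pw:<15} {pol.name:<18} {check_password(pw, pol) or 'compliant'}")
    for pol in (PCI_V3, CIS_WIN8):
        print(pol.name, replay(pol, SCENARIO))
    for pol in (CIS_WIN8, CIS_NO_RESET):
        print(pol.name, replay(pol, QUIET_SCENARIO))
```

Two of the slide's own passwords show the tension between the columns: M5rryXm1s satisfies PCI but is too short for CIS, while Glad*Jes*Birth satisfies CIS but has no digit for PCI. The quiet-period replay shows the trade-off in the counter-reset row: clearing the counter after 15 idle minutes avoids locking out a forgetful user, at the price of tolerating a slow guesser who spaces attempts further apart than the reset window.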



• Always use a secure browser to do online purchasing
• Never use a Debit card on-line.
• Frequently delete temp files, cookies, history, saved passwords etc.
• https:// (symbol showing enhanced security)
Disappearing info: malware, ransomware, disk failure, …
• What information is important to you?
• Is your back-up:
  ○ Recent?
  ○ Off-site & Secure?
  ○ Process Documented?
  ○ Tested?
  ○ Encrypted?

Restricted data includes:
• Social Security Number
• Driver's license # or state ID #
• Financial account number (credit/debit) and access code/password
• DNA profile (Statute 939.74)
• Biometric data
In the US, HIPAA protects:
• Health status, treatment, or payment

Thanks to:
UW Parkside: Sabbatical
Keep Safe!