Security Awareness - Network Security Office


Security Awareness:
Security Tips for Protecting Ourselves Online
Wednesday, February 10th, 2010
Brian Allen
[email protected]
Network Security Analyst,
Washington University in St. Louis
http://nso.wustl.edu/presentations/
Let’s Talk About…
• Zeus (And Other Bots That Steal Money)
• Home Wireless Router Security
• Facebook/Social Network Security
• Password Security
• AV Products
• Laptop Security
• Browsing with Firefox Add-ons
• Online Banking
Three Notable Zeus Attacks in the Past Year
• Bullitt County, Kentucky: July 2009, $415,000 stolen
  http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html
  http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html
• Western Beaver School District, PA: January 2009, $219,000 stolen
  http://www.courier-journal.com/blogs/bullitt/2009/07/bullitt-not-alone-in-online-thefts.html
• Duanesburg Central School District, NY: January 2010, $3 million stolen
  http://www.duanesburg.org/news/0910/cybercrime.htm
How Zeus Works
1. Hackers send phishing emails with a link that downloads the Zeus bot
   onto the victim’s computer
2. The Zeus bot has a keylogger which captures the victim’s bank
   credentials
3. The criminal logs in to the bank's website using that information
   and transfers money to the "Customer Service Specialist", AKA the
   money mule
4. The mule then receives instructions on how to wire the money
   internationally, keeping a generous commission (money stolen from
   someone else's bank account!) for themselves
Zeus Facts
• 3.6 million bots in the US as of September 2009
  http://www.networkworld.com/news/2009/072209-botnets.html
• 55% of Zeus-infected computers had up-to-date AV at the time of
  infection; current AV is not enough
  http://www.trusteer.com/files/Zeus_and_Antivirus.pdf
• Sold on the underground economy and used by criminal organizations
What Can Zeus Do?
• Most of the time a keylogger is activated
• Inject extra fields into a web form (a bank login page, for example)
  to ask for additional information:
  • card numbers, PINs, SSNs, answers to security questions, etc.
• Real-time screenshots can be taken from infected machines
• It can “phone home” and update itself
ZEUS Website/Phish Examples
#1 Way To Prevent Infection
• Do not click on suspicious links and attachments in emails
• If you have questions about a particular email, ask before you click
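What makes a link "suspicious" can be checked mechanically. The script below is an added example for this transcript, not code from the presentation: it pulls the anchors out of a constructed HTML e-mail body and flags the tricks seen in the Zeus phish examples above. The trusted domain `bank.example`, the sample mail, and the flagged patterns (visible text naming a different site than the href, raw IP hosts, a brand name buried inside another domain, punycode labels) are assumptions for the demo; it uses only the Python standard library.

```python
"""Spotting the link tricks used in Zeus-style phishing mail.

Added example for this transcript, not code from the presentation. It parses
the anchors in a constructed HTML mail body and flags: visible text that
names one site while the href goes to another, raw IP-address hosts, a
trusted brand name buried inside an untrusted domain, and punycode labels.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domain the user actually banks at. Anything else is untrusted.
TRUSTED_HOSTS = {"bank.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, also for bare 'www.site.example/path' strings."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Last two labels of a host (crude: no public-suffix list, fine for a demo)."""
    return ".".join(host.split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons a link looks like a phish (empty list if clean)."""
    reasons = []
    host = host_of(href)
    if not host:
        return reasons
    if is_ip(host):
        reasons.append("href host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (xn--) label in host")
    # The classic trick: the text reads like your bank's URL, the href goes elsewhere.
    if "." in text and " " not in text:
        shown = host_of(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"link text shows {shown} but href goes to {host}")
    # Brand name used as a subdomain or inside a label of some other domain.
    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[0]
        if brand in host and registrable(host) not in TRUSTED_HOSTS:
            reasons.append(f"{brand!r} appears inside untrusted domain {host}")
    return reasons


def suspicious_links(html):
    """Map each suspicious href in the mail body to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample mail (192.0.2.0/24 is the documentation address range).
SAMPLE_MAIL = """<p>Dear customer, please confirm your account details:</p>
<a href="http://bank.example.verify-login.net/secure">http://www.bank.example/secure</a><br>
<a href="http://192.0.2.10/update/setup.exe">Download the security update</a><br>
<a href="https://www.bank.example/help">Help center</a>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_MAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it reports the first two links and passes the third; the heuristics are deliberately simple and will produce false positives on legitimate third-party domains that contain the brand name, which is the right trade-off for a "stop and ask first" check.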
Tokens Are Not Perfect
• Zeus can create a direct connection between the infected
computer and the attacker’s, allowing the bad guys to log in to
the victim's bank account using the victim's own Internet
connection.
• Many online banks will check to see whether the customer's
Internet address is coming from a location already associated
with the customer's user name and password, or at least from
a geographic location that is close to where the customer
lives. By connecting through the victim's PC or Internet
connection, the bad guys can avoid raising any suspicions.
Requiring Two People is not Perfect
• The attackers somehow got the Zeus Trojan on the county treasurer's PC, and
  used it to steal the username and password the treasurer needed to access
  e-mail and the county's bank account.
• The attackers then logged into the county's bank account by tunneling through
  the treasurer's Internet connection.
• Once logged in, the criminals changed the judge's password, as well as the
  e-mail address tied to the judge's account, so that any future notifications
  about one-time passphrases would be sent to an e-mail address the attackers
  controlled.
• They then created several fictitious employees of the county (these were the
  25 real-life co-conspirators hired by the attackers to receive the stolen
  funds), and created a batch of wire transfers to those individuals to be
  approved.
• The crooks then logged into the county's bank account using the judge's
  credentials and a computer outside of the state of Kentucky. When the bank's
  security system failed to recognize the profile of the PC, the bank sent an
  e-mail with the challenge passphrase to an e-mail address the attackers
  controlled.
• The attackers then retrieved the passphrase from the e-mail, and logged in
  again with the judge's new credentials and the one-time passphrase. Once
  logged in, the crooks were able to approve the batch of wire transfers.
Note the NY Attack Started on a Friday
• On Friday, Dec. 18, an unauthorized electronic transfer of $1,862,400
  was made from a Duanesburg Central School District NBT Bank account to
  an overseas bank.
Letter Sent Out After NY Attack
http://www.duanesburg.org/news/0910/communityltr010510.pd
January 5, 2010
Dear Parents and Community Members,
The Duanesburg Central School District announced today that it is working closely with the Federal Bureau
of Investigation and New York State Police to investigate unauthorized electronic transfers of school district
funds from its NBT Bank account. The district first learned of the fraudulent activity on Tuesday, Dec. 22,
when contacted by an NBT bank representative, questioning the validity of a request for an electronic
transfer of funds to multiple overseas accounts that day. Upon confirming with the district that the transfer
was not authorized, the bank immediately cancelled the pending transaction, which totaled approximately
$759,000. After further review, it was discovered that an additional $3 million in unauthorized electronic
transfers to various overseas banks had already been executed over the previous two business days,
between December 18-21. Both district officials and the bank immediately contacted the FBI, which opened
an investigation along with state police.
To date, $2.5 million of the stolen funds have been recovered by NBT Bank, working with several overseas
financial institutions.
Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the
money has been recovered. However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are
committed to doing everything in our power to recover the remaining funds.
To prevent any district bank accounts from being further compromised, the district closed all of its bank
accounts and established new ones with restricted online access. The district is cooperating fully with the
ongoing investigation by the FBI and New York State Police. Additional details may be found on the district
Web site at www.duanesburg.org. As soon as more information becomes available, it will be posted on the
Web site.
Sincerely,
Christine Crowley
Superintendent
Questions So Far?
Facebook Privacy Settings
Twitter Users Are Targets Too
Twitter Phish 1 of 2
Twitter Phish 2 of 2
Password Topics
Parents’ Password Cracked On First Try
The Onion News Feb 27, 2002
• REDONDO BEACH, CA – Nick Berrigan, 14,
successfully hacked into his parents’ AOL account on
the first try Tuesday, correctly guessing that “Digby”
was their password. “They actually used the dog’s
name,” said Berrigan, deactivating the parental
controls on his AOL account.
• Experts advise parents to secure Internet accounts
with any password besides the name of a family pet
Free Password Managers
1. Password Safe: www.schneier.com/passsafe.html
   – Bruce Schneier’s project
2. KeePass: keepass.info
3. LastPass: lastpass.com
   – Firefox plugin
4. Mac Keychain
5. PassPack: www.passpack.com
   – An online password manager
Commercial Password Managers
● 1Password - 1passwd.com
  ● Keeps track of all web passwords, automates sign-in, guards from
    identity theft for $39.95
● Roboform - www.roboform.com
  ● $29.95 for the Professional version
Some Key Threats to Passwords
● Brute force or dictionary attacks
● Keystroke loggers
● Social engineering/phishing
Three KeePass Features
1. Require two factor authentication to access your KeePass database
2. Drag and drop usernames and passwords into forms
3. Auto-type usernames and passwords into forms – a bit advanced
KeePass – Opening the Database
KeePass – The Main Interface
KeePass – Individual Entry
Drag & Drop
Some Solutions
● You really need two factor authentication to protect the password
  database
● Don't trust any machine other than your own to enter a password that
  protects anything sensitive
● Using a machine you don’t trust? Carry a Live CD of your favorite
  version of Linux and boot off that
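The "two factor authentication to protect the password database" from the KeePass features slide and from the bullet above means a master password (something you know) plus a key file (something you have). The code below is an added example for this transcript, not KeePass's own code: it follows the general shape of a composite key (hash each factor, hash the concatenation, then stretch the result before it can unlock anything) and shows why a keylogged master password alone does not open the database. It is a simplification: the stretching step is PBKDF2-HMAC-SHA256 from the Python standard library rather than KeePass's AES-KDF or Argon2, the "database" is reduced to a salt plus a verifier tag, and the round count is an assumption chosen for the demo.

```python
"""Two factors guarding a password database: master password + key file.

Added example for this transcript, not KeePass's own code. Simplified:
PBKDF2-HMAC-SHA256 stands in for KeePass's AES-KDF/Argon2, and the
"database" is just the unlock material (salt + verifier) a header would carry.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

ROUNDS = 100_000  # assumption: enough that each password guess costs real CPU time


def composite_key(master_password: str, key_file: Optional[bytes]) -> bytes:
    """Combine the factors. Without the key file the result is a different
    key, so a keylogged master password on its own does not open the database."""
    parts = [hashlib.sha256(master_password.encode("utf-8")).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def derive_db_key(composite: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Stretch the composite key so brute force costs `rounds` hashes per guess."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds)


def make_key_file() -> bytes:
    """A fresh random key file; keep it on a USB stick, not beside the database."""
    return secrets.token_bytes(32)


def create_database(master_password: str, key_file: Optional[bytes]) -> dict:
    """Return the unlock material: a random salt and a verifier tag computed
    from the stretched key (enough to check a key, no stored secret)."""
    salt = os.urandom(16)
    key = derive_db_key(composite_key(master_password, key_file), salt)
    verifier = hmac.new(key, b"database-verifier", "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(db: dict, master_password: str, key_file: Optional[bytes]) -> bool:
    """True only when both factors reproduce the stored verifier."""
    key = derive_db_key(composite_key(master_password, key_file), db["salt"])
    tag = hmac.new(key, b"database-verifier", "sha256").digest()
    return hmac.compare_digest(tag, db["verifier"])


if __name__ == "__main__":
    key_file = make_key_file()
    db = create_database("correct horse battery staple", key_file)
    print("password + key file:", unlock(db, "correct horse battery staple", key_file))
    print("password only      :", unlock(db, "correct horse battery staple", None))
    print("wrong password     :", unlock(db, "Digby", key_file))
```

The verifier lets anyone holding the file mount an offline guessing attack, which is exactly why the stretching rounds and the second factor matter: the key file's 256 random bits are not guessable, so a keylogger on a borrowed machine captures only half of what is needed.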
Long Password Expirations Can Be Good
1. Prevention of brute force password theft primarily comes from having
   strong passwords, not from regularly changed passwords
2. Strong passwords are more likely to be remembered if they are not
   changed often
Extra Long Password Expirations Could Be Bad
● We assume users will share their passwords:
  ● with students
  ● with staff
  ● with friends
  ● with family, etc.
● Putting a ceiling on the life of a password will keep these from
  lasting forever
Antivirus
• I look for:
  – the fastest
  – ones that update themselves automatically
  – an easy-to-use interface
• Symantec Endpoint
• AVG = http://free.avg.com
• AntiVir = http://www.free-av.com
• Avast = http://www.avast.com
Symantec Endpoint (Symantec 11)
From CNET.com Editor Reviews
AVG Popularity:
* Total downloads 227,792,675
* Downloads last week 1,737,919
AntiVir Popularity:
* Total downloads 61,994,231
* Downloads last week 905,902
Avast Popularity:
* Total downloads 60,978,532
* Downloads last week 737,028
AVG Interface
AVG Will Check Every Email
Avira Interface
AVAST Interface
Home Wireless Router Tips
• Change the default password
• Firewall is on by default (check that it is still on)
• WPA2, not WPA or WEP
• MAC address filtering (a speed bump only: anyone who can see the
  traffic can copy an allowed address)
• Leave SSID broadcast on (hiding it adds no real protection)
• No personal info in the SSID, like Smith_Family
Change The Default Password
Firewall Is On By Default
WPA2
MAC Address Filtering
Laptop Tracking
Software/Encryption
Key Questions to Consider
• How hard is it to disable or remove the software?
• Who will have access to the collected data?
– A department?
– The company?
– Individuals?
• What type of data is collected?
• How many laptops are lost or stolen every year?
LoJack Pros
• Very difficult to disable
• Asset tracking
• The company, only with the user’s permission
can log in to:
– Take pictures
– Erase the hard drive
• Will work with police to recover the laptop
LoJack BIOS Compatibility
Asus, Dell, Gammatech, Getac, Gateway, General Dynamics, HP, Fujitsu,
Lenovo (IBM ThinkPad), Motion Computing, Panasonic, Toshiba
LoJack Cons
• BIOS compatibility does not include Macintosh
  – 40% of student machines are Macs
• Most expensive option - $49 per laptop
• The company can get access into laptops, although it is only to be
  initiated by the owner after the laptop is reported stolen
Laptop/USB Encryption
• USB Hardware Encryption – IronKey $$$
• Laptop/USB Encryption – TrueCrypt (Free!)
Firefox Add-on: Adblock Plus
The Top Firefox Add-on (By Far)
Without AdBlock Plus
With AdBlock Plus
Online Banking Tips
• Never type your bank’s URL into a browser by hand (a typo can land
  you on a lookalike site)
• Never click on a URL in an email that looks like your bank’s
• Always let Google find it for you
  – The real site should be the first link
MINT.COM - Discussion
Trends, Transactions, Etc.
Is It Safe?
• They Say:
– Mint does not require any personally identifiable
information
– Sensitive numbers are not sent to or stored by
Mint.com
– Mint provides a strictly “read only” view of your
transaction information
– VeriSign Security Seal
Thank You!
Brian Allen
[email protected]
http://nso.wustl.edu