Computer Security, Vulnerabilities, and Privacy 2001


Bob Koepke
Network Security Manager - Electronic Systems
Raytheon Company
February 2001
February 2001
Bob Koepke
2
Approaching the Risk
Your goal should be…
• Risk Management
• NOT: Risk avoidance
Education as a Defense
• Many exploits are not very technical
• Memorizing “Chapter & Verse” generic technical guidelines:
- Is not enough to defend against threats
- Will keep you constantly behind the threat “power curve”
• You must learn:
- To spot new vulnerabilities
- To change your mode of thinking
Internet “Consumer Services”
ISPs, websites, e-mail, anonymizers, online stores,
gambling / pornography sites, etc.
• Service Privacy Policy
(look for one, but don’t trust it blindly)
• Cookies – there are worse things on the net
(http://www.cookiecentral.com)
• “Free” Services:
- ISP
- E-Mail
- Web Space
- Free Long Distance Services Via the Internet
• Encryption – for sensitive personal information
(But what do they do with the information once they have it?)
Amazon.com Consumer Data
Privacy Statement Excerpt:
“Business Transfers: As we continue to
develop our business, we might sell or buy
stores or assets. In such transactions,
customer information generally is one of the
transferred business assets. Also, in the
unlikely event that Amazon.com, Inc., or
substantially all of its assets are acquired,
customer information will of course be one
of the transferred assets.”
Internet Transaction Security
• Data passing via encrypted paths normally does not carry significant risk.
• What happens to the data at and past the destination can be a risk.
• The human factor is usually a greater risk than the technology factor.
Risk Levels for Encrypted
Internet Transactions
Website Visitor Tracking
(not all-inclusive)
• Your IP address (ISP, city, state, employer, etc.)
• Browser info: O/S, Version, Screen Size, Preference Settings, etc.
• Cookies (read & written)
• Locations that you visit on their website
• The website where you came from prior to their website
(aka: referrer site)
• Number of web pages visited prior
• Plug-ins installed (midi, ShockWave, RealPlayer, etc.)
• Limited hardware configuration (e.g., soundcard)
• Anything else you might have volunteered!
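Several of the items above (IP address, referrer site, pages visited, browser and O/S) are recorded in an ordinary web-server access log without any cookie or script at all. The following is an added example, not part of the original slides: it parses the Apache/nginx "combined" log format and rebuilds a per-visitor profile from it. The log lines are constructed sample data using reserved documentation addresses and fictional hostnames.

```python
"""Reconstruct a visitor profile from web-server access logs.

Added example (not from the slides). Parses the Apache/nginx "combined"
log format, which records the visitor's IP address, the referrer (where
they came from), each page requested, and the browser/OS string.
SAMPLE_LOG is constructed data (RFC 5737 documentation addresses,
fictional hosts), not real traffic.
"""
import re
from urllib.parse import urlsplit

# Combined Log Format:
#   ip ident user [time] "request" status bytes "referrer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: one visitor arriving from a search site and
# clicking through two pages, one visitor with no referrer at all.
SAMPLE_LOG = """\
198.51.100.23 - - [12/Feb/2001:10:15:32 -0500] "GET /products/index.html HTTP/1.1" 200 5120 "http://search.example.net/results?q=firewall" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
198.51.100.23 - - [12/Feb/2001:10:15:40 -0500] "GET /products/firewall.html HTTP/1.1" 200 8192 "http://www.example.com/products/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
203.0.113.7 - - [12/Feb/2001:10:16:01 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.76 [en] (X11; U; Linux 2.2.16 i686)"
"""


def os_hint(agent):
    """Crude operating-system guess from the User-Agent header."""
    for marker, name in (("Windows", "Windows"), ("Linux", "Linux"), ("Mac", "Mac OS")):
        if marker in agent:
            return name
    return "unknown"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    # "-" means the browser sent no Referer header.
    rec["referrer_host"] = urlsplit(rec["referrer"]).hostname if rec["referrer"] != "-" else None
    rec["os"] = os_hint(rec["agent"])
    return rec


def visitor_profiles(log_text, site_host):
    """Group records by client IP: pages viewed, OS, and the off-site referrer that sent them here."""
    profiles = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles.setdefault(rec["ip"], {"pages": [], "os": rec["os"], "arrived_from": None})
        p["pages"].append(rec["path"])
        ref = rec["referrer_host"]
        if p["arrived_from"] is None and ref not in (None, site_host):
            p["arrived_from"] = ref  # first referrer outside our own site
    return profiles


if __name__ == "__main__":
    for ip, p in visitor_profiles(SAMPLE_LOG, "www.example.com").items():
        print(ip, p["os"], "from:", p["arrived_from"], "pages:", p["pages"])
```

Running it shows that the first visitor arrived from search.example.net, runs Windows, and viewed two product pages, all inferred from fields the browser sends with every request; this is why the slide's list is not all-inclusive.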
Home Computers
• DSL, Cable Modem, or Dialup
(always on + higher speed connection = more risk)
• Antivirus software installed & current?
• Firewall installed, current, and configured?
- BlackIce (www.networkice.com) - $40 (/year)
- ZoneAlarm (www.zonelabs.com) – free*
- Hardware firewall
• Latest O/S Patches (e.g., http://www.microsoft.com)
Internet Connectivity
Port Scans & Probes
SubSeven Trojan Query
(http://subseven.slak.org)
Back-Orifice Trojan Query
This is from a DIAL-UP connection !!!
Home Network
The BLUETOOTH trademarks are owned by
Telefonaktiebolaget L M Ericsson, Sweden
• Effortless instant wireless connections between various electronic devices. Range = 10 meters.
• Desktop Computers, Laptop Computers, Printers, Cameras, Cell phones, PDAs, Pagers …
• Cost to implement BlueTooth in a product is low
• Security risk is high, especially in classified areas
• You may not be able to tell if a device has the Bluetooth chip!
• OEM computer equipment companies may not know their products have Bluetooth capabilities!
• There’s no easy security solution!
Bluetooth’s FAQ on Security
“Are transmissions secure in a business and
home environment?”
“Bluetooth wireless technology has built-in
sufficient encryption and authentication and is
thus very secure in any environment. In
addition a frequency-hopping scheme with
1600 hops/sec is employed. All of this, together
with an automatic output power adaption to
reduce the range exactly to requirement, makes
the system extremely difficult to eavesdrop.”
Bluetooth Module
Reference: http://www.bluetooth.com
Know Your Adversary
9 Hacker/Perpetrator Subtypes
(derived from Infosecurity Magazine July 2000)
• EXPLORERS:
Curious individuals who commit
violations in the process of learning,
generally without malicious intent,
unaware they are violating company
policies or laws
• SAMARITANS:
Individuals who ignore policies or
laws to hack into systems to fix
problems or accomplish assignments,
believing their efforts to be more
efficient than following laws or
approved procedures
• HACKERS (Black Hat) / CRACKERS:
Individuals who have a prior history of
unauthorized system penetration
• GOLDEN PARACHUTERS:
Individuals that install logic bombs or
other devices to serve as job insurance.
(They defuse the logic bombs in
exchange for severance considerations)
• MACHIAVELLIANS:
Individuals that engage in acts of
sabotage, espionage or other
malicious activity to advance their
own agenda
• EXCEPTIONS:
“Entitled” individuals who feel they
are special and deserving of special
recognition, because of their self-perceived
talents or suffering, believe
themselves above the rules or law
• PROPRIETORS:
Act as though they “own” the system
they are entrusted with and will do
anything to protect their control and
power over this territory
• AVENGERS:
Classic disgruntled individuals, who
act out of revenge for perceived
wrongs done to themselves
• CAREER THIEVES:
Individuals who penetrate systems
solely to commit theft, fraud,
embezzlement or other illegal acts
It is estimated that 80%
of the security threat is from
“insiders”
Advice (all are important!)
• Do not provide your full and/or real personal information …
• Get Hotmail (or similar) account(s) for untrusted sources
• Do not respond to unsolicited e-mail
• Do not post to Internet newsgroups with your real e-mail address or name.
• Update your antivirus software at least weekly! Scan regularly!
• Get firewall software on your home PC(s). Keep it updated & tight!
• Download files & programs only from known trusted sources
Advice (continued)
• Do not share passwords or PINs between accounts.
• Dialup ISPs anonymously (*67)
• On-Line Credit Card Use:
1. Encrypted Session & Encryption Certificate Valid For That Merchant
2. Known & Trusted Web Sites Only
• Be careful of “typo look-alike” sites !!!
• Do not use your work computer for anything you want to keep private
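A "known and trusted sites only" rule can be checked mechanically before a card number is typed in. The following is an added example, not from the slides: it compares the site's registrable domain against a short list of trusted merchants and flags near misses, both plain typos (small edit distance) and visual substitutions such as a zero for an "o" or "rn" for "m". The trusted list reuses two domains named on the slides; the hostnames in the usage section are constructed for the demonstration.

```python
"""Flag look-alike hostnames before trusting a site with a credit card.

Added example, not from the slides. Classifies a hostname as
TRUSTED (exact match with a trusted merchant domain), LOOKALIKE (matches
after undoing common character substitutions, or within a small edit
distance of a trusted domain) or UNKNOWN. TRUSTED lists two domains that
appear on the slides; every other hostname here is constructed.
"""

TRUSTED = ["amazon.com", "verisign.com"]

# Common visual/typing substitutions, applied longest-first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def registrable_domain(host):
    """Last two labels of the host (simplification: ignores multi-part suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain):
    """Undo the substitutions in CONFUSABLES so 'amaz0n' compares as 'amazon'."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED, max_distance=2):
    """Return (verdict, matched_trusted_domain_or_None)."""
    domain = registrable_domain(host)
    if domain in trusted:
        return "TRUSTED", domain
    norm = normalize(domain)
    best = None
    for t in trusted:
        d = edit_distance(norm, t)
        if best is None or d < best[0]:
            best = (d, t)
    if best is not None and best[0] <= max_distance:
        return "LOOKALIKE", best[1]
    return "UNKNOWN", None


if __name__ == "__main__":
    for h in ("www.amazon.com", "www.amaz0n.com", "arnazon.com", "amazom.com", "example.org"):
        print(h, "->", classify_host(h))
```

The check deliberately errs on the side of warning: a legitimate domain that happens to be an edit or two away from a trusted one will also be reported as LOOKALIKE, which is the right failure mode when the next step is entering a card number.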
Advice (continued)
• Do not keep your computer “live on the net” when not in use
• Keep your home phone number unlisted with a strict need-to-know
(Avoid giving it to ANY businesses online or in-person !)
• Make certain your business has a proxying firewall with NO ports open
• Make certain your business uses strong dialup authentication
Strong vs. Weak Authentication
(WHAT’S THE DIFFERENCE?)
[Diagram, labels recovered from the slide: ATM CARD + PIN; ACCOUNT NUMBER & PIN; USER ID & PASSWORD; [token image] + PIN; each leading to ACCESS]
Strong Authentication - (Businesses)
• A.k.a.: Two-factor Authentication
• Something you have + Something you know
• One Time Passwords
http://www.rsasecurity.com/products/securid
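What "something you have + something you know" looks like on the server side, as an added example that is not code from the slides or from the SecurID product linked above (SecurID uses its own proprietary token algorithm). The one-time password here is HOTP from RFC 4226: HMAC-SHA1 over a counter, truncated to six digits. The token secret is the published RFC 4226 test-vector key and the PIN is a constructed sample value; neither is a real credential.

```python
"""Two-factor check: a one-time password from a token (something you have)
plus a PIN (something you know).

Added example, not from the slides or the vendor linked there. The OTP is
HOTP (RFC 4226). RFC4226_KEY is the RFC's published test-vector key and the
PIN used below is a constructed sample value.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for this secret and counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble picks the 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted slow hash so a stolen account table does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenAccount:
    """Server-side record for one user: token secret, salted PIN hash, next expected counter."""

    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret = secret
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.counter = 0      # next counter value the server will accept
        self.window = window  # how far ahead the token may have drifted

    def verify(self, pin: str, code: str) -> bool:
        """Both factors must check out; a used counter value is never accepted again."""
        if not hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash):
            return False  # wrong PIN: do not even look at the OTP
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # advance past the used value: blocks replay
                return True
        return False


RFC4226_KEY = b"12345678901234567890"  # published test-vector key, not a real secret

if __name__ == "__main__":
    acct = TokenAccount(RFC4226_KEY, pin="2468")
    first = hotp(RFC4226_KEY, 0)            # 755224 per RFC 4226 Appendix D
    print(first, acct.verify("2468", first))  # True: right PIN, fresh OTP
    print(acct.verify("2468", first))         # False: same OTP replayed
    print(acct.verify("0000", hotp(RFC4226_KEY, 1)))  # False: right OTP, wrong PIN
```

The counter advance after a successful check is what makes the password "one time": a captured code is worthless once used, which is the property a reusable user ID and password lacks.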
Web Site Security SSL Certificate
• Proof of Identity
• Proof of Point-To-Point Encryption
• More info on SSL: http://www.verisign.com
Privacy Compromised for Profit
• Recently some online data-gathering companies will pay you to give up your private information.
• They rationalize that most of your privacy is gone anyway, so why not give up the rest for a small fee? !!!!
• Example: http://www.zimtu.com
Web Educational Resources
• http://www.cert.org
• https://infosec.navy.mil
• http://www.privacy.net
• http://www.somarsoft.com
• http://www.2600.com
• http://www.atstake.com
(formerly www.l0pht.com / L0pht Heavy Industries)
• http://www.securitysoftwaretech.com
L0phtCrack
• $100/node-locked license (15 day trial-ware)
• NT Password Sniffer & Cracker combined in one user-friendly package.
• An example company had a policy requiring passwords longer than 8 characters, with at least one upper case character plus a numeric or symbol character.
• L0phtCrack cracked 90% of the passwords in under 48 hours on a Pentium II/300.
• 18% of the passwords were cracked in under 10 minutes.
• The Administrator and most of the Domain Admin passwords were cracked.
Hardcopy Educational Resources
• Hacking Exposed: Network Security Secrets and Solutions, by George Kurtz
• Secrets and Lies: Digital Security in a Networked World, by Bruce Schneier
• Digital Evidence and Computer Crime, by Eoghan Casey
• 2600 Magazine
Last Pieces of Advice:
• There is no 100% perfect solution…
• Technology changes…
• What’s safe today may not be safe tomorrow…
• Don’t give up…
• Use a good plan of risk management
Know Your Adversary !!!
EDUCATE YOURSELF !!!
Sleep well !