Andy Malone, MVP, MCT
CEO / Trainer / Consultant
Quality Training (Scotland) Ltd & Dive Deeper Technology Events EMEA
Session SIA330
The Disclaimer!
In attending this session you agree that any software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk. Microsoft Corporation, Quality Training (Scotland) Ltd, Dive Deeper Technology Events EMEA and the other third-party vendors whose software is demonstrated as part of this session are not responsible for any subsequent loss or damage whatsoever... You have been warned!

This Session Covers!
• The Top 10 security nightmares
• Covert information gathering techniques
• How it's done! - identity theft
• Tools the bad guys use
• Hiding your tracks
• Possible solutions
• The need to know principle
• Conclusions and Q&A

The Top 10 Security Nightmares
1. Physical
2. Human Error
3. Malfunction
4. Malware
5. Spoofing
6. Scanning
7. Eavesdropping
8. Scavenging
9. Spamming
10. Out of Band!

How Severe is the Threat?
• Professional Cyber Criminals & Terrorists
• Disgruntled Employees
• Competitors
• Hacktivists
• Script Kiddies (Advertises Actions)
(Slide graphic: vertical THREAT axis)

Problem: Identifying the Threat
• Uneducated Employees
• Disgruntled Employees
• Competitors
• Hackers
• Foreign Governments

Problem: It's the way we've always done it!

Problem: Unorganized Response
• What should I do?
• Who should I call?
• Should I shut the system down?
• Should I run the virus cleaner?
• Should I trust my anti-virus quarantine?
• Should I re-image the system?

Problem: Reliance on Technology!
• Quest for a silver bullet
• Many business decisions are market driven
• Marketing + Architecture = Marchitecture
• Many solutions are event driven

People can be Your Greatest or Weakest Asset!

If You Look Hard Enough, Bad Security is Everywhere!
Places! No Seriously!

The Hotel Intrusion
• Employees on the Road: The Soft Target!
• Free, er, Room Service!

The Office Intrusion
• Organized Security... Er!
• Badges: Instant Credibility
• Free Floor Plans!
• Get on the Inside with a Job!
• Too much Information

Office Security Tips
• Ensure employees are security aware
• Adopt an "Acceptable Use" policy covering IT, email, Internet, etc.
• Ensure employees are security vetted
• Wear ID badges
• Question visitors - "offer help"
• Secure all entrances and exits
• Know emergency procedures
• Secure your valuables: laptops, phones, keys, IDs, etc.

Consequences of Poor Security: Brett Kingstone, Nexus Lighting!
"What took us $10 million and 10 years to develop, they were able to do for $1.4 million in six months" - Brett Kingstone
http://people.forbes.com/profile/brett-m-kingstone/57603
http://www.gss.co.uk/news/article/5613/Cyberthieves_mine_online_for_corporate_data_nuggets/?highlight=Finjan

Hacker 101: Target Selection & Information Gathering

Hacker 101: Target Selection
• Person: identity theft, revenge, invasion of privacy
• Company: trade secrets, hostile takeover, industrial espionage
• Government: military coup, political corruption, bribery
• Country: destabilisation

My Name is John Davidson! The ID Theft Hustle
No, it really is!

My Qualifications - John Davidson

My Life! - John Davidson
Xx xxxxxxx xxx, Stockport, xxx xxx UK
Email address: [email protected] or [email protected]
Phone: 079 3705 9862
Mother's maiden name: Smith
Birthday: June 16, 1965
Social Security Number: TP 41 79 92 B
Visa: 4485 4037 3695 59xx, expires 2/2011
Passport: GB 4017783

What About a Blog then!... Live.com
Are You LinkedIn.... John is Now!

So Who are You?
Information required:
• Social Security Number
• Full name
• Birth date
• Address
• Possibly driver's license number
Sources:
• Doctor
• Accountant
• Lawyer
• School
• Place of work
• Hotels
• Health insurance carrier
• Many others

5 Pages of Heaven! Aka a Resume
• Once you get someone's resume, you know all about the person
• You can search for it... or... you can get people to send it to you
• Recruitment is easy: post a job ad and wait for people to send their life story
• You can even specify which types of people... :)
"Looking for nuclear scientist/engineer with experience in Uranium enrichment and military background. Earn top dollar, 401K plan, dental coverage, 25 days leave. Flexi time. Apply within..."

A Growing Problem
• Revealed: 8 Million Victims in the World's Biggest Cyber Heist! - Best Western Hotels (Aug 08)
  – Russian gangs involved. Details offered for sale on an underground website (www.cuxxxx0.ru).
• 10,000 Criminal Records Go Missing on Memory Stick! (July 08)
• Fasthosts UK ISP - 50,000 Websites Hacked (Nov 07)
• ID theft costs the UK economy £1.6bn per year*
• UK Child Support Agency: 25 Million Records Missing. MI5 ordered to recover data.
• Bank of India, etc...
*Sunday Times

How it's Done - Identity Theft

You are Unique... Keep it That Way!
• Check your credit score regularly
• Don't reveal too much personal information, especially on online forums and social networking groups
• Watch out for shoulder surfers
• Learn to ask questions: "Why do you need this information? How will it be used?"
• Be aware of your privacy rights
• Make use of new encryption technologies

Let's do Some Damage! Corporate ID Theft
• Employee stupidity (UK Dept of Work & Pensions: 25 million records LOST because of a mistake...)
• Fraudulent use of business identity: "account takeover" fraud that hijacks a clean identity for illicit trading
• UK Companies House does not validate any data provided
• Spoof emails and "phishing", "spear phishing"
• Corporate governance implications: UK's Turnbull Report (internal controls)

Tools the Bad Guys Use! Google Hacking!

Google Hacking
• Various usernames and passwords (both encrypted and in plain text)
• Internal documents
• Internal site statistics
• Intranet access
• Database access
• Open webcams
• VNC connections
• Mail server access
• And much more

Google Hacking Examples!
site:com filetype:xls "Accounts"
site:gov.uk filetype:xls users
site:gov.uk filetype:doc staff
site:gov.uk filetype:ini WS_FTP PWD
site:gyhs.co.uk "index of /" password.txt
site:co.uk "index of /" +passwd
site:dk +hotel filetype:xls
site:com +password filetype:xls
inurl:admin users passwords
inurl:admin intitle:index.of
"Microsoft-IIS/5.0 Server at" intitle:index.of

How it's done - Google Hacking

Don't Get Google Hacked!
• Keep sensitive information off the Internet
• Be careful how you write your scripts and access your databases
• Use robots.txt to let Google know which parts of your website are OK to index; specify which parts are "off bounds"
• Ensure directory rights on your web server are in order
• Monitor your site for common errors
• "Google hack" your own website

Data Mining: Paterva Maltego 2
• Data mining with Paterva Maltego 2
• Data mining with BidiBlah

Hacking #102: Hide your Tracks!

Hiding Data - Steganography!
Steganography: the art of storing information in such a way that the existence of the information is hidden.
To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new, controversial logical encodings: steganography and marking.
"The duck flies at midnight. Tame uncle Sam."
Simple but effective when done well.

How it's Done - Steganography

What the Bad Guys Use! Undetectable and Unbreakable Encryption! (TrueCrypt)
• Creates a virtual encrypted disk within a file and mounts it as a real disk.
• Encrypts an entire partition or storage device such as a USB flash drive or hard drive.
• Encryption is automatic, real-time (on-the-fly) and transparent.
• Provides two levels of plausible deniability, in case an adversary forces you to reveal the password: hidden volume (steganography) and hidden operating system.
• No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
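Added example for the "Don't Get Google Hacked!" checklist above (not from the session): the last tip, "Google hack" your own website, done offline against the web root in Python, so the exposed files are found before a crawler indexes them; robots.txt only asks well-behaved crawlers to skip paths and hides nothing, so the check reads the disk directly. The rules mirror the filetype and "index of /" patterns in the dork examples; the web root built in demo() is constructed sample content.

```python
import os
import re
import shutil
import tempfile
# (finding text, filename pattern, optional content pattern), one per kind of dork above.
RULES = [
    ("office document: review before publishing", re.compile(r"\.(xls|doc)x?$", re.I), None),
    ("FTP client .ini with stored PWD= entry", re.compile(r"\.ini$", re.I), re.compile(r"^PWD=", re.M)),
    ("plain-text password file", re.compile(r"^(password\.txt|passwd)$", re.I), None),
]
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.htm", "default.aspx"}

def audit_webroot(root):
    """Walk root; return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if not INDEX_FILES & {f.lower() for f in filenames}:
            findings.append((os.path.relpath(dirpath, root), "no index page: 'index of /' listing if auto-index is on"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            for text, name_re, content_re in RULES:
                if not name_re.search(name):
                    continue
                if content_re is not None:
                    with open(path, errors="replace") as fh:  # only text files (.ini) get a content check
                        if not content_re.search(fh.read(65536)):
                            continue
                findings.append((os.path.relpath(path, root), text))
    return sorted(findings)

def demo():
    """Build a constructed, fictional web root in a temp dir, audit it, clean up."""
    root = tempfile.mkdtemp()
    try:
        files = {  # constructed sample content, not real data
            "index.html": "<html>home</html>",
            "finance/Accounts.xls": "placeholder standing in for a spreadsheet",
            "ftp/WS_FTP.ini": "[site]\nHOST=ftp.example\nUID=webmaster\nPWD=V0obfuscated\n",
            "admin/password.txt": "placeholder",
            "docs/index.htm": "<html>docs</html>",
            "docs/settings.ini": "[app]\ndebug=0\n",  # no PWD= line: must not be flagged
        }
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return audit_webroot(root)
    finally:
        shutil.rmtree(root)
```

demo() returns six findings for the sample tree: three directories without an index page (admin, finance, ftp) and the three files matching the rules, while docs/settings.ini is left alone.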
TrueCrypt encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.

Uncovering Secrets & Lies

The Compliance Gorilla!
When the focus is only on compliance, the organization's overall security posture suffers by focusing solely on systems. The network pieces are "compliant", but what about the internetworking of these systems? The result of this problem is indefensible networks.

Pro-Active Cybercrime Prevention Tips
• Learn to identify threats
• Monitor staff and ensure corporate awareness
• Reward corporate loyalty
• Internal and external legislation
• Anonymiser services
• Rights management software
• Make use of cryptography
• Use good ol' fashioned cash

The Need to Know Principle!

Keeping up Appearances!
• Although I don't know the overall network security posture of the airport, this didn't look good
• Good security is simply appearing to be secure
• The military teach that the appearance of a hard target can deter attacks

Developments
• Biometric passports, DNA identity solutions
• Cloud data centre solutions
• Credit cards with biometrics
• Project Goldeneye / Goldfinger!

Identity Cards
• Cut the myriad of means to prove identity
• Proposed new criminal offence of "identity fraud"
• Civil liberties arguments: criminalize legitimate anonymity?
• National Criminal Intelligence Service

Conclusions!
• The Top 10 security nightmares
• Covert information gathering techniques
• How it's done! - identity theft
• Tools the bad guys use
• Hiding your tracks
• Possible solutions
• The need to know principle
• Conclusions & Q&A

Thanks for Attending!
Andy Malone MVP, MCT
CEO / Consultant
Quality Training (Scotland) Ltd & Dive Deeper Technology Events EMEA
[email protected]

Resources
• www.microsoft.com/teched - Sessions On-Demand & Community
• www.microsoft.com/learning - Microsoft Certification & Training Resources
• http://microsoft.com/technet - Resources for IT Professionals
• http://microsoft.com/msdn - Resources for Developers

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.