Page 1:

Things that go bump in the net

21 September 2009

Chris

Email: chris@securityg33k.com
Twitter: http://twitter.com/securityg33k
www: http://www.securityg33k.com/
Slightly more random tweets: http://twitter.com/TheSuggmeister

Page 2:

Who am I?

Chris

Page 4:

Why am I here?

Some numbers:

• 85 million records lost in 2008 [1]
• Viruses top 1 million (April 2008) [2]
• £328.4m UK Phone, internet and mail order fraud (Card-not-present fraud) in 2008 [3]
• £169.8m Counterfeit (skimmed / cloned) fraud in 2008 [3]

Page 5:

And yet…

• The advice given to the average computer user remains roughly the same
  – Install Anti-Virus (AV)
  – Make sure your firewall is turned on & working
  – Choose good passwords
  – and don’t write them down
  – Regular software updates
• And it’s not working all that well

Page 6:

What are we going to talk about?

• Introduction
• Risks
• Things to watch out for
  1. Viruses
  2. 419 & other scams
  3. Phishing & Vishing
  4. Evil Twins
  5. Facebook
  – Loss & Theft

Page 7:

Time Permitting

• Set up tips
  – Passwords
  – Installing / Setting up your PC
  – Setting up your router
  – Setting up wireless
  – Installing updates
  – Testing it all works
  – Keeping it secure-ish
  – Email Security
  – A word of physical security at home

Otherwise it’s available online at http://www.securityg33k.com/

Page 8:

Introduction

Page 9:

Where do you fit in?

[Diagram. Axis labels: Online presence (Not Online, Online); Trust (Least, Most). Other labels: “I take steps to protect my privacy”, “I have nothing to hide”, Best, Worst, “Depends how you do it”, “Not as safe as you think”.]

Items placed on the diagram:

• Removed from electoral roll, use aliases, PO box for all mail, no loyalty cards, use cash for everything
• Online but not shopping / banking online
• Online shopping/banking at trusted sites
• Facebook, myspace, bebo, Twitter with privacy controls
• Facebook, myspace, bebo, Twitter without privacy controls
• Limewire / Bit Torrent
• Online shopping anywhere
• Shopping with credit cards
• Loyalty cards
• Letting your cards go out of sight
• Blatant trust that your information will not be used against you at some point

Page 10:

“Remember, best block no be there”

Mr. Miyagi (Pat Morita)

Karate Kid II

Page 11:

Not got anything to hide?

Do you really want anyone to know…

• How much you paid for your house
• Salary
• School grades
• Illnesses
• Points on your license
• Your family photos
• When you’re going to be away on holiday?
• Or when you’re down the pub

Page 12:

Risks

Page 13:

So you want to connect to the internet?

The Internet

Page 14:

Before you do…

Vulnerabilities

Threats

Value

Page 15:

Where do viruses come from?

Page 16:

Speed

Page 17:

So what?

Page 18:

Most likely scenario

• Your PC will get clogged up
• You’ll probably get a lot of pop-ups, some with porn.
• It’ll be quite a challenge to do anything worthwhile without getting redirected to somewhere else.
• Anything you type might be being forwarded to the bad guys.
• Your PC will be completely unpredictable. Those family photos?

Page 19:

Worst case scenario

• Your bank account will be cleared out and it’ll take months to get it straightened out.

Page 20:

Who are these bad people & what do they want?

Page 22:

The bad guys & their motivations

[Diagram labels: National Interest, Personal Gain, Personal Fame, Curiosity; Script-Kiddy, Hobbyist Hacker, Expert, Specialist; Vandal, Trespasser, Thief, Spy, Author]

Published with kind permission from Dave Aucsmith

Sr. Director. Microsoft Institute for Advanced Technology in Governments

Page 23:

The bad guys & their motivations

[Diagram labels: National Interest, Personal Gain, Personal Fame, Curiosity; Script-Kiddy, Hobbyist Hacker, Expert, Specialist; Vandal, Trespasser, Thief, Spy, Author]

Tools created by experts now used by less skilled attackers and criminals

Published with kind permission from Dave Aucsmith

Sr. Director. Microsoft Institute for Advanced Technology in Governments

Page 24:

The bad guys & their motivations

[Diagram labels: National Interest, Personal Gain, Personal Fame, Curiosity; Script-Kiddy, Hobbyist Hacker, Expert, Specialist; Vandal, Trespasser, Thief, Spy, Author]

Callouts on the diagram:

• Largest area by volume
• Largest area by $ lost
• Largest segment by $ spent on defense
• Fastest growing Segment = crime

Published with kind permission from Dave Aucsmith

Sr. Director. Microsoft Institute for Advanced Technology in Governments

Page 25:

Just how organized is organized crime?

Published with kind permission from Mikko Hypponen

Chief Research Officer. F-Secure Corporation

Page 26:

A Market

Published with kind permission from Mikko Hypponen

Chief Research Officer. F-Secure Corporation

Page 27:

Marketing

Page 28:

Assuming you’ve followed the usual set up advice (see end of presentation)

Page 29:

Now things look a bit more like this…….

Vulnerabilities

Threats

Value

Page 30:

That’s it, right?

Page 31:

Wrong!

Things to watch out for…

Page 32:

1. Anti-Virus doesn’t stop everything

Page 33:

“Antivirus suites fail more often than not”

Vendor | Detection rate
F-Secure | 28%
Kaspersky | 18%
McAfee | 44%
Sunbelt | 26%
Sophos | 38%
Trend Micro | 34%
Symantec | 35%
Dr.Web | 36%
AVG | 31%
ESET | 27%
F-Prot | 23%
VirusBuster | 16%
Norman | 23%

Average daily detection rate from 12/5/09 to 10/6/09

Source: http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf

http://lastwatchdog.com/antivirus-suites-fail/

Page 34:

Yeah, but how do they infect me?

(or how do viruses get around anti-virus?)

Page 35:

How do they do that?

Vulnerabilities

Threats

Value

Page 36:

Popular Searches

Page 37:

The old classic - Email attachments

Published with kind permission from Mikko Hypponen

Chief Research Officer. F-Secure Corporation

Page 38:

Cute yet a little bit rubbish web sites…

Published with kind permission from Mikko Hypponen

Chief Research Officer. F-Secure Corporation

Page 39:

How can I tell something bad has happened?

Maybe…. nothing

Or….

Page 40:

Your computer is infected with 182 viruses – click here to fix

Source: Washingtonpost.com

Page 41:

More scareware

Source: Washingtonpost.com

Page 42:

Even more scareware

…looks convincing doesn’t it?

Source: Washingtonpost.com

Page 43:

What can I do?

1. Prevention…

• Buy & use the most up to date anti-virus you can.

• Use anti-spyware software such as Malwarebytes.

• Don’t trust anti-virus alone.

• Mix up your browsing, maybe use Firefox?

• Do you really want to open that email attachment?

• Those cute eCards might not be so cute.

• Never, ever, click here to fix your virus issues.

• Take some time to read up how to set your computer up.

Page 44:

If you do get a virus

2. Cure

• Disconnect from the internet – take your cable out.

• I’d power off.

• Reboot into safe mode

• Run anti-virus (again).

• Download and run Malwarebytes Antimalware & Superantispyware

• Some good information to print out at:
  – http://www.bleepingcomputer.com/virus-removal/remove-windows-police-pro
  – http://www.dslreports.com/forum/cleanup

• Reinstall? (boot and nuke first).

Page 45:

2. Scams

Page 46:

Nigerian 419 scams

Good Day,

My name is Dr William Monroe, a staff in the Private Clients Section of a well-known bank, here in London, England. One of our accounts, with holding balance of £15,000,000 (Fifteen Million Pounds Sterling) has been dormant and last operated three years ago. From my investigations and confirmation, the owner of the said account, a foreigner by name John Shumejda died on the 4th of January 2002 in a plane crash in Birmingham.

Since then, nobody has done anything as regards the claiming of this money, as he has no family member that has any knowledge as to the existence of either the account or the funds; and also Information from the National Immigration also states that he was single on entry into the UK.

I have decided to find a reliable foreign partner to deal with. I therefore propose to do business with you, standing in as the next of kin of these funds from the deceased and funds released to you after necessary processes have been followed.

This transaction is totally free of risk and troubles as the fund is legitimate and does not originate from drug, money laundry, terrorism or any other illegal act.

On your interest, let me hear from you URGENTLY.

Best Regards,
Dr William Monroe
Financial Analysis and Remittance Manager
[Phone Number Removed]

Page 47:

Lonely?

Page 48:

What can I do?

1. Prevention…

• Ignore it.
• Check it out on:
  – http://www.snopes.com/
  – http://www.hoax-slayer.com/
  – http://www.419eater.com/
• If you have to wire money to someone you don’t know via Western Union or Moneygram be very suspicious.

Page 49:

What can I do?

2. Cure

• Contact your bank to stop transactions
• Contact the police

Page 50:

3. Phishing & Vishing

Page 51:

Phishing Example

Page 52:

Phishing Example

Page 53:

Obvious Signs

• The link on the screen doesn’t match the link that you mouse over…
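
The mismatch described on this slide can be checked mechanically. The following is an added example, not part of the original presentation: it parses an HTML e-mail body and flags links whose visible text looks like a web address but names a different host than the link's real target. The sample message and the mybank.example / badguy.example hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (not taken from the presentation).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, we detected unusual activity on your account.</p>
<p>Please confirm your details at
<a href="http://badguy.example/login">https://www.mybank.example/</a></p>
<p>Branch finder:
<a href="https://www.mybank.example/branches">www.mybank.example/branches</a></p>
<p><a href="https://www.mybank.example/help">Help centre</a></p>
"""

# Link text counts as "URL-like" when it is a single token that starts with
# an optional scheme followed by a dotted host name.
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I
)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Return the lower-cased host of a URL, adding a scheme if it has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def mismatched_links(html):
    """Return links whose displayed address and real target hosts differ."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for text, href in parser.links:
        if not URL_LIKE.match(text):
            continue  # label is plain words, so there is no address to compare
        shown, actual = host_of(text), host_of(href)
        if shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for finding in mismatched_links(SAMPLE_EMAIL_HTML):
        print("Displayed host %(shown)s but link goes to %(actual)s" % finding)
```

Links labelled with plain words such as "Help centre" are skipped, because there is no displayed address to compare; for those the only check is to look at the real target.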

Page 54:

How it should work

[Diagram: numbered steps 1 to 4 involving BANK. URLs shown: https://www.mybank.com/, https://images.mybank.com/, https://mybank.com/travel-international/g2/foreign-currency.asp]

Page 55:

XSS

[Diagram: numbered steps 1 to 5 involving BANK “& some bad stuff”. URLs shown: https://www.mybank.com/, https://images.mybank.com/, https://mybank.com/item=.asp?id=%3scriptsomeotherstuff, http://badguy.com/]

Page 56:

What can I do?

1. Prevention…

• Run the latest browser versions, some detect this kind of thing.
• Don’t click links to banks, ebay, facebook whatever from emails.
• Type in the URL to your bank and navigate to the page.
• If a link looks suspicious, don’t click it.

Page 57:

What can I do?

2. Cure

• Contact your bank
• Maybe contact the police

Page 58:

Safer Online Purchases

• Credit card rather than debit card

Page 59:

Vishing

“Hello, it’s Chris from MyBank. It seems that someone has attempted to use your card fraudulently…”

“…we just need to ask a few security questions to verify who you are”.

Page 60:

What can I do?

1. Prevention…

• Limit the number of times you publish your phone number.
• Take down the fraud numbers for your bank in advance – store them in your mobile.
• Never phone back the number they provide you without making sure it’s valid.
• Speak to your bank about what they will and will not ask you. Most will not request your full password.

Page 61:

What can I do?

2. Cure

• Contact your bank on a number you verify.
• Maybe contact the police

Page 62:

4. The Evil Twin

Page 63:

Not this Evil Twin

Page 64:

Wireless - Be Aware of Evil Twins

BT Openzone

Free Public Wifi

Page 65:

Wireless - Be Aware of Evil Twins

Good: BT Openzone

Evil: Free Public WiFi

The Internet

Page 66:

What can I do?

1. Prevention…

• Careful what you connect to. Make sure you have the name right.
• Perhaps not a good place to do your banking.
• Think about using TOR.

Page 67:

What can I do?

2. Cure…

• Assume everything you did was captured by a bad-guy and act accordingly
  – Cancel bank transactions.
  – Change your passwords.

Page 68:

5. Facebook

Page 69:

Facebook Issues

Page 70:

Who do you want to see your profile?

Page 71:

What can I do?

1. Prevention…

• Use a different email address to your usual one.
• Don’t make your profile public.
• Don’t publish address, phone details etc.
• Maybe don’t publish your real date of birth.
• Remember. If it’s published electronically, the cat *IS* out of the bag. Think before you post.
• Read and implement privacy settings

Page 72:

What can I do?

Page 73:

And finally…

• Those fun applications

Page 74:

What can I do?

2. Cure

• Change password etc.
• See facebook help

Page 75:

6. Theft

Page 76:

What if someone steals my PC?

Page 77:

What can I do?

1. Prevention…

• Be aware of the area. Generally don’t leave it in the car.
• Don’t ask someone to look after your laptop while you go to the bathroom.
• It’s valuable – treat it as such.
• Encryption is freely available
  – Truecrypt
• Backup often
  – External disks are inexpensive

Page 78:

What can I do?

2. Cure…

• Inform police
• Inform your company / company security departments.
• If it’s not encrypted, change passwords to everything.
• If you used it for banking, inform the bank.

Page 79:

And if we have time..

Page 80:

Set up tips

Page 81:

Bluetooth

• Don’t use a bluetooth keyboard

Page 82:

A word on passwords

• Don’t think “they will never guess I’m using the word password”….

• …“They” are usually automated

Page 83:

Some password tips

• UPPER and lowercase characters
• Use some numbers (not just at the end)
• Use some symbols ($#%_-+@ )
• 14 or more characters
• Passphrase “The Lazy Brown Fox”
• Don’t use the same password for every account
• You could write them down (safe-ish-ly)

Page 85:

Initial PC install

• If it’s second hand - Wipe / Erase disks

• Clean Factory Install

• Use Strong Passwords

• Configure / Enable Firewall

• Install A/V from install CDs (if you can)

• Latest versions with behaviour based rules

• Symantec (Norton), McAfee, Kaspersky, ESET.

Page 86:

Configure router

• Don’t connect it to the internet until you’re ready

• Change default administrator account passwords. They’re well known.

• Set a strong password

• Disable things you don’t use

• Don’t start with wireless – just yet

Page 87:

Configure wireless on the router

• Don’t use WEP

• Do use WPA or WPA2

• MAC filtering

• Consider using a random key generator, such as this one http://darkvoice.dyndns.org/wlankeygen, to generate the key

• Disable SSID broadcasting

• Non-Overlapping Channels 1, 5, 9, 13

• Switch off wireless when you’re not using it

Page 88:

Install Updates

• Anti-Virus

• Windows Auto-Update

• Other

• Firefox

• iTunes

• Quicktime

Page 89:

Test connection

https://www.grc.com/x/ne.dll?bh0bkyd2

Page 93:

Wrong

• You have to keep it secure
  – Auto updates
  – Routinely check firewall is configured
  – Periodically check AntiVirus logs
  – Reinstall completely periodically

• AV / Firewall doesn’t stop everything

• You need to be a little paranoid online. They REALLY are out to get you.

Page 94:

Email Issues

• Name
• How many accounts
• Settings

• Mostly clear text

• Web mail interaction also clear text

• So anyone can read it

Page 95:

What can I do?

• Name
• How many accounts
• Settings
  – Gmail – always https

Page 96:

Final word on Home security

Buy and use

• Decent locks for doors & windows
• Shredders
• Safes
• Alarms

Neighbours

Page 98:

Risk

Risk is very unlikely to be 0. Ever.

Page 99:

Risk

Risk = (Threat x Vulnerability / Countermeasures) x Value

Page 101:

Malware by OS

Operating System | backdoors, rootkits | viruses & worms | trojans
OS/X | 14 | 9 | 11
FreeBSD | 33 | 10 | 0
Unix | 76 | 118 | 3
SunOS/Solaris | 99 | 17 | 3
Linux | 942 | 136 | 88
Windows | 501515 | 40188 | 1232798

Page 103:

Cost of Fraud in the UK

Card Fraud Type – on UK issued credit and debit cards | 2004 | 2005 | 2006 | 2007 | 2008 | +/- (07/08)
Phone, internet and mail order fraud (Card-not-present fraud) | £150.8m | £183.2m | £212.7m | £290.5m | £328.4m | +13%
Counterfeit (skimmed/cloned) fraud | £129.7m | £96.8m | £98.6m | £144.3m | £169.8m | +18%
Fraud on lost or stolen cards | £114.4m | £89.0m | £68.5m | £56.2m | £54.1m | -4%
Card ID theft | £36.9m | £30.5m | £31.9m | £34.1m | £47.4m | +39%
Mail non-receipt | £72.9m | £40.0m | £15.4m | £10.2m | £10.2m | 0%

http://www.apacs.org.uk/09_03_19.htm

Page 104:

Records being lost all the time

Date | Type | Incident | Records | Organization
05-09-2009 | Hack | customers credit card details lost from hacked server | 52,000 | Mitsubishi Corp
02-09-2009 | Lost Laptop | Missing laptop contains names, Social Security numbers and dates of birth of 38,000 | 38,000 | Naval Hospital Pensacola
01-09-2009 | Unknown | A file containing students names and Social Security numbers reported missing | 100 | Bluegrass Community & Technical College
29-08-2009 | Stolen Laptop | Stolen laptops contain private and medical details of more than | 7,000 | Birmingham NHS (Trulife)
28-09-2009 | Lost Tape | Cuyahoga County officials are searching for a box that fell off a truck and contained personal information | 300 | Iron Mountain, Cuyahoga county, Ohio
28-08-2009 | Disposal Document | Unknown number of employee records containing names, addresses, Social Security numbers and dates of birth thrown in trash | Unknown | Fasco Machine Company
26-08-2009 | Disposal Document | Employee files found in trash contained personal details including names and Social Security numbers | 100 | Guardsmark
25-08-2009 | Disposal Document | Unknown number of confidential files dumped on street contained names and bank details | Unknown | Worthing Borough Council
21-08-2009 | Hack | Hacked server exposes 20 years worth of students Social Security numbers | Unknown | University of Massachusetts at Amherst (UMASS)
20-08-2009 | Web | Social Security numbers and some birth dates of 6,675 exposed through file transfer program | 6,675 | Boston University Army Reserver Officers Training Corp
20-08-2009 | Disposal Document | Dumped medical files exposes 623 patients names, Social Security numbers, dates of birth and medical details | 623 | Prompt Med
19-08-2009 | Hack | Credit card numbers, expiration dates, and guest names on computer systems accessed without authorization | Unknown | Radisson Hotels & Resorts

Page 105:

Understanding the Landscape

[Diagram labels: National Interest, Personal Gain, Personal Fame, Curiosity; Script-Kiddy, Hobbyist Hacker, Expert, Specialist; Vandal, Trespasser, Thief, Spy, Author]

Published with kind permission from Dave Aucsmith

Sr. Director. Microsoft Institute for Advanced Technology in Governments