However, there is one kind of crime which may exist in the future - computer crime. Instead of mugging people in the streets or robbing houses, tomorrow's criminal may try to steal money from banks and other organizations by using a computer. … it is very difficult to carry out a successful robbery by computer. Many computers have secret codes to prevent anyone but their owners from operating them. As computers are used more and more, it is likely that computer crime will become increasingly difficult to carry out.
They are different: you can feel secure when you're not, and you can be secure even if you don't feel it.
I’m going to make you feel insecure, even if you’re not. My goal today is not to make you leave here screaming. But, you should leave here and make some changes.
It boils down to 3 types of bad guys: Criminals, Activists, Government Agents.
They are everywhere. They are where you are: Social Networks, Search Engines, Advertising, Email, Web Sites, Web Servers, Home Computers, Mobile Devices.
So what are we talking about here? Viruses? Worms? Trojans? Backdoors? Scareware? Rootkits? Malware? Exploits? We are talking about malicious code that takes advantage of software vulnerabilities to infect, disrupt or take control of a computer without consent, and usually without knowledge. These exploits target vulnerabilities in the OS, the web browser, various applications or anything else installed on a computer. These exploits are almost always targeted against known vulnerabilities that have already been patched by the maker of the software. They frequently target Java, Adobe Flash and PDF Reader, and the Windows OS. Many of these exploits are now spread through infected websites, mail, and social media.

All these pieces add up, a great lesson to teach people who don't tend to think outside of their little niche in the organisation. "When you're thinking with a hacker mindset, the takeaway you get is there's a little issue here, and there, and over there, and that a+b+c adds up," Cheyne said.

"Most computer users are all too aware of the threat of viruses and worms infecting their machines, but according to security research firm BitDefender different types of malware may now be infecting each other to create a new breed of security risk. Dubbed "Frankenmalware," the hybrids are created when a virus infects a machine that has already been compromised by a worm. The virus attaches itself to executable files on the host system — including the worm — and when the latter spreads it carries the virus along with it. BitDefender claims it analyzed a sample of 10 million pieces of malware and discovered 40,000 different examples of the new breed. Code from the Virtob virus, for example, was found inside both the OnlineGames and Mydoom worms."

Finding attacks will only get harder. Smarter, Stealthier, Sneakier Malware: Stuxnet. Duqu. Advanced persistent threats. Ever-evolving versions of Zeus and other malware. Malware is not only spreading, it's getting smarter. And sneakier.
For most enterprises, it's difficult just to keep up with the newest and most sophisticated attacks, let alone stop them. As more and more tools are introduced and perfected, it gets easier for all the bad guys to reach more victims.
They are after most of the things you'd expect, and some you might not: PINs, Passwords, Credit Cards, Bank Accounts, Computers, Usernames, Contact Lists, Emails, Phone Numbers.
You might say to yourself you’re not a target because you’re only on The Facebook or The Twitter...
Personal information is the currency of the underground economy. It's literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money.

A name or email address is worth anywhere from fractions of a cent to $1 per record, depending on the quality and freshness of the data, information security experts say.

That may not sound like a windfall, but when you multiply it by millions of records, it quickly adds up. Take the Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop—cha-ching—they've just made $250,000 off of one hack.

Botnet operators make even more money. Say you own a botnet that consists of 100,000 computers. You may rent it out to spammers for $1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowBe4, a provider of Internet security awareness training based in Clearwater, Fla. If you rent or buy the 24 million records from Zappos so that you can then send malware to those email addresses, even if only 20 percent of recipients get infected with your malware that takes control of their computer, you've still grown your botnet by about 5 million computers with very little work, he adds.

"Now you can charge $5,000 an hour instead of $1,000 per hour for 5 million bots that start sending spam," says Sjouwerman. "These guys make money hand over fist." Of course, their illegal activity also means criminal charges, jail time and financial restitution.

From: www.cio.com, "Are You at Risk? What Cybercriminals Do With Your Personal Data" by Meridith Levinson, CIO. http://www.cio.com/article/698820/Are_You_at_Risk_What_Cybercriminals_Do_With_Your_Personal_Data_
It's also important to know that, ultimately, there is no such thing as a secure computer. Nothing we do can make things 100% safe. We can just make things safer than they were before. All of the security work we do is about reducing risk. It's about knowing what we're up against. We want to reduce the possible frequency of loss (by securing things as much as possible, given our resources) AND we want to reduce the potential magnitude of loss (by limiting what can be lost as much as possible).

To help set the stage for success we should keep in mind 2 things: "Any lock can be picked", and people are the weakest link in the security chain. First, people:
People choose bad passwords; we write them down, we share them, we reuse them.
People email things we shouldn't.
People post things on Twitter or Facebook.
People click on links without knowing what's behind them.
People don't update their computers and programs.
People plug in USB drives without knowing where they came from.

Of course, we all want our computers to work. We don't want to worry about all this security. We just want things to be safe. We have better things to do. We do insecure things because we're tired and busy. We write down passwords because our brains are full. We have better things to do than update our computers and programs. It's not (only) because people are lazy. It's because every layer of security we add causes more work for them. Much of this advice, many of these things we want them to do, just costs too much in terms of a daily burden when so few of them will really be harmed by evil doers. There is generally low motivation and poor understanding of why this could be important. People choose the easiest and quickest way to get things done and hope for the best. So even though we have better security than ever before, there are also more ways to defeat it than ever before. To make matters worse, we are now in the era of "steal everything." We all have something a hacker is interested in stealing.
And to make things even worse, barriers to this particular type of theft are lower than ever. Frequently, hacking requires little training or knowledge or investment of time. Hackers have moved beyond banks and are now stealing more mundane things that you have. These are all worth money, or can be used to cause trouble and spread malware. There are bad guys who will pay for email passwords, Facebook logins, trojaned PCs, game logins, nearly anything you have. Our libraries are no exception. They become targets because of what we have inside our ILSs, our public access machines, the OPAC, the databases and more.
Unplugged, de-networked, and locked in a closet. Then they could still pick the lock.
So, what can you do?
Don't reuse. Don't make them weak.
Passwords are like gum: Best When Fresh, Should Be Used Once, Should Not Be Shared, Make A Mess When Left Lying Around, Easy To Steal. (NativeIntelligence.com)
Choosing A Good Password

So, it turns out a key to a strong password isn't its obscurity but its complexity: things that make it less likely to be guessed by an automated password cracker. However, making a good complex password means knowing a bit about how passwords get broken. Passwords don't necessarily need to be hard. Pick a good memorization strategy, pick a good password, and you'll be on your way to being more secure.

Choose NON obvious, NON dictionary passwords. If we assume someone has time to just sit and guess your password on a system, they will check common passwords first, then they check a dictionary. Since they don't know your password, they look for the easiest guesses first. Given enough time, and if they are persistent enough, they will just start throwing every possible combination of letters, and then numbers, and then letters and numbers, and so on. So after avoiding things that are common, the most important thing is length. As far as guessing goes, there's no difference between a simple long password and a complex long one. So start with an easy to remember password, then pad it with something else easy to remember. But don't just use Password1, as this is easily guessed, and don't pad with easily guessed numbers. The password plus padding shouldn't be easily guessed or obvious. E.g. the most common (therefore easily guessed) padding is adding a 1, 2, 3, 4 and so on at the end of some word. This increase in length and complexity defends against brute forcing. We get protection by adding more characters because they need to guess every possible combination of everything up to that length, and each character adds A LOT of time required. If you use special characters and upper/lower case you add even more time, because they know most passwords are all lower case letters and numbers. Some places will allow the use of spaces in your password, which gives you the opportunity to use a pass phrase, e.g.
Correct Horse Battery Staple.

Simple Things Make a Good Strong Password:
At least 1 Uppercase
At least 1 Lowercase
At least 1 Number (and don't put those numbers on the end)
At least 1 Something else (*%$@!-+=)
Make it as long as you can

Are complex passwords better? Well, maybe. Longer passwords are better, no doubt. If we knew exactly what each password was defending against, we would know what kind of password to choose. You have no idea how your passwords are stored or shared. Given enough time any captured password can be broken. Remember, we don't know HOW people are going to get your password. Given enough time and resources any password can be guessed. BUT, that is no excuse not to use a good password, because chances are good no one will have the time and resources to crack a good password.

One more random piece of password changing advice: if you break up with someone who knew your passwords, change them all.
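To make the length-versus-complexity point concrete, here is an added example (not part of the original notes) that estimates the brute-force search space the way the notes describe and flags the shortcuts they warn about. The guess rate, the word lists and the candidate passwords are constructed assumptions, not measurements.

```python
import re
import string

# Assumed guess rate for the comparison (constructed, not a measurement);
# real rates depend on the hash type and the attacker's hardware.
GUESSES_PER_SECOND = 1e10

# Tiny stand-ins for the "common passwords first, then a dictionary" lists
# the notes describe (constructed for this example).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"correct", "horse", "battery", "staple", "library", "summer"}


def charset_size(password):
    """Alphabet size an attacker must iterate over, inferred from the
    character classes present: lower, upper, digits, symbols/space."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c == " " or c in string.punctuation for c in password):
        size += 33
    return size


def brute_force_years(password):
    """Worst case: enumerate every string up to this length over the
    inferred alphabet. Every extra character multiplies the work."""
    n = charset_size(password)
    keyspace = sum(n ** k for k in range(1, len(password) + 1))
    return keyspace / GUESSES_PER_SECOND / (365 * 24 * 3600)


def weaknesses(password):
    """Flags the shortcuts the notes warn about: common passwords,
    single dictionary words, predictable padding on the end, short length."""
    found = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        found.append("common password")
    if lowered in DICTIONARY_WORDS:
        found.append("dictionary word")
    # Strip trailing digits/symbols and see if a known word is left behind.
    stem = re.sub(r"[\d%s]+$" % re.escape(string.punctuation), "", lowered)
    if stem != lowered and stem in COMMON_PASSWORDS | DICTIONARY_WORDS:
        found.append("predictable padding on the end")
    if len(password) < 12:
        found.append("shorter than 12 characters")
    return found


def compare(candidates):
    """Rank candidates from cheapest to most expensive to brute force."""
    rows = [(p, brute_force_years(p), weaknesses(p)) for p in candidates]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for pw, years, flags in compare(["Password1", "Tr0ub4dor&3",
                                     "correct horse battery staple"]):
        print("%-30s %10.3g years  %s" % (pw, years, ", ".join(flags) or "ok"))
```

Note that the long all-lowercase passphrase outranks the short "complex" password purely on length, which is the point the notes make.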
A very brief discussion on which OS might be safest, or at least how using Apple or Linux makes you MORE safe... NOT safe.
Here's a curiosity that's developing in modern browser security: The security of a given browser is dominated by how much effort it puts into other people's problems.

This may sound absurd at first but we're heading towards a world where the main browsers will have (with a few notable exceptions): Rapid autoupdate to fix security issues. Some form of sandboxing. A long history of fuzzing and security research.

These factors, combined with an ever more balanced distribution of browser usage, are making it uneconomical for mass malware to go after the browsers themselves.

Enter plug-ins. Plug-ins are an attractive target because some of them have drastically more market share than even the most popular browser. And a lot of plug-ins haven't received the same security attention that browsers have over the past years.

The traditional view in security is to look after your own house and let others look after theirs. But is this conscionable in a world where -- as a browser vendor -- you have the power to defend users from other people's bugs?

As a robust illustrative point, a lot of security professionals recently noticed some interesting exploit kit data, showing a big difference in exploitation success between Chrome (~0%) and IE / Firefox (~15%). The particular exploits successfully targeted are largely old, fixed plug-in bugs in Java, Flash and Reader. So why the big difference between browsers?

The answer is largely the investment Chrome's security team has made in defending against other people's problems, with initiatives such as:
Blocking out-of-date plug-ins by default and encouraging the user to update.
Blocking lesser-used plug-ins (such as Java, RealPlayer, Shockwave etc.) by default.
Having the Flash plug-in bundled such that it is autoupdated using Chrome's fast autoupdate strategy (this is why Chrome probably has the best Flash security story).
The inclusion of a lightweight and reasonably sandboxed default PDF viewer (not all sandboxes are created equal!)
The Open Type Sanitizer, which defends against a subset of Windows kernel bugs and Freetype bugs. Chrome often autoupdates OTS faster than e.g. Microsoft / Apple / Linux vendors fix the underlying bug.
Certificate public key pinning. This new technology defends against the generally gnarly SSL Certificate Authority problem, and caught a serious CA compromise being abused in Iran last year.

In conclusion, some of the biggest browser security wins over the past couple of years have come from browser vendors defending against other people's problems. So I repeat the hypothesis: The security of a given browser is dominated by how much effort it puts into other people's problems. Funny world we live in.
The one thing ALL those browsers have in common is plugins, especially anything from Adobe. That's why bad guys are targeting Flash and Acrobat Reader: they are ubiquitous, notoriously easy to hack, and notorious for 0-days.
“Getting rid of swine flu”
Fans spinning wildly
Programs start unexpectedly
Your firewall yells at you
Odd emails FROM you
Freezes
Your browser behaves funny
Sudden slowness
Change in behavior
Odd sounds or beeps
Random popups
Unwelcome images
Disappearing files
Random error messages
Some tips on social media
You might say to yourself, oh, we’re just a library, no one will come after us, we have nothing worth taking.
A conclusion reinforced by evidence accrued in the aforementioned Verizon report and the following summation by Marc Spitler, a Verizon security analyst: "Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords." In other words, easy-to-find, easy-to-learn and easy-to-exploit weak passwords. Victims were not 'chosen' because they were large, important or had financial data. They were simply the easiest targets.

"Every year that we study threat actions leading to data breaches, the story is the same; most victims aren't overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them."

And here's the same thing in different wording:

"The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old."

And of course, I like this one because it highlights Automated Vulnerability Assessment:

"SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don't our defenses follow suit? As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year."

Basically, your organization already has the security solution that it needs; you're just not using it.
As you've now seen, it takes very very little skill to be a bad guy now.
Mae West
Why Security Is Hard

Though it is easy, that is, so many of the holes we miss are easy to fill, it's hard to get it all right. IT security isn't always easy. When it comes to securing your IT resources it's very easy to make a mistake, or overlook something small. In every library it feels like there are a million things to worry about. It's NOT only the fools who are getting hacked, it's everyone and anyone. The best of us miss things and make mistakes that can lead to security breaches. Most libraries don't have the money, time, or people to secure even the small number of resources they have. Larger libraries may be able to afford to spend more time/money on security, but then they also have more things to secure. Unfortunately, security doesn't scale up very easily. This doesn't mean you should give up and hope for the best! Everyone in your library has some small part to play in keeping things secure. We can talk all day about how we should integrate security into our daily routine more, and how vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics of security aren't overly favorable: the costs are very low for the bad guys, and very high for those of us trying to make things more secure.

The malware your computers are subject to now is very sophisticated. It's highly evolved and many times will be able to run totally undetected. It has automated installers, updaters, and a sophisticated command and control center that puts every infected machine to good use. It's easy for the writers of these tools to stay one step ahead of those who work to keep us safe. It's very easy for your computers to spy on your users, or become part of a botnet used to cause trouble anywhere in the world.
Force Attacker Perfection

I will fully admit that I sometimes find myself parroting standard industry tropes. For example, I can't recall how many times I've said in presentations and interviews:

The defender needs to be perfect all the time. The attacker only needs to succeed once.

And yes, it's totally true. But we spend so much time harping on it that we forget how we can turn that same dynamic to our advantage.

If all the attacker cares about is getting in once, that's true. If we only focus on stopping that first attack, it's still true. But what if we shift our goal to detection and containment? Then we open up some opportunities.

As defenders, the more barriers and monitors we put in place, the more we demand perfection from attackers. Look at all those great heist movies like Ocean's 11 – the thieves have to pass all sorts of hurdles on the way in, while inside, and on the way out to get away with the loot.

We can do the same thing with compartmentalization and extensive alert-based monitoring. More monitored internal barriers are more things an attacker needs to slip past to win. Technically it's defense in depth, but we all know that term has turned into an excuse to buy more useless crap, mostly on the perimeter, as opposed to increasing internal barriers.

I am not saying it's easy. Especially since you need alert-based monitors so you aren't looking at everything by hand. And let's be honest – although a SIEM is supposed to fill this role (at least the alerting one) almost no one can get SIEM to work that way without spending more than they wasted on their 7-year ERP project. But I'm an analyst so I get to spout out general philosophical stuff from time to time in hopes of inspiring new ideas. (Or annoy you with my mendacity).

Stop wishing for new black boxes. Just drop more barriers, with more monitoring, creating more places for attackers to trip up.

—Rich
Ignoring it and thinking you're safe
Not Preparing
Not Training
Don’t worry about Anonymous or APT Agents, worry about bots and scanners, automated tools that look for easy targets. By doing SOMETHING, by doing ANYTHING you’ll be ahead of the game. Make sure you pull down all the low hanging fruit those automated scans are looking for.
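An added example, not from the original notes, of what those automated scans look like from the defender's side of the logs: it runs over a few constructed Apache-style web-server log lines and flags a source that behaves like an automated scanner (a run of 404s for well-known probe paths, no user agent). The log lines, the addresses and the probe list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from a real
# server); 198.51.100.0/24 and 203.0.113.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2012:10:01:02 -0500] "GET /catalog/search?q=hobbit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2012:10:01:05 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [10/Mar/2012:10:01:05 -0500] "GET /pma/ HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [10/Mar/2012:10:01:06 -0500] "GET /admin/login.php HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [10/Mar/2012:10:01:06 -0500] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [10/Mar/2012:10:01:07 -0500] "GET /.git/config HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [10/Mar/2012:10:01:09 -0500] "GET /catalog/record/1234 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2012:10:01:10 -0500] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')

# Paths that mass scanners try on every host they find. A visitor to a
# library catalog has no reason to ask for any of these.
PROBE_PATHS = ("/phpmyadmin", "/pma", "/wp-login.php", "/admin/login.php",
               "/.git/", "/.env")


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_scanners(log_text, min_not_found=3):
    """Return {ip: summary} for sources that behave like automated scanners:
    several 404s, at least one known probe path, usually no user agent."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                  "probes": [], "empty_ua": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
        if rec["path"].startswith(PROBE_PATHS):
            s["probes"].append(rec["path"])
        if rec["ua"] in ("", "-"):
            s["empty_ua"] += 1
    return {ip: s for ip, s in per_ip.items()
            if s["not_found"] >= min_not_found and s["probes"]}


if __name__ == "__main__":
    for ip, s in find_scanners(SAMPLE_LOG).items():
        print(ip, s["not_found"], "x 404, probes:", ", ".join(s["probes"]))
```

The ordinary visitor with one 404 (a missing favicon) is not flagged; every probe path the scanner asked for is something you should confirm is absent, locked down or patched on your own servers.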
PACs give me the same feeling I get when I go into a hospital. I assume they are covered with flesh eating bacteria or MRSA or something awful.
Train The Security Mindset Train The Hacker’s Mindset
Some people see a lock. Others see a challenge.
Same: Keep things updated, Passwords. Different: Limit logins, Logs, Watch for file changes (IDS), Firewall, Kill unneeded processes.
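For the "watch for file changes (IDS)" item, an added example (not from the original notes) of a minimal file-integrity check: it records a hash, size and permission baseline for a web root and, on the next run, reports what was added, removed or modified. The directory layout and file contents are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files aren't loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> hash, permission bits and size for every
    regular file under root (symlinks are skipped, not followed)."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "mode": st.st_mode & 0o7777,
                "size": st.st_size}
    return snap


def compare(baseline, current):
    """Diff two snapshots: what appeared, what vanished, what changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed walk-through: baseline a small web root, change it,
    then run the comparison. Returns the diff so it can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        files = {"www/index.html": b"<h1>Catalog</h1>",
                 "www/opac.js": b"var q = 1;",
                 "config/old.conf": b"port=80\n"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # Keep the baseline outside the tree being watched (ideally on
        # read-only or offline storage) so a change to the tree cannot
        # quietly rewrite the record it is checked against.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(root)))
        # Changes that a later scheduled check should report.
        (root / "www/index.html").write_bytes(b"<h1>Catalog</h1><!-- edited -->")
        (root / "config/old.conf").unlink()
        (root / "www/uploads").mkdir()
        (root / "www/uploads/new.txt").write_bytes(b"dropped in later")
        return compare(json.loads(baseline_file.read_text()), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from cron against the real web root and alert on any non-empty result; changes you made yourself get re-baselined, everything else gets investigated.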
Use Good Passwords
Be Paranoid
Keep Everything Updated
Who do I need to worry about? http://www.flickr.com/photos/12273378@N00/2547546709/Intro