Protecting your self and your
data in the cyber age
Stephen Cobb, CISSP
Security Researcher, ESET NA
Back then*: very few people cared about
computer security
*Published 1991. Note that the publisher added “complete” to the title.
But now: we’re all computer users
*Go to StaySafeOnline.org for more about STOP | THINK | CONNECT
Our Agenda: Cybersecurity for all
• Answers to questions, such as:
– What are the risks of online banking?
– What about identity theft?
– Can hackers get to those home security cameras
we just installed?
– How to properly secure home routers
– How to protect our children on social media such
as Facebook
• But first:
– Why is there so much cybercrime?
GLOBAL MARKET FOR:
STOLEN INFORMATION
CYBERCRIME SERVICES
CYBERCRIME TOOLS
This fuels a lot of cybercrime
Sadly, cybercrime pays
More than
all the bank
robberies
that year
[Chart: Bank robbery vs. Internet fraud. Left axis: # of bank robberies (0 to 9,000). Right axis: $ cyber fraud losses in millions ($0 to $900).]
Source: FBI/IC3. Note that bank robberies are declining in number and in average loot per job. Fraud is clearly rising, and these are not all the cases.
Sadly, the risks remain low
$100 million
There is now a “cyber” most wanted
Cybercrime has created a global
market for information
How does cybercrime pay?
1. First, criminals steal information and sell it
on the black market
• Low risk, high reward
2. Then different criminals buy the stolen
data and commit fraud, e.g.
• Charge your accounts
• Get your tax refund
• Riskier than #1
• But still safer than robbing banks
Who are the players in these underground
markets?
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
BEWARE WORK
AT HOME SCAMS!
Tools of the trade: point-n-click malware
• See the movie Blackhat?
• The bad guys used a RAT
• Remote Access Tool
• Here’s a RAT’s eye view of an
infected computer:
• access to your microphone,
webcam, files, passwords, and
everything else…
Your card data sold here
• Carding sites
• Sold as card “dumps”
• E.g. McDumpals
• A real website
• Priced by
– Freshness
– Balance
– Type
– Location
Thanks to krebsonsecurity.com for screenshots
They have sales
They run specials
They have refund policies
Not just credit card data
YOUR NAME, PHYSICAL ADDRESS,
PHONE, EMAIL, EMPLOYER
YOUR DATE OF BIRTH,
MEDICAL RECORD NUMBER,
SOCIAL SECURITY NUMBER,
DRIVER’S LICENSE DETAILS
YOUR INSURANCE PROVIDER,
PLAN TYPE, PAYMENT INFO,
CREDIT CARD, BANK ACCOUNT
PATIENT HISTORY, BLOOD TYPE,
ALLERGIES, SYMPTOMS, MEDICAL
CONDITIONS, PRESCRIPTIONS,
GENETIC DATA
ELECTRONIC HEALTH RECORD
L1: Basic personal: stolen to sell to spammers and for data mining, profiling, appending
L2: Non-public identifiers: sold for various kinds of identity theft such as tax ID fraud
L3: Financial data: sold for financial fraud, billing scams, theft of funds
L4: Medical data: sold for use in medical ID fraud, billing fraud, drug and service theft and abuse
Electronic health records are targeted for
general and medical ID theft
So, what are the risks and defensive
measures for…
• Online banking
• Identity theft
• Internet cameras
• Home networks
• Social media
• And more…
*This is my dog, because about now we need some cheering up.
Risks of online banking?
• Relatively low risk, some benefits
• Improved tracking of transactions
• Account alerts
– Withdrawals
– Purchases
– Dollar limits
– Location limits
• But guard your credentials!
Watch where you use your cards
• Fringe websites
– Major source of infection
• Dodgy ATMs
– Skimmers
• Support scams
• Many others
How to protect against ID theft
• Recognize the different types
of identity theft
– Payment card fraud
– New account fraud
– Tax identity fraud
• Guard your credentials
– Account numbers
– User names, passwords
Guard SSNs and account info
• Who has their Social Security Card on
them right now? Why?
• Don’t give the number out unless you
absolutely have to
• Put a Security Freeze on your children’s
credit (before the bad guys do)
• Shred paper mail that shows SSN or bank
account numbers
Password protect all your devices
• They often have access to a lot of your
identity data
• Laptops, smartphones, tablets
• Don’t share devices
• Know how to
lock/track devices
Run antivirus on all devices
• A good antivirus suite will not only block
malicious files, but also
– Stop phishing, intercept bad
URLs, block
inappropriate
content
– Plus firewall,
anti-theft,
education
Can someone really hack our home
security system and watch those cameras
we just installed?
• If you connect them to the internet and
don’t change the default password?
• Maybe!
• Research the model
• Google name + hacked
How to secure home routers
• Home routers are being targeted
• Make sure firmware is up-to-date
• Change the default password
• Hint: it may be “password”
• And anyone can find out that default
password…
Securing home routers
• Use WPA encryption
• Don’t use WEP encryption
• Change the default SSID
• Hide the SSID
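The four router bullets above map directly onto a handful of settings in the access-point software that many home routers run under the hood. The following pair of configurations is an added illustration, not material from the talk, and assumes an OpenWrt-style router whose Wi‑Fi is driven by hostapd on an interface named wlan0; the SSID, key and passphrase values are placeholders you would replace with your own.

```ini
# --- BEFORE: the weak, out-of-the-box setup the slide warns about ---
# (shown for comparison only; do not use)
interface=wlan0
hw_mode=g
channel=6
# Default SSID placeholder: advertises the router make/model, which tells
# anyone nearby which default password list to look up
ssid=VENDOR-MODEL-DEFAULT
# WEP is a broken cipher that can be recovered from captured traffic;
# wep_key0 is a placeholder 40-bit key
auth_algs=1
wep_default_key=0
wep_key0=0123456789

# --- AFTER: the hardened setup ("Use WPA", "Change the SSID", "Hide the SSID") ---
interface=wlan0
hw_mode=g
channel=6
# A name you chose, with nothing that identifies the hardware vendor
ssid=REPLACE-WITH-YOUR-OWN-NAME
# Stop broadcasting the SSID (casual hiding only; encryption is what protects you)
ignore_broadcast_ssid=1
# WPA2 with AES-CCMP pairwise cipher instead of WEP
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Long, random passphrase (20+ characters); placeholder value
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
```

Hiding the SSID (`ignore_broadcast_ssid=1`) only keeps the network name out of the list casual neighbours see; the setting that actually keeps traffic private is the switch from `wep_key0` to `wpa=2` with `rsn_pairwise=CCMP`, paired with a passphrase that is not the one printed on the router's sticker. Firmware updates, the other bullet on the previous slide, are applied through the router's admin page rather than this file.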
Social media risks?
• Scams, fake offers, fake people
• It can seem so real because our friends
are there: we tend to trust social media
• But it may be abused by “friends”
• If you are a parent
and/or guardian
– Have the social
media conversation
sooner rather than later
– Poor choices can lead
to very bad outcomes
Staying safe on social media
• Monitor their accounts
• Review privacy & security settings
• Use a social media scanner
• “Think before you post”
– Good advice for all of us
Stay safe online!
• A website full of security tips and advice
for everyone:
– www.StaySafeOnline.org
Use the web to stay up to date
• IdentityTheft.gov
• IdTheftCenter.org
• KrebsOnSecurity.com
• WeLiveSecurity.com
Thank you!
• www.WeLiveSecurity.com
• www.eset.com

Cybersecurity for the non-technical

Editor's Notes

  • #5 PwC Global Economic Crime Survey 2014
  • #8 FYI – $50 million is more than the total loot from a year’s worth of bank robberies in America. And the entire budget of the FBI is about $8 billion.
  • #12 Using various tools and websites, some of which we will look at in a moment, criminals can quickly and efficiently mount a cybercrime operation, purchasing all of the ingredients, and selling or “fencing” their ill-gotten gains, like your company’s banking credentials or your customers’ credit cards.
  • #14 Not just Russians
  • #16 Who was the hero played by? Chris Hemsworth
  • #17 Note: these are actual screenshots. There is no legal issue with displaying these. Meet McDumpals, an online market where criminals who have stolen payment card data sell it to crooks who then use it for fraudulent purchases. People who know this is the face of cybercrime today tend to take security more seriously.
  • #18 $8.40 to $6.80 Show typical operations at an online data mart, and some prices. Krebs and others who track prices note rapid declines when large new data collections are put on the market (e.g. Target) and also decline over time as data ages.
  • #19 This series of screenshots shows typical operations at an online data mart, and some prices. Krebs and others who track prices note rapid declines when large new data collections are put on the market (e.g. Target) and also decline over time as data ages.