Cyber attack
Whose Side is Your Computer On?
Jim Isaak – STEM4All
2015: 4/27-5/24 OLLI Concord 1-2:30 PM
Week 2 3 4 5
http://is.gd/Cyberattacks
Based on feedback
Basics with definitions first … help folks to absorb
Computer terminology
PLEASE – ASK! ---
You are not the only one who doesn’t get them
There is a lot of Jargon
You won’t really get it the first time
You are not expected to be experts in related fields
(And even if you are, some of this stuff is new)
http://is.gd/Cyberattacks
Has Syllabus/Outline for class
With hot links to a number of resources
• Including videos (mostly “free”) and
• Pointers to authoritative sources and
• To tools that are useful
This presentation is available from the site
Note that <Local> links to video clips used in class
The second link will be to online-versions
Anthem Record Theft - Jan 2015
80 Million customer records – SS#’s (etc) in the clear
Key risk is identity theft, and secondary is abuse of insurance (to
buy medications, pay for services)
You can put an initial fraud alert on your credit bureau records
for 90 days “free” , call one they will contact others
(get your free credit report if you have not done so recently)
Can renew after 90 days
Equifax 1-800-525-6285
Experian 1-888-397-3742
TransUnion 1-800-680-7289
http://www.consumer.ftc.gov/articles/0275-place-fraud-alert
Cybersecurity for The Common Man
(or woman)
Bad actors are out there
They want your computer
Why? How? Who?
We will look at the context of some of these questions
-- Yes that fellow from “Nigeria” wants your money
-- Yes those folks from <to be disclosed> want to use
your computer to attack:
the United States, Iran, Amazon, Google, et al
An overview
Of the concepts of cybersecurity
is it a virus or a worm (and do you care?)
Phishing for your identity
Spoofing is not just a Halloween prank
And some examples
Did President Reagan destroy the Soviet Pipeline?
Who destroyed Iranian nuclear facilities and how?
And some suggestions on how to detect/avoid
becoming a victim or a zombie!!
A Few Quick Things:
Make sure your operating system & APP “updates” are
actually “Up to date” (that’s why they call them that)
Make sure you have a firewall turned on
Make sure you have AntiVirus software – that it is up to
date – and have it do a scan or full scan soon!
Beware of “short emails” that just have a link – even
from friends (they have been hacked)
You do not have a friend in Nigeria who wants to help
you with his fortune, (or a friend/ relative/
granddaughter stuck in some foreign city who needs
bail ….)
1: CONCEPTS
WSJ Malware Glossary
What makes computers and
networks vulnerable?
Re-purposing – Programmable devices
Computers are defined as ‘programmable devices’
A set of instructions can make it do many different things
The same memory is used for data and instructions
And can be targeted for revision/rewrite
Complexity
Computer Programs contain millions of instructions
Often programmers do not handle exceptions
Or they don’t consider “abuse” opportunities
Clones
Many systems are identical hardware & os
Networked --- can pass “infection” from one to another
Who and why?
“Kids” to show they can do it – “Script kiddies”
back in the 80’s this was “new”
Or “Hacktivists” sending a “message”
Criminals – blackmail (if you don’t … we will …)
Grand theft – from Banks, etc.
Credit Card info (calling cards, etc.)
Con artists (if you would be so kind as to give me
your bank account number and …)
Nation States –
We could use the plans for the F22
Or all of the potential oil sites, or …
Why not terrorists? (No blood on the front page?)
from http://hackmageddon.com/
2014 Motivations (based on 1000 significant attacks)
And who are the targets
What do we call them?
Hackers
In some circles this is an honorific, reflecting mastery
of “making things work” from scratch
Used in computing, but also “maker” labs etc.
Crackers
The “hacker” term for folks who do bad things
hacking
White-hat – Good Guys
Black-hat – Bad Guys
DefCon – A conference of anonymous, pay in cash at
the door folks – hat colors vary
Example of computer source code
piece of “Basic” code (VB.NET; the fragment on the slide is completed here so the block structure closes)
Private Sub Start_Btn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Start_Btn.Click
    Dim target_Path As String
    Dim count As Integer = 0
    target_Path = ""
    FileNameLst.Items.Clear()
    DateTargets.Items.Clear()
    Try
        Application.DoEvents()
        target_Path = FolderBrowserDialog1.SelectedPath
        If FolderBrowserDialog1.ShowDialog() = DialogResult.OK Then
            'same folder chosen again: nothing to do
            If target_Path = FolderBrowserDialog1.SelectedPath Then Exit Try
            target_Path = FolderBrowserDialog1.SelectedPath
            FolderBrowserDialog1.Dispose()
            Me.Text = target_Path
            'get a list of all jpg file names
            For Each foundImage As String In My.Computer.FileSystem.GetFiles(target_Path)
                If foundImage.EndsWith(".JPG", StringComparison.CurrentCultureIgnoreCase) Then Me.FileNameLst.Items.Add(foundImage)
            Next
        End If
    Catch ex As Exception
        MessageBox.Show(ex.Message)
    End Try
End Sub
Example of Assembly Code
Example of Machine Language
Load a value into register 8, taken from the memory
cell 68 cells after the location listed in register 3:
[ op | rs | rt | address/immediate ]
  35    3    8    68                  (decimal)
  100011 00011 01000 0000000001000100 (binary)
The sophisticated “Cracker”/”Hacker” works at this level
--- understanding what the code is doing, and
modifying it to do something different
This stuff may be harder than Rocket Science
2012
400+ million individuals were victims of cyber crimes
2/3 of US individuals in their lifetime
Threat to IP by nation states
speed & volume of what can be taken to market
$600 billion in losses; thousands of jobs (if…)
Threat to military targets/operations
Disruption of communications
Threat to infrastructure – Cyber-physical
Malware 1
Virus – A bit of machine code that is designed to insert
itself into existing code on your computer
(an “infected file”)
“signatures” are snippets of code that indicate a virus
Worm – a program that tries to infect other computers
using your computer
Trojan horse
A program that seems “OK” but carries malware
Scripts – higher level programming elements that are
executed by your browser (or other tools)
Rootkit – a virus infecting the very basic level of your
system so it is hard to detect and eliminate
Malware 2
Adware – causes ads to appear typically unwelcome
ones, but may also track your use of the system
pop-up (on top of your browser)
pop-under (window hidden below your browser)
Bot, Botnet, Zombie
A computer (yours??) taken over with a virus (often a
root kit) that is controlled from a remote site
You can “rent” a million systems to do your bidding
spyware, keystroke logging
Malware on your system may watch what you do
keystroke logging allows capture of passwords
Identity Theft
Malware 3
Spoofing
Fake name
Fake email address
Fake IP Address
Fake URL/Domain…
SPAM – is unsolicited email (ads..)
But:
Phishing – seeks to get you to disclose key
information --- “Hi, I’m Jane from Credit Card …”
Often appears to be from a bank, or major vendor
Downloaders – web site that stuffs files onto your
computer when you are not looking – may use
scripting…
A Phishing Expedition?
Another “FedEx” attack
Email Attack
Email warning signs
No Subject
Just has a URL, no explanation
Odd Domain targets
Key Alert: “PHP” (executable file)
John indicates someone accessed his Yahoo acct
I got three copies, but sent to three different email accounts of mine
A Phishing we will go
Odd title: “WU”
Bad grammar: funds is available
Sent from unexpected country: “.uy”
Not a language I’d expect – Oddly URL is “accurate”
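The warning signs from the two slides above can be turned into a mechanical check. This is an added example, not code from the slides: it parses two constructed messages (not real mail) and reports which of the listed signs each one triggers. The list of "expected" top-level domains is an assumption you would tune to where your own mail normally comes from.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Two constructed messages (not real mail): one carrying the warning signs from
# the slides, one ordinary note from a friend for comparison.
SUSPECT_EMAIL = """\
From: "Western Union" <notice@example-mail.uy>
To: me@example.com
Subject: WU

funds is available http://promo.example.uy/claim.php
"""

ORDINARY_EMAIL = """\
From: "Dana Friend" <dana@example.org>
To: me@example.com
Subject: Lunch on Thursday?

Hi, are you free Thursday? The menu is at https://cafe.example.org/menu
"""

URL_RE = re.compile(r"https?://\S+")
# Assumption: where this mailbox's mail normally comes from; tune to your own.
EXPECTED_TLDS = {"com", "org", "net", "edu", "gov", "us"}
# Link targets that are programs or server scripts rather than pages/documents.
SCRIPT_EXTS = (".php", ".exe", ".vbs", ".js", ".scr")


def warning_signs(raw):
    """Return the list of slide warning signs this message triggers."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    subject = (msg["Subject"] or "").strip()
    urls = URL_RE.findall(body)
    signs = []

    if not subject:
        signs.append("no subject")
    elif len(subject) <= 3:
        signs.append(f"odd short subject: {subject!r}")

    # "Just has a URL, no explanation": almost no text besides the link(s)
    words_left = URL_RE.sub("", body).split()
    if urls and len(words_left) < 4:
        signs.append("body is little more than a link")

    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        tld = host.rsplit(".", 1)[-1].lower()
        if tld not in EXPECTED_TLDS:
            signs.append(f"link points to an unexpected domain: .{tld}")
        if parsed.path.lower().endswith(SCRIPT_EXTS):
            signs.append(f"link target is a script/executable: {parsed.path}")

    _, sender = parseaddr(msg["From"] or "")
    sender_tld = sender.rsplit(".", 1)[-1].lower() if "@" in sender else ""
    if sender_tld and sender_tld not in EXPECTED_TLDS:
        signs.append(f"sender address in an unexpected domain: .{sender_tld}")
    return signs


if __name__ == "__main__":
    for label, mail in (("suspect", SUSPECT_EMAIL), ("ordinary", ORDINARY_EMAIL)):
        print(label, warning_signs(mail))
```

None of these signs is proof on its own (a friend abroad really does mail from a foreign domain); the slides' point is that several of them together are the cue to not click and to check with the sender another way.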
Infection Detection
Lenovo’s Superfish (Bloatware)
The software tried to pop up useful alternative shopping results for
images. But in order to work on HTTPS-encrypted sites,
Superfish made use of a nasty (and horribly implemented)
"SSL hijacker" from Komodia, which installed a self-signed root
certificate that basically allowed anyone to issue
totally fake security certificates for any encrypted connection,
enabling very easy man-in-the-middle attacks. Among the
many, many, many stupid things about the way Komodia
worked, was that it used the same certificate on each
installation of Superfish, and it had an easily cracked password:
"komodia" which was true on apparently every product that
used Komodia. And researchers have discovered that a whole
bunch of products use Komodia, putting a ton of people at risk.
People have discovered at least 12 products that make use of
Komodia. [March 2015]
Methods
Social Engineering – via email
“hi I’m representing the estate of …”
“Please reply to receive your free….”
“I seem to have lost your … please get back to me”
“Hi, I’m Jane Doe, Vice President at <your bank>..”
But also
Leave a USB “thumbdrive”, or SD card in a coffee shop
Call up and ask for George
Tail gate into a facility
Date someone “inside”
Hoaxes- Pretends to warn you of a virus, or infection
Gets you to download Trojan horse “fix”
The Good stuff
Firewall – sits between your computer and the bad guys
Limits what can come in
Limits what goes out
Patches, updates
It is a pain when Microsoft/Apple triggers a download
followed by an install sequence ….
But, often this is to patch a security hole
Tools on your system
Anti virus scan; malware scan; adware scan
real time browser and email monitoring
Encryption - public/private keys – VPN
Sites with “HTTPS” are safer than sites with “HTTP”
Microsoft “defender” etc. is one tool from folks with a high
incentive to cover their liabilities
Day zero attacks
approximately 12 of 12 million attacks are Day Zero
each year - valued at $50k-500k
This means that “out of date” software is a primary
target (patches and updates!!)
There are folks all over the world watching for a
really “new” attack … US Government, Security
Vendors, white-hat hackers, major corporations
and of course bad guys
CYBERATTACK 2 THE
HISTORY
Phone Phreaking
In Band signaling – 2600 Hertz to get control
Blind youth with perfect pitch & control
Capt. Crunch whistle
Blue Box technology – “The Woz”
“Hackers” – conventions with anonymous & Masks
Social engineering
Inspired Steve Wozniak – founder of Apple
Discovery Channel Documentary
The Secret History of Hacking (on YouTube)
History – KGB & Star Wars
<local 12min>
“The Cuckoo’s Egg” – Cliff Stoll and the KGB
- 75 cent error – 1986
- watched to observe “code insertion” and changing
of the accounting log
- Reported to “authorities”
Lawrence Livermore links to Starwars program
- Traced back to MITRE corp in Virginia
- Traced back to German University “Student”
- Funded by KGB!
Cliff is an interesting character, see his video on
Ted.com “18 minutes with an agile mind”
Robert Morris - 1988 Internet Worm
Used known entry points:
“-Debug” in email
overflow in “Finger” program
on system dictionary to break passwords
on system listing of neighboring ‘trusted’ systems
email propagation through user lists
No actual “damage” – a “proof of concept”
that got out of control
Irony: Robert Morris Sr. worked at NSA at the time
Rand Reports
Cyberwarfare scenario circa 1995 <no longer available>
Sequence of events
Including airliner attack (control system)
Wall Street attack
With
Nation States potentially involved
Terrorists
US Dissidents
and an outbreak of war in the middle east
Love Bug --
2000 LOVE-LETTER-FOR-YOU.txt.vbs
10’s of millions of infected computers
Billions of dollars of damage
Not illegal in Philippines where it was created
forwarded itself to first 50 folks on your Outlook email
list
YOU.txt.vbs --- .txt is a harmless “text file” extension
YOU.txt.vbs --- VBS is a potentially harmful executable
Windows defaults to “not show” known extensions
Kevin Mitnick
“Notorious” for breaking into Digital & other Computers
Often used default passwords (field service access)
Or easily broken codes
Looking for money – banks, industry
transfer to other accounts
Served a number of years in jail
Was not allowed access to computers
Fought restrictions after release
Now a computer security consultant
Oil data 2007 to 2009 -- 
Chinese “University” sources broke into the major US
Oil Firms
Downloaded data about the potential value of various
oil fields explored but not acquired, and
recommended acquisition bids
China subsequently bid to various countries for rights to
high value oil fields
Projected loss: billions of dollars of value &
access to key oil reserves
Upping the ante
Aurora proof of concept – 2007
(4 Minutes, CNN video)
“Standard” US (& other) Power station
Modem link to backup generator
Power cycled unit on/off --- “out of spec”
Car Hacking
Many modern cars have computers that “talk to the
world” (On-star) or added-on (Verizon Telematics
deal with Insurance Companies, “InDrive”) – and
computers that talk to your car (accelerator, brakes)
and these talk to each other, and may talk with
strangers.
(Didn’t your mother warn you about this?)
http://www.cbsnews.com/news/car-hacked-on-60-minutes/
Preview- DARPA Dan.mp4
My Insurance Co asserts “it is not hackable”
Why hack a car?
Forbes article pushback
It is very difficult
There isn’t repeatable money in it
Time, expertise and motive
Murder – hard to detect
Blackmail – what will my Insurance Co CEO do when
they get that call? (2,000 of your cars…..)
Terrorists – massive loss of car control will get blood on
the front page ….
War Stories
2013 probe of 3.7 billion systems (MIT Tech Review)
surfaces 310 million vulnerable
Bot scan of "entire" net in 2012
http://en.wikipedia.org/wiki/Carna_Botnet
• 1.3 billion IP addresses identified
• Used 420,000 devices (perhaps even your computer)
The Internet of Things will expand the number of
targets by thousands – most of which will be boring,
some of which will have 20+ year lifespans
CYBERATTACK 3 WAR!
Nation States
Cyber warfare (ouch)
A problem of definition … with possible major impact
<local> (TED-ed video Defining Cyberwarfare - 3 min)
<local>“Cyberthreat”
(French with subtitles from ParisTEDx – 9min- Guy…)
Key points:
• Cyberwarfare has an imbalance –favoring attack
• “Reciprocal threats of surprise attack”
• NSA reported to be suggesting pre-emptive attacks
(not just cyber) if anticipating a cyber attack
Farewell Dossier
 - 1986 Pipeline destruction
<DC Myth or real …(affirmed in TEDxParis talk)>
CIA found out Soviets were seeking sensor/control
units for a trans- Siberian pipeline
They provided units (indirectly) with a “timeout”
A number of explosions destroyed the pipeline
(NORAD thought it was a missile launch)
Contributed to economic collapse of Soviet Union
(along with Starwars Hoax, Solidarity and the Pope)
PROMIS 
US DoD funded software to identify persons of interest
(oddly similar to FBI “Case File” fiasco in 2003)
Developed by exGovernment folks with a transition
from a “public domain” program to “copyright”
controlled program (leading to lawsuits)
Variants seemed to find their way to Israel
But then perhaps, Trojan horse variants, to other
countries (Soviets, Iran, et al)
Desert Storm 1990-94
Telephone repair team may have sabotaged Iraqi
communications systems
U.S. Special forces “upgraded” SAM anti-aircraft
batteries via stealth or social engineering
Fiber optic link across desert was compromised
Side observation – tank commanders downloaded
software updates for PC’s via cell phones in field
GPS accuracy was ‘shifted’ for non-military use
Information in warfare
Cyber is the 5th domain (land, sea, air, space, cyber)
Cyber is the 3rd major transition of war
Industrialization, Nuclear power, Cyber
Terrorist organizations
& Rogue States
To Rogue actors
(Public health model coordination)
Estonia 
April 27, 2007
Denial of service attacks on many areas of Estonian
Commerce
Banks
TV stations
Government agencies
Apparently from sources in Russia in response to
moving a memorial to Soviet troops
Georgia
5 August 2008, three days before Georgia launched its
invasion of South Ossetia,
• the websites for OSInform News Agency and
OSRadio were hacked--content was replaced by a
feed to the Alania TV
• Parliament of Georgia and Georgian Ministry of
Foreign Affairs websites to be replaced by images
comparing Georgian president Mikheil Saakashvili to
Adolf Hitler
• Other attacks involved denials of service to
numerous Georgian and Azerbaijani websites
(Wikipedia)
Shockwave - “We were warned”
CNN/Bipartisan Institute Shockwave 2010 
or Bipartisan Policy Institute Official Site
“Simulation” (war game) with some fairly recent
“Relevant” participants over a 4 hour period on CNN
Shockwave YouTube set
• Intro part 1 -- “March madness bot attack”
• Part 2: -- quarantine cell phones,
• Part 3: -- impacting internet
• Part 4: -- Russian servers
• Part 5: -- persons of interest in Sudan
• Part 6: -- power out
• Part 7: -- Federal authorities (power priorities)
• Part 8: -- Legal/liabilities,
• Part 9: -- conclusions, summary
Only a subset of the entire program sequence
Stuxnet
June 2009-July 2010 –
Wikipedia,  Wired detectives, 2013 update
“The Real Story of Stuxnet” (IEEE Spectrum)
<Local> Langer TED Talk (11 min)
Stuxnet 1
The Human Factor - "always a weak link" –
thumb drive (replication vector as well)
valid signed certificate - public/private key encryption
This is non-trivial
appeared to involve industrial espionage -
stealing info from Siemens PLC controllers
in-memory ghost DLL file
report to systems in Malaysia and Denmark, and
provided for "updates"
(re-directed to "sinkhole" –
identified 100,000+ systems in dozens of countries)
Stuxnet 2
four zero day exploits - deeply hidden
[Symantec doing deep analysis in a "3 level secure
lab" similar to bio-hazard controls]
("crackme" games - reverse engineering code --
what does this do?)
contains a "genealogical tree" of infections –
led to 5 systems in Iran
table-driven code -- how long it should spread, # of
systems to infect, end-date: July 12, 2012
Intercepted and changed control commands,
disabled exception detection & alarms
Stuxnet 3
First occurrence of using  a strictly digital attack to
destroy physical property
Two weeks after reporting PLC sabotage objectives,
the systems in Iran stopped reporting
Precision targeting for a specific facility/configuration
Patience -- then running a bit out of spec, and back to
normal -- excessive wear, resulting in premature
failure
Inoculation value - prevents infection of previously
flagged (registry) systems
Stuxnet 4
"In the end, Stuxnet’s creators invested years and perhaps
hundreds of thousands of dollars in an attack that was derailed
by a single rebooting PC, a trio of naive researchers who knew
nothing about centrifuges, and a brash-talking German who
didn’t even have an internet connection at home." Wired
May have had 2005 and 2007 precursors
"Acts that kill or injure persons or destroy or damage objects are
unambiguously uses of force” and likely violate international
law, according to the Tallinn Manual on the International Law
Applicable to Cyber Warfare, a study produced by a group of
independent legal experts at the request of NATO’s
Cooperative Cyber Defense Center of Excellence in Estonia." 
Wired 2013
Stuxnet – the gift that keeps on giving
Flame – spy on activities (undetected precursor)
Bluetooth “rifle” connection from 2km away
Spoofed as a Windows 7 update
(Certificate counterfeit)
Duqu – designed to steal information from industrial
control systems
Gauss – steal files, credentials, targeting Lebanese
bank credentials
All found by Kaspersky in follow-up on Stuxnet
CYBERATTACK 4
PROTECTION
You are here!
Passwords
Passwords – over-abused
“What is the value of this protection?”
for you or is it their marketing?
have a “don’t care” password (but use with care)
For serious stuff: 8+ characters, mix numbers and
punctuation, etc.
(some sites encrypt user names as well)
Don’t re-use your really important passwords!
Financial, Health, email (too many insights here)
Passwords– the challenge
With modern Graphics Processors (3,000+ parallel
computers on a chip, $1000) it is possible to “break”
dictionary word codes (100k words) in 1/10000th of a
second. – 8 number/letter strings in 4 days
75 days for 8 characters with punctuation
Hilarie Orman suggests
• pass phrases: “worldinhishands”
• Random words: “correct horse battery staple house”
• Mangled phrases: “scoRe4&7annos”
She also discovered that her “basal ganglia” typos
yielded passwords she did not know but could
reproduce – just typing fast.
Quantum Computing can void all bets
Biometrics,
Biometrics include:
• Fingerprint scanning
• Retinal scan
• Face recognition
• Voice recognition
Germany’s “Chaos Computer Club” used a High-Def
camera photo of a politician at a public event and
extracted a fingerprint image that might be sufficient
for ID access
Social Engineering – bio systems “back off”, or angry
“customer” calls may result in unauthorized access
And of course– you can change your password, have
you tried to change your fingerprints?
Tokens
• USB stick with critical key
• Secondary access key
• Shared secrets: Mother’s maiden name, first pet, etc.
• SMS/Cell phone “one time key” … but:
Tools you want to use:
Firewall – watches & locks the doors in and out
16,000 doors in, 16,000 doors out (more on some)
Virus protection – scans and quarantines problem files
Microsoft security essentials (Windows Defender)
Email/browser (Internet) scanning
For viruses in downloads, for abnormal site activities
Spyware/Malware/adware detection
Backup
There are “automatic backup” operations – to a
physical device, to the cloud (e.g. Google Drive)
This is good protection against device failure
---
However, not against ransomware, or some other
viruses (that will impact both your primary and your
backup systems)
A ransom-ware resistant backup
Identify what files you REALLY need to keep
(you can reinstall most software after reinstalling your operating
system)
My candidates include: Photographs (digital ones are hard to replace); music
(pain to copy back on the system from original media, and financial data
(Quicken…)) …
For these items I suggest a 3-copy strategy
(of course a copy of all photos to write-once CD/DVD can be an excellent
quasi-permanent solution)
For example with a set of (3) 16GB memory sticks:
a) run your anti-virus and malware software
b) Insert oldest copy thumb drive and copy selected
files to this device (easiest if they are in folders)
C) Do this once a month, so you have 1mo/2mo/3mo
old backups (REMOVED from device)
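The three-stick rotation in steps b) and c) comes down to one rule: always overwrite the copy that is oldest. The script below is an added example, not part of the slides; it records a small marker file on each stick so it can tell which one was used least recently, copies the chosen folders there, and simulates four monthly runs in a temporary directory with a constructed "Photos" folder. Step a) (the anti-virus scan) and the "REMOVED from device" part are still manual: nothing in software can unplug the stick for you.

```python
import json
import os
import shutil
import tempfile
import time

# Written to each stick's root; records when that stick was last refreshed.
MARKER = "last_backup.json"


def last_backup_time(target):
    """Epoch seconds of the last backup to this stick; 0 if never used."""
    path = os.path.join(target, MARKER)
    if not os.path.exists(path):
        return 0.0
    with open(path) as f:
        return json.load(f)["timestamp"]


def pick_oldest(targets):
    """The rotation rule from the slide: overwrite the copy that is oldest."""
    return min(targets, key=last_backup_time)


def copy_selected(source_folders, target, now=None):
    """Copy each chosen folder onto the stick, replacing the previous copy."""
    now = time.time() if now is None else now
    for folder in source_folders:
        dest = os.path.join(target, os.path.basename(folder))
        if os.path.exists(dest):
            shutil.rmtree(dest)
        shutil.copytree(folder, dest)
    with open(os.path.join(target, MARKER), "w") as f:
        json.dump({"timestamp": now}, f)


def run_rotation(source_folders, targets, now=None):
    """One monthly run: find the oldest stick, refresh it, report which one."""
    target = pick_oldest(targets)
    copy_selected(source_folders, target, now)
    return target


def demo():
    """Simulate four monthly runs against three 'sticks' in a temp directory."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    photos = os.path.join(root, "Photos")          # constructed sample folder
    os.makedirs(photos)
    with open(os.path.join(photos, "pic1.jpg"), "w") as f:
        f.write("constructed sample, not a real image")
    sticks = [os.path.join(root, f"stick{i}") for i in range(3)]
    for stick in sticks:
        os.makedirs(stick)
    month = 30 * 86400
    order = [os.path.basename(run_rotation([photos], sticks, now=m * month))
             for m in (1, 2, 3, 4)]
    shutil.rmtree(root)
    return order   # the fourth run wraps back to the first stick


if __name__ == "__main__":
    print(demo())
```

In real use the three `targets` are the mount points of the three sticks, and only the one being refreshed is plugged in; the other two stay disconnected, which is exactly what keeps them out of reach of ransomware that encrypts everything it can see.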
Who you goin’a trust?
Walt Mossberg, prev. with WSJ.
http://allthingsd.com/author/walt/
Consumer Reports periodic evaluation of tools
June 2013 issue
PC Mag
http://www.pcmag.com/article2/0,2817,2372370,00.asp
Antivirus
PC Mag preferences (2013)
Free: AVG AntiVirus Free or Adaware AntiVirus
Paid: Bitdefender, Webroot SecureAnywhere Antivirus
or Kaspersky Anti-Virus
Consumer reports (6/2013):
Free: Avast and Avira
Paid: Gdata, ESET, F-Secure, Kaspersky, Avira
April 2014 Antidote Anecdote
Wife’s XP system got “The Memo” (XP support ends April 9
– no updates, no virus updates, expect trouble)
So, I updated and ran Windows Security Essentials
• “no problems found” (most recent update)
Installed AVAST “Free”
• Quick Run – one problem found
• Boot Run – 11 problems found
Installed Malwarebytes
• Circa 50 or so files and registry entries found
• (mysearchdial, myspeeddial, installon, rightstuff)
2013 PC Mag eval
PC Mag anti-malware evaluation
Mobile
Lookout and Avast suggested by Mossberg
Keep your Blue Tooth off when not needed
http://allthingsd.com/20121220/beware-of-malware-
mobile-security-apps-to-safeguard-your-phone/
Mobile is the target for 2015 (IBM Projection)
[Wearables for 2016 – 7 Billion Cell Phones (14)
expecting 60 Billion wearables in 2017 …
Glass, Fitness, Earphone/mics, Cameras, ….]
Turn off things you don’t need
3rd party cookies (“mother may I”)
Images in email
Scripting
And Turn on things you may need to know
Beware of files with names like:
“Important.txt.exe”
the dual extension is a form of spoofing
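The dual-extension trick above, and the LOVE-LETTER-FOR-YOU.txt.vbs worm from the history section, both rely on Windows hiding the last extension. The check below is an added example, not code from the slides: it shows what such a name looks like with extensions hidden and flags names whose real (last) extension is executable while the visible part looks like a document or picture. The two extension lists are a constructed subset, not Windows' full list.

```python
import os

# Constructed subset of extensions Windows runs as programs or scripts.
EXECUTABLE_EXTS = {".exe", ".vbs", ".js", ".scr", ".bat", ".cmd",
                   ".com", ".pif", ".ps1", ".jse", ".wsf"}
# Extensions that look harmless, the "bait" half of a double extension.
BENIGN_LOOKING_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf",
                       ".doc", ".docx", ".xls", ".mp3"}


def displayed_name(filename, hide_known_extensions=True):
    """Name as Explorer shows it with 'Hide extensions for known file types'
    on: the final extension disappears, any inner one stays visible."""
    if not hide_known_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def check_double_extension(filename):
    """Return a reason string if the name is a spoofing candidate, else None."""
    stem, last = os.path.splitext(filename)
    last = last.lower()
    if last not in EXECUTABLE_EXTS:
        return None
    inner = os.path.splitext(stem)[1].lower()
    if inner in BENIGN_LOOKING_EXTS:
        return (f"{filename!r} runs as {last} but is displayed as "
                f"{displayed_name(filename)!r}, which looks like a {inner} file")
    return f"{filename!r} is an executable/script ({last})"


def scan_names(filenames):
    """Apply the check to a list of attachment/file names; keep only the hits."""
    return [r for r in (check_double_extension(n) for n in filenames) if r]


if __name__ == "__main__":
    # Constructed sample names, not from a real mailbox.
    for line in scan_names(["Important.txt.exe", "LOVE-LETTER-FOR-YOU.txt.vbs",
                            "report.pdf", "setup.exe"]):
        print(line)
```

Turning the "hide extensions" option off (the "turn on things you may need to know" point above) removes the disguise entirely: the user then sees the `.exe` or `.vbs` for themselves.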
What does your browser know?
IP address
What site you came from
Operating environment (OS, plugins, extensions, device)
Cookies
“The Method”
SPAM (hire a SPAM-bot net)
Direct to website (Looks “good”, has exploit kit)
(kit detects versions of your tools, browser, Flash, OS, etc. –
picks a known weakness & injects …)
Downloader installed – which installs selected things
(Cryptolocker, DDOS, etc.)
Cookies
An identifier stored through your browser to maintain
page-to-page continuity
Contains “URL”, “timeout”, “identifier”
Any multi-page transaction requires one
Set (at least) when you log into a site
Can span logins (welcome back)
3rd party cookies (Doubleclick.com) etc
“tracking pixel/images”
Moving to a permanent user ID in Windows 8, iPhone,
etc. (may be able to turn it off)
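What a cookie "contains", and what makes one third-party or able to span logins, can be read straight off the Set-Cookie header a site sends. The following is an added example, not from the slides: it parses three constructed headers (not captured from a real site), two set by the shop page itself and one set by an advertising image the page embeds, and reports for each the identifier, the domain, whether it is first- or third-party relative to the page, and whether it has a timeout that keeps it beyond the browser session. The "site" comparison uses the last two host labels, a simplification of what browsers do.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers (not captured from a real site): the shop page
# sets two cookies of its own, and an ad image it embeds sets a third-party one.
PAGE_URL = "https://shop.example.com/cart"
RESPONSES = [
    ("https://shop.example.com/cart",
     "session=abc123; Path=/; Secure; HttpOnly"),
    ("https://shop.example.com/cart",
     "remember_me=u42; Max-Age=2592000; Path=/"),
    ("https://ads.tracker-example.net/pixel.gif",
     "uid=7f3a; Domain=.tracker-example.net; "
     "Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure"),
]


def site_of(url):
    """Crude 'site': last two host labels. Browsers use the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def describe_cookie(page_url, resource_url, set_cookie):
    """Break one Set-Cookie header into the pieces the slide lists."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    party = "first" if site_of(page_url) == site_of(resource_url) else "third"
    out = []
    for name, morsel in jar.items():
        out.append({
            "name": name,
            "identifier": morsel.value,
            "party": party,
            "domain": morsel["domain"] or urlsplit(resource_url).hostname,
            # a timeout (Max-Age/Expires) makes it persistent: it survives
            # closing the browser, which is what enables "welcome back"
            "persistent": bool(morsel["max-age"] or morsel["expires"]),
            "secure": bool(morsel["secure"]),      # only sent over HTTPS
            "httponly": bool(morsel["httponly"]),  # hidden from page scripts
        })
    return out


def audit(page_url, responses):
    """Describe every cookie set while loading one page and its resources."""
    found = []
    for resource_url, header in responses:
        found.extend(describe_cookie(page_url, resource_url, header))
    return found


if __name__ == "__main__":
    for cookie in audit(PAGE_URL, RESPONSES):
        print(cookie)
```

The third entry is the tracking-pixel case: a one-pixel image fetched from another company's domain, whose cookie is scoped to that company and lives for years, so the same identifier comes back from every site that embeds the pixel. The "turn off 3rd party cookies" setting above is precisely a refusal to store cookies whose party is "third".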
http://browserspy.dk/
Test / Result:
IP Address: 72.71.205.187
Hostname: pool-72-71-205-187.cncdnh.fast01.myfairpoint.net
Country: US - United States
Region / City: Bedford
Postal Code: 03110
Latitude: 42.9396
Longitude: -71.5353
Long IP number: 1212665275
==================
Windows Media Player unique ID
And more
And be careful of what you do
Social media is neat, but …
Facebook ID tied to “Like” bugs –
Movement to share login ID’s (and data)
Classic question: what ID should I use for ???
Assume your emails, postings, etc. are recorded
[Corporate and governmental]
Assume your search paths, words, downloads etc. are
monitored [corporate and governmental]
Advertising, profiling (private or governmental)
Check Apps for privileges they request
Is your camera taking pictures…
Q:
I was surprised to see updates for some of my favorite apps say they can
access my camera to take pictures or video at any time without my
permission. Can they really take pictures or video from my camera?
A:
I wouldn’t use any app that could trigger the camera without your
knowledge or at least implied consent each time. An app might
legitimately be using the camera for tasks like scanning bar codes or
business cards. But even so, it should be obvious and allow you to
decide what to do. And if the app is one that should never need the
camera, but says it wants to do so, don’t use it.
Apple says it flags and rejects apps that use the camera without stating
that the camera is part of the app’s functionality. Google doesn’t curate
apps in advance and apps’ disclosures are generally stated all at once
in a dense page at download.
http://allthingsd.com/20131022/sneaky-apps-and-quiet-
tv-watching/?refcat=reviews
If things don’t seem right
Force a security/malware scan
(more than one tool may be wise)
Re-boot system
You can re-boot in “Safe Mode”
Holding down F8 while system starts
(Options: start with or without internet)
Folks like the GeekSquad have CDs they can use to
boot your system from CD to purge rootkits, etc.
Avira has tools for recovering if PC is dead, there is
also a thumbdrive tool that may help
Avast has “Boot version” you can run
Concepts
Heartbleed Bug 2014
Is a vulnerability at the server side of the net
Until that side is fixed, your password/etc are at risk
Suggested response:
Sort your sites: critical ($/health), at risk (CC, bank info),
Don’t care (none of above, only have login to know
who you are)
Identify 1-2 password transitions for each class of sites
- apply approach 1 now (I suggest before May 1)
- apply approach 2 in 2-3 months (July)
Some changes you make “now” are still subject to
“discovery” ergo the two step changes
Encryption (encoding …)
Substitution codes such as:
send money => tfme.npofz
Single pad (one-time pad) encryption – convert using text from some
arbitrary source, just once. If the recipient has the source,
then decryption is easy
Public/Private key
keys involve products of two large prime numbers
(factoring that product back into its primes is the key to breaking the encryption)
Public/Private key encryption
Alice encrypts with her private key,
anyone can decrypt with her public key
John encrypts with Alice’s public key,
only Alice can decrypt
Alice encrypts with her private key, then John’s
public key, only John can decrypt, and can use
Alice’s public key to confirm it is from Alice
“Certificate revocation” needed to declare
compromised private keys
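The three uses of a key pair listed above, worked through in Python with a toy RSA key. This is an added example, not code from the course: the primes 61/53 and 89/97, the helper names, the per-byte blocks and the truncated hash are choices made here for readability, and real RSA replaces the last two with padding and a full-size modulus. The `factor` and `recover_private` helpers at the end show why the slide's "large prime numbers" matter, and why a compromised key needs revocation rather than a fix.

```python
"""Toy RSA for the three key-pair uses on the slide.  Added example, not course
code: primes are tiny so every number is visible, and factor() at the end shows
why tiny primes are worthless.  Real keys use primes hundreds of digits long,
pad each block, and normally wrap a symmetric key rather than raw bytes."""
import hashlib
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 17):
    """Key pair from two primes.  (n, e) is published; (n, d) stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def apply_key(key, value: int) -> int:
    """RSA's single operation: value ** exponent mod n.  Which key you use
    decides whether you are encrypting, decrypting, signing or verifying."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt(public_key, message: bytes) -> list:
    """John encrypts with Alice's public key; only Alice's private key undoes it.
    Toy: one byte per block, no padding."""
    return [apply_key(public_key, b) for b in message]


def decrypt(private_key, blocks: list) -> bytes:
    return bytes(apply_key(private_key, c) for c in blocks)


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced to fit below n.  With a four-digit n this
    keeps only a dozen bits of the hash: fine for illustration, nothing more."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Alice 'encrypts' the digest with her private key.  Anyone holding her
    public key can reverse it, which is what proves the message is hers."""
    n, _ = private_key
    return apply_key(private_key, digest(message, n))


def verify(public_key, message: bytes, signature: int) -> bool:
    n, _ = public_key
    return apply_key(public_key, signature) == digest(message, n)


def sign_then_encrypt(sender_private, recipient_public, message: bytes) -> list:
    """Alice signs, then everything is wrapped with John's public key.  The
    signature block fits only because John's modulus is larger than Alice's."""
    signature = sign(sender_private, message)
    return encrypt(recipient_public, message) + [apply_key(recipient_public, signature)]


def decrypt_then_verify(recipient_private, sender_public, blocks: list):
    """John unwraps with his private key, then checks Alice's signature with her
    public key.  Returns the message, or None when the signature fails."""
    *body, wrapped_signature = blocks
    message = decrypt(recipient_private, body)
    signature = apply_key(recipient_private, wrapped_signature)
    return message if verify(sender_public, message, signature) else None


def factor(n: int):
    """Trial division: instant for a four-digit n, hopeless for a 617-digit one.
    That gap is the entire security of the scheme."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


def recover_private(public_key):
    """What a factored modulus gives away: d rebuilt from (n, e) alone.  A key
    whose modulus can be factored, or whose private half leaked, can only be
    withdrawn by revocation; no patch makes the published n safe again."""
    n, e = public_key
    p, q = factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(61, 53)     # n = 3233
    john_pub, john_priv = make_keypair(89, 97)       # n = 8633, larger than Alice's
    blocks = sign_then_encrypt(alice_priv, john_pub, b"send money")
    print(decrypt_then_verify(john_priv, alice_pub, blocks))
    print(recover_private(alice_pub) == alice_priv)
```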
2014 attacks
Target
JP Morgan/Chase
Home Depot
Sony
Mostly after Credit Card data
Sold as “dumps” ($1/card from good sources)
China supplier now willing to sell beyond China
2015: Anthem, Hilton Honors,
Sony … “The Interview”
Not a “financial target” – political motivation
Obtained:
Corporate records (personnel – who gets paid what,
and health care records)
Email archives (what does ??? Say about ???)
Actual “movie” files (ripe to rip)
Full list does not yet appear to be available
Companies don’t “get it” – hesitant to invest in quality
software, security procedures, 360 degree programs
[who cares about us??]
Steganography
Hiding messages by subtle manipulation of text,
images, video, music, etc.
Example from Sam Houston Univ:
"A study of religion must include the  use  of  the shrines 
important to the religious practice. One should also
consider how  money  is collected to support the religion.
Every  drop  of knowledge must be scrutinized."
Extra spaces can be inserted to select words:
"A study of religion must include the  use  of  the
shrines  important to the religious practice. One should
also consider how  money  is collected to support the
religion. Every  drop  of knowledge must be scrutinized."
In a picture or video you can make subtle changes to an image where
both parties hold the master for comparison …
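The extra-spaces trick above, implemented in Python as an added example (not from the course deck or the Sam Houston page it cites). `hide` doubles the spaces on both sides of the cover words that spell the secret, `reveal` reads them back, and `double_space_ratio` is the crude check a mail or document filter can apply, since prose from a word processor almost never contains double spaces. The cover text is the slide's passage lowercased with punctuation dropped; the secret `use money drop` is a constructed choice for the demonstration, not the hidden message the slide's source intended.

```python
"""Whitespace steganography in the style of the slide's example.  Added worked
example, not from the course deck or the Sam Houston page it cites."""
import re

# The slide's passage, lowercased and with punctuation dropped (constructed cover).
COVER = ("a study of religion must include the use of the shrines important to "
         "the religious practice one should also consider how money is collected "
         "to support the religion every drop of knowledge must be scrutinized")


def hide(cover: str, secret: str) -> str:
    """Re-join the cover so that each secret word, in order, sits between double
    spaces.  Every secret word must occur in the cover after the previous one,
    and never as the first or last word (those have no gap on one side)."""
    words = cover.split()
    marked = set()
    start = 0
    for wanted in secret.split():
        try:
            idx = words.index(wanted, start)
        except ValueError:
            raise ValueError(f"cover text has no {wanted!r} after word {start}")
        if idx == 0 or idx == len(words) - 1:
            raise ValueError(f"{wanted!r} cannot be marked at the text boundary")
        marked.add(idx)
        start = idx + 1
    out = []
    for i, word in enumerate(words):
        if i > 0:
            # widen the gap if the word on either side of it is marked
            out.append("  " if (i in marked or (i - 1) in marked) else " ")
        out.append(word)
    return "".join(out)


def reveal(text: str) -> str:
    """Return the words that have two spaces on both sides, in order."""
    return " ".join(re.findall(r"(?<=  )(\S+)(?=  )", text))


def double_space_ratio(text: str) -> float:
    """Fraction of gaps between words that are wider than one space.  Ordinary
    prose sits at or near 0; a text carrying marked words is well above it.
    A filter that flags anything over a few percent catches this scheme even
    without knowing which words were chosen."""
    gaps = re.findall(r" +", text)
    if not gaps:
        return 0.0
    return sum(1 for g in gaps if len(g) > 1) / len(gaps)


if __name__ == "__main__":
    stego = hide(COVER, "use money drop")
    print(repr(stego))
    print(reveal(stego))                       # use money drop
    print(double_space_ratio(COVER), double_space_ratio(stego))
```

The detector is deliberately simple; the slide's point that either party can compare against a held master applies here too, since a receiver who has the clean cover text can diff the two and recover the marks exactly.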
CYBERATTACK 5 NEWS
Nation States
IBM Webinar: 2015 projections
• Mobile Exploit kits (buy a phone cracker)
• Frameworks & Services (we will infect software for you – like that “free” version of Angry Birds …)
• Mobile Device Takeovers (Porta-zombies)
• Apple Pay (and other “payment” systems)
• Mobile Malware
• Biometric hacking (imitation, database)
• EMV (chip & pin) credit cards => CNP attacks (Card not present – oh gee, I forgot my PIN)
• Health Care attacks (CC @ $1, Health record @ $30)
• Charge medications, services (“here is the bill for your baby”)
Anonymous
Outgrowth of 4chan – “BBS” community
Internet freedom – no censorship
<local> 2008 Scientology msg 3min
Physical Presence (world wide, hundreds)
Wikileaks – Mastercard/Amazon/PayPal
Arab Spring
Care packages (Ham radios, modems, …)
Relaying tweets, Facebook updates, etc.
All Channels – in the streets, dial in
denial of service, theft of data, …
What’s New(s) … recent events
NSA Data Center meltdown – Oct. 8th 2013 WSJ report
10 failures in the last 13 months
“Chronic electronic surges”
Destroying $100,000s of machinery
And delayed operations by 1+ years
New Bluffdale, Utah site
Snowden Impact – bad guys know more about risks
Steganographic smuggling
IEEE Spectrum Nov 2013 – “4 New Ways to Smuggle Messages Across the Internet”
By Wojciech Mazurczyk, Krzysztof Szczypiorski & Józef Lubacz
BitTorrent – control the sequence of servers used
Skype – “empty packets” (voice pauses)
Google Suggest – “man in the middle” adding entries
WiFi packet padding – using the pad bits
Tor
(previously TOR, an acronym for The Onion Router) is free software for enabling online anonymity. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than four thousand relays to conceal a user's location or usage from anyone conducting network surveillance or traffic analysis.
From Wikipedia
Tor encryption devices/routers available for under $100
– plug in (and slow down) for increased privacy
(but beware of cookies, etc. that can still track you)
Related considerations
Cryptocurrencies [SSIT Google Hangout to YouTube]
Bitcoin –anonymity and the net
• “like cash” – not traceable
• Nice for privacy
• Real nice for criminal activities
The Internet of Things (IoT)
Your car, your House (lock, security, heater…)
(now consider ransom-ware attack – oh you want to
start your car? Unlock your house? …)
Bit Coin (thanks to IEEE Spectrum)
RFID
Radio Frequency Identifier Chip
“EZ Pass”
Mobile card “on the fly” (other credit cards)
US Passports
Car Keys
Hotel pass keys, Access/ID Cardkeys
Embedded in Clothes/price tag/unpaid alert
Embedded in pets
Amal Graafstra’s hands
Operation Shady RAT
“networks were compromised by remote access tools — or RATs. These tools have legitimate uses for system administrators — give someone the ability to access a computer from across the country. In this case, however, they were secretly placed on the target systems, hidden from the eyes of users and administrators, and were used to rifle through confidential files for useful information. It’s not for nothing that McAfee is calling this Operation Shady RAT.”
http://allthingsd.com/20110803/operation-shady-rat-the-biggest-hacking-attack-ever/
Prevention and path forward
How you get infected and what to do <local>
TED presentation (18 min) – James Lyne
Hire the hackers (TED, 18 min) <local>
Profiles examples of hackers
Vaccination is a public health concern, not just a private
issue --- that is, using a firewall and anti-virus
protection is important for everyone, not just for your
own system.
If you are not part of the solution
you are part of the problem
Questions, answers, discussion, challenges
If you are not paranoid, you are not paying attention.

CyberAttack -- Whose side is your computer on?

  • 1. Cyber attack – Whose Side is Your Computer On?
    Jim Isaak – STEM4All
    2015: 4/27-5/24 OLLI Concord 1-2:30 PM
    Week 2 3 4 5
  • 2. Based on feedback
    Basics with definitions first … help folks to absorb computer terminology
    PLEASE – ASK! You are not the only one who doesn’t get them
    There is a lot of jargon; you won’t really get it the first time
    You are not expected to be experts in related fields (and even if you are, some of this stuff is new)
  • 3. http://is.gd/Cyberattacks
    Has syllabus/outline for class, with hot links to a number of resources
      • Including videos (mostly “free”) and
      • Pointers to authoritative sources and
      • To tools that are useful
    This presentation is available from the site
    Note that <Local> links to video clips used in class; the second link will be to online versions
  • 4. Anthem Record Theft – Jan 2015
    80 million customer records – SS#’s (etc.) in the clear
    Key risk is identity theft; secondary is abuse of insurance (to buy medications, pay for services)
    You can put an initial fraud alert on your credit bureau records for 90 days “free”; call one and they will contact the others (get your free credit report if you have not done so recently). Can renew after 90 days.
      • Equifax 1-800-525-6285
      • Experian 1-888-397-3742
      • TransUnion 1-800-680-7289
    http://www.consumer.ftc.gov/articles/0275-place-fraud-alert
  • 5. Cybersecurity for The Common Man (or woman)
    Bad actors are out there. They want your computer. Why? How? Who?
    We will look at the context of some of these questions
    -- Yes, that fellow from “Nigeria” wants your money
    -- Yes, those folks from <to be disclosed> want to use your computer to attack: the United States, Iran, Amazon, Google, et al.
  • 6. An overview
    Of the concepts of cybersecurity
      • Is it a virus or a worm (and do you care?)
      • Phishing for your identity
      • Spoofing is not just a Halloween prank
    And some examples
      • Did President Reagan destroy the Soviet pipeline?
      • Who destroyed Iranian nuclear facilities, and how?
    And some suggestions on how to detect/avoid becoming a victim or a zombie!!
  • 7. A Few Quick Things:
    Make sure your operating system & app “updates” are actually up to date (that’s why they call them that)
    Make sure you have a firewall turned on
    Make sure you have antivirus software, that it is up to date, and have it do a scan or full scan soon!
    Beware of “short emails” that just have a link – even from friends (they have been hacked)
    You do not have a friend in Nigeria who wants to help you with his fortune (or a friend/relative/granddaughter stuck in some foreign city who needs bail ….)
  • 8. 1: CONCEPTS
    WSJ Malware Glossary
  • 9. What makes computers and networks vulnerable?
    Re-purposing – programmable devices
      • Computers are defined as ‘programmable devices’: a set of instructions can make it do many different things
      • The same memory is used for data and instructions, and can be targeted for revision/rewrite
    Complexity
      • Computer programs contain millions of instructions
      • Often programmers do not handle exceptions, or they don’t consider “abuse” opportunities
    Clones
      • Many systems are identical hardware & OS
    Networked – can pass “infection” from one to another
  • 10. Who and why?
    “Kids” – to show they can do it – “script kiddies”; back in the 80’s this was “new”
    Or “hacktivists” sending a “message”
    Criminals – blackmail (if you don’t … we will …); grand theft – from banks, etc.; credit card info (calling cards, etc.); con artists (if you would be so kind as to give me your bank account number and …)
    Nation states – we could use the plans for the F22, or all of the potential oil sites, or …
    Why not terrorists? (No blood on the front page?)
  • 11. From http://hackmageddon.com/ – 2014 Motivations (based on 1000 significant attacks)
  • 12. And who are the targets
  • 13. What do we call them?
    Hackers – in some circles this is an honorific, reflecting mastery of “making things work” from scratch; used in computing, but also “maker” labs etc.
    Crackers – the “hacker” term for folks who do bad things hacking
    White-hat – good guys; Black-hat – bad guys
    DefCon – a conference of anonymous, pay-in-cash-at-the-door folks – hat colors vary
  • 14. Example of computer source code
    Piece of “Basic” code (a Visual Basic .NET button handler that lists the JPG files in a folder the user picks):

    Private Sub Start_Btn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Start_Btn.Click
        Dim target_Path As String
        Dim count As Integer = 0
        target_Path = ""
        FileNameLst.Items.Clear()
        DateTargets.Items.Clear()
        Try
            Application.DoEvents()
            target_Path = FolderBrowserDialog1.SelectedPath
            ' ShowDialog returns a DialogResult, so compare it explicitly
            If FolderBrowserDialog1.ShowDialog() = DialogResult.OK Then
                ' nothing to do if the user picked the same folder again
                If target_Path = FolderBrowserDialog1.SelectedPath Then Exit Try
                target_Path = FolderBrowserDialog1.SelectedPath
                FolderBrowserDialog1.Dispose()
                Me.Text = target_Path
                'get a list of all jpg file names
                For Each foundImage As String In My.Computer.FileSystem.GetFiles(target_Path)
                    If foundImage.EndsWith(".JPG", StringComparison.CurrentCultureIgnoreCase) Then Me.FileNameLst.Items.Add(foundImage)
                Next
            End If
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try
    End Sub
  • 15. Example of Assembly Code
  • 16. Example of Machine Language
    Load a value into register 8, taken from the memory cell 68 cells after the location listed in register 3:

        [ op     | rs    | rt    | address/immediate ]
          35       3       8       68                   decimal
          100011   00011   01000   0000000001000100     binary

    The sophisticated “cracker”/“hacker” works at this level – understanding what the code is doing, and modifying it to do something different
    This stuff may be harder than rocket science
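As an added example (not from the slides), a small Python encoder/decoder for the instruction layout shown above; it assumes the standard MIPS32 I-type field widths (6/5/5/16 bits) and names only a handful of opcodes.

```python
# Added example, not from the slides: pack and unpack a MIPS32 I-type
# instruction such as the slide's "lw $8, 68($3)" (op=35, rs=3, rt=8, imm=68).
# Assumption: standard I-type layout, op(6) | rs(5) | rt(5) | immediate(16).

# A handful of I-type opcodes, enough for the slide's example (assumed subset).
I_TYPE_NAMES = {35: "lw", 43: "sw", 8: "addi", 4: "beq"}


def encode_itype(op, rs, rt, imm):
    """Pack the four fields into one 32-bit word (imm as a signed 16-bit value)."""
    if not (0 <= op < 64 and 0 <= rs < 32 and 0 <= rt < 32):
        raise ValueError("op/rs/rt field out of range")
    if not (-32768 <= imm <= 32767):
        raise ValueError("immediate must fit in signed 16 bits")
    return (op << 26) | (rs << 21) | (rt << 16) | (imm & 0xFFFF)


def decode_itype(word):
    """Split a 32-bit word back into (op, rs, rt, imm), sign-extending imm."""
    op = (word >> 26) & 0x3F
    rs = (word >> 21) & 0x1F
    rt = (word >> 16) & 0x1F
    imm = word & 0xFFFF
    if imm & 0x8000:          # negative offset in two's complement
        imm -= 0x10000
    return op, rs, rt, imm


def field_bits(word):
    """Binary string grouped as on the slide: op rs rt immediate."""
    bits = f"{word:032b}"
    return " ".join((bits[:6], bits[6:11], bits[11:16], bits[16:]))


def disassemble(word):
    """Render lw/sw as 'name $rt, imm($rs)' and other I-types as 'name $rt, $rs, imm'."""
    op, rs, rt, imm = decode_itype(word)
    name = I_TYPE_NAMES.get(op, f"op{op}")
    if name in ("lw", "sw"):
        return f"{name} ${rt}, {imm}(${rs})"
    return f"{name} ${rt}, ${rs}, {imm}"


def patch_immediate(word, new_imm):
    """What 'modifying it to do something different' means at this level:
    keep op/rs/rt, replace only the 16-bit offset, return the new word."""
    op, rs, rt, _ = decode_itype(word)
    return encode_itype(op, rs, rt, new_imm)


if __name__ == "__main__":
    w = encode_itype(35, 3, 8, 68)
    print(hex(w), field_bits(w), disassemble(w))
    print(disassemble(patch_immediate(w, 72)))
```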
  • 17. 2012
    400+ million individuals were victims of cyber crimes; 2/3 of US individuals in their lifetime
    Threat to IP by nation states – speed & volume of what can be taken to market; $600 billion in losses; thousands of jobs (if…)
    Threat to military targets/operations – disruption of communications
    Threat to infrastructure – cyber-physical
  • 18. Malware 1
    Virus – a bit of machine code that is designed to insert itself into existing code on your computer (an “infected file”); “signatures” are snippets of code that indicate a virus
    Worm – a program that tries to infect other computers using your computer
    Trojan horse – a program that seems “OK” but carries malware
    Scripts – higher level programming elements that are executed by your browser (or other tools)
    Rootkit – a virus infecting the very basic level of your system so it is hard to detect and eliminate
  • 19. Malware 2
    Adware – causes ads to appear, typically unwelcome ones, but may also track your use of the system; pop-up (on top of your browser), pop-under (window hidden below your browser)
    Bot, Botnet, Zombie – a computer (yours??) taken over with a virus (often a rootkit) that is controlled from a remote site; you can “rent” a million systems to do your bidding
    Spyware, keystroke logging – malware on your system may watch what you do; keystroke logging allows capture of passwords; identity theft
  • 20. Malware 3
    Spoofing – fake name, fake email address, fake IP address, fake URL/domain…
    SPAM – is unsolicited email (ads..)
    But: Phishing – seeks to get you to disclose key information – “Hi, I’m Jane from Credit Card …”; often appears to be from a bank, or major vendor
    Downloaders – web site that stuffs files onto your computer when you are not looking – may use scripting…
  • 23. Email Attack
    Email warning signs:
      • No subject
      • Just has a URL, no explanation
      • Odd domain targets
      • Key alert: “PHP” (executable file)
      • John indicates someone accessed his Yahoo acct
      • I got three copies, but sent to three different email accounts of mine
  • 24. A Phishing we will go
      • Odd title: “WU”
      • Bad grammar: “funds is available”
      • Sent from unexpected country: “.uy”
      • Not a language I’d expect – oddly, URL is “accurate”
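An added example, not part of the original presentation: a Python check that scores a message against the warning signs from slides 23 and 24. The reader's addresses, the list of expected sender countries, the grammar phrases and the two sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the reader's own addresses, the sender TLDs
# they normally get mail from, and a few phrases taken from the slides' examples.
MY_ADDRESSES = {"me@example.com", "me@example.net", "me@example.org"}
EXPECTED_TLDS = {"com", "net", "org", "edu", "gov", "us"}
SCRIPT_EXTENSIONS = (".php", ".exe", ".vbs", ".scr")
GRAMMAR_TELLS = (r"\bfunds is\b", r"\bkindly revert\b", r"\bdo the needful\b")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_tld(address):
    """'agent@transfer.example.uy' -> 'uy'."""
    domain = address.rsplit("@", 1)[-1].strip("> ")
    return domain.rsplit(".", 1)[-1].lower()


def email_warning_signs(msg):
    """Return the warning signs (slides 23 and 24) that fire for one message.
    msg is a dict with keys 'from', 'to' (list), 'subject' and 'body'."""
    signs = []
    body = msg.get("body", "")
    urls = URL_RE.findall(body)
    if not msg.get("subject", "").strip():
        signs.append("no_subject")
    if len(urls) == 1 and body.strip() == urls[0]:
        signs.append("bare_link_no_explanation")
    if any(urlparse(u).path.lower().endswith(SCRIPT_EXTENSIONS) for u in urls):
        signs.append("link_to_script_file")
    if sender_tld(msg.get("from", "")) not in EXPECTED_TLDS:
        signs.append("unexpected_sender_country")
    if any(re.search(p, body, re.IGNORECASE) for p in GRAMMAR_TELLS):
        signs.append("odd_grammar")
    if len(set(msg.get("to", [])) & MY_ADDRESSES) > 1:
        signs.append("sent_to_several_of_my_addresses")
    return signs


# Constructed sample messages modelled on the two slides (not the real emails).
BARE_LINK_MAIL = {
    "from": "john@example.com",          # a friend's account, as on slide 23
    "to": ["me@example.com", "me@example.net", "me@example.org"],
    "subject": "",
    "body": "http://odd-domain.example/go/index.php",
}
WU_MAIL = {
    "from": "agent@transfer.example.uy",  # unexpected country, as on slide 24
    "to": ["me@example.com"],
    "subject": "WU",
    "body": "Your funds is available. Visit https://www.example.com/track to claim.",
}

if __name__ == "__main__":
    for name, mail in (("bare link", BARE_LINK_MAIL), ("WU", WU_MAIL)):
        print(name, "->", email_warning_signs(mail))
```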
  • 26. Lenovo’s Superfish (Bloatware)
    The software tried to pop up useful alternative shopping results for images. But in order to work on HTTPS-encrypted sites, Superfish made use of a nasty (and horribly implemented) "SSL hijacker" from Komodia, which installed a self-signed root certificate that basically allowed anyone to issue totally fake security certificates for any encrypted connection, enabling very easy man-in-the-middle attacks.
    Among the many, many, many stupid things about the way Komodia worked was that it used the same certificate on each installation of Superfish, and it had an easily cracked password: "komodia", which was true on apparently every product that used Komodia. And researchers have discovered that a whole bunch of products use Komodia, putting a ton of people at risk. People have discovered at least 12 products that make use of Komodia. [March 2015]
  • 27. Methods
    Social engineering – via email:
      • “Hi, I’m representing the estate of …”
      • “Please reply to receive your free….”
      • “I seem to have lost your … please get back to me”
      • “Hi, I’m Jane Doe, Vice President at <your bank>..”
    But also:
      • Leave a USB “thumbdrive” or SD card in a coffee shop
      • Call up and ask for George
      • Tailgate into a facility
      • Date someone “inside”
    Hoaxes – pretends to warn you of a virus or infection; gets you to download a Trojan horse “fix”
  • 28. The Good stuff
    Firewall – sits between your computer and the bad guys; limits what can come in, limits what goes out
    Patches, updates – it is a pain when Microsoft/Apple triggers a download followed by an install sequence …. But often this is to patch a security hole
    Tools on your system – anti-virus scan; malware scan; adware scan; real-time browser and email monitoring
    Encryption – public/private keys – VPN; sites with “HTTPS” are safer than sites with “HTTP”
    Microsoft “Defender” etc. is one tool from folks with a high incentive to cover their liabilities
  • 29. Day zero attacks
    Approximately 12 of 12 million attacks are Day Zero each year – valued at $50k-500k
    This means that “out of date” software is a primary target (patches and updates!!)
    There are folks all over the world watching for a really “new” attack … US Government, security vendors, white-hat hackers, major corporations and of course bad guys
  • 31. Phone Phreaking
    In-band signaling – 2600 Hertz to get control
    Blind youth with perfect pitch & control; Capt. Crunch whistle
    Blue Box technology – “The Woz”
    “Hackers” – conventions with anonymous & masks
    Social engineering
    Inspired Steve Wozniak – founder of Apple
    Discovery Channel documentary The Secret History of Hacking (on YouTube)
  • 32. History – KGB & Star Wars <local 12min>
    “The Cuckoo’s Egg” – Cliff Stoll and the KGB
      - 75 cent error – 1986
      - Watched to observe “code insertion” and changing of the accounting log
      - Reported to “authorities”; Lawrence Livermore links to Star Wars program
      - Traced back to MITRE Corp in Virginia
      - Traced back to German university “student”
      - Funded by KGB!
    Cliff is an interesting character; see his video on Ted.com, “18 minutes with an agile mind”
  • 33. Robert Morris – 1988 Internet Worm
    Used known entry points:
      • “-Debug” in email
      • Overflow in “Finger” program
      • On-system dictionary to break passwords
      • On-system listing of neighboring ‘trusted’ systems
      • Email propagation through user lists
    No actual “damage” – a “proof of concept” that got out of control
    Irony: Robert Morris Sr. worked at NSA at the time
  • 34. Rand Reports
    Cyberwarfare scenario circa 1995 <no longer available>
    Sequence of events including airliner attack (control system), Wall Street attack
    With nation states potentially involved, terrorists, US dissidents, and an outbreak of war in the Middle East
  • 35. Love Bug – 2000
    LOVE-LETTER-FOR-YOU.txt.vbs
    10’s of millions of infected computers; billions of dollars of damage
    Not illegal in the Philippines where it was created
    Forwarded itself to the first 50 folks on your Outlook email list
    YOU.txt.vbs – .txt is a harmless “text file” extension
    YOU.txt.vbs – VBS is a potentially harmful executable
    Windows defaults to “not show” known extensions
  • 36. Kevin Mitnick
    “Notorious” for breaking into Digital & other computers
    Often used default passwords (field service access) or easily broken codes
    Looking for money – banks, industry; transfer to other accounts
    Served a number of years in jail; was not allowed access to computers; fought restrictions after release
    Now a computer security consultant
  • 37. Oil data 2007 to 2009
    Chinese “university” sources broke into the major US oil firms
    Downloaded data about the potential value of various oil fields explored but not acquired, and recommended acquisition bids
    China subsequently bid to various countries for rights to high value oil fields
    Projected loss: billions of dollars of value & access to key oil reserves
  • 38. Upping the ante
    Aurora proof of concept – 2007 (4 minutes, CNN video)
    “Standard” US (& other) power station; modem link to backup generator
    Power cycled unit on/off – “out of spec”
  • 39. Car Hacking
    Many modern cars have computers that “talk to the world” (OnStar) or added-on (Verizon Telematics deal with insurance companies, “InDrive”) – and computers that talk to your car (accelerator, brakes), and these talk to each other, and may talk with strangers. (Didn’t your mother warn you about this?)
    http://www.cbsnews.com/news/car-hacked-on-60-minutes/
    Preview – DARPA Dan.mp4
    My insurance co asserts “it is not hackable”
  • 40. Why hack a car?
    Forbes article pushback: it is very difficult; there isn’t repeatable money in it
    Time, expertise and motive:
      • Murder – hard to detect
      • Blackmail – what will my insurance co CEO do when they get that call? (2,000 of your cars…..)
      • Terrorists – massive loss of car control will get blood on the front page ….
  • 41. War Stories
    2013 probe of 3.7 billion systems (MIT Tech Review) surfaces 310 million vulnerable
    Bot scan of "entire" net in 2012 http://en.wikipedia.org/wiki/Carna_Botnet
      • 1.3 billion IP addresses identified
      • Used 420,000 devices (perhaps even your computer)
    The Internet of Things will expand the number of targets by thousands – most of which will be boring, some of which will have 20+ year lifespans
  • 42. CYBERATTACK 3 – WAR! Nation States
  • 43. Cyber warfare (ouch)
    A problem of definition … with possible major impact
    <local> (TED-Ed video Defining Cyberwarfare – 3 min)
    <local> “Cyberthreat” (French with subtitles from ParisTEDx – 9 min – Guy…)
    Key points:
      • Cyberwarfare has an imbalance – favoring attack
      • “Reciprocal threats of surprise attack”
      • NSA reported to be suggesting pre-emptive attacks (not just cyber) if anticipating a cyber attack
  • 44. Farewell Dossier – 1986 Pipeline destruction <DC Myth or real … (affirmed in TEDxParis talk)>
    CIA found out Soviets were seeking sensor/control units for a trans-Siberian pipeline
    They provided units (indirectly) with a “timeout”
    A number of explosions destroyed the pipeline (NORAD thought it was a missile launch)
    Contributed to economic collapse of Soviet Union (along with Star Wars hoax, Solidarity and the Pope)
  • 45. PROMIS
    US DoD funded software to identify persons of interest (oddly similar to FBI “Case File” fiasco in 2003)
    Developed by ex-government folks with a transition from a “public domain” program to a “copyright” controlled program (leading to lawsuits)
    Variants seemed to find their way to Israel
    But then perhaps, Trojan horse variants, to other countries (Soviets, Iran, et al)
  • 46. Desert Storm 1990-94
    Telephone repair team may have sabotaged Iraqi communications systems
    U.S. Special Forces “upgraded” SAM anti-aircraft batteries via stealth or social engineering
    Fiber optic link across desert was compromised
    Side observation – tank commanders downloaded software updates for PCs via cell phones in field
    GPS accuracy was ‘shifted’ for non-military use
  • 47. Information in warfare
    5th domain (land, sea, air, space, cyber)
    Cyber is 3rd major transition of war: industrialization, nuclear power, cyber
    Terrorist organizations & rogue states to rogue actors (public health model coordination)
  • 48. Estonia – April 27, 2007
    Denial of service attacks on many areas of Estonian commerce: banks, TV stations, government agencies
    Apparently from sources in Russia in response to moving a memorial to Soviet troops
  • 49. Georgia
    5 August 2008, three days before Georgia launched its invasion of South Ossetia,
      • the websites for OSInform News Agency and OSRadio were hacked – content was replaced by a feed to the Alania TV
      • Parliament of Georgia and Georgian Ministry of Foreign Affairs websites were replaced by images comparing Georgian president Mikheil Saakashvili to Adolf Hitler
      • Other attacks involved denials of service to numerous Georgian and Azerbaijani websites
    (Wikipedia)
  • 50. Shockwave – “We were warned”
    CNN/Bipartisan Institute Shockwave 2010, or Bipartisan Policy Institute official site
    “Simulation” (war game) with some fairly recent “relevant” participants over a 4 hour period on CNN
  • 51. Shockwave YouTube set
      • Intro part 1 – “March madness bot attack”
      • Part 2 – quarantine cell phones
      • Part 3 – impacting internet
      • Part 4 – Russian servers
      • Part 5 – persons of interest in Sudan
      • Part 6 – power out
      • Part 7 – Federal authorities (power priorities)
      • Part 8 – legal/liabilities
      • Part 9 – conclusions, summary
    Only a subset of the entire program sequence
  • 52. Stuxnet
    June 2009-July 2010 – Wikipedia, Wired detectives, 2013 update “The Real Story of Stuxnet” (IEEE Spectrum)
    <Local> Langner TED Talk (11 min)
  • 53. Stuxnet 1
    The human factor – "always a weak link" – thumb drive (replication vector as well)
    Valid signed certificate – public/private key encryption; this is non-trivial; appeared to involve industrial espionage
    Stealing info from Siemens PLC controllers
    In-memory ghost DLL file
    Report to systems in Malaysia and Denmark, and provided for "updates" (re-directed to "sinkhole" – identified 100,000+ systems in dozens of countries)
  • 54. Stuxnet 2
    Four zero day exploits – deeply hidden [Symantec doing deep analysis in a "3 level secure lab" similar to bio-hazard controls] ("crackme" games – reverse engineering code – what does this do?)
    Contains a "genealogical tree" of infections – led to 5 systems in Iran
    Table driven code – how long it should spread, # of systems to infect, end-date: July 12, 2012
    Intercepted and changed control commands, disabled exception detection & alarms
  • 55. Stuxnet 3
    First occurrence of using a strictly digital attack to destroy physical property
    Two weeks after reporting PLC sabotage objectives, the systems in Iran stopped reporting
    Precision targeting for a specific facility/configuration
    Patience – then running a bit out of spec, and back to normal – excessive wear, resulting in premature failure
    Inoculation value – prevents infection of previously flagged (registry) systems
  • 56. Stuxnet 4
    "In the end, Stuxnet’s creators invested years and perhaps hundreds of thousands of dollars in an attack that was derailed by a single rebooting PC, a trio of naive researchers who knew nothing about centrifuges, and a brash-talking German who didn’t even have an internet connection at home." – Wired
    May have had 2005 and 2007 precursors
    "'Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force' and likely violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, a study produced by a group of independent legal experts at the request of NATO’s Cooperative Cyber Defense Center of Excellence in Estonia." – Wired 2013
  • 57. Stuxnet – the gift that keeps on giving
    Flame – spy on activities (undetected precursor); Bluetooth “rifle” connection from 2 km away; spoofed as a Windows 7 update (certificate counterfeit)
    Duqu – designed to steal information from industrial control systems
    Gauss – steal files, credentials, targeting Lebanese bank credentials
    All found by Kaspersky in follow-up on Stuxnet
  • 58. CYBERATTACK 4 – PROTECTION (You are here!)
  • 60. Passwords
    Passwords – over-abused: “What is the value of this protection?” for you, or is it their marketing?
    Have a “don’t care” password (but use with care)
    For serious stuff: 8+ characters, mix numbers and punctuation, etc. (some sites encrypt user names as well)
    Don’t re-use your really important passwords! Financial, health, email (too many insights here)
  • 61. Passwords – the challenge
    With modern graphics processors (3,000+ parallel computers on a chip, $1000) it is possible to “break” dictionary word codes (100k words) in 1/10000th of a second; 8 number/letter strings in 4 days; 75 days for 8 characters with punctuation
    Hilarie Orman suggests:
      • Pass phrases: “worldinhishands”
      • Random words: “correct horse battery staple house”
      • Mangled phrases: “scoRe4&7annos”
    She also discovered that her “basal ganglia” typos yielded passwords she did not know but could reproduce – just typing fast.
    Quantum computing can void all bets
  • 62. Biometrics
    Biometrics include:
      • Fingerprint scanning
      • Retinal scan
      • Face recognition
      • Voice recognition
    Germany’s “Chaos Computer Club” used a high-def camera photo of a politician at a public event and extracted a fingerprint image that might be sufficient for ID access
    Social engineering – bio systems “back off”, or angry “customer” calls may result in unauthorized access
    And of course – you can change your password; have you tried to change your fingerprints?
  • 63. Tokens
      • USB stick with critical key
      • Secondary access key
      • Shared secrets: mother’s maiden name, first pet, etc.
      • SMS/cell phone “one time key” … but:
  • 65. Tools you want to use:
    Firewall – watches & locks the doors in and out; 16,000 doors in, 16,000 doors out (more on some)
    Virus protection – scans and quarantines problem files; Microsoft Security Essentials (Windows Defender)
    Email/browser (Internet) scanning – for viruses in downloads, for abnormal site activities
    Spyware/malware/adware detection
  • 66. Backup
    There are “automatic backup” operations – to a physical device, to the cloud (e.g. Google Drive)
    This is good protection against device failure – however, not against ransomware, or some other viruses (that will impact both your primary and your backup systems)
  • 67. A ransom-ware resistant backup
    Identify what files you REALLY need to keep (you can reinstall most software after reinstalling your operating system)
    My candidates include: photographs (digital ones are hard to replace); music (pain to copy back on the system from original media); and financial data (Quicken…) …
    For these items I suggest a 3-copy strategy (of course a copy of all photos to write-once CD/DVD can be an excellent quasi-permanent solution)
    For example with a set of (3) 16GB memory sticks:
      a) Run your anti-virus and malware software
      b) Insert the oldest-copy thumb drive and copy selected files to this device (easiest if they are in folders)
      c) Do this once a month, so you have 1mo/2mo/3mo old backups (REMOVED from device)
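Added example (not from the slides): a Python sketch of steps b) and c), picking the stick whose backup is oldest and copying the chosen folders onto it. The marker-file name and the simulated folders and sticks are assumptions made for the example; the anti-virus scan of step a) and the physical removal of the stick are not simulated.

```python
import os
import shutil
import tempfile
from datetime import date

# Assumed for this example: each stick carries a small marker file recording
# the date of the last backup written to it.
MARKER_FILE = ".last_backup"


def last_backup_date(medium):
    """Date in the stick's marker file, or None if the stick has never been used."""
    path = os.path.join(medium, MARKER_FILE)
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return date.fromisoformat(f.read().strip())


def choose_oldest_medium(media):
    """Step b): pick a never-used stick if there is one, else the oldest backup."""
    def age_key(m):
        d = last_backup_date(m)
        return (d is not None, d or date.min)
    return min(media, key=age_key)


def run_backup(keep_folders, media, today):
    """Copy the folders you REALLY need onto the oldest stick and stamp it.
    Run this after the anti-virus/malware scan (step a) and unplug the stick
    afterwards (step c) so a later ransomware infection cannot reach it."""
    target = choose_oldest_medium(media)
    for folder in keep_folders:
        dest = os.path.join(target, os.path.basename(folder))
        shutil.copytree(folder, dest, dirs_exist_ok=True)
    with open(os.path.join(target, MARKER_FILE), "w") as f:
        f.write(today.isoformat())
    return target


def demo_rotation():
    """Simulate four monthly runs over three sticks in a temp directory.
    Returns (stick used each month, whether the photo reached the 4th-month stick)."""
    root = tempfile.mkdtemp()
    try:
        photos = os.path.join(root, "Photos")          # constructed sample folder
        os.makedirs(photos)
        with open(os.path.join(photos, "holiday.jpg"), "w") as f:
            f.write("constructed sample image")
        media = [os.path.join(root, f"stick{i}") for i in (1, 2, 3)]
        for m in media:
            os.makedirs(m)
        used = []
        for month in (1, 2, 3, 4):
            target = run_backup([photos], media, date(2015, month, 1))
            used.append(os.path.basename(target))
        copied = os.path.exists(os.path.join(root, used[-1], "Photos", "holiday.jpg"))
        return used, copied
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo_rotation())
```

In the simulation the fourth month wraps back to the first stick, which is exactly the 1mo/2mo/3mo rotation the slide describes.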
  • 68. Who you goin’a trust?
    Walt Mossberg, prev. with WSJ: http://allthingsd.com/author/walt/
    Consumer Reports periodic evaluation of tools – June 2013 issue
    PC Mag: http://www.pcmag.com/article2/0,2817,2372370,00.asp
  • 69. Antivirus
    PC Mag preferences (2013):
      • Free: AVG AntiVirus Free or Adaware AntiVirus
      • Paid: Bitdefender, Webroot SecureAnywhere Antivirus or Kaspersky Anti-Virus
    Consumer Reports (6/2013):
      • Free: Avast and Avira
      • Paid: Gdata, ESET, F-Secure, Kaspersky, Avira
  • 70. April 2014 Antidote Anecdote
    Wife’s XP system got “The Memo” (XP support ends April 9 – no updates, no virus updates, expect trouble)
    So, I updated and ran Windows Security Essentials
      • “no problems found” (most recent update)
    Installed AVAST “Free”
      • Quick run – one problem found
      • Boot run – 11 problems found
    Installed Malwarebytes
      • Circa 50 or so files and registry entries found
      • (mysearchdial, myspeeddial, installon, rightstuff)
  • 73. Mobile
    Lookout and Avast suggested by Mossberg
    Keep your Bluetooth off when not needed
    http://allthingsd.com/20121220/beware-of-malware-mobile-security-apps-to-safeguard-your-phone/
    Mobile is the target for 2015 (IBM projection) [Wearables for 2016 – 7 billion cell phones (’14), expecting 60 billion wearables in 2017 … Glass, fitness, earphone/mics, cameras, ….]
  • 75. Turn off things you don’t need
    3rd party cookies (“mother may I”); images in email; scripting
    And turn on things you may need to know
    Beware of files with names like “Important.txt.exe” – the dual extension is a form of spoofing
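An added example covering slides 35 and 75, not the presentation's own code: Python functions that show what a name like YOU.txt.vbs looks like once Windows hides known extensions, and that flag dual-extension executables in a list of attachment names. The extension lists and the sample names are assumed for the example.

```python
import os

# Extension sets assumed for this example (not from the slides).
EXECUTABLE_EXTS = {".exe", ".vbs", ".scr", ".bat", ".cmd", ".com", ".js", ".pif"}
HARMLESS_LOOKING_EXTS = {".txt", ".jpg", ".jpeg", ".pdf", ".doc", ".docx", ".mp3"}
# "Known file types" whose extension Explorer hides when that default is on.
KNOWN_EXTS = EXECUTABLE_EXTS | HARMLESS_LOOKING_EXTS


def true_extension(name):
    """The extension the OS actually acts on: the last one."""
    return os.path.splitext(name)[1].lower()


def displayed_name(name):
    """What the file looks like in Explorer with known extensions hidden:
    'LOVE-LETTER-FOR-YOU.txt.vbs' shows as 'LOVE-LETTER-FOR-YOU.txt'."""
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in KNOWN_EXTS else name


def is_disguised_executable(name):
    """True when the real extension is executable but the name that remains
    after hiding it ends in a harmless-looking extension (the dual-extension trick)."""
    if true_extension(name) not in EXECUTABLE_EXTS:
        return False
    inner = os.path.splitext(name)[0]
    return true_extension(inner) in HARMLESS_LOOKING_EXTS


def triage(names):
    """(displayed name, true extension, disguised?) for each attachment name."""
    return [(displayed_name(n), true_extension(n), is_disguised_executable(n)) for n in names]


# Constructed sample attachment names, including the two from the slides.
SAMPLE_NAMES = [
    "LOVE-LETTER-FOR-YOU.txt.vbs",
    "Important.txt.exe",
    "vacation.jpg",
    "setup.exe",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_NAMES):
        print(row)
```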
  • 76. What does your browser know?
    IP address; what site you came from; operating environment (OS, plugins, extensions, device); cookies
    “The Method”:
      • SPAM (hire a SPAM-bot net)
      • Direct to website (looks “good”, has exploit kit) – kit detects versions of your tools, browser, Flash, OS, etc. – picks a known weakness & injects …
      • Downloader installed – which installs selected things (Cryptolocker, DDOS, etc.)
  • 77. Cookies
    An identifier stored through your browser to maintain page-to-page continuity
    Contains “URL”, “timeout”, “identifier”
    Any multi-page transaction requires one; set (at least) when you log into a site; can span logins (welcome back)
    3rd party cookies (Doubleclick.com) etc.; “tracking pixel/images”
    Moving to a permanent user ID in Windows 8, iPhone, etc. (may be able to turn it off)
  • 78. http://browserspy.dk/
    Test – Result
      • IP Address – 72.71.205.187
      • Hostname – pool-72-71-205-187.cncdnh.fast01.myfairpoint.net
      • Country – US - United States
      • Region – City: Bedford; Postal Code: 03110; Latitude: 42.9396; Longitude: -71.5353
      • Long IP number – 1212665275
    Windows Media Player unique ID, and more
  • 82. And be careful of what you do Social media is neat, but … Facebook ID tied to “Like” bugs – Movement to share login ID’s (and data) Classic question: what ID should I use for ??? Assume your emails, postings, etc. are recorded [Corporate and governmental] Assume your search paths, words, downloads etc. are monitored [corporate and governmental] Advertising, profiling (private or governmental) Check Apps for privileges they request http://is.gd/Cyberattackshttp://is.gd/Cyberattacks
  • 83. Is your camera taking pictures… Q: I was surprised to see updates for some of my favorite apps say they can access my camera to take pictures or video at any time without my permission. Can they really take pictures or video from my camera? A: I wouldn’t use any app that could trigger the camera without your knowledge or at least implied consent each time. An app might legitimately be using the camera for tasks like scanning bar codes or business cards. But even so, it should be obvious and allow you to decide what to do. And if the app is one that should never need the camera, but says it wants to do so, don’t use it. Apple says it flags and rejects apps that use the camera without stating that the camera is part of the app’s functionality. Google doesn’t curate apps in advance and apps’ disclosures are generally stated all at once in a dense page at download. http://allthingsd.com/20131022/sneaky-apps-and-quiet- tv-watching/?refcat=reviews http://is.gd/Cyberattackshttp://is.gd/Cyberattacks
  • 84. If things don’t seem right Force a security/malware scan (more than one tool may be wise) Re-boot system You can re-boot in “Safe Mode” Holding down F8 while system starts (Options: start with or without internet) Folks like the GeekSquad have CDs they can use to boot your system from CD to purge rootkits, etc. Avira has tools for recovering if PC is dead, there is also a thumbdrive tool that may help Avast has “Boot version” you can run
  • 86. Heartbleed Bug 2014 Is a vulnerability at the server side of the net Until that side is fixed, your password/etc are at risk Suggested response: Sort your sites: critical ($/health), at risk (CC, bank info), Don’t care (none of above, only have login to know who you are) Identify 1-2 password transitions for each class of sites - apply approach 1 now (I suggest before May 1) - apply approach 2 in 2-3 months (July) Some changes you make “now” are still subject to “discovery”, ergo the two-step changes
  • 87. Encryption (encoding …) Substitution codes such as: send money => tfme.npofz Single (one-time) pad encryption – convert using text from some arbitrary source, just once. If recipient has source, then decrypt is easy Public/Private keys involve products of two large prime numbers (factoring that product back into its primes is the key to breaking the encryption)
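The slide's `send money => tfme.npofz` is a substitution that moves every character one place along the alphabet (the letter-by-letter shift of “money” to “npofz” shows it; the code below gives “tfoe” for “send”, so the slide's “tfme” looks like a transcription slip). The block below is an added example, not code from the slides: it implements that shift cipher over an alphabet that I assume ends in space and “.”, shows why a fixed substitution is weak (every key can be tried in a loop), and contrasts it with a one-time pad, including the failure mode the slide's “just once” points at: reuse the pad and the two ciphertexts cancel it out.

```python
"""Shift (substitution) cipher versus one-time pad. Added example; the alphabet
ordering and the sample messages are my assumptions, not the slide's."""
import os

# Letters, then space, then "." so that a shift of 1 turns "send money" into "tfoe.npofz".
ALPHABET = "abcdefghijklmnopqrstuvwxyz ."


def shift_cipher(text: str, shift: int) -> str:
    """Replace each character by the one `shift` places later in ALPHABET.
    Negative shift decrypts. Characters outside ALPHABET pass through unchanged."""
    out = []
    for ch in text:
        i = ALPHABET.find(ch)
        out.append(ch if i < 0 else ALPHABET[(i + shift) % len(ALPHABET)])
    return "".join(out)


def brute_force(ciphertext: str) -> list:
    """The weakness of a fixed substitution: the key space is tiny, so try every key.
    Returns (shift, candidate) pairs; a reader picks the one that reads as language."""
    return [(k, shift_cipher(ciphertext, -k)) for k in range(1, len(ALPHABET))]


def new_pad(length: int) -> bytes:
    """A pad must be truly random and as long as the message; os.urandom gives that."""
    return os.urandom(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR each byte with the pad byte at the same position.
    The same call encrypts and decrypts. Refuse a pad that is too short rather
    than wrapping it around, because wrapping is pad reuse."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message; a one-time pad is never stretched or reused")
    return bytes(a ^ b for a, b in zip(data, pad))


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad XOR to m1 XOR m2: the pad drops out.
    Anyone who knows (or guesses) one message then reads the other."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print(shift_cipher("send money", 1))            # tfoe.npofz
    print(brute_force("tfoe.npofz")[0])             # (1, 'send money')
    pad = new_pad(32)
    m1, m2 = b"send money by friday", b"meet at the office  "
    c1, c2 = otp_xor(m1, pad), otp_xor(m2, pad)
    print(otp_xor(c1, pad) == m1)                   # True
    # Reused pad: knowing m1 recovers m2 with no pad at all.
    print(bytes(a ^ b for a, b in zip(pad_reuse_leak(c1, c2), m1)))   # b'meet at the office  '
```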
  • 88. Public/Private key encryption Alice encrypts with her private key, anyone can decrypt with her public key John encrypts with Alice’s public key, only Alice can decrypt Alice encrypts with her private key, then with John’s public key: only John can decrypt, and he can use Alice’s public key to confirm it is from Alice “Certificate revocation” needed to declare compromised private keys
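The three uses on the slide (sign with a private key, encrypt to a public key, and sign-then-encrypt) are all the same operation, raising a number to a key's exponent modulo the product of two primes, and the previous slide's point about factoring is what breaks it. The block below is an added example, not code from the slides: textbook RSA with toy primes (61 and 53 for Alice, 89 and 97 for John are my choices), the three exchanges, and a trial-division factoring step that recovers Alice's private key from her public one in an instant because the modulus is tiny. Real keys are hundreds of digits, and real systems pad messages and hash before signing; none of that is shown here.

```python
"""Textbook RSA on toy primes: sign, encrypt, sign-then-encrypt, and why small
moduli fall to factoring. Added example; primes and message are constructed."""
from math import gcd, isqrt
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def mod_inverse(a: int, m: int) -> int:
    """x with a*x == 1 (mod m), by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse: a and m share a factor")
    return s0 % m


def keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Public key (n, e) and private key (n, d) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, mod_inverse(e, phi))


def apply_key(key: Key, m: int) -> int:
    """Every RSA operation is m ** exponent mod n."""
    n, k = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, k, n)


def sign(m: int, private: Key) -> int:          # Alice "encrypts" with her private key
    return apply_key(private, m)


def verify(sig: int, public: Key) -> int:       # anyone "decrypts" with her public key
    return apply_key(public, sig)


def encrypt(m: int, public: Key) -> int:        # John encrypts with Alice's public key
    return apply_key(public, m)


def decrypt(c: int, private: Key) -> int:       # only Alice can decrypt
    return apply_key(private, c)


def sign_then_encrypt(m: int, sender_priv: Key, recipient_pub: Key) -> int:
    """Alice signs, then wraps the signature for John. In this toy the recipient's
    modulus must be larger than the sender's so the signature fits."""
    return encrypt(sign(m, sender_priv), recipient_pub)


def decrypt_then_verify(c: int, recipient_priv: Key, sender_pub: Key) -> int:
    """John unwraps with his private key, then checks it came from Alice."""
    return verify(decrypt(c, recipient_priv), sender_pub)


def factor(n: int) -> Tuple[int, int]:
    """Trial division up to sqrt(n): instant here, infeasible for real-size moduli.
    That gap is the entire security margin of RSA."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is prime")


def recover_private(public: Key) -> Key:
    """Factoring n gives phi(n), and phi(n) gives d: the private key is gone."""
    n, e = public
    p, q = factor(n)
    return (n, mod_inverse(e, (p - 1) * (q - 1)))


if __name__ == "__main__":
    alice_pub, alice_priv = keypair(61, 53)     # n = 3233
    john_pub, john_priv = keypair(89, 97)       # n = 8633
    m = 1234
    print(verify(sign(m, alice_priv), alice_pub) == m)                       # True
    print(decrypt(encrypt(m, alice_pub), alice_priv) == m)                   # True
    c = sign_then_encrypt(m, alice_priv, john_pub)
    print(decrypt_then_verify(c, john_priv, alice_pub) == m)                 # True
    print(recover_private(alice_pub) == alice_priv)                          # True
```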
  • 89. 2014 attacks Target JP Morgan/Chase Home Depot Sony Mostly after credit card data Sold as “dumps” ($1/card from good sources) China supplier now willing to sell beyond China 2015: Anthem, Hilton Honors
  • 90. Sony … “The Interview” Not a “financial target” – political motivation Obtained: Corporate records (personnel – who gets paid what, and health care records) Email archives (what does ??? say about ???) Actual “movie” files (ripe to rip) Full list does not yet appear to be available Companies don’t “get it” – hesitant to invest in quality software, security procedures, 360 degree programs [who cares about us??]
  • 91. Steganography Hiding messages by subtle manipulation of text, images, video, music, etc. Example from Sam Houston Univ: "A study of religion must include the  use  of  the shrines  important to the religious practice. One should also consider how  money  is collected to support the religion. Every  drop  of knowledge must be scrutinized." Extra spaces can be inserted to select words: "A study of religion must include the  use  of  the shrines  important to the religious practice. One should also consider how  money  is collected to support the religion. Every  drop  of knowledge must be scrutinized." In a picture or video you can make subtle changes to an image where both parties hold the master for comparison …
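The slide's text example hides a message by putting extra spaces around chosen words of an innocent cover text. The block below is an added example, not the Sam Houston material or code from the slides: it implements one marking convention that I assume (a selected word gets two spaces on both sides), the matching extractor, and the simple check a mail filter or DLP tool would run, since ordinary prose almost never contains runs of double spaces. The cover sentence and the hidden words are constructed for the example.

```python
"""Whitespace steganography: hide words by double-spacing around them, reveal them,
and flag text that carries the telltale spacing. Added example with a constructed
cover text; the two-spaces-each-side convention is my assumption."""
import re
from typing import List, Set


def hide_words(cover: str, marked: Set[int]) -> str:
    """Rejoin cover.split() with two spaces on both sides of each marked word index.
    The first and last word cannot be marked: there is no space before or after
    them to widen, so the extractor could not see the mark."""
    words = cover.split()
    if not marked <= set(range(1, len(words) - 1)):
        raise ValueError("marked indices must be interior words of the cover text")
    out = []
    for i, word in enumerate(words):
        if i > 0:
            # a double space wherever the word before or the word after is marked
            out.append("  " if (i in marked or i - 1 in marked) else " ")
        out.append(word)
    return "".join(out)


def reveal_words(stego: str) -> List[str]:
    """Words with exactly a double space immediately before and after them.
    Adjacent marked words share the double space between them and both match."""
    return re.findall(r"(?<=  )(\S+)(?=  )", stego)


def double_space_ratio(text: str) -> float:
    """Detection heuristic: double spaces per word. Word processors and mail clients
    normalise spacing, so any non-zero ratio in plain prose deserves a look."""
    words = text.split()
    return len(re.findall(r"  ", text)) / len(words) if words else 0.0


# Constructed cover text (not the slide's). Words 10, 13 and 19 are "Friday", "send", "money".
COVER = ("The quarterly report will be ready after the meeting on Friday so please "
         "send the final numbers and the money transfer details to the office by noon")

if __name__ == "__main__":
    stego = hide_words(COVER, {10, 13, 19})
    print(repr(stego))
    print(reveal_words(stego))           # ['Friday', 'send', 'money']
    print(double_space_ratio(COVER))     # 0.0
    print(double_space_ratio(stego))     # 6 double spaces over 27 words
```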
  • 92. CYBERATTACK 5 NEWS Nation States
  • 93. IBM Webinar: 2015 projections • Mobile Exploit kits (buy a phone cracker) • Frameworks & Services (we will infect software for you – like that “free” version of Angry Birds …) • Mobile Device Takeovers (Porta-zombies) • Apple Pay (and other “payment” systems) • Mobile Malware • Biometric hacking (imitation, database) • EMV (chip & pin) credit cards => CNP attacks (Card not present – oh gee, I forgot my PIN) • Health Care attacks (CC @ $1, Health record @ $30) • Charge medications, services (“here is the bill for your baby”)
  • 94. Anonymous Outgrowth of 4chan – “BBS” community Internet freedom – no censorship <local> 2008 Scientology msg 3min Physical Presence (world wide, hundreds) Wikileaks – Mastercard/Amazon/PayPal Arab Spring Care packages (Ham radios, modems, …) Relaying tweets, Facebook updates, etc. All Channels – in the streets, dial-in denial of service, theft of data, …
  • 95. What's New(s) … recent events NSA Data Center meltdown – Oct. 8th 2013 WSJ report 10 failures in last 13 months “Chronic electronic surges” Destroying $100,000s of machinery And delayed operations by 1+ years New Bluffdale Utah site Snowden Impact – bad guys know more about risks
  • 96. Steganographic smuggling IEEE Spectrum Nov 2013 – “4 New Ways to Smuggle Messages Across the Internet” By: Wojciech Mazurczyk, Krzysztof Szczypiorski & Józef Lubacz BitTorrent – control sequence of servers used Skype – “empty packets” (voice pauses) Google Suggest – “man in the middle” adding entries WiFi packet padding – using pad bits
  • 97. Tor (previously TOR, an acronym for The Onion Router) is free software for enabling online anonymity. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than four thousand relays to conceal a user's location or usage from anyone conducting network surveillance or traffic analysis. From Wikipedia Tor encryption devices/routers available for under $100 – plug in (and slow down) for increased privacy (but beware of cookies, etc. that can still track you)
  • 98. Related considerations Cryptocurrencies [SSIT Google Hangout to YouTube] Bitcoin – anonymity and the net • “like cash” – not traceable • Nice for privacy • Real nice for criminal activities The Internet of Things (IoT) Your car, your house (lock, security, heater…) (now consider a ransomware attack – oh, you want to start your car? Unlock your house? …)
  • 99. Bit Coin (thanks to IEEE Spectrum)
  • 100. RFID Radio Frequency Identifier Chip “EZ Pass” Mobile card “on the fly” (other credit cards) US Passports Car Keys Hotel pass keys, Access/ID Cardkeys Embedded in Clothes/price tag/unpaid alert Embedded in pets Amal Graafstra’s hands
  • 101. Operation Shady RAT “networks were compromised by remote access tools — or RATs. These tools have legitimate uses for system administrators — give someone the ability to access a computer from across the country. In this case, however, they were secretly placed on the target systems, hidden from the eyes of users and administrators, and were used to rifle through confidential files for useful information. It’s not for nothing that McAfee is calling this Operation Shady RAT.” http://allthingsd.com/20110803/operation-shady-rat-the-biggest-hacking-attack-ever/
  • 102. Prevention and path forward How you get infected and what to do? <local> TED presentation (18 min) – James Lyne Hire the hackers (TED 18min) <local> Profiles examples of hackers Vaccination is a public health concern, not just a private issue --- that is, using a firewall and anti-virus protection is important for everyone, not just for your own system. If you are not part of the solution you are part of the problem
  • 103. Questions, answers, discussion, challenges If you are not paranoid, you are not paying attention.

Editor's Notes

  1. Tech Icons is AT&T interview channel
  2. Security & Privacy Magazine; Sept/Oct 2013
  3. Two free products also did well in testing. Ad-Aware Free Antivirus+ 10.5 detected 83 percent of the samples and earned 5.8 points; for a while that was the top score. AVG AntiVirus FREE 2014 detected fewer samples, 78 percent, but more thorough cleanup earned it an impressive 6.4 points. AVG and Ad-Aware are our current Editors' Choice products for free antivirus.
  4. http://df.shsu.edu/crypto/Steganography2/Steganographyhtml.php
  5. http://www.buzzflash.com/farrell/03/07/22.html 2003!