NAU Summer Seminar Series - Protect Yourself from Cybercrime

Presentation by Jane Ginn on how to protect data from the acts of online cyber-criminals. She covers the industrialization of cyber-crime, the use of botnets and DDoS attacks, and vulnerabilities and threat vectors. Finally, she provides a list of countermeasures people can take to protect themselves.

Published in: Technology

  1. Protecting Yourself from Online Cyber-Criminals: Practical Tips and Tools. By Jane Ginn, MRP, AIT. With guest artist Tony Carito. Sponsors:
  2. Protecting Your Data & Online Identity
     • Scope of the Problem
     • Threat Vectors / Vulnerabilities
     • Growing Sophistication of Cybercriminal Networks
     • Protection / Countermeasures
  3. Scope of the Problem: The Industrialization of Cyber-Crime
  4. Motivation of Cyber-Criminals
  5. Origin of Attack – 2011 Data. Source: Trustwave – Spider Labs
  6. Location Info Can Be Deceptive: Tor node locations on February 27, 2013. Source:
  7. Growth of Malware. Source: Panda Security
  8. Types of Malware. Sources: 2012 – Panda Security; 2013 – Solutionary
  9. How Data Are Lost or Compromised. Source: 2011 Ponemon Benchmark Study, sponsored by Symantec
  10. What types of companies are being breached the most? What are the criminals after? Source: Trustwave 2013 Report
  11. Source: Trustwave 2013 Report
  12. Source: Trustwave 2013 Report
  13. Source: Trustwave 2013 Report
  14. Fraud Incidence Increasing. Source: Javelin 2013
  15. The Use of Toolkits: ZeuS
     • Emerged in 2007
     • Most prevalent malware toolkit in the banking and financial services sector
     • Many variants
     • Forms 'botnets' for exploiting innocent victims
     • Toolkit goes for about (+/-) $4,000 on the black market, with many add-ons for $800 - $1,500
     • Most prevalent in countries that don't enforce against cybercriminal activity
     Source: underground-crimeware-toolkits
  16. The Use of Toolkits: Spy Eye
  17. What Are Botnets? Source: McAfee 2011 Report
  18. Spam Down with Botnet Take-Downs. Source: M86 Security
  19. DDoS Attacks. DDoS also deployed by Low Orbit Ion Cannon (LOIC):
     • Jan. 19, 2012 – FBI, DOJ, US Copyright Office, Warner Brothers Music, MPAA, RIAA
  20. Interactive Map of Global Activity
  21. Interview with a Black Hat Hacker: audio recording adapted from an interview with a real hacker by Robert Hansen of White Hat Security
  22. Dialogue of Interview – Part 1
     Q: Can you describe what you think your hacking related skills are?
     A: My personal expertise and area of knowledge is in social engineering. I think it is pretty obvious I'm a black hat, so I social engineer to "card". Another area of hacking is botnet building.
     Q: What attracted you to the Black Hat way of life?
     A: Money. I found it funny how watching T.V. and typing on my laptop would earn me a hard worker's monthly wage in a few hours. It was too easy in fact.
     Q: Can you recall a tipping point at which you started considering yourself a Black Hat?
     A: It's difficult really. We never called ourselves Black Hats, I don't know, it was just too James Bond like.
  23. Dialogue of Interview – Part 2
     Q: How many machines do you think you directly controlled at the peak of your Botnet activity?
     A: Erm, depends. I had two separate botnets (although some bots cross over). The DDoS botnet contained the bots which were public computers or computers that were in offices. Then there was my carding botnet, definitely the most valuable. The DDoS botnet has about 60-70k bots at the moment, most in the U.S. The carding botnet had a lot less at around 5-10k, most in Asia.
     Q: How much money do you think you made, after expenses, per year, at the peak, doing Black Hat activities?
     A: I can't really go into specifics but when 9/11 happened we were making millions.
  24. Dialogue of Interview – Part 3
     Q: How much do you think you made last year?
     A: Off the top of my head? Around about 400-500k. Last year was kind of s**t. People became wiser, patches became more frequent. This year we have 3/4 of that amount already.
     Q: How easy is it for you to compromise a website?
     A: I like to watch the news; especially the financial side of it. Most of these websites have admins behind them who have no practical experience of being the bad guy and how the bad guys think.
     Q: Which types of browsers tend to be the most vulnerable?
     A: If you asked me this a few years ago I'd have said, almost 100% was Internet Explorer. That is hugely vulnerable, but now people have taken to the better, faster browsers such as Chrome and Firefox.
  25. Dialogue of Interview – Part 4
     Q: Is there any line you personally never crossed as a Black Hat?
     A: I refuse to allow my botnet to be used to attack charities or soldier memorial pages. Apart from that it's fair game.
     Q: How do you perceive the owners of the websites you have compromised and the victims of the machines that your Botnets have infected?
     A: I kind'a feel sorry for the people who become victims of fraud, although if you're stupid enough to click a link, you probably deserved it!
  26. THREAT VECTORS / VULNERABILITIES
     • Point-of-Sale (POS) Systems
       - Restaurants / Hotels / Retail Shops
       - Gas Stations / Grocery Stores
     • Networks (Wired & Wireless)
       - Home / Work / School
       - Coffee Shops
       - Airport Hot Spots
     • Computers / Laptops / Tablets / Mobiles
     • Email
     • Web Applications
     • ATMs
     • Social Media & Social Engineering
  27. Vulnerabilities: Point-of-Sale Systems
     • Why? Improperly installed / poorly configured
     • Regulated by the Payment Card Industry (PCI) Data Security Standard (DSS)
  28. Vulnerabilities: Networks (Wired & Wireless)
     • All networks
       - No firewalls
       - Firewalls using out-of-date software
       - Use of default passwords on routers
     • Wireless
       - Wireless networks configured without encryption
     • Wired
       - Easy physical access in buildings with wired networks
  29. Vulnerabilities: Laptops / Tablets / Cell Phones / PDAs
     • All devices
       - Use of weak passwords
       - Use of the same password for all accounts
       - Sharing of passwords
       - Single authentication (one factor only)
       - No encryption
       - No anti-virus (A/V) programs (yes, Apple products need A/V, too)
       - Operating systems & applications not patched
       - Installation of infected apps: 400% increase in malware targeting smartphones in 2012 (Source: Kaspersky Labs)
       - Lost or stolen devices
  30. ATM Vulnerabilities
  31. Vulnerabilities: Social Media & Social Engineering
     • Online exploits
       - Using social media sites
       - Phishing (419 attacks)
       - Persuading victims to click on an infected link
       - Too-good-to-be-true offers
       - Web application attacks
       - MitM, MitB, MitS attacks
     • In-person social engineering exploits
       - Dumpster diving
       - Infected flash drive
     Photo source: DiegoFuego via Flickr
  32. Help Desk Blame: dramatization of how we take our frustration with cyber-criminals out on help desk personnel.
  33. Growing Sophistication of the Cybercrime Supply Chain
     • Mature market
     • Product specialization
     • Automation of offerings
     • Intellectual property protection (sophisticated licensing)
     • Inter-market communications
     • Expertly designed eCommerce sites
     • Use of digital payment systems providing anonymity
     • Affiliate marketing schemes
     • Movement of advanced exploits to mobile platforms
       - ZitMo & SpitMo
  34. Online eCommerce Site
  35. Affiliate Marketing Schemes
  36. The Move Towards Automation
     • Use of crime-ware toolkits
       - Implements Automatic Transfer System (ATS) code in banking trojans
       - Easy drag-and-drop functionality
     • Use of botnets
       - Rental of botnet time using digital money
     Malware-as-a-Service business model
  37. Use of Money Mules: $45M Heist in 2013
     • February 19th, 2013
     • 2,904 ATMs withdrawing $2.4M
     • 8 'money mules' arrested in NY
     • Law enforcement agencies in 17 other countries involved
     • $24M withdrawn worldwide in global coordinated attack
     • Demonstrated vulnerability of global banking system
     • Used prepaid MC & Visa cards
     • Targeted banks in Oman & UAE
     Photo: ATMs hit in Manhattan, NYC
  38. Interview with a Money Mule: dramatization of one key part of the cyber-crime supply chain. Statement from a money mule sitting in the jail house in the Eastern District of New York. Source: United States Attorney's Office, Eastern District of New York
  39. PROTECTION / COUNTERMEASURES
     • Point-of-Sale (POS) Systems
     • Networks
     • Computers / Laptops / Mobiles
     • Online Banking
     • Browsing & Online Purchases
     • ATMs
     • Email
  40. Point-of-Sale (POS) System Security
     • Small business owners should:
       - Take audits seriously
       - Do penetration testing
       - Ensure the wireless network is encrypted
       - Use a third-party contractor if unsure of checklist criteria
     • Users should:
       - Use a credit card rather than a debit card at unknown stores
       - Monitor statements
  41. Networks
     • Wired networks
       - Limit physical access
       - Set up logging and monitor logs
       - Control access to computers and Ethernet outlets
     • Wireless networks
       - Use WPA2 for encryption
       - Visit the WiFi Alliance for approved products
       - Use a third party to set up if necessary
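The wired-network advice on slide 41 (log, monitor, control which machines use the Ethernet outlets) is easier to act on with a concrete check. The script below is an added example, not material from the presentation: it reads DHCP server log lines in the format dnsmasq uses for DHCPACK messages, compares each MAC address against an inventory of known devices, and reports any device that obtained an address without being on the list. The log lines and the device inventory are constructed for the example.

```python
"""Flag unknown devices that obtained an address on a wired LAN.

Added example (not from the presentation). Input lines follow the
dnsmasq DHCPACK log format; the sample log and the inventory of known
MAC addresses below are constructed for illustration.
"""
import re

# Constructed sample log lines in dnsmasq's DHCPACK format.
SAMPLE_LOG = """\
Jun  5 08:02:11 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.10.21 3c:52:82:aa:01:10 front-desk-pc
Jun  5 08:05:43 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.10.22 3c:52:82:aa:01:11 office-printer
Jun  5 12:17:09 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.10.57 d8:3a:dd:77:90:02 android-9f31
Jun  5 12:17:10 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.10.21 3c:52:82:aa:01:10 front-desk-pc
Jun  5 18:44:30 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.10.58 00:1b:44:11:3a:b7 laptop-unknown
"""

# Constructed inventory: the devices expected on the wired segment.
KNOWN_MACS = {
    "3c:52:82:aa:01:10": "front-desk-pc",
    "3c:52:82:aa:01:11": "office-printer",
}

DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\((?P<iface>\w+)\) (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$"
)


def parse_dhcpack(line):
    """Return the fields of one DHCPACK line as a dict, or None for other lines."""
    m = DHCPACK_RE.match(line)
    return m.groupdict() if m else None


def find_unknown_devices(log_text, known_macs):
    """Map each MAC not in known_macs to when it first appeared, its IP,
    its claimed hostname and how many leases it received."""
    unknown = {}
    for line in log_text.splitlines():
        rec = parse_dhcpack(line)
        if rec is None:
            continue                      # not a lease acknowledgement; skip
        mac = rec["mac"].lower()
        if mac in known_macs:
            continue                      # inventoried device; nothing to flag
        entry = unknown.setdefault(
            mac, {"first_seen": rec["ts"], "ip": rec["ip"], "host": rec["host"], "count": 0}
        )
        entry["count"] += 1
    return unknown


def report(unknown):
    """Render findings as one line per unknown device, oldest first."""
    return [
        f"{e['first_seen']} unknown device {mac} ({e['host'] or 'no hostname'}) "
        f"leased {e['ip']} ({e['count']} lease(s))"
        for mac, e in sorted(unknown.items(), key=lambda kv: kv[1]["first_seen"])
    ]


if __name__ == "__main__":
    for line in report(find_unknown_devices(SAMPLE_LOG, KNOWN_MACS)):
        print(line)
```

Run against the sample, the two inventoried machines are silent and the Android device and the "laptop-unknown" host are reported. A hostname is self-reported by the client, so it is shown for context only; the MAC is the key that is matched against the inventory (and even that can be changed by the device, which is why physical access control is listed alongside logging).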
  42. Using Computers / Laptops / Mobiles
     • Use strong passwords
       - Change passwords regularly
       - Use different passwords for different sites
     • Store passwords in a vault
     • Patch operating systems (OSs)
     • Patch applications
     • Upgrade to more current versions of OSs when possible
  43. Using Online Banking Services
     • Use a product that protects data in transit & in storage
       - Some banks have enterprise-level products customers can download (example: Trusteer Rapport)
     • If you use mobile online banking:
       - Make sure to have A/V protection (example: Trusteer Mobile (Android))
  44. Internet Browsing & Online Purchases
     • Internet browsing
       - Keep browsers up to date
       - Avoid "iffy" sites
     • Online purchases
       - Make sure the page where you enter your credit card uses Secure Socket Layer (SSL), i.e. the address begins with https://
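Slide 44 tells the reader to confirm that the page where the card number is typed uses SSL (https://). One subtlety the slide does not spell out is that the form on an https page can still submit to a plain http address, so the check belongs on the form's action, not only on the address bar. The following Python is an added example, not code from the presentation: it parses the forms in a page, picks out those with card-number or security-code fields, resolves each form's action against the page URL, and reports whether that target is https. The page URL and HTML are constructed for the example.

```python
"""Check that forms collecting card data submit over HTTPS.

Added example, not from the presentation. The page URL and HTML below
are constructed; form actions are resolved with urllib.parse.urljoin.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest an input collects card data (constructed heuristic).
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc")

# Constructed checkout page served over plain http.
PAGE_URL = "http://shop.example/checkout"
PAGE_HTML = """
<form action="/search" method="get"><input name="q"></form>
<form action="/pay" method="post">
  <input name="cardnumber"><input name="cvv"><input name="expiry">
</form>
<form action="https://pay.example/charge" method="post">
  <input id="CardNumber"><input name="cvc">
</form>
"""


class FormCollector(HTMLParser):
    """Collects each <form> with its action and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def looks_like_card_field(name):
    """True if the input name suggests it carries card data."""
    return any(hint in name for hint in CARD_FIELD_HINTS)


def audit_checkout_forms(page_url, html):
    """Return (resolved_action, card_fields, submits_over_https) for every
    form on the page that contains at least one card-data field."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        card_fields = [n for n in form["fields"] if looks_like_card_field(n)]
        if not card_fields:
            continue                                   # no card data; not in scope
        # An empty action submits to the page itself, which urljoin handles.
        target = urljoin(page_url, form["action"])
        findings.append((target, card_fields, urlsplit(target).scheme == "https"))
    return findings


if __name__ == "__main__":
    for target, fields, ok in audit_checkout_forms(PAGE_URL, PAGE_HTML):
        status = "OK (https)" if ok else "WARNING: card data would be sent unencrypted"
        print(f"{target} fields={fields} -> {status}")
```

On the constructed page the search form is ignored, the form posting to /pay is flagged because it resolves to http://shop.example/pay, and the form posting to https://pay.example/charge passes. The scheme check is necessary but not sufficient: the browser's padlock (and today's TLS, the successor of the SSL named on the slide) also depends on the certificate being valid for the site, which this offline parser cannot see.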
  45. Avoid ATM Skimming Fraud
     • Check for different-colour metals or uneven edges
     • Use ATMs at banks or inside stores rather than on the street
     • Cover your hand when entering your PIN
  46. Email Protection
     • Avoiding spam & phishing
       - Use the blacklist/whitelist feature
       - Set up a spam filter
       - Set up an alternate email for occasional sites requiring registration
       - Don't respond to 419 scams
       - Register for Federal Trade Commission scam alerts
     • Maintaining privacy
       - Get email on an encrypted service
       - Avoid registering on 'iffy' websites
       - Use the browser add-in of your anti-virus protection program
  47. Social Media & Social Engineering
     • Social media
       - Take care who you "follow" or "friend"
       - Monitor the site's blog for announcements of fraud attempts and exploits
     • Social engineering
       - Monitor FraudWatch International
       - Develop a healthy attitude of skepticism
  48. Some Tools
     • PC scans: Secunia PSI, SQLmap
     • Banking trust: Trusteer Rapport, Kaspersky Internet Security 2013, Bitdefender Total Security 2013, Symantec 360
     • WiFi security: PrivateWiFi, Enterprise VPNs
     • Encrypted email: Hushmail
  49. Avoid Becoming a Victim of the Industrialization of Cyber-Crime
  50. RESOURCES
     • Identity theft: Privacy Rights Clearinghouse; Electronic Privacy Information Center
     • Banking fraud: Federal Trade Commission; Consumer Financial Protection Bureau
     • Phishing intelligence: FraudWatch International
  51. Q & A: Protect Yourself Online