Online Security and Privacy Issues
Presented by ebusinessmantra at ecommerce Conference at Umass Dartmouth, MA
April 19, 2013
www.ebusinessmantra.com
Agenda
Problem
 (In)Security Landscape
 It’s all business
 What is your identity worth?
 How does it work on the web?
 Does it matter to SMB?
Solution
 Myths about security
 Vulnerability Exploits (Hacking 101) Demo
 SQL Injection, XSS, Google Hacking
 How do you minimize the risk?
 Security Tools - Demo
 Discussions
About ebusinessmantra
 Web Application Security Consultants
 Assess and recommend security solutions
 Through partnerships, we offer:
 Web Application Security Scanner
 Web Application Firewalls
 Database Firewalls
 File Systems Monitoring
 Training and eLearning (in process)
 Customers: *.mil, *.gov, *.edu, *.org, *.com
 Web Site Design and Development (past)
(In)Security Landscape
 Number of incidents of data breaches reaches new record in 2012
 Web + Hacking = 37% of all incidents
Top 10 security breaches of 2012
 Wyndham Hotels – 600,000 credit card #s stored in plain text, $10.5 billion in fraudulent transactions
 Yahoo – 400,000 passwords stored in plain text (SQL injection)
 Apple – 11 million Unique Device Identifiers - access to user names, device names, cell phone numbers and addresses
 Global Payments – 1.5 million credit card numbers with Track 2 data used to clone credit cards
 Ghostshell - Hacktivist group stole account information for 1.6 government and contractors
 LinkedIn – 6.5 million (hashed) passwords – published on web
 Nationwide and Allied Insurance Co. – 1.1 million applicants’ info
 South Carolina DOR – 3.8 million tax records
 Zappos – 24 million customers’ data
 Government Sector – 94 million Personally Identifiable Information (PII) records
In the news…
Cybercrime is on the rise
Business of cybercrime
 Cybercrime is a highly organized, well-run, profitable business
 Hierarchical structure - specialists
 Programmers, Hackers, Distributors, Hosting Providers, Money Mules, Cashiers, Tellers (FBI classification)
Extortion
Fraudulent tax returns
 Alabama: 1000 false returns for $1.7 million
 LA County: 65 false returns for $358,000
 Fort Lauderdale: 2000 false tax returns were filed from 10/2010 - 6/2012 for $11 million.
Your identity @ bargain price…
Fullz Info USA Type A package contains: Full Name; Email address + password; Physical Address; Phone Number; DOB, SSN, DL Numbers; Bank Name, Account number + routing number; Employer's name + # years of employment
# of records     Price/record
1 - 499          0.25
500 - 4999       0.22
5000 - 9999      0.18
10000 - 16499    0.16
Fullz Info USA Type B package includes mother’s maiden name.
Web site claims to have 99 to 100% of people in US in their database and to have the most up to date database.
Typical Offers on Black Market - Price List
Products                              Price
Credit card details                   $2 - $90
Physical credit cards                 $190 + cost of details
Card cloners                          $200 - $1000
Bank credentials                      $80 - $700 (with guaranteed balance)
Bank transfers and cashing checks     10% to 40% of total
Online stores and pay platforms       $80 - $1500 (with guaranteed balance)
(In)Security Landscape
 Pretty grim, sobering landscape!
 Notable web sites have been hacked (Govt., security firms, banks)
 Many are not reported and many more do not know they are being hacked. Your web site might have been hacked and you may be unaware of it.
 Organized crime, blackmail/extortion, defrauding the IRS
 High costs to remediate: $90 - $300 per record, plus lost business, tangible and intangible losses
How does it work on the web?
 Hackers exploit vulnerabilities in the code
 to steal data
 to make you, the web site's users, do things that you did not intend to
 to distribute and install malware, ransomware and, in general, badware
 to monitor your activities on the computer and web site and report the data
We are a Small Business, it does not matter to us…
 SMBs are the most vulnerable because they don’t have the resources that large organizations have.
 Your site could be used to launch or distribute malware
 You may not think you are at risk – but actually you could be – using WordPress or some other platform which may be vulnerable
 Google search for vulnerabilities in WordPress sites.
We don’t have anything of value on our web site…
 Even if you don’t believe you have anything of value on your website, it could be used as a means for malicious acts. Here are some negative side-effects:
 Credibility
 Block - Your business website could be blocked by your Internet service provider or even Google, Bing, and other search engines.
 http://www.google.com/safebrowsing/diagnostic?site=domainname
 Blacklisting - Your email address or entire domain could be blacklisted by spam filtering services.
 http://www.spamhaus.org: tracks internet spam senders and spam services, provides real-time anti-spam protection, and identifies and pursues spammers worldwide
 Time and money - remediation
Myths about security
 We have SSL (https) on our web site
 Our network has firewalls
 Our site is password protected
 Our developers will deal with security
 Our OS and software are up to date and patched
 These are essential but none of these protect your web site from being hacked.
Are you chasing the mice or protecting the cheese?
Web Application Model
• Attack passes as normal traffic through ports 80 & 443
• SSL, network and OS security cannot protect web applications
Vulnerability Exploits - Hacking 101
 Demo
 SQL Injection
 Cross Site Scripting
 Google Hacking
Injection Attack
 Very widely used by hackers and one of the top 10 vulnerabilities in web applications
 SQL Injection Attack Demo
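The slide only announces a live demo, so here is an added worked example (not from the deck and not ebusinessmantra's code) of what the demo illustrates from the defender's side: the same login query written the injectable way and the parameterised way, run against an in-memory SQLite table with constructed sample rows. The table, usernames and passwords are assumptions made up for the example.

```python
"""Added example (not from the slides): why string-built SQL is injectable
and how parameterised queries close the hole.  Uses an in-memory SQLite
database with constructed sample rows; no real system is involved."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway users table with constructed credentials.
    (Real systems compare password hashes; plain text is used here only
    to keep the query under discussion simple.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],  # constructed sample data
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the slide warns about: user input concatenated into SQL.
    Quote characters in the input become part of the statement's syntax,
    so the input can change what the query means."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders.  The driver sends the values as data,
    so they can never alter the structure of the statement."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both versions with a legitimate login and with the textbook
    tautology input, and return the four outcomes for inspection."""
    conn = make_db()
    # Closes the quoted string and appends an always-true clause; harmless
    # as data, decisive as syntax.
    tautology = "' OR '1'='1"
    return {
        "vuln_ok_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_tautology": login_vulnerable(conn, "anyone", tautology),
        "safe_ok_creds": login_safe(conn, "alice", "correct horse"),
        "safe_tautology": login_safe(conn, "anyone", tautology),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it shows both versions accepting the real credentials, but only the concatenated query accepting the tautology input. The fix is not input filtering; it is keeping data and statement structure separate, which every mainstream database driver supports through placeholders.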
Cross Site Scripting Attack
 Another very frequently used attack method - Demo
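As with the injection slide, the XSS demo itself is not on the page. The following is an added example (mine, not from the deck) of the mechanism behind reflected cross-site scripting and its standard fix: a search page that echoes the user's query back into HTML, once without output encoding and once with it. The page template, the query strings and the detection helper are all constructed for the example.

```python
"""Added example (not from the slides): reflected XSS comes from placing
user input into HTML without encoding; html.escape neutralises it.
Template, inputs and checker are constructed for illustration."""
import html
import re


def render_search_results(query: str, escape_output: bool) -> str:
    """Return the 'You searched for ...' fragment a search page echoes back.
    escape_output=False reproduces the vulnerable pattern (input pasted
    straight into markup); True is the hardened form."""
    shown = html.escape(query, quote=True) if escape_output else query
    return f"<p>You searched for: <b>{shown}</b></p>"


def contains_unexpected_tags(fragment: str) -> bool:
    """Crude check usable in a unit test or log review: does the rendered
    fragment contain any tag other than the <p> and <b> the template
    itself emits?  If so, user input has become markup."""
    tags = set(re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", fragment))
    return not tags <= {"p", "b"}


def demo() -> dict:
    """Render a benign query and the textbook test vector both ways."""
    benign = "shoes"
    probe = "<script>alert(1)</script>"  # constructed test input
    return {
        "benign_escaped": render_search_results(benign, True),
        "probe_unescaped_has_tags": contains_unexpected_tags(
            render_search_results(probe, False)),
        "probe_escaped_has_tags": contains_unexpected_tags(
            render_search_results(probe, True)),
        "probe_escaped": render_search_results(probe, True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

html.escape is the right tool for HTML text and quoted-attribute contexts only; input that ends up inside a script block, a URL or a CSS rule needs the encoder for that context, which is why a templating engine with auto-escaping turned on is the usual recommendation rather than hand-placed escape calls.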
Google hacking demo
 Have you Googled yourself or your business?
 Advanced Google search –
 Demo
 inurl:admin intext:username=AND email=AND password= OR pass= filetype:xls
 "your password is" filetype:txt
 Tools that can do the search for you - demo
How do you minimize risk?
 Awareness
 All stakeholders must recognize the risks and work towards mitigation
 Culture within the organization, mandate from the management
 Examples – IT (network security), coders (perplexed), management (state of denial), users (unsafe browsing, cool sites!)
 Develop security strategy
 Secure Coding Practices during SDLC
 Developers need to understand the threats; write secure code; follow published guidelines
 Resource Intensive: time and $ - training, coding, testing
 QA
 During all stages of application development life cycle
 At regular intervals while in production
 Web Application Scanning, static code analysis
 Monitoring
 Web Application Scanning (demo)
 Web Application Firewall
 Database Firewall
 Compliance
Security Strategy
 Web Site Scanning
 Snapshot of vulnerabilities (new vulnerabilities), fix vulnerabilities, and install patches
 Web Application Firewall
 Real time, continuous
 Set policies to alert and/or block attacks
 Virtual patch from scanning results
 Block traffic from certain regions
 Database Firewall
 Data Protection
 Set policies to alert and/or block attacks
 (Prevent) Internal and external threats
 Secured Hosting
PCI Requirements for Credit Cards
OWASP Top 10 vulnerabilities – set by worldwide security experts
Section 6 of PCI DSS
PCI DSS Requirements – web related
Security Tools
 Web Application Scanner
 Web Application Firewall
 Database Firewall
 Secured Hosting
Demo – Vulnerability Scanning
How can we help…
 Security Assessment
 Develop a strategy
 Implement strategy
 Training
Take away
 Web presence and doing business on the web is essential
 Security should also be part of the web strategy
 Internal and external threats
 Develop a strategy for securing data
 Take action
 Call us if you need help with securing your digital assets.
Discussions
References
 2012 Data Breach QuickView by Risk Based Security
 The Cyber Crime Black Market – by Panda Security
 Web Sites:
 http://www.crn.com/slide-shows/security/240144596/the-top-10-security-breaches-of-2012.htm
 http://www.esecurityplanet.com/network-security/salem-state-university-suffers-security-breach.html
 http://datalossdb.org/incident_highlights/58-nothing-is-certain-but-death-taxes-and-identity-theft
 http://www.securityweek.com/economic-update-cybercrime-economy-current-prices-black-market
 http://www.sbnonline.com/2012/01/your-personally-identifiable-information-it%E2%80%99s-valuable-to-someone/
 http://it.toolbox.com/blogs/managing-infosec/google-hacking-master-list-28302
 http://stopbadware.org
 http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1761937/
 http://www.howcast.com/guides/593-How-to-Maintain-Internet-Security-and-Privacy
 http://www.ftc.gov/bcp/menus/consumer/tech/privacy.shtm
 http://www.whitehouse.gov/files/documents/cyber/National%20Cyber%20Security%20Alliance%20-%20Harris+Online+Security+and+Privacy+Study.pdf
Resources
 OWASP www.owasp.org
 Dataloss www.dataloss.org
 Calculate your risk: https://databreachcalculator.com
 Ebusinessmantra www.ebusinessmantra.com
