More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (18)
Similar to protecting your digital personal life
Similar to protecting your digital personal life (20)
Recently uploaded
Recently uploaded (20)
protecting your digital personal life
- 1. 24 March 2017 Protecting your digital personal life Personal cybersecurity for high value targets
- 2. Protecting your digital personal life | Congressional Briefing What do hackers want? • Money • Banking • Identity • Intellectual Property • Market manipulation • Force Change • Popularity- bragging rights • Public opinion • Policy • Promote an ideology • Espionage • Compromise physical security • Types of hackers: • Researchers • Hacktivists • Anarchists • Criminals • Terrorists • Nation States
- 3. Protecting your digital personal life | Congressional Briefing What is a high value target ? • Celebrities • Athletes • Actors • Musicians • Politicians & Political Appointees • Local • State • National • High Net-Worth Individuals • High-Profile business executives • Family offices • Subject of more sophisticated attackers • Increased impact of compromise • In many cases, easier marks • lots of public info • broader network Why are you different?
- 4. Protecting your digital personal life | Congressional Briefing Colleen Bridges – Step 1: malicious email colleen.bridges@gmail.com
- 5. Protecting your digital personal life | Congressional Briefing Colleen Bridges – Step 2: email account take over colleen.bridges@gmail.com
- 6. Protecting your digital personal life | Congressional Briefing Colleen Bridges – Step 3: Pivot & Exploit
- 7. Protecting your digital personal life | Congressional Briefing Colleen Bridges - Results • Compromised information: • Email account • MyQ portal account – garage door and any other connected devices • Home address • …. • With this information he can: • Read, archive, and delete Colleen’s email • Pivot attack - send emails to Colleen’s friends, family, & colleagues to try to compromise their email accounts • Remotely monitor & control Colleen’s garage door • Physical compromise - theft or violence
- 8. Protecting your digital personal life | Congressional Briefing Joe Mandolo – Step 1: website compromise 1
- 9. Protecting your digital personal life | Congressional Briefing Joe Mandolo – Step 2: passwords for sale 1 2 10k Email, Full Name, Password Cache BTC 3.00000 BTC 0.00000 BTC 3.00000
- 10. Protecting your digital personal life | Congressional Briefing Joe Mandolo – Step 3: automate the hack 2 Username password
- 11. Protecting your digital personal life | Congressional Briefing Joe Mandolo – Step 4: exploit 1 2
- 12. Protecting your digital personal life | Congressional Briefing Joe Mandolo - Results • Compromised information: • Banking information • Email accounts • Intellectual property • Private conversations • …. • With this information she can: • Steal Joe’s money • Read, archive, and delete Joe’s email • Pivot attack - send emails to Joe’s friends, family, staff & colleagues to try to compromise their accounts • Blackmail or publicly embarrass Joe
- 13. Protecting your digital personal life | Congressional Briefing What do these scenarios have in common? • Both leverage some form of social engineering • Neither of them use sophisticated malware or exploit complex vulnerabilities • These scenarios are just examples - there are an infinite number of ways hackers can creatively compromise your security But, there is some good news • These attacks, and the vast majority like them, can be avoided through a combination of simple and effective security measures • Security is measured on a continuum • Important, old saw: you don’t have to outrun the bear • You can make it a lot harder on the hackers, and raise the cost of compromise
- 14. Protecting your digital personal life | Congressional Briefing So what can you do about it? Top ten list… 10. Avoid “open” networks – anyone can pretend to be Starbucks and get your phone to connect automatically 9. Use Encryption – documents, backups, communications (messaging, voice, email) 8. Update – always install the latest software and OS updates and patches (across all your devices) 7. Monitor your home network – there are a lot of attacks that antivirus won’t see 6. Back up. No. Really, backup! 5. Two factor anything you can – email, bank accounts, social media 4. Know what your clicking on – avoid links in emails, you can always type the URL into your web browser 3. Email attachments – only open attachments you are expecting from sources you trust 2. Password & security question hygiene – don’t reuse, don’t write it down, don’t memorize 1. Talk with your kids, family, staff (or boss) - Good security practices are like vaccinations – they work best when done by everyone – you need to surround yourself with healthy people Don’t go it alone – rely on the security community to help you (standards, guidance and best practices, and hiring experts)
Editor's Notes
- From the most banal to the most insidious, hackers are motivated by Money or Change. Hackers can be grouped into one of these types (roughly in order of badness & sophistication).
- Colleen Bridges receives an email from Google telling her that she may have been hacked and to click a link (to a google.com page) to see the suspicious activity. - She clicks on the link and gets a Google login screen. She enters her gmail address and password. - She sees the supposedly suspicious activity. It’s just her last login session. She ignores it. - The hacker who sent her the email now has her email password and access to her account.
- He logs in and changes her password, then enables two-factor authentication. He also looks at her recovery email address. As an aside, there’s a good chance the email he just got access to is the recovery address for the other one. Regardless, he can change the backup email and phone number Now Colleen is locked out of her email
- Now our hacker runs a script (basically a light-weight piece of custom software) that searches Colleen’s email for interesting information: sites she gets email from, shipping addresses, phone numbers, and usernames. First it hits a recent order from Macy’s which gives our hacker Colleen’s home address Next it hits the jackpot: He finds that Colleen uses a MyQ Internet-connected garage door opener He goes to the MyQ website and clicks “forgot password”. It sends a password reset email to her email address. He can now open and close her garage door over the Internet, and get notifications when the door opens and closes.
- Now our hacker runs a script (basically a light-weight piece of custom software) that searches Colleen’s email for interesting information: sites she gets email from, shipping addresses, phone numbers, and usernames. He hits the jackpot: He finds that Colleen uses a MyQ Internet-connected garage door opener. He goes to the MyQ website and clicks “forgot password”. It sends a password reset email to her email address. He can now open and close her garage door over the Internet, and get notifications when the door opens and closes.
- Joe Mandolo uses the same password for all of his accounts—email, banking, Amazon, everything else—but it’s a really strong password that no one would ever be able to guess. One of the sites where Joe used that password – oldschoolhats.com gets hacked, and all of the users’ usernames, passwords, and email addresses get stolen. Oldschoolhats.com has no idea how to protect passwords (e.g. allowing SQL injection, storing passwords in plaintext, or using unsalted hashes), so the hackers can read all the users’ passwords easily.
- A week later, a list of all of those usernames, passwords, and email addresses—10,000 of them—shows up on the black market, for sale to the highest bidder.
- Now our second hacker uses the list as input for a simple program he’s written: It takes those usernames, email addresses, and passwords, and tries using each combination of them to login to each of the 5,000 most popular websites in the world. It lets him know whenever it succeeds. Because Joe used the same password at oldschoolhats.com that he used at important websites, the hacker gets into many of joes accounts
- Now our hacker goes into “exploit” mode and starts to steal Joe’s money (draining his accounts to buy bit coin at different exchanges) and any compromising information from his email
- Because Joe used the same password at oldschoolhats.com that he used at important websites like his email and bank account, the hacker’s program gets into all of Joe’s accounts. With access to Joe’s Paypal, the hacker is able to spend money on Joe’s credit card and bank accounts. With access to Joe’s email, the hacker is able to send phishing emails to all of Joe’s friends—from Joe’s address—to try to trick them into giving up their passwords or sending the hacker money. The hacker also changes all of Joe’s passwords and the answers to his security questions, and adds two-factor authentication. Now Joe can’t even get back into his own accounts.
- Monitor your home network - as a high value target, antivirus is really insufficient Avoid ”open” networks… your phone is configured to automatically connect to your “trusted” network. Most people add commonly used networks (starbucks or att) Backup! This is the only way to defend against cryto attacks