Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security Primer


Published on


Published in: Technology
  • Be the first to comment

Security Primer

  1. 1. Social Engineering & Security PrimerAKA “People are bastard covered bastards with bastard-filling.”
  2. 2. Hacking, Cracking, Phishing, Zombies - OMGWTFSRSLY?Hacker: someone who breaks into computer networks forlegitimate or illegitimate reasons. (This definition has changedover time and still means a few different things.)Cracker: someone who reverse-engineers computer software forthe purpose of embedding spyware/malware or working aroundcommercial licenses (“Warez”).Phishing: attempting to acquire information such as usernames,passwords and credit card details by masquerading as atrustworthy entity in an electronic communication.
  3. 3. WARNING!The word “hacker” does not inherently imply illegal or unethicalbehavior. The negative connotation came years later, as “hacker”originated as a positive term for people who kick ass at computersand/or coding.Hackers get very upset when this word is misused.Very. Upset.
  4. 4. MaliciousHacking HasGrown UpYears ago, hacking wasoften done for just fun andbragging rights.Today, hacking is a lucrativeindustry often backed byorganized crime.LOTS of $$$ to be madestealing identities, creditcard info, etc.
  5. 5. Why HackersHackTo steal/sell identities,credit card numbers,corporate secrets, militarysecretsFun, Excitement and/orNotorietyPolitical (“Hacktivism”)RevengeBlackhat SEO
  6. 6. White Hat vs Black HatWhite Hat: The Good Guys.Grey Hat: The (Mostly) GoodGuysBlack Hat: The Bad GuysThis is over-simplified, ofcourse, but you get the gist,
  7. 7. VirusSelf-replicating program thatinfects a system withoutauthorization.They can install keyloggers,download, delete or alterfiles, render a systemunusable or worse.Travels from computer tocomputer.(No, they cannot spread tohumans. Yet.)
  8. 8. WormSimilar to a virus, but can self-replicate without humaninteraction.Takes advantage of networktransport protocols - can sendthousands of copies of itself.
  9. 9. Worm Example A worm sends a copy of itself to everyone in your e-mail address book. The worm then replicates and sends itself out to everyone listed in each of the recipient’s address book. And so on, and so on.
  10. 10. Trojan HorseMasquerades as useful softwaresuch as anti-virus, video codecs,browser plugins, etc.Victims are tricked into openingTrojan Horse files because theyappear to be receiving legitimatesoftware or files from a legitimatesource.
  11. 11. Macs are NOT Immune Trojans frequently appear as fake video codec downloads,rogue anti-virus (“scareware”),and attachments in emails such as phony receipts.
  12. 12. EmailAttachmentsSpoofed emails that containmalware attachmentsfrequently appear to come fromAmazon.Com, PayPal, E-Bay,iTunes, and Banks.They often use the scare tacticthat the recipient’s account hasbeen suspended orcompromised.
  13. 13. Botnets (AKA “Zombie Armies”) Infected computers become part of a controlled “army” of infected machines. They can be used to send SPAM, viruses, or to initiate a DDoS (Distributed Denial of Service) attack on a website or network that can cause the website or network to stop responding altogether.
  14. 14. PhishingPhishing attacks attempt totrick users into entering theirlogin/credit card/SS#/etc intoa fake version of a legitimatesite so the sensitive data canbe saved and used later bythe attacker.Many phishing attacksoriginate from e-mails andcan be VERY convincing.
  15. 15. What’s thePoint?Phishers capture logininformation even for non-financial sites because theyknow thatMANY PEOPLE RE-USETHE SAME LOGINS FORMULTIPLE WEBSITES.*cough*Gawker*cough*
  16. 16. PlatformAgnosticSince Phishing scams takeadvantage of vulnerabilities in thehuman condition instead ofvulnerabilities in technology, ALLusers are at risk, whether they areon Mac, PC, Linux, etc.same password for email +forgotten password request=access to hijack any account
  17. 17. SSLDifferent browsers indicate thatyour connection is secure(encrypted) in different ways.Becoming familiar with how eachbrowser indicates a healthy SSLconnection will help you avoidbeing fooled.NOTE: Just because an SSLconnection is legit, that doesn’tmean the site is. Be skeptical.
  18. 18. Phishing &SmartphonesSmartphone users areparticularly vulnerable tophishing attacks because thebrowser takes up the wholescreen, and doesn’t provideas much information about apage as a desktop browser.This makes it easier to trickusers into thinking the site isreal.
  19. 19. Case Study: Stanley Mark Rifkin In 1978, a computer tech stole $10.2 million dollars from Security Pacific Bank using only social engineering. Talked his way into room where daily wire transfer security code was posted and memorized it. Called the bank, impersonating an authorized employee and requested a transfer of $10.2 million to his swiss bank account. Because he was able to talk his way into learning the daily code, the transfer went through without a hitch. The woman who performed the transfer thanked him before hanging up.
  20. 20. “Social Engineering”?The act of manipulating people into performing actions ordivulging confidential information, rather than by breaking in orusing technical cracking techniques.Trickery or deception for the purpose of information gathering,fraud, or computer system access.In most cases the attacker never comes face-to-face with thevictim.Social Engineering attacks are commonly executed over thephone or through email.
  21. 21. 419 ScamsNigerian Bank Scams (also called419 scams after the section ofNigerian law it violates) are a typeof advance-fee“Message number 419” by MCFrontalot
  22. 22. Things to Watch For“Hi, I’m having a problem using the XYZ website. It’s not workingin my browser. I’m using IE7, what browser are you using?”Attacker can then target the attack based on vulnerabilities inthe browser.“I’m having a problem using the website. Let me send you a linkto the page I’m having trouble with.” Link contains malware/phishing payload.“This is John Smith from XYZ Software Vendor. There was acritical security patch released that we need you to install or youare at risk of massive data loss.”
  23. 23. Good HabitsShred ALL paper documents that contain intellectual property,financial or account information. Every time.If someone you do not recognize claims to be a newsuperintendent or maintenance worker, call downstairs toconfirm before letting them in.If someone calls or walks in claiming to be a representative orworker from a company but you do not know them personally,call the company to confirm their identity and meeting.
  24. 24. PAY ATTENTIONAn attacker targets users of a by finding people who post on theforums.The attacker sends them an email claiming a new feature orcompromised account, directing them, which they own. Note the missingthird “l”.Victim clicks and is phished, hijacked or tricked intodownloading malware.
  25. 25. Case Study: Video Rental ShopAttacker Tom calls Jennifer at XYZ Video, claiming to be themanager of a different branch, asking if they have a copy of avideo they can’t find.Tom does this repeatedly over several weeks, building up arapport with Jennifer and establishing the pretext.Tom then calls saying he has a customer of Jennifer’s shop thatforgot his membership and credit card but would like to rentfrom Tom’s store. Jennifer provides that information to Tom tobe helpful.
  26. 26. Attackers Will Research Their TargetsAfter looking up the domain name records of a website, anattacker knows that someone named James Li is the technicalcontact. Tom calls James.“Hi, this is Bob Dickins from LuckyRegister. We have detectedfraudulent activity on your account and we need you to resetyour password.”Vacation messages in email and voicemail can alert an attackerthat you are out of town, giving them information that may helpthem sound legitimate to other people in the company
  27. 27. USB KeysA very easy and oftensuccessful attack is to leave apoisoned USB key out wherepeople can find it.Who doesn’t want a free USBdrive?The poisoned USB key infectsthe computer or entire networkonce it’s plugged in.
  28. 28. Social Media - Make sure your profiles are locked down so only friends can see your information - Turn OFF geotagging on images in your Smartphone.
  29. 29. Location ServicesBe careful using location servicessuch as Foursquare, FacebookPlaces, etc if your social mediaaccounts are open to anyone.
  30. 30. GawkerPasswords 307: trustno1 303: baseball 302: gizmodo2516: 123456 300: whatever2188: password 297: superman1205: 12345678 276: 1234567696: qwerty 266: sunshine498: abc123 266: iloveyou459: 12345 262: fuckyou441: monkey 256: starwars413: 111111 255: shadow385: consumer 241: princess376: letmein 234: cheese351: 1234318: dragon
  31. 31. ALL Passwords Are CrackableUsing an eight-core Xeon-powered system, Duo Security brute-forced 400,000 password hashes of the 1.3 million stolen fromGawker, cracking the first 200,000 in under an hour.15 of the accounts for which it had cracked password encryptionbelonged to people working at NASA, nine were assigned tousers employed by Congress, and six belonged to employees ofthe Department of Homeland Security.2009 RockYou hack: “123456" was the most common passwordin the collection posted on the Web by hackers, followed by"12345," "123456789," "password" and "iloveyou"
  32. 32. There is NO Excuse for ShittyPasswords Anymore1Password and LastPass both allow you to: generate long, highly random passwords that are unique to each website you log into store the passwords in a database and auto-fill sync that database across your iphone, ipad, other computers, etc.
  33. 33. Password TipsDont use only letters or only numbers.Dont use names of spouses, children, girlfriends/boyfriends orpetsDont use phone numbers, Social Security numbers or birthdates.Dont use the same word as your log-in, or any variation of it.Dont use any word that can be found in the dictionary — evenforeign words. Dont use passwords with double letters or numbers.
  34. 34. Password TipsUse the first letters of the words in a favorite line of poetry or averse of song. "Hail, hail the lucky ones, I refer to those in love"becomes "H,hTL0,IR2t1L."EVERY SINGLE WEBSITE you have an account with should use adifferent password. You have no idea how secure their websitesare, so you should assume they are not secure at all.
  35. 35. Passwords are likeunderwear - they shouldnever be shared withfriends and should bechanged often!
  36. 36. Alison L. Gianottosnipe@snipe.nethttp://www.snipe.net