Computer security, Internet privacy: What should we worry about? Sebastian Lopienski CERN Deputy...
- Slide 1
- Computer security, Internet privacy: What should we worry
about? Sebastian Lopienski CERN Deputy Computer Security Officer
Polish Teachers Programme, October 2014
- Slide 2
- Disclaimer: What follows are my opinions and not necessarily those of CERN. Sebastian Lopienski 2
- Slide 3
- A cloud hack: digital life of a Wired journalist destroyed in one hour (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking). Amazon, Apple, Google and Twitter accounts compromised; all Apple devices wiped out remotely.
- Slide 4
- A cloud hack: how?
  - call Amazon and add a new credit card (needed: name, billing address, e-mail address)
  - call again, say you lost the password, and add a new e-mail (needed: name, billing address, current credit card)
  - reset the password; the new one is sent to this new e-mail address
  - log in and see all registered credit cards (last 4 digits)
  - call Apple, say you lost the password, and get a temporary one (needed: name, billing address, last 4 digits of a credit card)
  - reset the Google password; the new one is sent to the Apple e-mail (the Apple e-mail was registered as an alternate e-mail)
  - reset the Twitter password; the new one is sent to the Google e-mail (the Google e-mail was linked to the Twitter account)
- Slide 5
- A cloud hack: multiple security flaws and issues
  - Interconnected accounts: which one of your accounts is the weakest link?
  - Our full dependence on digital information, devices, cloud services etc.
  - Very weak identity check procedures, and often not even followed correctly (some procedures have changed as an outcome of this case)
  - Enable 2-step authentication (Google, LinkedIn, Apple, ...)
  - Security questions with answers often trivial to find (remember Sarah Palin's Yahoo account hack in 2008?)
- Slide 6
- From http://www.bizarrocomics.com
- Slide 7
- E-mail account before e-bank account? From http://elie.im/blog/security/45-of-the-users-found-their-email-accounts-more-valuable-than-their-bank-accounts
- Slide 8
- Passwords lost, or easy to guess. Top 10 words used in passwords: password, welcome, qwerty, monkey, jesus, love, money, freedom, ninja, writer. From http://www.zdnet.com/the-top-10-passwords-from-the-yahoo-hack-is-yours-one-of-them-7000000815/
- Slide 9
- Outline: Where are we? Who are they? What is ahead?
- Slide 10
- Vulnerabilities
- Slide 11
- Trying to sell a Yahoo XSS for $700
- Slide 12
- Selling a Command Execution vulnerability in MS Office for $20k
- Slide 13
- Vulnerability market shift
  - Finding vulnerabilities: difficult, time consuming
  - Selling to vendors, or publishing (mid 2000s): limited money, 1s-10s of thousands of $ (e.g. Mozilla up to $3000, Google up to $3133.7); vulnerabilities eventually patched (good!)
  - Selling to the underground (late 2000s): busy and active black market, more profitable (10s-100s of thousands of USD), sometimes the buyers are governments or their contractors; used in 0-day exploits (no patch)
  - Researchers don't commit crime; attackers don't need skills, just money
- Slide 14
- Botnets (networks of infected machines). From http://www.f-secure.com/weblog/archives/00002430.html
- Slide 15
- Outline: Where are we? Who are they? What is ahead?
- Slide 16
- Who are they?
  - criminals; motivation: profit
  - hacktivists; motivation: ideology, revenge
  - governments; motivation: control, politics
- Slide 17
- Criminals, usual stuff:
  - Identity theft
  - Credit-card frauds
  - Malware targeting e-banking, e.g. Zeus, Gozi etc.
  - Scareware, e.g. fake AV, fake police warnings
  - Ransomware: taking your data hostage (soon: accounts?)
  - Mobile malware, e.g. sending premium rate SMSes
  - Denial of Service (DoS)
  - Spam etc.
- Slide 18
- 2-in-1: scare and demand ransom. SOPA is dead but still used by criminals to scare people (from http://www.zdnet.com/sopa-reincarnates-to-hold-your-computer-hostage-7000005684). It pays off (from symantec.com).
- Slide 19
- Cyber criminals: Thai police have arrested Algerian national Hamza Bendelladj, wanted by the FBI for allegedly operating the Zeus botnet (e-banking malware). From http://www.bangkokpost.com
- Slide 20
- Gangsters: a hacker nicknamed vorVzakone, allegedly related to the Gozi malware. From krebsonsecurity.com
- Slide 21
- ... employing mules: a "Become a foreign agent in the US" advertisement. From krebsonsecurity.com
- Slide 22
- Hacktivists: attacking to protest, to pass the message etc.
- Slide 23
- Anonymous, LulzSec: many groups, varying agendas, from ideologists to criminals
- Slide 24
- Do you know this guy?
- Slide 25
- Aaron Swartz: a software developer, an open-access activist
  - 2001 (aged just 14!): helped develop RSS
  - 2002: working with Tim Berners-Lee on the semantic web
  - 2008: released 20% of the Public Access to Court Electronic Records (PACER) database of United States federal courts
  - 2011: arrested for retrieving scientific articles from JSTOR; believed in open access to the results of publicly-funded research; risked a sentence of 35 years in prison / $1m fine
  - 2012: campaigned against SOPA
  - 2013: committed suicide (because of the ongoing criminal investigation?)
- Slide 26
- Google a freedom activist? https://www.google.com/takeaction/ The same Google that outraged privacy defenders with its new Privacy Policy.
- Slide 27
- ... but governments?
- Slide 28
- Spying on (some) citizens
  - Network encryption? Infect computers or go after services
  - Syrian activists' PCs infected with Trojans/backdoors
  - Tibetan rights activists often targeted
  - Israel demands e-mail passwords at borders
  - German police infects criminals' PCs with Trojans/backdoors: buying surveillance code and services for 2M EURO (!) or developing in-house (unfortunately, full of security holes)
  - From http://www.f-secure.com/weblog/archives/00002423.html
- Slide 29
- PRISM: mass online surveillance program
- Slide 30
- Privacy vs. control
  - "If you are doing nothing wrong, then you shouldn't worry if we watch you."
  - "If I am doing nothing wrong, then you shouldn't be watching me!"
  - Cryptography/encryption (HTTPS) is still a good defense
- Slide 31
- Agencies & contractors turning offensive. From F-Secure
- Slide 32
- Agencies & contractors turning offensive: Northrop Grumman looks for a "Cyber Software Engineer" for an "Offensive Cyberspace Operation mission". From http://www.f-secure.com/weblog/archives/00002372.html
- Slide 33
- Stuxnet (the worm that targeted Iranian uranium-enriching centrifuges, discovered 2010)
  - Estimated development effort: 10 man-years
  - Result: sabotage; 30,000 Iranian computers infected, some HW damage, nuclear program set back by ~2 years
  - Cui bono? (New York Times, June 2012: a joint US-Israel operation "Olympic Games", started by Bush and accelerated by Obama)
- Slide 34
- Outline: Where are we? Who are they? What is ahead?
- Slide 35
- Does Stuxnet make us all more vulnerable? http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12
- Slide 36
- Thank you