
A Few Miscellaneous Topics on Security

Sankar Roy

Acknowledgement

In preparing the presentation slides and the demo, I received help from
• Professor Simon Ou
• Professor Gurdip Singh
• Professor Eugene Vasserman

Agenda

• Password cracking
• Information gathering (reconnaissance)
• Spoofed emails or phone calls
• Threats through emails
  – phishing attack
  – other attacks
• Risks of swiping a credit card in an untrusted place
• Security concerns associated with RFID tags

Password-based Security

• We use passwords everywhere
  – email accounts, bank accounts, social networking sites, personal computers, and so on…
• What makes a good password
  – long, but easy for you to remember
  – very difficult for the attacker to guess

Good or Bad Passwords?

7@Ack i love soccer07deserteagle chuck#01235lakers5 oliveoil7john1 eagle1900beethoven5th PTL!1g1M05Pizza [email protected] justin_bieber_sux!h.o.u.s.e {T@!4u2N9^}&$trongPassword WeRtheChamp10n!ILh2dW&%D@etF1 zeppelinIV

Password Cracking

• How long is good enough?
  – we can compute the password strength
  – use letters and digits, both upper case and lower case
  – use special characters
• Dictionary attack
  – the attacker first tries a list of frequently used passwords
  – then, she may try all possible combinations (brute force)
• Social engineering to aid in cracking
  – information gathering can work if, as an example, a family member’s or pet’s name is used as the password
  – you may leak your secret while responding to a fake email or phone call
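The two slides above say that password strength can be computed and that a cracker tries a wordlist before brute force. The following script, added here as an example and not part of the original slides, makes both points concrete: it estimates the brute-force work factor from the password's length and the character classes it uses, and it first checks the password against a wordlist. The wordlist, the list of "personal facts" an attacker could gather by reconnaissance, and the guess rate of 10^10 per second are all constructed assumptions; it can be run over the candidates from the "Good or Bad Passwords?" slide.

```python
import math
import string

# Constructed stand-in for an attacker's wordlist of frequently used passwords;
# real cracking wordlists contain millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou",
                    "soccer", "lakers", "pizza"}

# Constructed facts an attacker could gather about a user by reconnaissance
# (pet's name, favourite band, a year): the slide's social-engineering point.
PERSONAL_FACTS = {"chuck", "eagle", "1900", "zeppelin"}

# Assumed attacker speed for an offline attack against a fast hash (constructed).
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must brute-force, from the classes actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 ASCII punctuation characters plus the space
    return size


def brute_force_bits(password: str) -> float:
    """Work factor, in bits, for exhausting all strings of this length over this alphabet."""
    n = charset_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return (2 ** bits) / rate


def guessable_by_wordlist(password: str) -> bool:
    """True when the alphabetic core (case and digits stripped) or the digit run is a
    common word or a personal fact; such passwords fall to a dictionary attack
    regardless of their brute-force bit count."""
    lowered = password.lower()
    core = "".join(c for c in lowered if c.isalpha())
    digits = "".join(c for c in lowered if c.isdigit())
    return (lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS
            or core in PERSONAL_FACTS or digits in PERSONAL_FACTS)


def assess(password: str) -> dict:
    """Apply the dictionary check first (as a cracker would), then the brute-force bound."""
    bits = brute_force_bits(password)
    if guessable_by_wordlist(password):
        verdict = "weak: dictionary word or personal information"
    elif bits < 40:
        verdict = "weak: too short for its alphabet"
    elif bits < 64:
        verdict = "moderate"
    else:
        verdict = "strong against brute force"
    return {"password": password, "bits": round(bits, 1),
            "hours_to_exhaust": round(seconds_to_exhaust(bits) / 3600, 2),
            "verdict": verdict}


if __name__ == "__main__":
    # Candidates taken from the "Good or Bad Passwords?" slide.
    for candidate in ["soccer07", "chuck#0123", "eagle1900", "oliveoil7",
                      "{T@!4u2N9^}", "ILh2dW&%D@etF1"]:
        print(assess(candidate))
```

The bit count is an upper bound that assumes the password was chosen uniformly at random; a password built from a word plus two digits has far fewer real candidates than its alphabet size suggests, which is exactly why the wordlist check comes first.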

Password Cracker Tools

• Hydra, Medusa
  – can crack network logon passwords (e.g. FTP, HTTP, VNC, POP3)
• Ophcrack
  – pre-computed rainbow tables can reduce cracking time
• Top 10 Password Crackers:
  – http://sectools.org/crackers.html

Information Gathering

The attacker can employ several techniques:
1. Uses Internet search engines and social networks
   – collects names, addresses, login names, email addresses, host machine names, etc.
   – automated tools are available, e.g. theHarvester
2. Sends information requests via fake email or phone
   – and waits for a response from a potential victim
3. Does dumpster diving
4. Buys information from the black market

TheHarvester: An Automated Miner

• A tool for gathering e-mail accounts, user names and hostnames from different public sources
• It supports multiple sources:
  – Google, Bing, LinkedIn, etc.
  – Caution: the attacker can use all sources
• An example:
  – Using this tool a SPAMer can collect your email address (e.g. from your public webpage)
• Anti-harvesting methods
  – Address munging (e.g. instead of [email protected] publish “alice at abc dot com”)
  – Using images to display part or all of an email address

Spoofed Email

• The email system does NOT provide “sender authentication”
  – in a spoofed email, the sender’s address is altered
  – receiving an email proves nothing about the actual sender
• Spoofed email sending software is available
  – it is used for sending SPAM or phishing email

Let’s do a Hands-on Activity

• Note: there are some websites via which anybody can send a spoofed email to anybody
• Let’s test one of them to understand how easy it is for the attacker to send a fake message
• Caution: this activity is only for the testing purpose. It is a crime to send a phishing email.

Gmail Ways to Detect Email Spoofing

• Sender Policy Framework (SPF) is an email validation system
  – allows administrators of a domain D to specify which hosts are allowed to send email from D
  – checks authorization of the sender’s IP address using the DNS system
• DomainKeys Identified Mail (DKIM) is a way to digitally sign emails
  – verifies whether the email was actually sent by a particular domain D, as claimed in the email

How to Check the Authentication Information of a Message on Gmail

Acknowledgement: Gmail’s User Guide
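The previous two slides describe SPF and DKIM and how Gmail exposes their results. The receiving mail server records the outcome of both checks in an Authentication-Results header, and Gmail's message details summarise it as the mailed-by (SPF) and signed-by (DKIM) fields. The script below is an added example, not part of the original slides or of Gmail: it parses that header from the raw message and applies the alignment rule, accepting the message only when a passing SPF or DKIM result is for the same domain that the From: header claims. The two messages, the server name mx.mail.example and all other domains are constructed and use the reserved .example TLD.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed messages. The Authentication-Results header is what a receiving
# server (Gmail, or here the fictional mx.mail.example) adds after running the
# SPF and DKIM checks described on the slide.
LEGIT_MESSAGE = """\
Authentication-Results: mx.mail.example;
       dkim=pass header.i=@ksu.example header.s=sel1;
       spf=pass (mx.mail.example: domain of its@ksu.example designates 192.0.2.10 as permitted sender) smtp.mailfrom=ksu.example
From: Kansas State University <its@ksu.example>
To: alice@mail.example
Subject: Library notice

Your book is due on Friday.
"""

SPOOFED_MESSAGE = """\
Authentication-Results: mx.mail.example;
       dkim=none;
       spf=fail (mx.mail.example: domain of bounce@mailer.example does not designate 203.0.113.7 as permitted sender) smtp.mailfrom=mailer.example
From: Kansas State University <its@ksu.example>
To: alice@mail.example
Subject: E-mail Security Alert!

Access to your e-mail account is about to expire. Click here to restore it.
"""


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results value into {method: {"result": ..., prop: ...}}.
    Folded lines are joined and parenthesised comments are dropped first."""
    value = re.sub(r"\([^)]*\)", "", " ".join(value.split()))
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = {"authserv_id": parts[0] if parts else ""}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            entry[key.lower()] = val
        results[method.lower()] = entry
    return results


def _domain(value: str) -> str:
    """'alice@x.example', '@x.example' and 'x.example' all yield 'x.example'."""
    return value.rpartition("@")[2].lower()


def assess_message(raw: str) -> dict:
    """A pass only counts when it is for the domain shown in From: (alignment);
    a pass for some unrelated domain says nothing about the claimed sender."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = _domain(parseaddr(str(msg["From"] or ""))[1])
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_domain = _domain(spf.get("smtp.mailfrom", ""))
    dkim_domain = _domain(dkim.get("header.d") or dkim.get("header.i", ""))
    spf_ok = spf.get("result") == "pass" and spf_domain == from_domain
    dkim_ok = dkim.get("result") == "pass" and dkim_domain == from_domain
    return {"from_domain": from_domain, "spf_aligned_pass": spf_ok,
            "dkim_aligned_pass": dkim_ok, "authenticated": spf_ok or dkim_ok}


if __name__ == "__main__":
    print("legit:  ", assess_message(LEGIT_MESSAGE))
    print("spoofed:", assess_message(SPOOFED_MESSAGE))
```

Note that this trusts the Authentication-Results header, which is only safe when it was added by your own receiving server; a message can arrive carrying a forged copy, which is why mail servers strip such headers from incoming mail before adding their own.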

Phone Caller ID Spoofing

• Makes a phone call appear to have come from any number the caller wishes
• The most common spoofing method is through the VoIP system
• Open source tools, e.g. Asterisk and FreeSWITCH, can be used for spoofing

Email Threats

• Security risks include
  – phishing scams
  – links (in the body) or attachments that carry malware
• Nowadays these risks are high
  – bad guys can hire a SPAM-sending botnet to launch a large-scale attack
  – millions of valid email addresses are available for sale in the underground black market

Phishing Attack: An Example Email

Subject: E-mail Security Alert!
From: Kansas State University <[email protected]>
Date: Tue, 18 Dec 2012 06:14:01 +0900 (JST)

Access to your e-mail account is about to expired. Please Click here <http://sevenes.com/zboard/ksu/> to restore access to your e-mail account. We apologise for any inconvenience and appreciate your understanding.

Regards, Kansas State University

Acknowledgement: K-State IT Security Threats Blog

Phishing Attack: Another Example

Acknowledgement: FraudWatchInternational.com

More on the Phishing Attack

• Fake email messages apparently coming from a trusted person or institution (e.g. a bank)
  – trick people into passing secret information such as passwords, credit card numbers and bank account numbers
• A phishing email can have links to
  – fake login pages impersonating financial institutions
  – malware, viruses, spyware, etc.

Countering Phishing Attacks

• Remember that the institution (e.g. your bank or KSU) will never ask for your secret through emails
• Be suspicious when you receive an email; know that the email sender address can be spoofed
• Avoid clicking any link in such emails
  – double check whether the link URL looks fishy
  – visit only https links; do not proceed if you get a bogus certificate warning
• Do not respond to any such email; call them if unsure
• Always use the latest versions of web browsers
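The slide's advice to check whether a link URL looks fishy and to visit only https links can be turned into a mechanical check. The script below is an added example, not part of the original slides: it pulls every link out of an HTML email body and flags a link whose scheme is not https, whose host is not under the institution's own domain, whose visible text shows a different URL than the one it actually points to, or which hides a lookalike name in the user-info part before the real host. The sample body (modelled on the earlier K-State example, which linked to a path mentioning ksu on an unrelated host) and the trusted domain ksu.example are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body in the style of the phishing example shown earlier;
# every domain uses the reserved .example TLD.
SAMPLE_BODY = """
<p>Access to your e-mail account is about to expire.
Please <a href="http://sevenes.example/zboard/ksu/">Click here</a> to restore access.</p>
<p>Or visit <a href="https://login.mailer.example/">https://webmail.ksu.example/</a></p>
<p>Questions? See <a href="https://its.ksu.example/security">our security page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(href: str, text: str, trusted_domain: str) -> list:
    """Return the list of reasons this link is suspicious (empty if none)."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("not https")
    if parsed.username is not None:
        # e.g. https://ksu.example@evil.example/ : the real host is after the '@'
        findings.append("userinfo before host")
    if not is_under(host, trusted_domain):
        findings.append(f"host {host or '?'} is not under {trusted_domain}")
    if text.startswith(("http://", "https://")) and host_of(text) != host:
        findings.append("visible URL differs from link target")
    return findings


def triage(html_body: str, trusted_domain: str) -> dict:
    """Map each link target in the body to its findings."""
    collector = LinkCollector()
    collector.feed(html_body)
    return {href: check_link(href, text, trusted_domain)
            for href, text in collector.links}


if __name__ == "__main__":
    for href, findings in triage(SAMPLE_BODY, "ksu.example").items():
        print(href, "->", findings or "ok")
```

The host check is the important one: a phishing link often contains the institution's name somewhere in the path or as a subdomain of an attacker's domain, and only the registered domain, read from the right, tells you who actually controls the page.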

How to Recognize a Fraudulent Email?

• Train yourself by studying several resources which are available on the KSU ITS website
• Some resource examples are
  – Anti-Phishing Working Group www.antiphishing.org (http://www.antiphishing.org/resources/Educate-Your-Customers/)
  – Looks Too Good To Be True www.lookstoogoodtobetrue.com

Examples of Phishing Scams

• Advance fee scam
• Job offer scam
• Nigerian scam
• Beneficiary of a will scam
• Over-paying (Craigslist) scam
• Charitable donation scam
• Facebook friend scam

Acknowledgement: K-State ITS

Spear Phishing

• A more targeted method of phishing
  – only known members of the targeted institution receive the email
• Email addresses are acquired by
  – joining a mailing list
  – buying a list from a hacker
  – guessing email addresses based on the general format, e.g. [email protected]

Threats via Email Attachment

• An email attachment may contain malware
  – worms, viruses, Trojan horses, etc.
  – which can seriously damage your computer
• Do not open any suspicious attachment
  – opening it can trigger/execute the malware
  – just delete such emails
• Install anti-virus software on your computer
  – ensure that it scans all attachments automatically before you open them
  – the anti-virus product “Trend Micro Security” is available to K-Staters

Risks of Swiping a Credit Card in an Untrusted Place

• An ATM skimmer can steal the card secret
  – later the bad guys collect the data from the skimmer device
  – difficult to detect: it blends in with the cash machine in form and color
• Typically two components build a skimmer
  – a device that fits over the card acceptance slot and steals the data stored on the card’s magnetic stripe
  – a pinhole camera built into a false panel that thieves can fit above or beside the PIN pad
• Risk mitigation
  – try to avoid using ATMs in unknown, non-standard places
  – frequently check your credit card transactions and report fraud, if any

Basics of RFID Technology

• The tracking system has three components:
  – a scanning antenna
  – an RFID tag programmed with information
  – a transceiver to interpret the data
• An RFID tag can be read
  – from a distance (up to 300 feet)
  – without line of sight (unlike a barcode)
• RFID tags have NO batteries
  – so they remain usable for a long time

RFID Tags: Security and Privacy Concerns

• A thief with a scanner can activate the RFID tag and read its contents
  – example: if someone walks by your bag of books with a “sniffer”, that person can get a complete list of the books
• Concern with RFID devices in a company badge
  – example: an RF field may make the RFID chip in the badge spill the badge secret, allowing the thief access

Summary

• We discussed a few common security issues
• We presented the standard countermeasures to mitigate the risks
• This was the last class of CIS 490
• Thanks a lot for your time and cooperation