NAU Summer Seminar Series - Protect Yourself from Cybercrime
Protecting Your Identity Online

Protecting Yourself from Online Cyber-Criminals: Practical Tips and Tools

By: Jane Ginn, MRP, AIT
With Guest Artist: Tony Carito

Sponsors:

Protecting Your Data & Online Identity

Scope of the Problem
Threat Vectors / Vulnerabilities
Growing Sophistication of Cybercriminal Networks
Protection / Countermeasures

Scope of the Problem

The Industrialization of Cyber-Crime


Motivation of Cyber-Criminals


Origin of Attack (2011 Data)
Source: Trustwave SpiderLabs

Location Info Can Be Deceptive

Tor Node Locations on February 27, 2013 Source: HackerTarget.com


Growth of Malware

Source: Panda Security


Types of Malware

Source: 2012 - Panda Security
Source: 2013 - Solutionary

How Data Are Lost or Compromised

Source: 2011 Ponemon Benchmark Study Sponsored by Symantec


What types of companies are being breached the most?
What are the criminals after?

Source: Trustwave 2013 Report


Fraud Incidence Increasing

Source: Javelin 2013


The Use of Toolkits: ZeuS

Emerged in 2007
Most prevalent malware toolkit in the banking and financial services sector
Many variants
Forms botnets for exploiting innocent victims
Toolkit goes for roughly $4,000 on the black market, with many add-ons for $800 - $1,500
Most prevalent in countries that don't enforce laws against cybercriminal activity

http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits

The Use of Toolkits: Spy Eye


What Are Botnets?

Source: McAfee 2011 Report
http://www.youtube.com/watch?v=l0y9RA6jrSY

Spam Down w/ Botnet Take-Downs

Source: M86 Security


DDoS Attacks
http://flowingdata.com/2013/05/30/ddos-attack-animation/

DDoS also deployed by: Low Orbit Ion Cannon (LOIC)
Jan. 19, 2012: FBI, DOJ, US Copyright Office, Warner Brothers Music, MPAA, RIAA

Interactive Map of Global Activity
http://globalsecuritymap.com/

Interview with a Black Hat Hacker
Audio recording adapted from an interview with a real hacker by Robert Hansen of WhiteHat Security

Dialogue of Interview, Part 1

Q: Can you describe what you think your hacking related skills are?
A: My personal expertise and area of knowledge is in social engineering. I think it is pretty obvious I'm a black hat, so I social engineer to card. Another area of hacking is botnet building.

Q: What attracted you to the Black Hat way of life?
A: Money. I found it funny how watching T.V. and typing on my laptop would earn me a hard worker's monthly wage in a few hours. It was too easy in fact.

Q: Can you recall a tipping point at which you started considering yourself a Black Hat?
A: It's difficult really. We never called ourselves Black Hats, I don't know, it was just too James Bond like.

Dialogue of Interview, Part 2

Q: How many machines do you think you directly controlled at the peak of your Botnet activity?
A: Erm, depends. I had two separate botnets (although some bots cross over). The DDoS botnet contained the bots which were public computers or computers that were in offices. Then there was my carding botnet, definitely the most valuable. The DDoS botnet has about 60-70k bots at the moment, most in the U.S. The carding botnet had a lot less at around 5-10k, most in Asia.

Q: How much money do you think you made, after expenses, per year, at the peak, doing Black Hat activities?
A: I can't really go into specifics but when 9/11 happened we were making millions.

Dialogue of Interview, Part 3

Q: How much do you think you made last year?
A: Off the top of my head? Around about 400-500k. Last year was kind of s**t. People became wiser, patches became more frequent. This year we have 3/4 of that amount already.

Q: How easy is it for you to compromise a website?
A: I like to watch the news; especially the financial side of it. Most of these websites have admins behind them who have no practical experience of being the bad guy and how the bad guys think.

Q: Which types of browsers tend to be the most vulnerable?
A: If you asked me this a few years ago I'd have said, almost 100% was Internet Explorer. That is hugely vulnerable, but now people have taken to the better, faster browsers such as Chrome and Firefox.

Dialogue of Interview, Part 4

Q: Is there any line you personally never crossed as a Black Hat?
A: I refuse to allow my botnet to be used to attack charities or soldier memorial pages. Apart from that it's fair game.

Q: How do you perceive the owners of the websites you have compromised and the victims of the machines that your Botnets have infected?
A: I kinda feel sorry for the people who become victims of fraud, although if you're stupid enough to click a link, you probably deserved it!

THREAT VECTORS / VULNERABILITIES

Point-of-Sale (POS) Systems
  Restaurants / Hotels / Retail Shops
  Gas Stations / Grocery Stores
Networks (Wired & Wireless)
  Home / Work / School
  Coffee Shops
  Airport Hot Spots
Computers / Laptops / Tablets / Mobiles
Email
Web Applications
ATM Machines
Social Media & Social Engineering

Vulnerabilities: Point-of-Sale Systems

Why? Improperly Installed / Poorly Configured

Regulated by the Payment Card Industry (PCI) Data Security Standard (DSS)

Vulnerabilities: Networks (Wired & Wireless)

All Networks
  No Firewalls
  Firewalls Using Out-of-Date Software
  Use of Default Passwords on Routers
Wireless
  Wireless Networks Configured without Encryption
Wired
  Easy physical access in buildings with wired networks

Vulnerabilities: Laptops / Tablets / Cell Phones / PDAs

All Devices
  Use of Weak Passwords
  Use of the Same Password for All Accounts
  Sharing of Passwords
  Single-Factor Authentication
  No Encryption
  No Anti-Virus (A/V) Programs (yes, Apple products need A/V, too)
  Operating Systems & Applications Not Patched
  Installation of Infected Apps
    400% increase in malware targeting smartphones in 2012
  Lost or Stolen Devices

Source: Kaspersky Labs

ATM Vulnerabilities


Vulnerabilities: Social Media & Social Engineering

Online Exploits Using Social Media Sites
  Phishing (419 Attacks)
  Persuading victims to click on an infected link
  Too-Good-To-Be-True offers
  Web Application Attacks
  MitM, MitB, MitS Attacks
In-Person Social Engineering Exploits
  Dumpster diving
  Infected flash drive

Photo Source: DiegoFuego via Flickr

Help Desk Blame
Dramatization of how we take our frustration with cyber-criminals out on Help Desk personnel.

Growing Sophistication of Cybercrime Supply Chain

Mature Market
  Product Specialization
  Automation of Offerings
  Intellectual Property Protection (Sophisticated Licensing)
  Inter-market Communications
  Expertly designed eCommerce Sites
  Use of digital payment systems providing anonymity
  Affiliate Marketing Schemes
Movement of Advanced Exploits to Mobile Platforms
  ZitMo & SpitMo

Online eCommerce Site


Affiliate Marketing Schemes


The Move Towards Automation

Use of crime-ware toolkits
  Implements Automatic Transfer System (ATS) code in banking trojans
  Easy drag-and-drop functionality
Use of botnets
  Rental of botnet time using digital money

Malware-as-a-Service Business Model

Use of Money Mules: $45M Heist in 2013

February 19th, 2013
2,904 ATMs withdrawing $2.4M
8 Money Mules arrested in NY
Law enforcement agencies in 17 other countries involved
$24M withdrawn worldwide in global coordinated attack
Demonstrated vulnerability of global banking system
Used prepaid MC & Visa cards
Targeted banks in Oman & UAE
ATMs hit in Manhattan, NYC

Interview with a Money Mule
Dramatization of one key part of the cyber-crime supply chain: statement from a money mule sitting in the jail house in the Eastern District of New York

United States Attorney's Office, Eastern District of New York

PROTECTION / COUNTERMEASURES

Point-of-Sale (POS) Systems
Networks
Computers / Laptops / Mobiles
Online Banking
Browsing & Online Purchases
ATMs
eMail

Point-of-Sale (POS) System Security

Small business owners should:
  Take audits seriously
  Do penetration testing
  Ensure the wireless network is encrypted
  Use a third-party contractor if unsure of checklist criteria
Users should:
  Use a credit card rather than a debit card at unknown stores
  Monitor statements

Networks

Wired Networks
  Limit physical access
  Set up logging and monitor the logs
  Control access to computers and Ethernet outlets
Wireless Networks
  Use WPA2 for encryption
  Visit the Wi-Fi Alliance for approved products
  Use a 3rd party to set up the network if necessary
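"Set up logging and monitor the logs" is the one item on this slide that needs a concrete recipe. The script below is an added example, not part of the presentation: it reads DHCP server log lines (the syslog format ISC dhcpd uses) and reports every device that was handed a lease but is not in the owner's inventory, which is the simplest way to notice a stranger plugged into an Ethernet outlet or joined to the Wi-Fi. The log lines, MAC addresses and the KNOWN_DEVICES inventory are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines in the format ISC dhcpd uses; they are not from
# a real router, and the MAC addresses and hostnames are made up.
SAMPLE_LOG = """\
Jun  3 09:58:11 router dhcpd: DHCPACK on 192.168.1.20 to aa:bb:cc:00:00:01 (jane-laptop) via eth1
Jun  3 10:01:02 router dhcpd: DHCPACK on 192.168.1.21 to aa:bb:cc:00:00:02 (printer) via eth1
Jun  3 10:14:45 router dhcpd: DHCPACK on 192.168.1.57 to de:ad:be:ef:00:99 (android-7f3a) via eth1
Jun  3 10:15:00 router dhcpd: DHCPREQUEST for 192.168.1.57 from de:ad:be:ef:00:99 (android-7f3a) via eth1
Jun  3 11:02:30 router dhcpd: DHCPACK on 192.168.1.58 to 00:11:22:33:44:55 via eth1
Jun  3 11:40:12 router dhcpd: DHCPACK on 192.168.1.20 to AA:BB:CC:00:00:01 (jane-laptop) via eth1
"""

# Hypothetical inventory: the MAC addresses of the devices the owner has approved.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "jane-laptop",
    "aa:bb:cc:00:00:02": "printer",
}

# Only DHCPACK lines matter: they record a lease that was actually granted.
# The hostname in parentheses is optional; some clients never send one.
ACK_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    ip: str
    mac: str
    hostname: str
    interface: str


def find_unknown_devices(log_text: str, known=KNOWN_DEVICES) -> list:
    """Return one Alert per MAC address that obtained a lease but is not in the inventory."""
    alerts = []
    reported = set()  # report each unknown MAC once, not once per lease renewal
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        mac = m.group("mac").lower()  # normalize case before the inventory lookup
        if mac in known or mac in reported:
            continue
        reported.add(mac)
        alerts.append(Alert(m.group("ts"), m.group("ip"), mac,
                            m.group("host") or "<no hostname>", m.group("iface")))
    return alerts


if __name__ == "__main__":
    for a in find_unknown_devices(SAMPLE_LOG):
        print(f"{a.timestamp}  unknown device {a.mac} ({a.hostname}) took {a.ip} on {a.interface}")
```

Run it against the constructed log and it reports the two devices that are not in the inventory (the Android phone and the device that sent no hostname) while staying quiet about the laptop's renewal, even though that line spells the MAC address in upper case. On a real network the script would read the router's exported log file instead of SAMPLE_LOG, and the inventory would be the list of devices the owner actually expects to see.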

Using Computers / Laptops / Mobiles

Use Strong Passwords
Change Passwords Regularly
Use Different Passwords for Different Sites
Store Passwords in a Vault
Patch Operating Systems (OSs)
Patch Applications
Upgrade to more current versions of OSs when possible
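Three of the items on this slide (strong passwords, different passwords for different sites, a vault) can be audited mechanically once the passwords are in one place. The following is an added example, not code from the presentation: it scores each password by length and by an estimate of how many bits an attacker would have to brute-force, checks it against a common-password list, and finds passwords reused across accounts in a vault export. The COMMON_PASSWORDS set, the 12-character and 60-bit thresholds, and the SAMPLE_VAULT contents are all hypothetical values chosen for the example.

```python
import math
import string
from collections import defaultdict

# Constructed stand-in for a breached/common-password list; a real audit would use a
# much larger list. Hypothetical values.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2013"}

MIN_LENGTH = 12         # policy thresholds chosen for this example
MIN_ENTROPY_BITS = 60


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool that contains every character of pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 symbols
    if " " in pw:
        size += 1
    return size


def estimate_entropy_bits(pw: str) -> float:
    """Upper-bound guess of brute-force strength: length * log2(pool size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str) -> list:
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append(f"estimated strength below {MIN_ENTROPY_BITS} bits")
    return problems


def find_reused_passwords(vault: dict) -> dict:
    """Map each password used for more than one account to the accounts that share it."""
    accounts_by_password = defaultdict(list)
    for account, pw in vault.items():
        accounts_by_password[pw].append(account)
    return {pw: sorted(accounts) for pw, accounts in accounts_by_password.items()
            if len(accounts) > 1}


# Constructed sample vault export (account -> password); hypothetical values.
SAMPLE_VAULT = {
    "bank": "Summer2013",
    "email": "Summer2013",
    "forum": "Tr0ub4dor&3",
    "work-vpn": "correct horse battery staple",
}

if __name__ == "__main__":
    for account, pw in SAMPLE_VAULT.items():
        print(account, check_password(pw) or ["ok"])
    for pw, accounts in find_reused_passwords(SAMPLE_VAULT).items():
        print("same password reused on", accounts)
```

The entropy estimate is deliberately optimistic (it assumes every character was chosen uniformly from the pool), so a password that fails it is weak for certain, while one that passes still needs the common-list check; "Summer2013" fails all three rules, and the reuse check is what a vault makes possible that memory alone does not.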

Using Online Banking Services

Use a Product That Protects Data in Transit & in Storage
  Some banks have enterprise-level products customers can download
  Example: Trusteer Rapport
If You Use Mobile Online Banking:
  Make sure to have A/V protection
  Example: Trusteer Mobile (Android)

Internet Browsing & Online Purchases

https://

Internet Browsing
  Keep browsers up to date
  Avoid iffy sites
Online Purchases
  Make sure the page where you enter your credit card is using Secure Socket Layer (SSL)

Avoid ATM Skimming Fraud

Check for different color metals or uneven edges
Use ATMs at banks or inside stores rather than on the street
Cover your hand when entering your PIN

Email Protection

Avoiding Spam & Phishing
  Use the blacklist/whitelist feature
  Set up a spam filter
  Set up an alternate email address for occasional sites requiring registration
  Don't respond to 419 scams
  Register for Federal Trade Commission scam alerts
Maintaining Privacy
  Get email on an encrypted service
  Avoid registering on iffy websites
  Use the browser add-in of your anti-virus protection program
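The blacklist/whitelist feature, the spam filter and the "don't respond to 419 scams" advice on this slide, together with the DMARC.org resource listed at the end of the deck, all come down to a few checks on each incoming message. The script below is an added example and not part of the presentation: it classifies a message as allow, quarantine or block using a sender-domain allow/deny list, the dmarc= result in the Authentication-Results header that a receiving mail server adds, a count of advance-fee scam phrases, and a comparison of each HTML link's visible host name against where the href really points. The domain lists, scam phrases and the four SAMPLES messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow/deny lists of sender domains (".example" and ".test" are reserved TLDs).
WHITELIST = {"bank.example", "nau.example"}
BLACKLIST = {"bulkmail.example"}

# Wording typical of advance-fee ("419") scams; two or more hits is treated as suspicious.
SCAM_PHRASES = ("next of kin", "transfer of funds", "wire transfer", "million", "strictly confidential")

DMARC_RE = re.compile(r"\bdmarc=(pass|fail|none)\b", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.IGNORECASE | re.DOTALL)
LOOKS_LIKE_HOST_RE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """'Bank Alerts <alerts@bank.example>' -> 'bank.example'."""
    return from_header.rsplit("@", 1)[-1].strip("> ").lower()


def mismatched_links(html: str) -> list:
    """Links whose visible text names one host but whose href goes somewhere else."""
    findings = []
    for a in ANCHOR_RE.finditer(html):
        href_host = urlparse(a.group("href")).hostname or ""
        text = re.sub(r"<[^>]+>", "", a.group("text")).strip()
        if not LOOKS_LIKE_HOST_RE.match(text):
            continue  # "Click here" style text carries no host name to compare
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if href_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


def classify(msg: dict):
    """Return (verdict, reasons); verdict is 'allow', 'quarantine' or 'block'."""
    domain = sender_domain(msg["from"])
    if domain in BLACKLIST:
        return "block", ["sender domain is on the blacklist"]
    reasons = []
    m = DMARC_RE.search(msg.get("authentication-results", ""))
    if m and m.group(1).lower() == "fail":
        reasons.append("DMARC failed: the From address may be forged")
    # A whitelisted sender skips the content checks, but only if its identity held up.
    if domain in WHITELIST and not reasons:
        return "allow", []
    body = msg["body"]
    hits = [p for p in SCAM_PHRASES if p in body.lower()]
    if len(hits) >= 2:
        reasons.append("419-style wording: " + ", ".join(hits))
    reasons.extend(mismatched_links(body))
    return ("quarantine" if reasons else "allow"), reasons


# Constructed sample messages, reduced to the headers the rules look at.
SAMPLES = [
    {"from": "Bank Alerts <alerts@bank.example>", "authentication-results": "mx.example; dmarc=pass",
     "body": "Your March statement is ready in online banking."},
    {"from": "Bank Security <alerts@bank.example>", "authentication-results": "mx.example; dmarc=fail",
     "body": 'Verify now: <a href="http://bank.example.verify-login.test/">https://bank.example</a>'},
    {"from": "barrister@freemail.example",
     "body": "As the next of kin you will receive 40% after the transfer of funds of 12 million USD."},
    {"from": "deals@bulkmail.example",
     "body": 'Cheap pills!! <a href="http://bulkmail.example/x">here</a>'},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, reasons = classify(msg)
        print(f"{verdict:10} {msg['from']:40} {'; '.join(reasons)}")
```

The second sample is the interesting one: the From address is a whitelisted bank, but the DMARC failure means the whitelist must not be trusted, and the link's visible text "https://bank.example" hides a different destination. A real filter would read the Authentication-Results header that its own mail server wrote, never one supplied by the sender, since that header is only meaningful when the receiving server added it.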

Social Media & Social Engineering

Social Media
  Take care who you follow or friend
  Monitor sites' blogs for announcements of fraud attempts and exploits
Social Engineering
  Monitor FraudWatch International
  Develop a healthy attitude of skepticism

Some Tools

Encrypted email
  Hushmail
  Runbox.com

Avoid Becoming a Victim from the Industrialization of Cyber-Crime


RESOURCES

Identity Theft
  Privacy Rights Clearinghouse
  Electronic Privacy Information Center
Banking Fraud
  Federal Trade Commission
  Consumer Financial Protection Bureau
Phishing Intelligence
  FraudWatch International
  DMARC.org

Q & A
Protect Yourself Online