Protecting Your Identity Online
Protecting Yourself from Online Cyber-Criminals
Practical Tips and Tools
By: Jane Ginn, MRP, AIT
With Guest Artist: Tony Carito
Sponsors:
Protecting Your Data & Online Identity
- Scope of the Problem
- Threat Vectors/Vulnerabilities
- Growing Sophistication of Cybercriminal Networks
- Protection/Countermeasures
Scope of the Problem
The Industrialization of Cyber-Crime

Motivation of Cyber-Criminals

Origin of Attack 2011 Data
Source: Trustwave Spider Labs

Location Info Can Be Deceptive
Tor Node Locations on February 27, 2013
Source: HackerTarget.com

Growth of Malware
Source: Panda Security

Types of Malware
Source: 2012 - Panda Security
Source: 2013 - Solutionary

How Data Are Lost or Compromised
Source: 2011 Ponemon Benchmark Study Sponsored by Symantec
What types of companies are being breached the most?
What are the criminals after?
Source: Trustwave 2013 Report
Fraud Incidence Increasing
Source: Javelin 2013
The Use of Toolkits: ZeuS
- Emerged in 2007
- Most prevalent malware toolkit in banking and financial services sector
- Many variants
- Forms botnets for exploiting innocent victims
- Toolkit goes for +(-) $4,000 on black market w/ many add-ons for $800 - $1,500
- Most prevalent in countries that don't enforce laws against cybercriminal activity
http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
The Use of Toolkits: SpyEye

What Are Botnets?
Source: McAfee 2011 Report
http://www.youtube.com/watch?v=l0y9RA6jrSY

Spam Down w/ Botnet Take-Downs
Source: M86 Security

DDoS Attacks
http://flowingdata.com/2013/05/30/ddos-attack-animation/
DDoS also deployed by: Low Orbit Ion Cannon (LOIC)
Jan. 19, 2012: FBI, DOJ, US Copyright Office, Warner Brothers Music, MPAA, RIAA

http://globalsecuritymap.com/
Interactive Map of Global Activity

Interview with a Black Hat Hacker
Audio recording adapted from an interview with a real hacker by Robert Hansen of White Hat Security
Dialogue of Interview Part 1
Q: Can you describe what you think your hacking-related skills are?
A: My personal expertise and area of knowledge is in social engineering. I think it is pretty obvious I'm a black hat, so I social engineer to card. Another area of hacking is botnet building.
Q: What attracted you to the Black Hat way of life?
A: Money. I found it funny how watching T.V. and typing on my laptop would earn me a hard worker's monthly wage in a few hours. It was too easy in fact.
Q: Can you recall a tipping point at which you started considering yourself a Black Hat?
A: It's difficult really. We never called ourselves Black Hats, I don't know, it was just too James Bond like.

Dialogue of Interview Part 2
Q: How many machines do you think you directly controlled at the peak of your Botnet activity?
A: Erm, depends. I had two separate botnets (although some bots cross over). The DDoS botnet contained the bots which were public computers or computers that were in offices. Then there was my carding botnet, definitely the most valuable. The DDoS botnet has about 60-70k bots at the moment, most in the U.S. The carding botnet had a lot less at around 5-10k, most in Asia.
Q: How much money do you think you made, after expenses, per year, at the peak, doing Black Hat activities?
A: I can't really go into specifics but when 9/11 happened we were making millions.

Dialogue of Interview Part 3
Q: How much do you think you made last year?
A: Off the top of my head? Around about 400-500k. Last year was kind of s**t. People became wiser, patches became more frequent. This year we have 3/4 of that amount already.
Q: How easy is it for you to compromise a website?
A: I like to watch the news; especially the financial side of it. Most of these websites have admins behind them who have no practical experience of being the bad guy and how the bad guys think.
Q: Which types of browsers tend to be the most vulnerable?
A: If you asked me this a few years ago I'd have said, almost 100% was Internet Explorer. That is hugely vulnerable, but now people have taken to the better, faster browsers such as Chrome and Firefox.

Dialogue of Interview Part 4
Q: Is there any line you personally never crossed as a Black Hat?
A: I refuse to allow my botnet to be used to attack charities or soldier memorial pages. Apart from that it's fair game.
Q: How do you perceive the owners of the websites you have compromised and the victims of the machines that your Botnets have infected?
A: I kinda feel sorry for the people who become victims of fraud, although if you're stupid enough to click a link, you probably deserved it!
THREAT VECTORS/VULNERABILITIES
- Point-of-Sale (POS) Systems
  - Restaurants/Hotels/Retail Shops
  - Gas Stations/Grocery Stores
- Networks (Wired & Wireless)
  - Home/Work/School
  - Coffee Shops
  - Airport Hot Spots
- Computers/Laptops/Tablets/Mobiles
- Email
- Web Applications
- ATM Machines
- Social Media & Social Engineering

Vulnerabilities: Point-of-Sale Systems
Why? Improperly Installed/Poorly Configured
Regulated by the Payment Card Industry (PCI) Data Security Standard (DSS)
Vulnerabilities: Networks (Wired & Wireless)
All Networks
- No Firewalls
- Firewalls Using Out-of-Date Software
- Use of Default Passwords on Routers
Wireless
- Wireless Networks Configured without Encryption
Wired
- Easy physical access in buildings with wired networks

Vulnerabilities: Laptops/Tablets/Cell Phones/PDAs
All Devices
- Use of Weak Passwords
- Use of Same Passwords for all Accounts
- Sharing of Passwords
- Single Authentication
- No Encryption
- No Anti/Virus (A/V) Programs
  - Yes, Apple Products need A/V, too.
- Operating Systems & Applications Not Patched
- Installation of infected Apps
  - 400% increase in malware targeting smartphones in 2012
- Lost or Stolen Devices
Source: Kaspersky Labs
ATM Vulnerabilities

Vulnerabilities: Social Media & Social Engineering
Online Exploits
- Using Social Media Sites
- Phishing (419 Attacks)
- Persuading victims to click on an infected link
- Too-Good-To-Be-True offers
- Web Application Attacks
- MitM, MitB, MitS Attacks
In-Person Social Engineering Exploits
- Dumpster diving
- Infected flash drive
Photo Source: DiegoFuego via Flickr

Help Desk Blame
Dramatization of how we take our frustration with cyber-criminals out on Help Desk personnel.
Growing Sophistication of Cybercrime Supply Chain
- Mature Market
- Product Specialization
- Automation of Offerings
- Intellectual Property Protection (Sophisticated Licensing)
- Inter-market Communications
- Expertly designed eCommerce Sites
- Use of digital payment systems providing anonymity
- Affiliate Marketing Schemes
- Movement of Advanced Exploits to Mobile Platforms
  - ZitMo & SpitMo

Online eCommerce Site

Affiliate Marketing Schemes

The Move Towards Automation
- Use of crime-ware toolkits
  - Implements Automatic Transfer System (ATS) code in banking trojans
  - Easy drag-and-drop functionality
- Use of botnets
  - Rental of botnet time using digital money
Malware-as-a-Service Business Model
Use of Money Mules: $45M Heist in 2013
- February 19th, 2013
- 2,904 ATMs withdrawing $2.4M
- 8 Money Mules arrested in NY
- Law enforcement agencies in 17 other countries involved
- $24M withdrawn worldwide in global coordinated attack
- Demonstrated vulnerability of global banking system
- Used PrePaid MC & Visa Cards
- Targeted banks in Oman & UAE
- ATMs hit in Manhattan in NYC

Interview with a Money Mule
Dramatization of one key part of the cyber-crime supply chain: Statement from money mule sitting in the jail house in the Eastern District of New York
United States Attorney's Office, Eastern District of New York
PROTECTION/COUNTERMEASURES
- Point-of-Sale (POS) Systems
- Networks
- Computers/Laptops/Mobiles
- Online Banking
- Browsing & Online Purchases
- ATMs
- eMail

Point-of-Sale (POS) System Security
Small business owners should:
- Take audits seriously
- Do penetration testing
- Ensure wireless network is encrypted
- Use third-party contractor if unsure of checklist criteria
Users should:
- Use credit card rather than debit card at unknown stores
- Monitor statements

Networks
Wired Networks
- Limit physical access
- Set up logging and monitor logs
- Control access to computers and Ethernet outlets
Wireless Networks
- Use WPA2 for encryption
- Visit WiFi Alliance for approved products
- Use 3rd-Party to set up if necessary
Using Computers/Laptops/Mobiles
- Use Strong Passwords
- Change Passwords regularly
- Use Different Passwords for Different Sites
- Store Passwords in a Vault
- Patch Operating Systems (OSs)
- Patch Applications
- Upgrade to more current versions of OSs when possible

Using Online Banking Services
- Use Product That Protects Data in Transit & In-Storage
  - Some banks have Enterprise-Level products customers can download
  - Example: Trusteer Rapport
- If You Use Mobile Online Banking:
  - Make sure to have A/V protection
  - Example: Trusteer Mobile (Android)

Internet Browsing & Online Purchases
Internet Browsing
- Keep browsers up-to-date
- Avoid iffy sites
Online Purchases
- Make sure the page where you enter your credit card is using Secure Sockets Layer (SSL), i.e. the address begins with https://

Avoid ATM Skimming Fraud
- Check for different color metals or uneven edges
- Use ATMs at banks or inside stores rather than on the street
- Cover your hand when entering PIN

Email Protection
Avoiding Spam & Phishing
- Use Blacklist/Whitelist feature
- Set up spam filter
- Set up alternate Email for occasional sites requiring registration
- Don't respond to 419 scams
- Register for Federal Trade Commission Scam Alerts
Maintaining Privacy
- Get Email on an Encrypted Service
- Avoid Registering on iffy websites
- Use Browser Add-in of your Anti/Virus protection program
Social Media & Social Engineering
Social Media
- Take care who you follow or friend
- Monitor site's blog for announcements of fraud attempts and exploits
Social Engineering
- Monitor FraudWatch International
- Develop healthy attitude of skepticism

Some Tools
Encrypted email
- Hushmail
- Runbox.com

Avoid Becoming a Victim from the Industrialization of Cyber-Crime

RESOURCES
Identity Theft
- Privacy Rights Clearinghouse
- Electronic Privacy Information Center
Banking Fraud
- Federal Trade Commission
- Consumer Financial Protection Bureau
Phishing Intelligence
- FraudWatch International
- DMARC.org

Q & A
Protect Yourself Online