Internet Safety

Transcript

1. Internet Safety Paul Halliday | Security Analyst | NSCC |

   Festival of Learning, May 2012 “Those who are incapable of committing great crimes do not readily suspect them in others” -- François de la Rochefoucauld

2. about me network security analyst with the college since 2004

   network security monitoring, risk analysis, awareness open source author and advocate

3. about this presentation usernames and passwords encryption and privacy threats

   – past, present and protection

4. strong passwords why are important

5. login + password =

6. in the news “Anonymous reveals 90k military email and password

   combos in the name of #Antisec” Source: http://betanews.com/2011/07/12/anonymous-reveals-90k-military-email-and-password-combos-in-the-name-of-antisec/

7. in the news Source: http://nakedsecurity.sophos.com/2011/06/21/lulzsec-anonymous-should-i-change-my-password/ “After LulzSec's recent spray of

   62,000 passwords, Twitter came alive with LulzSec hangers-on announcing the malevolent uses to which they'd quickly put the leaked data - such as sending a large pack of condoms to a random woman using someone else's money, or trying to break up relationships by posting fake information on Facebook”

8. in the news Source: http://www.geekwithlaptop.com/hacker-selling-facebook-accounts-online “Verisign’s iDefence has uncovered evidence

   that a hacker by the name of Kirllos is apparently selling a massive number of social networking accounts on an underground forum[...] According to iDefense, criminals could use the data to set up fraudulent bank accounts, money transfer scams and for stealing identities.”

9. How passwords are stored cleartext Papershoes password hash Xnffba7d25e042c0d367e471a9733 97ee7a16069cc

   2 points

10. How passwords are attacked Username Email Password crazydave656 [email protected] 0800fc577294c34e0b28ad2

    839435945 kittens [email protected] 8ee2027983915ec78acc450 27d874316 jackercrack [email protected] e2bbb098e9f3c4367dd612 1e90df7ab9 Pick an online service / or a device Pick an online service / or a device Computers are very effective at cracking passwords. Some are even capable of over 2 Billion attempts / second *

11. Unfortunately: Condition 7 Characters 8 Characters 9 Characters Numbers (0-9)

    Instant Instant Instant Full Alphabet (A-Z) 8 seconds 3.5 minutes 1.5 hours Mixed Alphabet (aA-zZ) 17 minutes 15 hours 32 days Mixed & Symbols 20 hours 83 days 10 years Sources: http://www.lockdown.co.uk/?pg=combi, http://en.wikipedia.org/wiki/Password_strength Others. Resilience to attack &

12. Rainbow Tables If you know the password constraints: And you

    also know the hashing mechanism: Then you can leverage rainbow tables!

13. Botnet distributed attack abcde1 abcde2 abcde8 abcde4 abcde3 abcde5 abcde6

    abcde7 Zeus?

14. most passwords are too short Psychology 101: Anything greater than

    7 characters will begin to challenge our memory Odds of forgetting Password Strength 7 characters a good password

15. So, what makes a strong password? This would be a

    great one! Actually, this one is pretty good too. Wow! We are on a roll. This one as well Passwords like these are good for very a long time

16. The Rules: DO use multiple Identities DO use big passwords

    (phrases!) DO regularly change passwords*** DON’T share among services DON’T give your passwords to people DON’T put them in an email DON’T store unencrypted sounds complicated, how do I keep track?

17. You could use a password manager KeePass KeePass

18. encryption why is important

19. While online, use encryption where appropriate HTTP:// Versus HTTPS://

20. how HTTPS:// works I would like to do some banking

    please OK, You will need this first What is my balance? French? German maybe? ??? $10.24 445Dffsw1 1234dd AKn455dga pr44sse

21. Certificate Authorities gmail.com ✔ Firefox Internet Explorer Chrome Opera CA’s

22. Certificate Warnings / Errors

23. encryption should always be used for Login Pages (with fallback)

    Banking Sites (never fallback)

24. identifying a secure connection Clear as mud

25. OK, but why is it important?

26. perceived model

27. a more accurate model artifact artifact artifact artifact artifact artifact

    magic in here!

28. man in the middle attack x WWW. .CA hotspots!

29. Source: https://www.eff.org/issues/nsa-spying

30. take all of this with a grain of salt

31. The CIA’s Facebook

32. Source: http://www.forbes.com/sites/tomiogeron/2012/05/03/facebook-seeking-ipo-with-market-cap-of-86-billion/

33. Market Caps (May 14 2012) Facebook 89 – 95 Billion

    Ford 37 Billion Honda 61 Billion McDonalds 93 Billion Sony 14 Billion Source: http://ca.finance.yahoo.com/

34. Mark Pincus Video

35. Mark Pincus: “I did every horrible thing in the book

    to just get revenue right away” Q1: 12 – 15% of Facebook revenue from Zynga

36. “I don’t f***ing want innovation. You’re not smarter than your

    competitor. Just copy what they do and do it until you get their numbers.” Mark Pincus:

37. http://arstechnica.com/gaming/2011/05/you-have-died-from-dysentery-zynga-sued-over-oregon-trail/

38. http://www.forbes.com/sites/insertcoin/2012/01/25/everything-wrong-with-zynga-in-one-image/

39. None

40. “We do not own or operate the applications or websites

    that you use through Facebook […]Whenever you connect with a Platform application or website, we will receive information from them, including information about actions you take.[…]” Wha? Context shift? Policy A? Policy B? Policy C?

41. What are they doing with all of that data? Source:

    http://arstechnica.com/tech-policy/news/2011/05/google-facebook-fight-california-do-not-track-law.ars

42. Bill classification Source: http://info.sen.ca.gov/pub/11-12/bill/sen/sb_0751-0800/sb_761_bill_20120201_status.html CURRENT BILL STATUS MEASURE : S.B.

    No. 761 AUTHOR(S) : Lowenthal. TOPIC : Computer spyware. +LAST AMENDED DATE : 05/10/2011

43. Concerns

44. Source: http://www.theregister.co.uk/2011/04/27/tomtom_customer_data_flap/ Leverage what you have

45. http://www.canada.com/teenagers+kicked+Conservative+party+rally/4564787/story.html Leverage

46. Source: http://ca.news.yahoo.com/blogs/right-click/employer-requesting-facebook-login-raises-privacy-concerns-171352409.html Don’t tell me who you are, SHOW M

    E

47. online threats why the awareness of is important

48. 30% to 60% Of computers are infected with some form

    of Malware

49. a very abridged history of threats PRESENT PAST threat to

    end user threat to company* evasiveness persistence

50. Crimeware Sold as kits Customizable Very low detection rate Command

    and Control Botnets 12+ million strong “The most pervasive banking Trojan evades detection by antivirus software most of the time, according to new research “ “The most pervasive banking Trojan evades detection by antivirus software most of the time, according to new research “

51. Mariposa (butterfly bot) “a 12M+ infected hosts botnet that managed

    to steal sensitive data from 800,000 users across 190 countries, some of which include Fortune 1000 companies and 40 major banks.” http://www.zdnet.com/blog/security/police-arrest-mariposa-botnet-masters-12m-hosts-compromised/5587

52. how do I get infected?

53. drive by downloads “Video of Michael Jackson last words! Turns

    out Elvis hated peanut butter” “Justin Bieber professes his love for an ocelot!” “Osama captured! See the execution LIVE!” “visiting a website, viewing an e-mail message or by clicking on a deceptive pop-up window”

54. what happens after infection Remote connection and control is available

    Keylogging facilities / session hijacking (for banking in particular) You join a team. Which will call upon you to: -Send spam! -Infect others! -Participate in denial of service attacks!

55. crapware

56. None

57. IF IT IS CUTE OR YOU FIND YOURSELF WITH AN

    IRRESITABLE URGE TO ‘CLICK ON IT’ THEN IT IS PROBABLY DANGEROUS!! IF IT IS CUTE OR YOU FIND YOURSELF WITH AN IRRESITABLE URGE TO ‘CLICK ON IT’ THEN IT IS PROBABLY DANGEROUS!!

58. how do I stay safe? 1) Keep your machine up

    to date 2) Keep Flash up to date 3) Keep Java up to date 4) Make sure your AV is up to date and perform regular full system scans***

59. Free Stuff KeePassX: Password manager (Free) http://www.keepassx.org Security Essentials: Antivirus

    Software (Free) http://www.microsoft.com/en-us/security_essentials/default.aspx Avast for MAC: Antivirus (Free) http://www.avast.com/free-antivirus-mac Malwarebytes: Malware software (Free) http://www.malwarebytes.org