
Internet Safety

paulh
May 01, 2012

Internet Safety. Festival of Learning. May 2012


Transcript

1. Internet Safety. Paul Halliday | Security Analyst | NSCC | Festival of Learning, May 2012. “Those who are incapable of committing great crimes do not readily suspect them in others” -- François de la Rochefoucauld

2. about me: network security analyst with the college since 2004; network security monitoring, risk analysis, awareness; open source author and advocate

3. in the news: “Anonymous reveals 90k military email and password combos in the name of #Antisec” Source: http://betanews.com/2011/07/12/anonymous-reveals-90k-military-email-and-password-combos-in-the-name-of-antisec/

4. in the news: “After LulzSec's recent spray of 62,000 passwords, Twitter came alive with LulzSec hangers-on announcing the malevolent uses to which they'd quickly put the leaked data - such as sending a large pack of condoms to a random woman using someone else's money, or trying to break up relationships by posting fake information on Facebook” Source: http://nakedsecurity.sophos.com/2011/06/21/lulzsec-anonymous-should-i-change-my-password/

5. in the news: “Verisign’s iDefence has uncovered evidence that a hacker by the name of Kirllos is apparently selling a massive number of social networking accounts on an underground forum[...] According to iDefense, criminals could use the data to set up fraudulent bank accounts, money transfer scams and for stealing identities.” Source: http://www.geekwithlaptop.com/hacker-selling-facebook-accounts-online
6. How passwords are attacked. Sample leaked credential table from the slide (the e-mail column is redacted in the transcript):

   Username      Email              Password
   crazydave656  [email protected]    0800fc577294c34e0b28ad2839435945
   kittens       [email protected]    8ee2027983915ec78acc45027d874316
   jackercrack   [email protected]    e2bbb098e9f3c4367dd6121e90df7ab9

   Pick an online service / or a device. Computers are very effective at cracking passwords. Some are even capable of over 2 Billion attempts / second *
7. Unfortunately:

   Condition               7 Characters   8 Characters   9 Characters
   Numbers (0-9)           Instant        Instant        Instant
   Full Alphabet (A-Z)     8 seconds      3.5 minutes    1.5 hours
   Mixed Alphabet (aA-zZ)  17 minutes     15 hours       32 days
   Mixed & Symbols         20 hours       83 days        10 years

   Sources: http://www.lockdown.co.uk/?pg=combi, http://en.wikipedia.org/wiki/Password_strength (chart labels on the slide: Resilience to attack; Others)
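The table above can be reproduced from the size of each character set and a guessing rate. The block below is an added example, not from the talk; it assumes 1e9 guesses per second (the slide's "2 billion" figure would halve the times) and 95 printable ASCII characters for the "Mixed & Symbols" row, and it reports worst-case exhaustive search, so the alphabetic rows come out within rounding of the slide's values.

```python
# Added example (not from the slides): worst-case brute-force cost per
# character class and length. Rate and the 95-character symbol set are
# assumptions, not figures from the talk.
CHARSETS = {
    "Numbers (0-9)": 10,
    "Full Alphabet (A-Z)": 26,
    "Mixed Alphabet (aA-zZ)": 52,
    "Mixed & Symbols": 95,   # assumption: all printable ASCII characters
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = 1e9) -> float:
    """Worst-case seconds to try every candidate at `rate` guesses/second."""
    return keyspace(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Round a duration to the largest sensible unit, as the slide does."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return "instant" if seconds < 1 else f"{seconds:.0f} seconds"


def cracking_table(lengths=(7, 8, 9), rate: float = 1e9) -> dict:
    """Rebuild the slide's table: {charset name: {length: human time}}."""
    return {name: {n: human(seconds_to_exhaust(size, n, rate)) for n in lengths}
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for name, row in cracking_table().items():
        print(f"{name:24}", *(f"{row[n]:>14}" for n in (7, 8, 9)))
```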
8. Rainbow Tables: If you know the password constraints, and you also know the hashing mechanism, then you can leverage rainbow tables!
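Slide 8's point, shown as an added example that is not from the talk: when the stored hash is fast and unsalted, the candidate space is hashed once and every later database needs only lookups; a random per-user salt plus a slow key-derivation function (PBKDF2, chosen here, not named on the slide) makes that precomputation worthless. The user names, passwords and candidate list below are constructed.

```python
# Added example (not from the slides): precomputed lookup against unsalted
# MD5 versus salted PBKDF2. All users, passwords and candidates are made up.
import hashlib
import hmac
import os

# Constructed candidate list standing in for the attacker's guesses; a real
# precomputed table would cover the whole constrained keyspace from slide 8.
CANDIDATES = ["sunshine1", "password1", "letmein", "qwerty123"]


def md5_hex(password: str) -> str:
    """Fast, unsalted MD5: the kind of storage a precomputed table defeats."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words) -> dict:
    """Precompute hash -> plaintext once; it works against every unsalted DB."""
    return {md5_hex(w): w for w in words}


def resolve_unsalted(stored_hashes, lookup) -> dict:
    """Match stored hashes against the table: pure lookups, no hashing at all."""
    return {h: lookup[h] for h in stored_hashes if h in lookup}


def salted_hash(password: str, salt: bytes, rounds: int = 200_000) -> str:
    """Defensive form: per-user random salt plus PBKDF2-HMAC-SHA256.
    The salt is stored beside the digest so verification can repeat it."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(salted_hash(password, bytes.fromhex(salt_hex)), stored)


def demo() -> tuple:
    """Constructed user database in which two users chose the same weak password."""
    users = {"user_a": "sunshine1", "user_b": "sunshine1", "user_c": "c0rrect-h0rse-battery"}
    unsalted_db = {u: md5_hex(p) for u, p in users.items()}
    hits = resolve_unsalted(unsalted_db.values(), build_lookup(CANDIDATES))
    # Same password, different salt -> unrelated stored values, and the
    # precomputed MD5 table has nothing to match against.
    salted_db = {u: salted_hash(p, os.urandom(16)) for u, p in users.items()}
    return hits, unsalted_db, salted_db


if __name__ == "__main__":
    hits, unsalted_db, salted_db = demo()
    print("unsalted hashes resolved by lookup:", hits)
    print("salted entries for the same password differ:", salted_db["user_a"] != salted_db["user_b"])
```

Note that in the unsalted database the two identical hashes also reveal, before any lookup, that user_a and user_b share a password.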
9. most passwords are too short. Psychology 101: Anything greater than 7 characters will begin to challenge our memory. (Chart: odds of forgetting against password strength, with “7 characters” and “a good password” marked.)

10. So, what makes a strong password? (The example passwords referred to are not in the transcript.) This would be a great one! Actually, this one is pretty good too. Wow! We are on a roll. This one as well. Passwords like these are good for a very long time.

11. The Rules:
   - DO use multiple identities
   - DO use big passwords (phrases!)
   - DO regularly change passwords***
   - DON’T share among services
   - DON’T give your passwords to people
   - DON’T put them in an email
   - DON’T store unencrypted
   Sounds complicated, how do I keep track?
12. how HTTPS:// works (the slide's diagram, rendered as a dialogue; the roles are inferred from the transcript)
   Customer: I would like to do some banking please
   Bank: OK, you will need this first
   Customer: What is my balance?
   Bank: $10.24
   Eavesdropper, seeing only scrambled traffic such as “445Dffsw1 1234dd AKn455dga pr44sse”: French? German maybe? ???

13. Market Caps (May 14 2012): Facebook 89 – 95 Billion; Ford 37 Billion; Honda 61 Billion; McDonalds 93 Billion; Sony 14 Billion. Source: http://ca.finance.yahoo.com/

14. Mark Pincus: “I did every horrible thing in the book to just get revenue right away”. Q1: 12 – 15% of Facebook revenue from Zynga
15. Mark Pincus: “I don’t f***ing want innovation. You’re not smarter than your competitor. Just copy what they do and do it until you get their numbers.”

16. “We do not own or operate the applications or websites that you use through Facebook […]Whenever you connect with a Platform application or website, we will receive information from them, including information about actions you take.[…]” Wha? Context shift? Policy A? Policy B? Policy C?

17. What are they doing with all of that data? Source: http://arstechnica.com/tech-policy/news/2011/05/google-facebook-fight-california-do-not-track-law.ars
18. a very abridged history of threats (chart contrasting PAST and PRESENT along: threat to end user, threat to company*, evasiveness, persistence)

19. Crimeware: Sold as kits; Customizable; Very low detection rate; Command and Control; Botnets 12+ million strong. “The most pervasive banking Trojan evades detection by antivirus software most of the time, according to new research”

20. Mariposa (butterfly bot): “a 12M+ infected hosts botnet that managed to steal sensitive data from 800,000 users across 190 countries, some of which include Fortune 1000 companies and 40 major banks.” http://www.zdnet.com/blog/security/police-arrest-mariposa-botnet-masters-12m-hosts-compromised/5587
21. drive by downloads: “Video of Michael Jackson last words! Turns out Elvis hated peanut butter” “Justin Bieber professes his love for an ocelot!” “Osama captured! See the execution LIVE!”
   “visiting a website, viewing an e-mail message or by clicking on a deceptive pop-up window”

22. what happens after infection
   Remote connection and control is available
   Keylogging facilities / session hijacking (for banking in particular)
   You join a team. Which will call upon you to:
   - Send spam!
   - Infect others!
   - Participate in denial of service attacks!

23. IF IT IS CUTE OR YOU FIND YOURSELF WITH AN IRRESISTIBLE URGE TO ‘CLICK ON IT’ THEN IT IS PROBABLY DANGEROUS!!
24. how do I stay safe?
   1) Keep your machine up to date
   2) Keep Flash up to date
   3) Keep Java up to date
   4) Make sure your AV is up to date and perform regular full system scans***

25. Free Stuff
   KeePassX: Password manager (Free) http://www.keepassx.org
   Security Essentials: Antivirus Software (Free) http://www.microsoft.com/en-us/security_essentials/default.aspx
   Avast for MAC: Antivirus (Free) http://www.avast.com/free-antivirus-mac
   Malwarebytes: Malware software (Free) http://www.malwarebytes.org