Slide 1

Internet Safety
Paul Halliday | Security Analyst | NSCC | Festival of Learning, May 2012

“Those who are incapable of committing great crimes do not readily suspect them in others” -- François de la Rochefoucauld

Slide 2

about me
- network security analyst with the college since 2004
- network security monitoring, risk analysis, awareness
- open source author and advocate

Slide 3

about this presentation
- usernames and passwords
- encryption and privacy
- threats: past, present and protection

Slide 4

strong passwords: why they are important

Slide 5

login + password =

Slide 6

in the news
“Anonymous reveals 90k military email and password combos in the name of #Antisec”
Source: http://betanews.com/2011/07/12/anonymous-reveals-90k-military-email-and-password-combos-in-the-name-of-antisec/

Slide 7

in the news
“After LulzSec's recent spray of 62,000 passwords, Twitter came alive with LulzSec hangers-on announcing the malevolent uses to which they'd quickly put the leaked data - such as sending a large pack of condoms to a random woman using someone else's money, or trying to break up relationships by posting fake information on Facebook”
Source: http://nakedsecurity.sophos.com/2011/06/21/lulzsec-anonymous-should-i-change-my-password/

Slide 8

in the news
“Verisign’s iDefense has uncovered evidence that a hacker by the name of Kirllos is apparently selling a massive number of social networking accounts on an underground forum[...] According to iDefense, criminals could use the data to set up fraudulent bank accounts, money transfer scams and for stealing identities.”
Source: http://www.geekwithlaptop.com/hacker-selling-facebook-accounts-online

Slide 9

How passwords are stored
cleartext: Papershoes
password hash: Xnffba7d25e042c0d367e471a973397ee7a16069cc

Slide 10

How passwords are attacked

Username        Email               Password (hashed)
crazydave656    [email protected]   0800fc577294c34e0b28ad2839435945
kittens         [email protected]   8ee2027983915ec78acc45027d874316
jackercrack     [email protected]   e2bbb098e9f3c4367dd6121e90df7ab9

Pick an online service / or a device
Computers are very effective at cracking passwords. Some are even capable of over 2 Billion attempts / second *

Slide 11

Unfortunately: resilience to attack

Condition                 7 Characters   8 Characters   9 Characters
Numbers (0-9)             Instant        Instant        Instant
Full Alphabet (A-Z)       8 seconds      3.5 minutes    1.5 hours
Mixed Alphabet (aA-zZ)    17 minutes     15 hours       32 days
Mixed & Symbols           20 hours       83 days        10 years

Sources: http://www.lockdown.co.uk/?pg=combi, http://en.wikipedia.org/wiki/Password_strength, others.

Slide 12

Rainbow Tables
If you know the password constraints,
and you also know the hashing mechanism,
then you can leverage rainbow tables!
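The storage and cracking picture of the last four slides (cleartext vs. hash, wordlist attacks at billions of guesses a second, rainbow tables once the hash function is known), as an added Python example; this is not code from the presentation. The users, passwords and six-entry “wordlist” are constructed stand-ins for a breached database and a cracker's dictionary. It shows why an unsalted fast hash lets an attacker precompute one table and reuse it against every user and every site, and how a per-user random salt plus a slow hash (PBKDF2 here) removes that shortcut. One caveat the slide does not spell out, and which the output makes visible: salting does not rescue a password that is itself in the wordlist.

```python
"""How passwords are stored and how the stored form gets attacked.
Added example for this deck, not the presenter's code. Users, passwords and the
six-entry "wordlist" are constructed stand-ins for a breached database and a
cracker's dictionary."""
import hashlib
import hmac
import os

# Constructed: what three accounts might look like before the site hashes them.
USERS = {
    "crazydave656": "kittens",        # a dictionary word
    "jackercrack":  "Papershoes",     # slide 9's example password
    "mallory":      "7Kq#v9!pLx2z",   # 12 random characters, in no wordlist
}

# Constructed stand-in for a cracker's dictionary (real ones: hundreds of millions).
WORDLIST = ["password", "123456", "kittens", "letmein", "Papershoes", "qwerty"]

def store_unsalted_md5(pw):
    """Slide 9's 'hash' option done badly: a fast hash with no salt, so everyone
    who picked the same password gets the same stored value."""
    return hashlib.md5(pw.encode()).hexdigest()

def crack_unsalted(stored, wordlist):
    """Hash the wordlist ONCE, then look every user up in the table. The table
    is reusable across users and across sites; a rainbow table is a
    space-efficient version of exactly this precomputation."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

PBKDF2_ROUNDS = 100_000   # deliberately slow; real deployments tune this to their hardware

def store_salted_pbkdf2(pw, salt=None):
    """Per-user random salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()

def check_salted_pbkdf2(pw, record):
    salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare

def crack_salted(stored, wordlist):
    """No shared table is possible: the salt differs per user, so every guess is
    re-derived for every user, at PBKDF2_ROUNDS iterations a time."""
    found = {}
    for user, record in stored.items():
        for w in wordlist:
            if check_salted_pbkdf2(w, record):
                found[user] = w
                break
    return found

def demo():
    unsalted = {u: store_unsalted_md5(p) for u, p in USERS.items()}
    salted = {u: store_salted_pbkdf2(p) for u, p in USERS.items()}
    return {
        "md5_cracked": crack_unsalted(unsalted, WORDLIST),
        "pbkdf2_cracked": crack_salted(salted, WORDLIST),
        # Same password, same MD5: a leak from one site cracks it everywhere.
        "md5_hash_reuse": store_unsalted_md5("kittens") == unsalted["crazydave656"],
        # Same password, different salt: nothing to match a precomputed table against.
        "pbkdf2_hash_reuse": store_salted_pbkdf2("kittens") == salted["crazydave656"],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Both stores give up the two dictionary passwords; the salted, slow store only makes each guess cost a full PBKDF2 run per user, which is what turns “2 billion attempts a second” into a few thousand. The random 12-character password survives both, which is the argument the next slides make for long passwords.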

Slide 13

Botnet distributed attack
(diagram: guesses abcde1 through abcde8 spread across infected machines)
Zeus?

Slide 14

most passwords are too short
Psychology 101: anything greater than 7 characters will begin to challenge our memory
(chart: odds of forgetting vs. password strength, with 7 characters marked as “a good password”)

Slide 15

So, what makes a strong password?
This would be a great one! Actually, this one is pretty good too. Wow! We are on a roll. This one as well.
Passwords like these are good for a very long time

Slide 16

The Rules:
- DO use multiple identities
- DO use big passwords (phrases!)
- DO regularly change passwords***
- DON’T share among services
- DON’T give your passwords to people
- DON’T put them in an email
- DON’T store unencrypted

Sounds complicated, how do I keep track?
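The arithmetic behind slides 10, 11 and 14 to 16, as an added Python example that is not code from the presentation: how many guesses a given character set and length allow, how long exhausting them takes at slide 10's “2 billion attempts a second” (so the times come out shorter than slide 11's table), and a passphrase generator for the “big passwords (phrases!)” rule that draws words from the operating system's random source. The eight-word list is a constructed stand-in; 7776 is the size of a standard Diceware word list.

```python
"""Keyspace, time-to-exhaust and passphrases. Added example for this deck, not
the presenter's code. SAMPLE_WORDS is a constructed stand-in for a real list."""
import math
import secrets

GUESSES_PER_SECOND = 2_000_000_000   # slide 10: "over 2 Billion attempts / second"
DICEWARE_LIST_SIZE = 7776            # size of a standard Diceware word list

# Character-set sizes behind the rows of slide 11's table.
CHARSETS = {
    "Numbers (0-9)": 10,
    "Full Alphabet (a-z)": 26,
    "Mixed Alphabet (aA-zZ)": 52,
    "Mixed & Symbols (printable ASCII)": 95,
}

def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """Strength of a uniformly random pick from that keyspace, in bits."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker; on average they finish in half this time."""
    return keyspace(alphabet_size, length) / rate

def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

# Constructed stand-in; use a published Diceware list in practice.
SAMPLE_WORDS = ["ocelot", "harbour", "lantern", "festival", "granite", "saddle", "quartz", "meadow"]

def passphrase(words, count=5, sep="-"):
    """Pick words with the OS CSPRNG (secrets), never random.choice. The
    strength comes from the uniform random choice, not from obscure words."""
    return sep.join(secrets.choice(words) for _ in range(count))

def passphrase_bits(list_size, count):
    """Each uniformly chosen word contributes log2(list_size) bits."""
    return entropy_bits(list_size, count)

def comparison():
    """Rows comparing the deck's password classes with Diceware passphrases."""
    rows = []
    for label, size in CHARSETS.items():
        for length in (7, 8, 9):
            rows.append((f"{length} chars, {label}", entropy_bits(size, length),
                         human(seconds_to_exhaust(size, length))))
    for count in (4, 5, 6):
        rows.append((f"{count}-word Diceware passphrase", passphrase_bits(DICEWARE_LIST_SIZE, count),
                     human(seconds_to_exhaust(DICEWARE_LIST_SIZE, count))))
    return rows

if __name__ == "__main__":
    print("generated passphrase:", passphrase(SAMPLE_WORDS))
    for label, bits, time_taken in comparison():
        print(f"{label:45} {bits:5.1f} bits  {time_taken}")
```

A five-word Diceware passphrase is about 64.6 bits, comfortably above a 9-character mixed-case-and-symbol password (about 59 bits) and far above the 7 characters slide 14 says people can actually remember, which is the point of the “phrases!” rule.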

Slide 17

You could use a password manager: KeePass

Slide 18

encryption: why it is important

Slide 19

While online, use encryption where appropriate: HTTP:// versus HTTPS://

Slide 20

how HTTPS:// works
You: “I would like to do some banking please”
Bank: “OK, You will need this first”
You: “What is my balance?” (on the wire: 445Dffsw1 1234dd AKn455dga pr44sse)
Anyone listening in: “French? German maybe? ???”
Bank: “$10.24”

Slide 21

Certificate Authorities
Your browser (Firefox, Internet Explorer, Chrome, Opera) ships with a list of CA’s it trusts; a site such as gmail.com gets the ✔ when its certificate is signed by one of them.

Slide 22

Certificate Warnings / Errors

Slide 23

encryption should always be used for
- Login Pages (with fallback)
- Banking Sites (never fallback)

Slide 24

identifying a secure connection
Clear as mud

Slide 25

OK, but why is it important?

Slide 26

perceived model

Slide 27

a more accurate model
(diagram: a chain of artifacts between you and the site, with “magic in here!” in the middle)

Slide 28

man in the middle attack
(diagram: an attacker inserted between you and WWW. .CA)
hotspots!
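The HTTPS pieces from slides 20 to 22 and the hotspot man-in-the-middle on this slide, as an added Python example that is not code from the presentation: a toy certificate authority, a bank certificate, and the three things an attacker sitting on a hotspot can actually present to your browser. It uses textbook RSA over tiny primes with no padding as a stand-in for real signatures, so it is not TLS or X.509; the names Example Root CA, Hotspot CA, www.bank.example and free-wifi.example are constructed. What it shows is the check that produces the padlock or the warning: the certificate must be signed by a CA already in the browser's list, be unmodified, and be issued for the hostname you typed.

```python
"""Toy model of the trust decision behind the browser padlock: is this
certificate signed by a CA the browser already trusts, unmodified, and for the
site I typed? Added example for this deck, not the presenter's code. Textbook
RSA over tiny primes with no padding: NOT real TLS/X.509, only the checking
logic is the point. All names below are constructed."""
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    while not is_probable_prime(n):
        n += 1
    return n

def make_keypair(seed):
    """Toy RSA keypair from the first primes at or above seed and seed + 1000."""
    p, q = next_prime(seed), next_prime(seed + 1000)
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # public key, private key

def _digest_mod_n(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)

def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)

def to_be_signed(cert):
    """The fields the CA vouches for: issuer, hostname and the site's public key.
    Rebuilt from the certificate's own fields so a swapped field breaks the signature."""
    n, e = cert["pub"]
    return f'{cert["issuer"]}|{cert["subject"]}|{n}|{e}'.encode()

def issue_certificate(issuer, issuer_private_key, subject, subject_public_key):
    cert = {"issuer": issuer, "subject": subject, "pub": subject_public_key}
    cert["sig"] = sign(issuer_private_key, to_be_signed(cert))
    return cert

def browser_accepts(cert, hostname, trusted_roots):
    """Returns (ok, reason). False is what the browser turns into a certificate
    warning (slide 22); True is the padlock."""
    root_key = trusted_roots.get(cert["issuer"])
    if root_key is None:
        return False, "issuer not in the browser's trusted CA list (self-signed or unknown CA)"
    if not verify(root_key, to_be_signed(cert), cert["sig"]):
        return False, "signature does not match the certificate contents (tampered)"
    if cert["subject"] != hostname:
        return False, f"certificate is for {cert['subject']}, not {hostname}"
    return True, "trusted certificate for this hostname"

def scenario():
    """The legitimate bank vs. the three things a hotspot attacker can present."""
    ca_pub, ca_priv = make_keypair(10**6)
    bank_pub, _ = make_keypair(2 * 10**6)
    evil_pub, evil_priv = make_keypair(3 * 10**6)
    trusted_roots = {"Example Root CA": ca_pub}   # what ships with the browser

    bank_cert = issue_certificate("Example Root CA", ca_priv, "www.bank.example", bank_pub)
    # The attacker has no CA key, so they can only self-sign for the bank's name ...
    self_signed = issue_certificate("Hotspot CA", evil_priv, "www.bank.example", evil_pub)
    # ... or obtain a real certificate for a domain they control ...
    own_domain = issue_certificate("Example Root CA", ca_priv, "free-wifi.example", evil_pub)
    # ... or relay the bank's certificate with their own public key swapped in.
    tampered = dict(bank_cert, pub=evil_pub)

    return {
        "bank": browser_accepts(bank_cert, "www.bank.example", trusted_roots),
        "self_signed": browser_accepts(self_signed, "www.bank.example", trusted_roots),
        "wrong_name": browser_accepts(own_domain, "www.bank.example", trusted_roots),
        "tampered": browser_accepts(tampered, "www.bank.example", trusted_roots),
        "attacker_own_site": browser_accepts(own_domain, "free-wifi.example", trusted_roots),
    }

if __name__ == "__main__":
    for name, (ok, reason) in scenario().items():
        print(f"{name:18} {'PADLOCK' if ok else 'WARNING'}: {reason}")
```

The last case is the caveat behind slide 24's “clear as mud”: the padlock only says you are talking to the site named in the address bar, so an attacker's own correctly certified domain gets a padlock too. The other three are the warnings a hotspot man-in-the-middle has to trigger, which is why clicking through one is the moment the attack succeeds.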

Slide 29

Source: https://www.eff.org/issues/nsa-spying

Slide 30

take all of this with a grain of salt

Slide 31

The CIA’s Facebook

Slide 32

Source: http://www.forbes.com/sites/tomiogeron/2012/05/03/facebook-seeking-ipo-with-market-cap-of-86-billion/

Slide 33

Market Caps (May 14 2012)
Facebook     89 – 95 Billion
Ford         37 Billion
Honda        61 Billion
McDonalds    93 Billion
Sony         14 Billion
Source: http://ca.finance.yahoo.com/

Slide 34

Mark Pincus Video

Slide 35

Mark Pincus: “I did every horrible thing in the book to just get revenue right away”
Q1: 12 – 15% of Facebook revenue from Zynga

Slide 36

Mark Pincus: “I don’t f***ing want innovation. You’re not smarter than your competitor. Just copy what they do and do it until you get their numbers.”

Slide 37

http://arstechnica.com/gaming/2011/05/you-have-died-from-dysentery-zynga-sued-over-oregon-trail/

Slide 38

http://www.forbes.com/sites/insertcoin/2012/01/25/everything-wrong-with-zynga-in-one-image/

Slide 39

Slide 40

“We do not own or operate the applications or websites that you use through Facebook […]Whenever you connect with a Platform application or website, we will receive information from them, including information about actions you take.[…]”
Wha? Context shift? Policy A? Policy B? Policy C?

Slide 41

What are they doing with all of that data?
Source: http://arstechnica.com/tech-policy/news/2011/05/google-facebook-fight-california-do-not-track-law.ars

Slide 42

Bill classification
Source: http://info.sen.ca.gov/pub/11-12/bill/sen/sb_0751-0800/sb_761_bill_20120201_status.html
CURRENT BILL STATUS
MEASURE : S.B. No. 761
AUTHOR(S) : Lowenthal.
TOPIC : Computer spyware.
+LAST AMENDED DATE : 05/10/2011

Slide 43

Concerns

Slide 44

Leverage what you have
Source: http://www.theregister.co.uk/2011/04/27/tomtom_customer_data_flap/

Slide 45

Leverage
http://www.canada.com/teenagers+kicked+Conservative+party+rally/4564787/story.html

Slide 46

Don’t tell me who you are, SHOW ME
Source: http://ca.news.yahoo.com/blogs/right-click/employer-requesting-facebook-login-raises-privacy-concerns-171352409.html

Slide 47

online threats: why awareness of them is important

Slide 48

30% to 60% of computers are infected with some form of malware

Slide 49

a very abridged history of threats
(diagram, PAST to PRESENT: threat to end user, threat to company*, evasiveness, persistence)

Slide 50

Crimeware
- Sold as kits
- Customizable
- Very low detection rate
- Command and Control
- Botnets 12+ million strong
“The most pervasive banking Trojan evades detection by antivirus software most of the time, according to new research”

Slide 51

Mariposa (butterfly bot)
“a 12M+ infected hosts botnet that managed to steal sensitive data from 800,000 users across 190 countries, some of which include Fortune 1000 companies and 40 major banks.”
http://www.zdnet.com/blog/security/police-arrest-mariposa-botnet-masters-12m-hosts-compromised/5587

Slide 52

how do I get infected?

Slide 53

drive by downloads
“Video of Michael Jackson last words! Turns out Elvis hated peanut butter”
“Justin Bieber professes his love for an ocelot!”
“Osama captured! See the execution LIVE!”
“visiting a website, viewing an e-mail message or by clicking on a deceptive pop-up window”

Slide 54

what happens after infection
- Remote connection and control is available
- Keylogging facilities / session hijacking (for banking in particular)
- You join a team. Which will call upon you to:
  - Send spam!
  - Infect others!
  - Participate in denial of service attacks!

Slide 55

crapware

Slide 56

Slide 57

IF IT IS CUTE OR YOU FIND YOURSELF WITH AN IRRESISTIBLE URGE TO ‘CLICK ON IT’ THEN IT IS PROBABLY DANGEROUS!!

Slide 58

how do I stay safe?
1) Keep your machine up to date
2) Keep Flash up to date
3) Keep Java up to date
4) Make sure your AV is up to date and perform regular full system scans***

Slide 59

Free Stuff
- KeePassX: Password manager (Free) http://www.keepassx.org
- Security Essentials: Antivirus software (Free) http://www.microsoft.com/en-us/security_essentials/default.aspx
- Avast for Mac: Antivirus (Free) http://www.avast.com/free-antivirus-mac
- Malwarebytes: Anti-malware software (Free) http://www.malwarebytes.org