Karen McDowell, Ph.D., GCIH Information Security, Policy, and Records Office (ISPRO) karenm@virginia.edu June 2013 ANATOMY OF A HACK

Step 1: Do Reconnaissance. Successful hackers are excellent researchers, diligent, and persistent. They study our websites, our entries on social media, and other available information. This stage is non-intrusive.

Step 2: Attract the Victim. Send a spear-phishing email. Trick the victim into clicking on a link and giving away their PII. The attacker is usually interacting with the system within five minutes of the person clicking on the email.

Step 3: Gain Control. Install custom-made malicious software, exploiting a vulnerability* in the system. Attempt to gain administrator credentials to go deeper into the network. Establish one or more back doors to communicate with a command and control server (C&C). *Good reason to keep your computers and programs current and backed up!

Step 4: Exfiltrate Data & Conscript. Exfiltrate intellectual property and/or your credentials to the C&C servers. Conscript your computer for later use in other attacks like DDoS. The theft of intellectual property in the US in the past year alone is measured in terabytes* of data.

Overall: Cloak Source. Hackers routinely penetrate major universities, routing attacks through them. Decentralized universities are porous and create perfect proxies. University employees are prime targets.

Where was the antivirus? Unfortunate that Symantec is taking a lot of heat for failing to detect NYT. Antivirus is well known to be only a speed bump, yet you gotta have it. Hackers also use zero-day attacks*, which no antivirus can detect. *An attack that exploits a previously unknown vulnerability in a computer application.

Crack passwords. Hackers cracked and stole the corporate passwords for many Times employees. Gained access to the personal computers of 53 employees, most of them outside The Times's newsroom. Over a 3-month period installed 45 pieces of custom malware.

What did we learn? The Times wisely allowed the hack to go on for 3 months to learn the attackers' methods and to prevent a return. Good news! Companies under attack are taking the crucial step to pool their resources - RSA Conference February 2013

Recent Major Attacks: EMC's computer security unit RSA; US Chamber of Commerce; Wall Street Journal; New York Times; Apple & Microsoft; Facebook & Twitter; Federal Reserve; Reuters & Sony; Google

The RSA Hack: A Cautionary Tale. The Human is the Weakest Link.

Attack Vectors: Spear phishing email messages; Phone calls target you at home; USB sticks left lying around anywhere; Weak passwords, vulnerable machines; Drive-by-Downloads; Coupon Bars (there has to be a better way to do this)

Iranian Elections & US Bank Attacks. "Dear User, Add an alternate email address to your account. You can use this to sign into your account, reset your password, and more. Click on this link: https://accounts.google.com/b/0/editusrinfo"

You Are a Target! Username & Passwords; Email Harvesting; Financial Extortion (Ransomware); Identity Hijacking; Botnets; Virtual Goods

How Can I Spear-Phish You? Let me count the ways! Average more than one a week. Someone always responds. All hackers need is one response.

Notice the https://

Courtesy of Yale University

Wire Transfer Phish

Don't Be a Victim! Realize you are a target. Know your adversary's tricks. Take control of your online presence. Forward to abuse@virginia.edu. Just don't click on it. Don't respond. DELETE.

What You Can Do! Check our Current Security Alerts & Warnings page and subscribe to the RSS Feed, or Follow us on Twitter, and/or Email abuse@virginia.edu for an answer or simply to report it. Delete the questionable email by all means!

Vishing, VOIP, Smishing, QRishing: Telephone tech support scams; "Your account needs updating"; "Register for free prizes!"; "Your credit card has been deactivated"

QR Codes and QRishing

Do You Wanna Be a Money Mule?

Money Mule Offer Flatters Me

Part II of the Same Offer

Password Guesser
out.12920:join: Oct 21 14:36:33 Guessed akovacs (/usr1/bin/badpasswd in! maxwell.passwd) [morrison].ab8khkzfzkcc
out.12920:join: Oct 21 14:36:33 Guessed dsummers (/usr1/bin/badpasswd in! maxwell.passwd) [w0mbat] /P8idUdpMO/6Q
out.12920:join: Oct 21 14:36:33 Guessed crockett (/usr1/bin/badpasswd in! maxwell.passwd) [bxxxsxxx] 2ULXddBrRGI.I
out.12920:join: Oct 21 14:36:33 Guessed jlucas (/usr1/bin/badpasswd in! maxwell.passwd) [stealth] 6KIIfIlFO0qP6
out.12920:join: Oct 21 14:36:33 Guessed cminton (/usr1/bin/badpasswd in! maxwell.passwd) [Faustus] 6hiuZITiFmlX.!

Courtesy of Indiana University

Passphrases are just words. Easy to remember. "My son only calls me when he needs money" (without spaces). "If I won the lottery, I would quit working" (w/o spaces). Avoid famous sayings or quotes, like - "Give me liberty or give me death", - "To be or not to be-25", - "Four score and seven years ago"

Not less than 20 Characters. Mixed characters (number, letter, symbol). "I hope you all are enjoying this conference in 2013!" without quotes. "My son only contacts me when he wants money!!" with or without spaces. "Can you 35 tell the difference between a phish and a fish?"

Length or Complexity? Length is much more powerful. First letter of each word: "My Prius uses too much gas in the winter" for the password MPu2m8it*. Add 3-4 character extensions to this root passphrase, like BoA! or Wf#.
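The passphrase rules from the three slides above (at least 20 characters, mixed characters, no famous sayings) and the "length is much more powerful" claim, worked through as an added example that is not part of the original slides. The function names are hypothetical, "mixed" is assumed to mean letters plus at least one non-letter, and the bit count is only an upper bound for blind brute force.

```python
import math

# Sayings the slides list as ones to avoid.
FAMOUS_SAYINGS = ("Give me liberty or give me death", "To be or not to be",
                  "Four score and seven years ago")
MIN_LENGTH = 20  # "Not less than 20 characters"
TOO_SHORT, NOT_MIXED, FAMOUS = "too short", "not mixed", "famous saying"


def letters_only(text):
    """Lowercase and drop everything but letters, so spacing or added
    digits cannot hide a well-known saying."""
    return "".join(c for c in text.lower() if c.isalpha())


def charset_size(secret):
    """Alphabet a blind brute-force attacker has to cover (ASCII assumed)."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33  # 32 ASCII punctuation marks plus the space
    return size


def brute_force_bits(secret):
    """log2 of the character-by-character search space. This is an upper
    bound: word-list attacks on natural phrases need far fewer guesses."""
    size = charset_size(secret)
    return len(secret) * math.log2(size) if size else 0.0


def check_passphrase(secret):
    """Return the list of slide rules the secret breaks (empty = passes)."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    has_letter = any(c.isalpha() for c in secret)
    has_other = any(not c.isalpha() for c in secret)  # digit, symbol or space
    if not (has_letter and has_other):
        problems.append(NOT_MIXED)
    squeezed = letters_only(secret)
    if any(letters_only(s) in squeezed for s in FAMOUS_SAYINGS):
        problems.append(FAMOUS)
    return problems
```

Run on the slides' own samples, the 9-character MPu2m8it* comes out near 59 bits and fails the length rule, while "My son only contacts me when he wants money!!" passes every rule with a far larger search space.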

Easy to Do

Skype Calls from Anyone?

Three Golden Rules. Verify unsolicited communication. Maintain strong passwords. Create a different password for each account.

Hacks on Hacks. Zappos and LinkedIn, etc. Hackers steal passwords, send you a spear-phishing message purporting to be from the hacked company: "Click here to reset your password!"

Hackers for Hire. Pavel Vrublevsky, owner of Russian payments firm ChronoPay

Anything Can Be Spoofed. http://www.spoofcard.com/ allows users to call people while displaying a fake name. Tor.com allows you to anonymize. Wireless hot spots in hotels, airports, coffee shops, and other public places. Firesheep, Kismet, other software lets anyone impersonate you.

Defense-in-Depth on Mobile. Verify SMS/text messages independently to avoid smishing. Take initiative to update system and application software. Know the remote wipe option. 3/4G is safer than local wireless hotspots. Disable or at least be aware of GPS and geotagging.

Smishing. "GATEWAY BANK ALERT: Your card starting with 4138* has been DEACTIVATED. Please contact us at 804-414-7700."

Android, Blackberry, iPhone. Passcode: - Enable at least 4 digits - Don't use 1234, or 0000, 2580, 5555, etc. - Exceeding the number of allowed password attempts deletes all data. Auto-Lock: - Locks the screen after a pre-set time period of non-use (consider 30 minutes or less) - Passcode-lock enhances auto-lock

Are Market Place Downloads Safe? Do not click Install before you review. Do you want this app to have so much access to your information? Think before you app!

Tips to Protect Mobile Devices. Click with care: many tempting offers duplicate the look and feel of legit sites. Do not respond to security alerts or password request emails on your smart phone. They are usually fraudulent. Install an app security scanner on your phone or iPad.

Mobile Phone Protection. Lookout Mobile Security - https://www.lookout.com/ McAfee Mobile Security - https://www.mcafeemobilesecurity.com/products/android.aspx Verizon Mobile Security - http://www.verizon.com Vipre Mobile Security - http://www.vipremobile.com/

Greatest Threat to Smart Phones? About 113 smartphones are stolen or lost every minute in the US, with many of the thefts turning violent. In 2012, 1.6 million Americans were victimized for their smartphones - These crimes have led to severe injuries and the loss of life. Secure Our Smartphones: there is a technical solution, a kill switch.

iPhone, iPad Security Settings. iPhone: General tab > Restrictions > Enable Restrictions > Select Enable "Ask to join networks" function on iPhone. iPad: Enable Data Protection - Settings > General > Passcode

Find my iPhone/iPod/iPad. Find my iPhone requires an Apple iCloud account and a recent device. Add other, older devices once an account is set up. http://www.apple.com/icloud/features/find-my-iphone.html

Android Security Settings. Internet > More > Settings > Block Pop-up Windows and Clear Cache, Cookie data often. - Uncheck Remember Form Data, Enable Location and Remember Passwords. Always browse with https:// if you log in using any credentials.

Wireless Network Tips. Use WPA2 encryption on router. Change the default SSID. Change the default login and password. Create strong passwords for all devices including printers. Install an alternate DNS provider.

Free Annual Credit Report. Check your free annual credit report: http://annualcreditreport.com (not freecreditreport.com). Check personal data for accuracy. You will not receive a credit score unless you pay for it. Don't use a debit card online!

Unforgettable from Australia. Stay One Click Ahead and Outsmart the Scammers.

We are the Weakest Links. http://www.securingthehuman.org/resources/ncsam

STOP.THINK.CONNECT stopthinkconnect.org