Karen McDowell, Ph.D., GCIH
Information Security, Policy, and Records Office (ISPRO)
karenm@virginia.edu
June 2013

ANATOMY OF A HACK

Step 1: Do Reconnaissance
• Successful hackers are excellent researchers, diligent, and persistent
• They study our websites, our entries on social media, and other available information
• This stage is non-intrusive.

Step 2: Attract the Victim
• Send a spear-phishing email
• Trick the victim into clicking on a link and giving away their PII
• The attacker is usually interacting with the system within five minutes of the person clicking on the email

Step 3: Gain Control
• Install custom-made malicious software, exploiting a vulnerability* in the system
• Attempt to gain administrator credentials to go deeper into the network
• Establish one or more back doors to communicate with a command and control (C&C) server
*Good reason to keep your computers and programs current and backed up!

Step 4: Exfiltrate Data & Conscript
• Exfiltrate intellectual property and/or your credentials to the C&C servers
• Conscript your computer for later use in other attacks, like DDoS
• The theft of intellectual property in the US in the past year alone is measured in terabytes* of data

Overall: Cloak Source
• Hackers routinely penetrate major universities, routing attacks through them.
• Decentralized universities are porous and create perfect proxies.
• University employees are prime targets.
Where was the antivirus?
• Unfortunate that Symantec is taking a lot of heat for failing to detect the NYT attack
• Antivirus is well known to be only a speed bump, yet you gotta have it.
• Hackers also use zero-day attacks*, which no antivirus can detect
*An attack that exploits a previously unknown vulnerability in a computer application

Crack passwords
• Hackers cracked and stole the corporate passwords for many Times employees
• Gained access to the personal computers of 53 employees, most of them outside The Times's newsroom
• Over a 3-month period, installed 45 pieces of custom malware

What did we learn?
• The Times wisely allowed the hack to go on for 3 months to learn the attackers' methods and to prevent a return
• Good news! Companies under attack are taking the crucial step to pool their resources
  • RSA Conference, February 2013

Recent Major Attacks
• EMC's computer security unit RSA
• US Chamber of Commerce
• Wall Street Journal
• New York Times
• Apple & Microsoft
• Facebook & Twitter
• Federal Reserve
• Reuters & Sony
• Google

The RSA Hack: A Cautionary Tale
The Human is the Weakest Link

Attack Vectors
• Spear-phishing email messages
• Phone calls that target you at home
• USB sticks left lying around anywhere
• Weak passwords, vulnerable machines
• Drive-by downloads
• Coupon bars (there has to be a better way to do this)
Iranian Elections & US Bank Attacks

  Dear User,
  Add an alternate email address to your account. You can use this to sign into your account, reset your password, and more.
  Click on this link: https://accounts.google.com/b/0/editusrinfo

You Are a Target!
• Usernames & passwords
• Email harvesting
• Financial extortion (ransomware)
• Identity hijacking
• Botnets
• Virtual goods

How Can I Spear-Phish You? Let me count the ways!
• Average more than one a week
• Someone always responds
• All hackers need is one response

Notice the https://
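The phish above works because the reader trusts the https:// URL they can see in the message. What a mail filter or an awareness tool can check is whether that visible URL is where the link actually goes, and whether the real destination merely embeds a trusted brand name. The Python below is an added example and is not from the presentation; the email body is constructed for illustration (the lookalike host under the reserved example.net domain is made up), and the trusted-brand list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the phish quoted on the slide: the visible text
# is a genuine-looking https:// Google URL, but the real href points elsewhere.
SAMPLE_EMAIL = """
<p>Dear User,</p>
<p>Add an alternate email address to your account. Click on this link:
<a href="http://accounts.google.com.example.net/b/0/editusrinfo">
https://accounts.google.com/b/0/editusrinfo</a></p>
<p><a href="https://support.google.com/">Help</a></p>
"""

TRUSTED_HOSTS = ("google.com",)  # assumption: brands this mailbox expects mail from


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse line breaks and runs of spaces inside the link text.
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' when the text is not a URL at all."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, trusted):
    """True only when host IS the trusted domain or a genuine subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def link_findings(html, trusted_hosts=TRUSTED_HOSTS):
    """Return (visible_text, href, reason) for each link that should be flagged."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        dest = host_of(href)
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != dest:
            # The https:// the reader sees is not where the click actually goes.
            findings.append((text, href, "visible URL host differs from destination"))
            continue
        for trusted in trusted_hosts:
            if trusted in dest and not belongs_to(dest, trusted):
                # e.g. accounts.google.com.example.net: the brand is embedded as bait.
                findings.append((text, href, f"lookalike of {trusted}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in link_findings(SAMPLE_EMAIL):
        print(f"{reason}: shown={text!r} actual={href!r}")
```

Run stand-alone it reports the first link only: the visible Google URL does not match the destination host, while the plain "Help" link to a real google.com subdomain passes. The hostname comparison is exact on purpose; a check that accepted "contains google.com" would pass the very lookalike the example catches.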
Courtesy of Yale University

Wire Transfer Phish

Don't Be a Victim!
• Realize you are a target
• Know your adversary's tricks
• Take control of your online presence
• Forward to abuse@virginia.edu
• Just don't click on it
• Don't respond
• DELETE

What You Can Do!
• Check our Current Security Alerts & Warnings page and subscribe to the RSS feed, or
• Follow us on Twitter, and/or
• Email abuse@virginia.edu for an answer or simply to report it.
• Delete the questionable email by all means!

Vishing, VoIP, Smishing, QRishing
• Telephone tech support scams
• "Your account needs updating"
• "Register for free prizes!"
• "Your credit card has been deactivated"

QR Codes and QRishing

Do You Wanna Be a Money Mule?

Money Mule Offer Flatters Me

Part II of the Same Offer

Password Guesser
out.12920:join: Oct 21 14:36:33 Guessed akovacs (/usr1/bin/badpasswd in! maxwell.passwd) [morrison].ab8khkzfzkcc
out.12920:join: Oct 21 14:36:33 Guessed dsummers (/usr1/bin/badpasswd in! maxwell.passwd) [w0mbat] /P8idUdpMO/6Q
out.12920:join: Oct 21 14:36:33 Guessed crockett (/usr1/bin/badpasswd in! maxwell.passwd) [bxxxsxxx] 2ULXddBrRGI.I
out.12920:join: Oct 21 14:36:33 Guessed jlucas (/usr1/bin/badpasswd in! maxwell.passwd) [stealth] 6KIIfIlFO0qP6
out.12920:join: Oct 21 14:36:33 Guessed cminton (/usr1/bin/badpasswd in! maxwell.passwd) [Faustus] 6hiuZITiFmlX.!
Courtesy of Indiana University
Passphrases are just words
• Easy to remember
• "My son only calls me when he needs money" (without spaces)
• "If I won the lottery, I would quit working" (w/o spaces)
• Avoid famous sayings or quotes, like
  • "Give me liberty or give me death"
  • "To be or not to be-25"
  • "Four score and seven years ago"

Not less than 20 Characters
• Mixed characters (number, letter, symbol)
• "I hope you all are enjoying this conference in 2013!" (without quotes)
• "My son only contacts me when he wants money!!" (with or without spaces)
• "Can you 35 tell the difference between a phish and a fish?"

Length or Complexity?
• Length is much more powerful.
• First letter of each word: "My Prius uses too much gas in the winter" for the password MPu2m8it*
• Add 3-4 character extensions to this root passphrase, like BoA! or Wf#
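The three slides above amount to a passphrase policy: at least 20 characters, letters plus numbers plus symbols, no famous quotes, and a root built from the first letter of each word with a short per-site extension. The Python below is an added example that is not part of the presentation; it turns those rules into a checker and carries the derivation through. The quote blocklist, the homophone substitutions (too → 2, for → 4) and the entropy comparison are assumptions of this example, and the substitution table produces a root that differs from the slide's own MPu2m8it*.

```python
import math
import string

MIN_LENGTH = 20  # the slides' "not less than 20 characters"

# Constructed blocklist standing in for the famous sayings the slides warn against.
FAMOUS_QUOTES = [
    "Give me liberty or give me death",
    "To be or not to be",
    "Four score and seven years ago",
]

# Assumed homophone substitutions used when deriving a root from a sentence.
HOMOPHONES = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4", "ate": "8"}


def normalize(text):
    """Lower-case and keep only letters/digits, so removing spaces or adding
    punctuation cannot hide a well-known quote from the check."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def character_classes(passphrase):
    """Which of letter / number / symbol appear; spaces count as none of them."""
    classes = set()
    for ch in passphrase:
        if ch.isalpha():
            classes.add("letter")
        elif ch.isdigit():
            classes.add("number")
        elif not ch.isspace():
            classes.add("symbol")
    return classes


def check_passphrase(passphrase, quotes=FAMOUS_QUOTES):
    """Return the list of policy failures; an empty list means the passphrase passes."""
    failures = []
    if len(passphrase) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"letter", "number", "symbol"} - character_classes(passphrase)
    if missing:
        failures.append("missing " + ", ".join(sorted(missing)))
    normalized = normalize(passphrase)
    for quote in quotes:
        if normalize(quote) in normalized:
            failures.append(f"contains the famous quote {quote!r}")
    return failures


def initials_root(sentence, homophones=HOMOPHONES):
    """First letter of each word; number-like words become the digit they sound like."""
    parts = []
    for word in sentence.split():
        cleaned = word.strip(string.punctuation)
        if cleaned:
            parts.append(homophones.get(cleaned.lower(), cleaned[0]))
    return "".join(parts)


def site_password(root, extension):
    """Root passphrase plus the slides' 3-4 character per-site extension."""
    return root + extension


def bits_if_random(length, alphabet_size):
    """Entropy of a string of this length if every character were chosen uniformly.
    Real passphrases carry far less, but the comparison shows why length wins."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "Give me liberty or give me death 2013!",
                      "I hope you all are enjoying this conference in 2013!"]:
        print(f"{candidate!r}: {check_passphrase(candidate) or 'OK'}")
    root = initials_root("My Prius uses too much gas in the winter")
    print("root:", root, " bank:", site_password(root, "BoA!"))
    print(f"9 mixed characters: {bits_if_random(9, 94):.0f} bits; "
          f"20 lowercase letters: {bits_if_random(20, 26):.0f} bits")
```

The quote check runs on a normalized form, so "givemelibertyorgivemedeath" without spaces is caught just as the spaced version is. The last line of the demo is the point of the "Length or Complexity?" slide in numbers: nine characters drawn from the full printable set carry fewer bits than twenty plain lowercase letters.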
Easy to Do

Skype Calls from Anyone?

Three Golden Rules
• Verify unsolicited communication.
• Maintain strong passwords.
• Create a different password for each account.

Hacks on Hacks
• Zappos and LinkedIn, etc.
• Hackers steal passwords, then send you a spear-phishing message purporting to be from the hacked company: "Click here to reset your password!"

Hackers for Hire
• Pavel Vrublevsky, owner of Russian payments firm ChronoPay

Anything Can Be Spoofed
• http://www.spoofcard.com/ allows users to call people while displaying a fake name
• Tor.com allows you to anonymize
• Wireless hot spots in hotels, airports, coffee shops, and other public places
• Firesheep, Kismet, and other software let anyone impersonate you

Defense-in-Depth on Mobile
• Verify SMS/text messages independently to avoid smishing
• Take the initiative to update system and application software
• Know the remote wipe option
• 3G/4G is safer than local wireless hotspots
• Disable, or at least be aware of, GPS and geotagging

Smishing
  GATEWAY BANK ALERT: Your card starting with 4138* has been DEACTIVATED. Please contact us at 804-414-7700.

Android, Blackberry, iPhone
• Passcode
  • Enable at least 4 digits
  • Don't use 1234, 0000, 2580, 5555, etc.
  • Exceeding the number of allowed password attempts deletes all data
• Auto-Lock
  • Locks the screen after a pre-set period of non-use (consider 30 minutes or less)
  • Passcode lock enhances auto-lock
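The passcode slide names 1234, 0000, 2580 and 5555 as PINs to avoid. Each is one instance of a general pattern (a repeated digit, a digit sequence, a straight line down the phone keypad) that a device-enrolment or helpdesk policy can reject generically rather than from a fixed list. The Python below is an added example, not part of the presentation; the keypad layout, the slide's four PINs as the seed blocklist, and the rule set are assumptions of this example.

```python
# Phone keypad as rows; a straight line across it (2580 is the middle column)
# is as easy to guess as a counting sequence.
KEYPAD_ROWS = ["123", "456", "789", " 0 "]

# The PINs the slide names, used as a constructed seed blocklist.
COMMON_PINS = {"1234", "0000", "2580", "5555"}

MIN_DIGITS = 4  # the slide's "enable at least 4 digits"


def keypad_lines(rows=KEYPAD_ROWS):
    """Every row and column of the keypad, read in both directions."""
    lines = set()
    row_strings = [row.replace(" ", "") for row in rows]
    col_strings = ["".join(row[i] for row in rows).replace(" ", "") for i in range(3)]
    for line in row_strings + col_strings:
        lines.add(line)
        lines.add(line[::-1])
    return lines


KEYPAD_LINES = keypad_lines()


def is_sequence(pin):
    """1234 / 9876 style: every step between neighbouring digits is +1 or -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def pin_weaknesses(pin):
    """Return the reasons a passcode is guessable; an empty list means acceptable."""
    problems = []
    if not pin.isdigit():
        return ["not all digits"]
    if len(pin) < MIN_DIGITS:
        problems.append(f"shorter than {MIN_DIGITS} digits")
    if pin in COMMON_PINS:
        problems.append("on the common-PIN list")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    elif is_sequence(pin):
        problems.append("ascending or descending sequence")
    elif len(pin) % 2 == 0 and pin == pin[:2] * (len(pin) // 2):
        problems.append("repeated two-digit pattern")
    if pin in KEYPAD_LINES:
        problems.append("straight line on the keypad")
    return problems


if __name__ == "__main__":
    for candidate in ["1234", "0000", "2580", "5555", "0852", "1212", "8361"]:
        print(candidate, "->", pin_weaknesses(candidate) or "acceptable")
```

The list check alone would pass 0852 and 4321; the pattern rules catch them because they describe what the listed PINs have in common rather than the PINs themselves.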
Are Market Place Downloads Safe?
• Do not click Install before you review.
• Do you want this app to have so much access to your information?
• Think before you app!

Tips to Protect Mobile Devices
• Click with care: many tempting offers duplicate the look and feel of legit sites
• Do not respond to security alerts or password request emails on your smart phone. They are usually fraudulent.
• Install an app security scanner on your phone or iPad

Mobile Phone Protection
• Lookout Mobile Security
  • https://www.lookout.com/
• McAfee Mobile Security
  • https://www.mcafeemobilesecurity.com/products/android.aspx
• Verizon Mobile Security
  • http://www.verizon.com
• Vipre Mobile Security
  • http://www.vipremobile.com/

Greatest Threat to Smart Phones?
• About 113 smartphones are stolen or lost every minute in the US, with many of the thefts turning violent.
• In 2012, 1.6 million Americans were victimized for their smartphones
  • These crimes have led to severe injuries and the loss of life
• Secure Our Smartphones: there is a technical solution, a kill switch

iPhone, iPad Security Settings
• iPhone: General tab > Restrictions > Enable Restrictions > Select Enable "Ask to Join Networks" function on iPhone
• iPad: Enable Data Protection
  • Settings > General > Passcode

Find My iPhone/iPod/iPad
• Find My iPhone requires an Apple iCloud account and a recent device
• Add other, older devices once an account is set up
• http://www.apple.com/icloud/features/find-my-iphone.html

Android Security Settings
• Internet > More > Settings > Block Pop-up Windows, and Clear Cache and Cookie data often.
  • Uncheck Remember Form Data, Enable Location and Remember Passwords
• Always browse with https:// if you log in using any credentials
Wireless Network Tips
• Use WPA2 encryption on the router
• Change the default SSID
• Change the default login and password
• Create strong passwords for all devices, including printers
• Install an alternate DNS provider

Free Annual Credit Report
• Check your free annual credit report: http://annualcreditreport.com
  • Not freecreditreport.com
• Check personal data for accuracy
• You will not receive a credit score unless you pay for it
• Don't use a debit card online!

Unforgettable from Australia
Stay One Click Ahead and Outsmart the Scammers

We are the Weakest Links
http://www.securingthehuman.org/resources/ncsam

STOP.THINK.CONNECT
stopthinkconnect.org