Community Security Awareness Training
Barbara Endicott-Popovsky, Ivan Orton, Kirk Bailey, Deb Frincke, Member, IEEE
West Point 1
About the Authors
- Barbara Endicott-Popovsky, Lecturer, Seattle University
- Ivan Orton, JD, Senior Deputy Prosecuting Attorney with the Fraud Division of the King County Prosecutor's Office in Seattle
- Kirk Bailey, Chief Information Security Officer, City of Seattle
- Deb Frincke, Ph.D., Chief Scientist Cybersecurity, Pacific Northwest National Laboratory and Professor (on leave), Computer Science Dept., University of Idaho
Agora
- Forum for airing current issues of concern among IA professionals
- Meets quarterly in the Northwest
- Solves problems of unintended consequences from the proliferation of digital infrastructure accessing insecure public networks
Recent Achievements
- State legislative change regarding cyber stalking, a fast-growing Internet crime
- Responding to a case involving a City of Seattle employee, Agora undertook a two-year project of tracking down, and assisting in the eventual prosecution of, the stalker
- Became the impetus behind some of the first cyber-stalking legislation in the nation
Current Focus
- Vulnerability of personal and private information in Internet-accessible systems
- Bring attention to improving network and data management
- Influence helpful legislative change
The Problem
Widespread Community Problem: Identity Theft
- Growing problem
- Affects government/business infrastructure and individuals
- 1 in 20 Americans was an identity theft victim last year
- Hundreds of millions of dollars of impact on the U.S. economy (FTC report)
- Most institutions cover direct consumer losses
- Consumers cover coping charges, avg. $1000/incident (credit restoration cost)
Agora Solution
- Create a security awareness event demonstrating:
  - accessibility of personal/private information through public networks
  - how little skill is needed to acquire it
- Design experiential learning: a Google-Hacking Contest
- Invite business and government leaders, and the press
- Enthuse community leaders about exploring possible solutions
Google-hacking
Google-hacking commonly refers to obtaining anything exploitable, including usernames, passwords, credit card numbers and other personally identifiable information, using the search engine Google.
Why Google Hacking?
- Search engines can be effective hacking tools
- Google selected for its wide familiarity
- Requires little or no programming skill: knowledge of a minimal list of Google operators and how to concatenate a Google string
- Google hacking info readily available:
  - search for "Google hacking" on Google itself!
  - http://johnny.ihackstuff.com/
  - first 3 chapters of Google Hacking by Johnny Long
  - a few hours of online practice
Poorly Configured and Administered Systems at Fault
- Uneducated folks putting content on the web they think is hidden from the world
  - Example: directory indexing that exposes file paths and useful files
- Requires more thoughtfully configured networks:
  - Keep private, sensitive info beyond the reach of web crawlers
  - Understand how web crawlers/search engines work
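Added example, not code from the Agora slides or the contest: a small pre-publication audit in Python of the two configuration points on this slide. It walks a web root for directories that have no index page (exactly what a server with directory indexing enabled would list to any visitor or crawler) and checks each one against a robots.txt using the standard library's urllib.robotparser. The web root, file names and robots.txt text are constructed for the demo. The second check exists to make the caveat concrete: a Disallow line only asks well-behaved crawlers to stay away, it is not access control, so a listed directory that robots.txt hides is still exposed to anyone who requests the path.

```python
"""Pre-publication exposure audit (added example, not from the Agora slides).

Two checks that map to the slide's advice:
  1. Directories under the web root with no index file: a server with
     directory indexing enabled would list their contents to anyone, and
     to any crawler.
  2. Whether robots.txt asks crawlers to skip them.  robots.txt is advisory
     only, so a disallowed directory is "not indexed", never "protected".
The web root, file names and robots.txt below are constructed for the demo.
"""
import os
import tempfile
from urllib.robotparser import RobotFileParser

INDEX_NAMES = ("index.html", "index.htm", "index.php")


def dirs_without_index(web_root):
    """Return web paths ('/members/' style) of directories lacking an index file."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        if any(name in filenames for name in INDEX_NAMES):
            continue
        rel = os.path.relpath(dirpath, web_root).replace(os.sep, "/")
        exposed.append("/" if rel == "." else "/" + rel + "/")
    return sorted(exposed)


def crawlable(robots_txt, path, agent="*"):
    """True if the given robots.txt text does not disallow `path` for `agent`."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, path)


def audit(web_root, robots_txt):
    """Map each index-less directory to its exposure status.

    'listed-and-crawlable': any search engine can index the listing; fix the
    server configuration (or move the data off the public root).
    'listed-only': crawlers are asked to skip it, but anyone who knows or
    guesses the path still gets the listing; the fix is the same, robots.txt
    is not it.
    """
    return {
        path: "listed-and-crawlable" if crawlable(robots_txt, path) else "listed-only"
        for path in dirs_without_index(web_root)
    }


def build_sample_site():
    """Constructed web root: one directory with an index page, two without."""
    root = tempfile.mkdtemp(prefix="exposure-audit-")
    for rel in ("docs", "members", "backup"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("index.html", "docs/index.html", "members/roster.xls", "backup/site.mdb"):
        open(os.path.join(root, *rel.split("/")), "w").close()
    return root


# Constructed robots.txt: hides /backup/ from crawlers, says nothing about /members/
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /backup/\n"

if __name__ == "__main__":
    for path, status in audit(build_sample_site(), SAMPLE_ROBOTS).items():
        print(f"{status:22s} {path}")
```

Run against the constructed site, /members/ comes back listed-and-crawlable and /backup/ listed-only; both are findings, because the status only says whether a search engine will find the listing, not whether the listing is reachable.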
The Solution
Community Security Awareness Training Event
- Purpose: raise the community's consciousness about the vulnerability of sensitive information to compromise on systems linked to public networks
- Vehicle: Google Hacking Contest
- Sponsored by: the Agora and Seattle U
- March 4, 2005, Seattle, Washington
- Public invited: IA professionals; Attorney General, State of Washington; business leaders; faculty, students
Reference: NIST Special Publication 800-50
- Recognizes that the "people factor" is the weakest link
- Standard for developing and implementing security awareness training
- All IS users should be made aware of their roles and responsibilities in maintaining security
- Any awareness event should be:
  - designed for the intended audience
  - built around a message and desired outcomes
  - able to gain attention
NIST Guidelines for Security Awareness Event

NIST Guidelines                            | Google Hacking Event Attributes
-------------------------------------------|--------------------------------------------------------------
Designed for specific audience             | Business and community leaders in Seattle
Built around a message                     | "Alarming vulnerability of public and private information to compromise on public networks"
Built around desired outcomes              | Gain attention; influence legislation
User awareness of roles / responsibilities | Event summation focused on roles and responsibilities regarding identity theft
AGORA'S Google Hacking Contest Rules
- Rule #1: Information Protection. All contest participants must be VERY CAREFUL to manage and protect any sensitive information they discover
- Rule #2: Required Gear for Competitors. Teams must bring their own 'stuff' to play and also at least one standard-size (8½ x 11) notepad
AGORA'S Google Hacking Contest Rules (cont'd.)
- Rule #3: Respect Host's Network. Access provided by the host, Seattle U, for the contest only
- Rule #4: Judging. Each team is assigned a Contest Judge to validate their results
AGORA'S Google Hacking Contest Rules (cont'd.)
- Rule #5: Time allowed. 45 minutes only
- Rule #6: Scoring. Based on the score card (follows)
Google Hacking Score Card

Personally Identifiable Information                                 | Points
--------------------------------------------------------------------|--------
Name and Social Security Number (SSN) together                      | 1 pt
Name, SSN, Date of Birth (DOB) together                             | 2 pts
Name, Credit Card number (CCN#) together                            | 1 pt
Name, CCN#, Exp. Date, 3-digit security code (CID#) together        | 2 pts
Name, Bank Account # or Brokerage Account #                         | 3 pts
Name, Bank Account # or Brokerage Account #                         | 1 pt
Name, Bank Account Number and PIN                                   | 3 pts
Add'l data assoc'd w/ each CCN# & SSN# (e.g. address, phone)        | 0.5 pt
Name, password, related online account identifier to anything       | 5 pts
Bonus points for anything above associated with a WA State citizen  | 10 pts

An additional 500-point bonus was offered for the "Most Sensitive Document".
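Added example, not the contest's own tooling: the score card read as a defender's checklist. The Python scanner below runs over a data export before it is placed on a public server, looks in every column other than the name for SSN-shaped values (rejecting area, group and serial values the SSA never issued), card-shaped numbers that pass the Luhn check, dates of birth, expiry dates, CVV codes and phone numbers, and weights each record with the points the card gives the rows it can detect (name+SSN, name+SSN+DOB, name+CCN, name+CCN+exp+CID, additional data). The CSV export, its column layout and the names in it are constructed; the bank-account, password and Washington-resident rows are left out because nothing in a generic export identifies them reliably.

```python
"""Score-card scan of a data export before it goes on a web server.

Added example, not the contest's own tooling.  Assumes a CSV export whose
first column is a person's name; every other column is scanned as free
text, because the point is to catch sensitive values wherever they ended
up.  Weights are the ones the score card gives the rows detected here.
"""
import csv
import io
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")      # 13-16 digits, optional separators
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b")
EXP_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b")
CID_RE = re.compile(r"\bCVV\s*\d{3}\b", re.IGNORECASE)
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issued: area 000, 666, 900-999; group 00; serial 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def score_record(fields):
    """Score one record (all columns except the name) against the card's rows."""
    text = " | ".join(fields)
    findings, points = [], 0.0
    has_ssn = any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text))
    has_card = any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))
    if has_ssn:
        if DOB_RE.search(text):
            findings.append("name+SSN+DOB")           # 2 pts on the card
            points += 2
        else:
            findings.append("name+SSN")               # 1 pt
            points += 1
    if has_card:
        if EXP_RE.search(text) and CID_RE.search(text):
            findings.append("name+CCN+exp+CID")       # 2 pts
            points += 2
        else:
            findings.append("name+CCN")               # 1 pt
            points += 1
    if (has_ssn or has_card) and PHONE_RE.search(text):
        findings.append("additional data (phone)")    # 0.5 pt
        points += 0.5
    return points, findings


def scan_export(csv_text):
    """Return {name: (points, findings)} for every record that scores."""
    results = {}
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)                                      # header row
    for row in reader:
        if not row:
            continue
        points, findings = score_record(row[1:])
        if findings:
            results[row[0]] = (points, findings)
    return results


# Constructed export: two records that score, one SSN that cannot be real,
# and one card-shaped number that fails Luhn (only the first two are reported).
SAMPLE_EXPORT = """name,ssn,dob,card,exp,cvv,phone
Alice Example,123-45-6789,1970-01-01,,,,
Bob Example,,,4111 1111 1111 1111,12/27,CVV 123,206-555-0100
Carol Example,000-12-3456,,,,,
Dan Example,,,1234 5678 9012 3456,,,
"""

if __name__ == "__main__":
    for name, (points, findings) in scan_export(SAMPLE_EXPORT).items():
        print(f"{points:4.1f}  {name}: {', '.join(findings)}")
```

The Luhn and SSA plausibility checks are what keep the scan useful on a large export: without them every phone number, order id and date field would be a false positive and the report would be ignored.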
Successful Hacking Approach
- Limit the number of pages to search
- Narrow searches
- Concatenate Boolean and advanced operators into queries
- Yield results
Useful Advanced Operators

Advanced Operator | Purpose
------------------|---------------------------------------------------------------------------------
InTitle           | Restricts the search to pages with the specified word in the title
InURL             | Restricts the search to pages with the specified word in the URL
Cache             | Shows the version of a page in Google's cache
Filetype          | Restricts the search to a file type (the xls and mdb file types are particularly useful)
Numrange          | Searches for results within a given numerical range
Example Query Strings
- allintitle: restricted filetype:doc site:gov
  Searches for pages with all of the following in the title: 'restricted'; .doc files on .gov sites
- intitle:"index of" members OR accounts
  Searches for pages with "index of" in the title and either member or accounts lists
- allintitle: "index of/root"
  Searches for pages with index of/root in the title. Results in 1490 pages that can be mined for information
- allinurl:auth_user_file.txt
  Searches for pages with lists of user names and passwords
- allinurl: admin mdb
  Searches for pages with administrators' Access databases containing usernames, passwords and other sensitive information
The Contest
- 8 teams: 3 student teams, 5 from industry and the professions
- 8-12 members each
- 300 community members observed
The Results
Results (Partial List)
- Credit card numbers of military personnel
- A million SSNs of recent immigrants, their tax records and addresses
- Names, birth dates, SSNs, race and religion of deceased military personnel
- Names, credit card numbers, birth dates and home phone numbers of 388 Americans who ordered pornographic movies from a Brazilian web site
- Over one hundred million death certificates with SSNs, dates of birth and city of last residence
- Highly personal information of two individuals, including their security clearance level; one was an expert in virology investigations and the other a responder to nuclear emergencies
- Personal information about people on terrorist watch lists
Winners!
- 1st Prize: 190 million points. Team of lawyers and computer security experts; found a database with SSNs of millions of dead people
- 2nd Prize: 13 million points. Team of penetration testers from a local security firm
- Student teams at the bottom
Community Awareness Achieved
- Attendees' feedback indicated shock
- Report made to the State's Attorney General
- Publicity:
  - Front-page article, Seattle Times
  - Wall St. Journal article
  - Syndicated columnist's daily blog
Lessons Learned, Future Work, Conclusions
Lessons Learned
- Security awareness training can be effective for educating a community
- NIST Special Publication 800-50 guidelines were applicable
- A Google-Hacking contest communicates effectively to non-technical people
- Such a contest is easy to stage
- Notify attendees in advance so they can form teams, work out logistics issues (numbers of computers, etc.) and familiarize themselves with Google hacking before coming
Future Work
- Continue the training effort through the U of Washington Center of Information Assurance and Cyber Security, an NSA Center of Academic Excellence
- Influence further legislation addressing protection of personal and sensitive data
- Address the inequity of victims bearing coping costs associated with the misuse of personal information
The Unfairness Principle
Simple Fairness Principle
Simple Fairness Principle Restated
- Individuals should bear inconvenience costs associated with misuse of any personal information that they control
- Individuals should not bear inconvenience costs associated with misuse of their personal information that they do not control
- While the fairness proposition appears obvious, it is not reflected in current law
Conclusions
- Security awareness event achieved its goals:
  - Alerted community leaders to take appropriate measures to ensure protection of personal and private information stored in databases
  - Began the process of influencing legislation to address problems arising from identity theft
References
- ComSec, "Google, A Dream Come True." (Retrieved from the Web March 19, 2005.) http://www.governmentsecurity.org/comsec/googletut1.txt
- Googledorks. (Retrieved from the Web March 19, 2005.) http://johnny.ihackstuff.com/index.php?module=prodreviews
- Granneman, S. "The Perils of Googling," Security Focus. (Retrieved from the Web March 19, 2005.) http://www.theregister.co.uk/2004/03/10/the_perils_of_googling/
- i-hacked.com, "Google Hacking at its Finest." (Retrieved from the Web April 15, 2005.) http://www.i-hacked.com/content/view/23/42/
- Long, J., Skoudis, E., van Eijkelenborg, A. (ed.) (2004). Google Hacking for Penetration Testers. San Francisco: Syngress Publishing, Inc.
- Kotadia, M. (1977). "Protect yourself from 'Google hacking'." Silicon.com, Jan. 14, 2005. (Retrieved from the Web March 19, 2005.) http://networks.silicon.com/webwatch/0,39024667,39127080,00.htm
- Ong Boon Kiat. "Google hacking for beginners." Cnet Asia, November 8, 2004. (Retrieved from the Web March 19, 2005.) http://www.zdnet.co.uk/zdnetuk/comment/other/0,39020682,39172957,00.htm