Title: ID Theft: Are County Governments a Threat? Or How I'd Take Over the World
ID Theft: Are County Governments a Threat? Or How I'd Take Over the World
- Randy Marchany, VA Tech IT Security Office and Lab - marchany_at_vt.edu
We Already Know How
- We already know how to educate the general public on how to use a highly complex technical device safely - It's called
- Drivers Ed
- The DMV
- We already know how to teach the general public to use 2 factor authentication - It's called an ATM card
- Why aren't we showing home users how to secure
What People Think of Security
[Diagram: Internal Network, "The Firewall will protect us!", The Big Bad Internet]
Place to Steal Personal Data
[Diagram (labels S, C): Good Sysadmin Practices; No Effective Defense if the Client is PC/Mac; Install Encryption; Install Sniffer, more dangerous in the wireless arena; Email Attachments; Attack The Server]
Passwords ARE the First Defense
[Slide figures: 1 M, 47 Million]
We have met the enemy and it is vendors...
It's Insecure Out of the Box
- Security vs. Convenience
- Let the users debug the code
- OS vendors are starting to see the light
- Windows XP/2003 with security features enabled
- Apple OSX
- Linux systems with firewall enabled
- Application Vendors still don't get it
- Oracle stepped in it
- http://news.com.com/Whensecurityresearcherbecometheproblem/2010-1071_3-5807074.html
Why is this an option? This should be the default! Wait! I already know the last 4 digits of my SSN, so why have this at all?
Unlocked Key Means Transmission In the Clear!
Let Me Read Your Email!
It's Insecure Out of the Box
- Viruses will never be eliminated
- Multibillion industry to fight them
- Eliminate the threat, we no longer have a multibillion industry.
- Wireless cash register software sending data in the clear
- Document imaging systems sending data in the clear
- Govt/LE records digitized by insecure software
- Printers, copiers based on NT!
Why buy the cow when you can get the milk for free?
Obtaining Personal Information
- Public Records can be accessed from anywhere in the world.
- Local governments are allowing access to sensitive info via the Web without thinking about security.
County Clerks and Identity Theft
- Making legal docs available on the net w/o good security practices.
- A secure www site isn't enough
- Tom Delay SSN From Public Records
- Jeb Bush SSN From Public Documents
- Colin Powell Deed of Trust
- Colin Powell SSN from Public Records
- Do County Clerks (by extension, the state legislature) facilitate ID Theft?
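A pre-publication check a clerk's office could run over scanned record text, as an added example that is not part of the talk: the deed text is constructed, and the structural rules used to reject parcel and case numbers that merely look like SSNs are the SSA's published allocation rules (area 001-899 excluding 666, group never 00, serial never 0000).

```python
import re
from typing import Tuple

# Matches 3-2-4 digit groups with optional dash/space separators, but not a
# run inside a longer digit string (the lookarounds stop partial matches).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules from the SSA: area 001-899 but never 666,
    group never 00, serial never 0000. Rejects most parcel/case numbers."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g != 0 and s != 0

def redact_ssns(text: str) -> Tuple[str, int]:
    """Replace every plausible SSN with XXX-XX-<last 4>; return (text, count).
    Pattern matches that fail the structural rules are left unchanged."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)
        count += 1
        return f"XXX-XX-{serial}"

    return SSN_RE.sub(repl, text), count

# Constructed sample of the kind of text a recorded deed might carry.
SAMPLE_DEED = (
    "Grantor: John Q. Public, SSN 123-45-6789. Parcel 987654321. "
    "Ref 000-12-3456. Phone 540-231-1234."
)

if __name__ == "__main__":
    cleaned, n = redact_ssns(SAMPLE_DEED)
    print(n, "SSN(s) redacted:", cleaned)
```

The 9-digit parcel number and the 000-prefixed reference both match the pattern but fail the structural rules, so only the real SSN is masked; the phone number never matches at all.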
What's Going On Here?
- We're spending to protect sensitive data (SSN)
- State govt is allowing SSN info to be obtained online
- Laws need to be coordinated
- Sometimes the data isn't where you think it is.
T-Mobile said the company's computer forensics and security team were "actively investigating to determine how Ms. Hilton's information was obtained."
PDA/Smartphones
Motivation
- People want access to information all the time
- User expectation of information everywhere and all the time.
- Rapid evolution to use interconnected networks.
- Security Challenges
- Information sharing and security at odds.
- Laws, regulations, and policies not keeping pace.
- Stopgap measures.
RFID Technology
- RFID tags.
- First true pervasive technology.
- Correlation tracking for inventory mgt
- Potential misuse by combining user habits with tags tracking data
PDA/RFID Threat Summary
- Data Disclosure
- Data Modification
- Tracking the target
- Denial of Service Attacks
- Drain the battery
B-SIPS Client: An Intrusion Detection System
Basic View: This lets the users only view intrusion detection status of the B-SIPS Client Application.
Advanced View: This lets the users view more information related to intrusion detection analysis. They can view the Smart Battery Data (SBData), currently running process list, the dynamic threshold (DT) value, and also calibrate the system.
Battery Power Attack Contrasts
Four sequential attacks detected by Axim X51v.
Nmap SYN -sS, UDP -sU, Xmas -sX, FIN -sF
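The calibrate-then-threshold idea behind the B-SIPS slides, as an added illustration that is not B-SIPS code: how B-SIPS actually derives its DT is not described here, so the "mean idle draw plus three standard deviations" rule, the mA figures and the current-draw trace are all assumptions constructed for this example.

```python
import statistics
from typing import List, Optional, Tuple

# Constructed Smart Battery current-draw samples in mA, one per second.
# CALIBRATION: device idle (what "calibrate the system" would record).
# TRACE: idle, one harmless one-sample spike, then a sustained burst that
# stands in for the extra radio/CPU work a port scan forces on the PDA.
CALIBRATION = [120, 118, 125, 122, 119, 121, 124, 120, 123, 118]
TRACE = [121, 119, 135, 122, 168, 175, 171, 180, 169, 123, 120, 119]

def dynamic_threshold(idle: List[int], k: float = 3.0) -> float:
    """DT = mean idle draw + k standard deviations (assumed rule, not B-SIPS')."""
    return statistics.fmean(idle) + k * statistics.pstdev(idle)

def detect_bursts(trace: List[int], dt: float, min_len: int = 3) -> List[Tuple[int, int]]:
    """Return (first, last) sample indices of every run of at least min_len
    consecutive readings above dt. Short spikes (screen wake, sync) are ignored."""
    bursts: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for i, ma in enumerate(trace + [None]):   # sentinel flushes a trailing run
        if ma is not None and ma > dt:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                bursts.append((start, i - 1))
            start = None
    return bursts

def analyze(idle: List[int], trace: List[int]) -> List[Tuple[int, int]]:
    """Calibrate on the idle window, then flag sustained excess draw in the trace."""
    return detect_bursts(trace, dynamic_threshold(idle))

if __name__ == "__main__":
    dt = dynamic_threshold(CALIBRATION)
    print(f"DT = {dt:.1f} mA; alerts at sample ranges {analyze(CALIBRATION, TRACE)}")
```

Re-running calibration whenever the baseline workload changes is what keeps the DT meaningful; a stale DT either hides a scan or alerts on every screen wake.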
Attack the Client or the Server? Attack the PDA
- PC, Mac, PDA/Smartphone Clients
- Your overall security architecture is subverted by PC, Mac, PDA/Smartphone insecurity.
Why PDA Attacks Work
- Poor Password Selection
- System Management Training Deficiencies
- Inadequate User Training
- External Open Environments affect your network
- Vendor supplied defects
- Lack of Mgt. Support to correct problems
Taking Advantage of the Surveillance Society We've Become...
Protect the Data not the Machine
- File system encryption
- Nice but why encrypt everything on the device?
- Oooh, I encrypted Office CE!
- Probably will win because people are lazy
- Data File Encryption
- Thumb drive encryption
What we would do to take over the world
- Deep Strike Strategy
- Local Strike Strategy
- Use Stealth worms
- Attack gadgets
- Pollute LE, Govt identities
- Wipe out the machines on D-day
Deep Strike
- Target the data entry process
- Forget modifying it once it's in the system
- Input faults at data entry point
- Corrupt NCIS/AFIS data
- Corrupt legal record entry
- Attack local stock broker systems
- Someone just bought a lot of shares
- Use to trigger auto buy/sell programs
- Corrupt in-stream stock quotes
- Just enough to fly under the radar
- Target hospital/medical wireless nets
- DDOS them to prevent info transmission
Deep Strike
- Target RFID Inventory systems
- DOD, Walmarts
- Direct shipments elsewhere. Don't steal it, just redirect it at the critical time
- Force manual control to slow down the process
- E-passport, E-Drivers License, E-tags
- Track your targets
- Target the compilers, microcode
- Modify the chip instruction set
- Change the compilers to add backdoors
- Ken Thompson's paper on Trust
Target Security Clearances
- Target security clearance methodology
- Questioning the vetting process means everyone that got clearance using that process is suspect
- Target Military personnel credit ratings
- Get SSN from county court house www sites
- Bad credit means revoked security clearances
Deep Strike
- Target automated public service radio systems
- Use EAS automated receivers to send fake evacuation messages
- Evacuate mid size cities, small towns
- Target stadium or highway display boards
- there's a bomb in the seats
- Stress local 911
- 1 more call than there are ambulances
- Use cell phones to generate the calls
Deep Strike
- Target gadgets
- Not for control but for DDOS
- Target E-voting systems
- Target home systems
- For ID theft and DDOS
- Use stealth worm capabilities to fly under the radar of IDS, IPS
- Avoid Blaster-style attacks until needed as a diversion
Deep Strike
- Erode trust in security mechanisms so they will be ignored
- For example, businesses will not turn down a sale but they will turn down a security process that is perceived to be corrupted
- Pick an infrastructure
- Stock market
- Credit card
- Drivers license
Local Strike
- Target LE, Military for ID pollution
- Mess up agents' credit rating so the family can't buy anything
- It's a distraction
- Repeat for investigative teams/leaders/mgt
- Attack via Choicepoint, Seisint, etc. Use the tools LE would use
- Repeat for civilian leadership
- Legislative, executive, judicial
D-DAY
- Use the previous setup to create minor distractions
- Why are they shipping 30K snowblowers to AZ
- Launch real attack
- Activate bots introduced by stealth worms
- Wipe out all user data on infected machines
Solutions
- Need Cyber training, awareness at ALL levels of society
- ATM Cards prove it can be done
- Society learned how to use a complex transportation technology (cars) in the past
- Drivers' licenses ensure a base level of knowledge of proper use of the technology
- ATM Cards prove it can be done
Summary
- Nothing has changed?
- Users trigger attacks
- Sysadmins trigger attacks
- Vendors trigger attacks
- The order has changed
- Vendors' errors move to the top
- Mgt errors close second
- Cause training deficiencies
- State legislation is moving to the top