ID Theft: Are County Governments a Threat Or How I'd Take Over the World - PowerPoint PPT Presentation

Slides: 64
Provided by: david2495

Transcript and Presenter's Notes

1
ID Theft: Are County Governments a Threat? Or How
I'd Take Over the World
  • Randy Marchany, VA Tech IT Security Office and
    Lab
  • marchany_at_vt.edu

2
We Already Know How
  • We already know how to educate the general public
    on how to use a highly complex technical device
    safely
  • It's called
  • Driver's Ed
  • The DMV
  • We already know how to teach the general public
    to use 2 factor authentication
  • It's called an ATM card
  • Why aren't we showing home users how to secure

3
What People Think of Security
Internal Network
The Firewall will protect us!
The Big Bad Internet
4
Place to Steal Personal Data
Good Sysadmin Practices
No Effective Defense if the Client is PC/Mac
Install Encryption
S
C
Install Sniffer, more dangerous in the wireless
arena
Email Attachments
Attack The Server
5
Passwords ARE the First Defense
  • Bad Password Examples

7
1 M
47 Million
13
We have met the enemy and it is vendors.
14
It's Insecure Out of the Box
  • Security vs. Convenience
  • Let the users debug the code
  • OS vendors are starting to see the light
  • Windows XP/2003 with security features enabled
  • Apple OSX
  • Linux systems with firewall enabled
  • Application Vendors still don't get it
  • Oracle stepped in it
  • http://news.com.com/Whensecurityresearcherbecometheproblem/2010-1071_3-5807074.html

17
Why is this an option? This should be the
default! Wait! I already know the last 4 digits
of my SSN so why have this at all?
18
Unlocked Key Means Transmission In the Clear!
19
Let Me Read Your Email!
20
It's Insecure Out of the Box
  • Viruses will never be eliminated
  • Multibillion industry to fight them
  • Eliminate the threat, we no longer have
    multibillion industry.
  • Wireless cash register software sending data in
    the clear
  • Document imaging systems sending data in the
    clear
  • Govt/LE records digitized by insecure software
  • Printers, copiers based on NT!

21
Why buy the cow when you can get the milk for
free?
27
Obtaining Personal Information
  • Public Records can be accessed from anywhere in
    the world.
  • Local governments are allowing access to
    sensitive info via the Web without thinking about
    security.

28
County Clerks and Identity Theft
  • Making legal docs available on the net w/o good
    security practices.
  • A secure www site isn't enough
  • Tom Delay SSN From Public Records
  • Jeb Bush SSN From Public Documents
  • Colin Powell Deed of Trust
  • Colin Powell SSN from Public Records
  • Do County Clerks (by extension, the state
    legislature) facilitate ID Theft?

29
What's Going On Here?
  • We're spending to protect sensitive data
    (SSN)
  • State govt is allowing SSN info to be obtained
    online
  • Laws need to be coordinated
  • Sometimes the data isn't where you think it is.

30
T-Mobile said the company's computer forensics
and security team were "actively investigating to
determine how Ms. Hilton's information was
obtained."
31
PDA/Smartphones
32
Motivation
  • People want access to information all the time
  • User expectation of information everywhere and
    all the time.
  • Rapid evolution to use interconnected networks.
  • Security Challenges
  • Information sharing and security at odds.
  • Laws, regulations, and policies not keeping pace.
  • Stopgap measures.

33
RFID Technology
  • RFID tags.
  • first true pervasive technology.
  • Correlation tracking for inventory mgt
  • Potential misuse by combining user habits with
    tags tracking data

34
PDA/RFID Threat Summary
  • Data Disclosure
  • Data Modification
  • Tracking the target
  • Denial of Service Attacks
  • Drain the battery

35
B-SIPS Client: An Intrusion Detection System
Basic View: This lets the users only view
intrusion detection status of the B-SIPS Client
Application.
Advanced View: This lets the users view more
information related to intrusion detection
analysis. They can view the Smart Battery Data
(SBData), currently running process list, the
dynamic threshold (DT) value, and also calibrate
the system.
36
Battery Power Attack Contrasts
Four sequential attacks detected by Axim X51v.
Nmap SYN -sS, UDP -sU, Xmas -sX, FIN -sF
37
Attack the Client or the Server? Attack the PDA
  • PC, Mac, PDA/Smartphone Clients
  • Your overall security architecture is subverted
    by PC, Mac, PDA/Smartphone insecurity.

38
Why PDA Attacks Work
  • Poor Password Selection
  • System Management Training Deficiencies
  • Inadequate User Training
  • External Open Environments affect your network
  • Vendor supplied defects
  • Lack of Mgt. Support to correct problems

39
Taking Advantage of the Surveillance Society
We've Become...
59
Protect the Data not the Machine
  • File system encryption
  • Nice but why encrypt everything on the device?
  • Oooh, I encrypted Office CE!
  • Probably will win because people are lazy
  • Data File Encryption
  • Thumb drive encryption

61
What we would do to take over the world
  • Deep Strike Strategy
  • Local Strike Strategy
  • Use Stealth worms
  • Attack gadgets
  • Pollute LE, Govt identities
  • Wipe out the machines on D-day

62
Deep Strike
  • Target the data entry process
  • Forget modifying it once it's in the system
  • Input faults at data entry point
  • Corrupt NCIS/AFIS data
  • Corrupt legal record entry
  • Attack local stock broker systems
  • Someone just bought a lot of shares
  • Use to trigger auto buy/sell programs
  • Corrupt in-stream stock quotes
  • Just enough to fly under the radar
  • Target hospital/medical wireless nets
  • DDOS them to prevent info transmission

63
Deep Strike
  • Target RFID Inventory systems
  • DOD, Walmarts
  • Direct shipments elsewhere. Don't steal it, just
    redirect it at the critical time
  • Force manual control to slow down the process
  • E-passport, E-Drivers License, E-tags
  • Track your targets
  • Target the compilers, microcode
  • Modify the chip instruction set
  • Change the compilers to add backdoors
  • Ken Thompson's paper on Trust

64
Target Security Clearances
  • Target security clearance methodology
  • Questioning the vetting process means everyone who
    got clearance using that process is suspect
  • Target Military personnel credit ratings
  • Get SSN from county court house www sites
  • Bad credit revoked security clearances

65
Deep Strike
  • Target automated public service radio systems
  • Use EAS automated receivers to send fake
    evacuation messages
  • Evacuate mid size cities, small towns
  • Target stadium or highway display boards
  • there's a bomb in the seats
  • Stress local 911
  • 1 more call than there are ambulances
  • Use cell phones to generate the calls

66
Deep Strike
  • Target gadgets
  • Not for control but for DDOS
  • Target E-voting systems
  • Target home systems
  • For ID theft and DDOS
  • Use stealth worm capabilities to fly under the
    radar of IDS, IPS
  • Avoid Blaster-style attacks until needed as a
    diversion

67
Deep Strike
  • Erode trust in security mechanisms so they will
    be ignored
  • For example, businesses will not turn down a sale
    but they will turn down a security process that
    is perceived to be corrupted
  • Pick an infrastructure
  • Stock market
  • Credit card
  • Drivers license

68
Local Strike
  • Target LE, Military for ID pollution
  • Mess up agent's credit rating so the family can't
    buy anything
  • It's a distraction
  • Repeat for investigative teams/leaders/mgt
  • Attack via Choicepoint, Seisint, etc. Use the
    tools LE would use
  • Repeat for civilian leadership
  • Legislative, executive, judicial

69
D-DAY
  • Use the previous setup to create minor
    distractions
  • Why are they shipping 30K snowblowers to AZ
  • Launch real attack
  • Activate bots introduced by stealth worms
  • Wipe out all user data on infected machines

70
Solutions
  • Need Cyber training, awareness at ALL levels of
    society
  • ATM Cards prove it can be done
  • Society learned how to use a complex
    transportation technology (cars) in the past
  • Driver's license ensures a base level of knowledge
    of proper use of the technology
  • ATM Cards prove it can be done

71
Summary
  • Nothing has changed?
  • Users trigger attacks
  • Sysadmins trigger attacks
  • Vendors trigger attacks
  • The order has changed
  • Vendor errors move to the top
  • Mgt errors close second
  • Cause training deficiencies
  • State legislation is moving to the top