Cyber Security Awareness Everything You Were Afraid to Know About Computer Security, But Always Want - PowerPoint PPT Presentation

Provided by: Commonweal
1
Cyber Security Awareness: Everything You Were
Afraid to Know About Computer Security, But
Always Wanted to Ask
  • Commonwealth of Mass.
  • Information Technology Division
  • November, 2008

2
Objectives for Today
  • Understand network security threats
  • Learn simple defensive measures
  • Review some recent breaches
  • Introduce applicable new legislation

3
The Sermon
  • Sobering Statistics
  • Why do we need to be here today?
  • The Threats
  • How Things Go Wrong
  • Protecting Yourself
  • Have I Been Compromised?
  • A Few High-Profile Case Studies
  • A Recent Eye-Opening Incident
  • Security Resources and References
  • Q & A

4
Statistics
  • One new infected web page is discovered every 5
    seconds
  • One in 500 e-mail messages contains confidential
    information
  • One in 2500 e-mail messages contains an infected
    attachment
  • 41% of people use the same password at every site
    they visit
  • In 2007, 37000 reported breaches of government
    and private systems occurred
  • Revenues from cybercrime now exceed drug
    trafficking as the most lucrative illegal global
    business, estimated at more than $1 trillion
    annually in illegal profits
  • 75 percent of companies surveyed in 2004 reported
    a data-security breach within the past 12 months.
    (The Ponemon Institute)
  • 70% of security incidents are inside jobs.
    (Gartner Group)
  • Many government offices don't even know yet that
    they are leaking information. 90% of cases are
    probably still not known. (McAfee Criminology
    Report)

5
Why are we here today?
  • The World has Changed!
  • Flying?
  • Technology Advancements
  • Moore's Law: 50 years of supporting data
  • Processor Speed
  • Memory (Smaller, Faster, Larger Capacity)
  • Hard Drives (Smaller, with Larger Capacity)
  • Price (Bang per Buck)
  • What was Impossible 10 Years Ago is Routine
    Today.
  • Searching for a Cure to Web Malware

6
Our Mission
  • We still need to do our jobs
  • Educating Students of the Commonwealth
  • Securing Cyber-Resources
  • ID Theft & Data Breach Legislation
  • M.G.L. Ch 93H
  • Executive Order 504
  • 201 CMR 17.00

7
The Challenge
  • Walking the tightrope between:
  • Taking full advantage of the constantly expanding
    wealth of IT resources available to us, and
  • Increased risk of exposure to attacks that
    accompanies increased reliance on technology.
  • Allowing business operations anytime and
    anywhere, via an increasing number of different
    devices and to an increasing number of mobile
    users and customers.

8
Threats to Students
  • MySpace
  • FaceBook
  • YouTube
  • Peer-to-Peer Networks
  • Instant Messaging
  • Cyber Predators/Bullies
  • Inappropriate/Offensive Web Content

9
Threats to Networks
  • Two primary categories of threat
  • Denial of Service
  • Loss/Leakage of Sensitive Data

10
Denial of Service (DoS)
  • Definition
  • Flooding a network with useless traffic, to the
    point of slowing or completely interrupting
    regular services
  • Often in combination with groups of other
    remotely-controlled computers
  • a/k/a Bot Nets
  • Result: Distributed Denial of Service (DDoS)

11
Data Loss/Leakage
  • Definition
  • Accidental leaking of sensitive information
    through sent data
  • Refers to the transmission of data which are
    either sensitive or useful in the further
    exploitation of the system through standard data
    channels
  • Result: compromise of data confidentiality
  • Since 2005, more than 200 million victims of data
    breach have been reported!

12
How Things Go Wrong
  • Actively
  • User does something explicit to enable compromise
  • Open an infected email attachment
  • Follow a malicious web link
  • Accept IM-initiated downloads
  • Execute Web 2.0 rogue application
  • Passively
  • Attacker breaks into the user's PC via scans
  • Unpatched operating system
  • Buggy application software
  • Vulnerable open ports
  • Compromised legitimate web sites

13
How Things Go Wrong (cont.)
  • Carelessness
  • 98% of breaches are the result of stupidity or
    inadvertent user action. (IANS, 2007)
  • Actions by Malicious Insiders
  • 1.5% of breaches
  • Efforts by Organized Crime, Industrial Spies, and
    Foreign Government Agents
  • Least Frequent (0.5%), but Most Costly, Most
    Sophisticated, and Most Difficult to Detect and
    Defend Against

14
Who is Most Vulnerable?
  • Those who don't patch regularly and don't keep
    A/V up to date
  • Dial-up Users (but not very appealing to
    attackers)
  • Home Broadband Users
  • University Users
  • Mobile Users

15
Protecting Yourself
  • Patch, Patch, Patch!
  • Use auto-update whenever possible
  • Anti-Virus Software (update daily)
  • Anti-SpyWare Software
  • Personal Firewall Software
  • Set and use good passwords on all accounts
  • How Strong is Your Password?
  • Encrypt Sensitive Data
  • Separate Student and Teacher/Admin Networks

16
Protecting Yourself (cont.)
  • Wireless Networks: Beware!
  • Wireless Routers/Access Points
  • Change default password and default SSID
  • SSID name should be non-trivial
  • Disable broadcasting of SSID if possible
  • Enable WPA/WPA-2 encryption, and change default
    key
  • Enable and use MAC filtering
  • Don't save user IDs and passwords on your hard
    drive
  • Don't Web surf from a privileged account!
  • Turn off auto-run for removable media
  • Practice Safe Internet
  • E-mail attachments
  • Downloads from Questionable Sites (esp. Freeware)
  • Peer-to-Peer Networks: Promiscuous File Sharing

17
10 Tips for Fighting Malware
  • Install (and use!) Anti-Virus Software
  • Install a Personal Firewall
  • Install an Anti-Spyware Tool
  • Patch!
  • Keep Browser Security Settings at Medium or High
  • Just Say "No!" to Orgs You Don't Know/Trust
  • Avoid Browser Search-Help Bars
  • Verify Software Certificates Trusted by Your
    Browser
  • Get a Credit Card Only for Internet Shopping
  • Don't Run Executable E-mail Attachments (Even
    From a Known Source)

18
Have I Been Compromised?
  • How to tell if you've fallen victim
  • Abnormal slowdown in performance
  • Mysterious failures in commonly-used apps
  • Email
  • Web surfing
  • Unexpected popups
  • Mysterious/Unexpected outbound traffic
  • The only sure-fire way to detect a compromise
  • Cleaning a Bot
  • Painful!
  • Requires 8-16 hours of cleanup time
  • Best if done by a professional

19
Data Breach & ID Theft
  • M. G. L. c. 93H and 93I
  • New law went into effect October 31, 2007
  • Civil fine of up to $100 per affected person
  • Executive Order 504
  • Mandatory information security training
  • Effective September 19, 2008
  • Training for current staff within 12 months
  • 201 CMR 17.00
  • Mandates encryption of personal data
  • Effective January 1, 2009

20
Cyber-Breach Poster Children
  • Milton Academy Network Breach (Nov 07)
  • Needham PowerSchool Breach (August 08)
  • GOP Stolen Laptop Unencrypted (September 08)
  • CardSystems Solutions
  • TJX Companies, Inc.
  • CitiFinancial Services
  • Boston College
  • Monster.com
  • Massachusetts DPL
  • Nordea Bank (Sweden)

21
In the News
  • Commonwealth of PA, 1/4/08
  • Network attacked via compromised agency web pages
  • SQL injection used to update DB tables with links
    to malicious website
  • Users who visit the compromised agency's web site are
    silently redirected to a series of malicious web
    pages that try to exploit client-side (i.e.,
    user's) vulnerabilities in a number of
    applications
  • IE, RealPlayer, et al
  • Vulnerable systems become infected with malware
  • An example of drive-by downloads

22
Evolving Threats to Users
  • New and sophisticated forms of attack
  • Customized viruses, self-modifying threats, and
    threats that attack back
  • Attacks targeting new technologies
  • Peer-to-peer and VoIP services
  • Attacks targeting online social networks
  • MySpace, Facebook, YouTube, etc.
  • Attacks targeting online services
  • Especially online banking

23
New Threat: Spamdexing
  • Web Searches!
  • 20% lead to unwanted content or malware sites
  • 80% of search blocks point to offensive content
  • Drive-by Downloads
  • Compromised, legitimate web site silently
    redirects user to malware sites
  • Mitigation: corporate safe web search tool
  • Notify web users of potential risks in real time

24
Resources & References
  • US-CERT (United States Computer Emergency
    Readiness Team)
  • http://www.us-cert.gov/
  • MS-ISAC (Multi-State Information Sharing and
    Access Center)
  • http://www.msisac.org
  • Identity Theft Research Center
  • http://www.idtheftcenter.org

25
Close to Home: a Lesson
  • Analysis completed on October 30, 2007
  • Involved breach of non-secret military network
  • But could happen to anyone
  • Attack vector?
  • New York City public library!

26
NYC Public Library
27
NYC Public Library (cont.)
28
NYC Public Library (cont.)
29
NYC Public Library (cont.)
  • Hidden in the bogus NYPL web page is
  • What's that???


30
NYC Public Library (cont.)
  • What's really there:
  • _id1" style="visibility: hidden; display: none"
  • This redirects user to http://meraxe.com/fsp1/index.php
  • This all happens silently and invisibly!
  • What's at meraxe.com?
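
The hidden element on this slide is the kind of thing a quick triage pass over a saved page can surface. The following is an added example, not part of the original presentation: it flags tags that load a URL from another host while styled invisible (and, going slightly beyond the slide, zero-sized ones). The `iframe` tag, the function names and the `.example` hosts are assumptions; the slide shows only the `id` and `style` attributes.

```javascript
// Added example: triage HTML for tags that load a remote URL while styled invisible.
// Regex-based on purpose (quick triage of saved pages); not a full HTML parser.
const HIDING = [/visibility\s*:\s*hidden/i, /display\s*:\s*none/i];

// Return the value of attribute `name` inside a single tag string, or null.
function attr(tag, name) {
  const re = new RegExp("\\s" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findHiddenLoaders(html, pageHost) {
  const findings = [];
  const tagRe = /<(iframe|frame|embed|object|script|img)\b[^>]*>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[0];
    const url = attr(tag, "src") ?? attr(tag, "data");
    if (!url) continue;
    const style = attr(tag, "style") ?? "";
    // Zero- or one-pixel elements are another common way to hide a frame.
    const tiny = ["width", "height"].some((a) => /^[01](px)?$/i.test(attr(tag, a) ?? ""));
    const hidden = HIDING.some((re) => re.test(style)) || tiny;
    let host;
    try { host = new URL(url, "http://" + pageHost).hostname; } catch { continue; }
    if (hidden && host !== pageHost) {
      findings.push({ element: m[1].toLowerCase(), id: attr(tag, "id"), host, url });
    }
  }
  return findings;
}

// Constructed sample page; hosts are placeholders, the iframe tag is an assumption.
const samplePage = `
<html><body>
<img src="/images/logo.png" width="200" height="60">
<iframe src="http://stats.partner.example/counter" style="display:block"></iframe>
<iframe id="_id1" src="http://redirector.example/landing"
        style="visibility: hidden; display: none"></iframe>
<script src="/js/menu.js"></script>
</body></html>`;

console.log(findHiddenLoaders(samplePage, "www.library.example"));
```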

31
NYC Public Library (cont.)
  • At meraxe.com, we find:
  • function v4726d05808fd9(v4726d058097a8) {
      function v4726d05809f78() { var v4726d0580a748 = 16; return v4726d0580a748; }
      return (parseInt(v4726d058097a8, v4726d05809f78()));
    }
    function v4726d0580af18(v4726d0580b6e8) {
      function v4726d0580ce59() { var v4726d0580d630 = 2; return v4726d0580d630; }
      var v4726d0580beb8 = '';
      for (v4726d0580c68d = 0; v4726d0580c68d < v4726d0580b6e8.length; v4726d0580c68d += v4726d0580ce59()) {
        v4726d0580beb8 += (String.fromCharCode(v4726d05808fd9(v4726d0580b6e8.substr(v4726d0580c68d, v4726d0580ce59()))));
      }
      return v4726d0580beb8;
    }
    document.write(v4726d0580af18('Truncated'));
  • Effects
  • The above code is (silently) downloaded and
    executed
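
The script on this slide reads a hex string two characters at a time, converts each pair to a character and hands the result to `document.write`. The following is an added example, not part of the original presentation: it recovers what such a script would write by decoding the string literal statically, without running the script. The function names, the sample payload and the `stage2.example` host are constructed for illustration.

```javascript
// Added example: recover what a hex-pair "document.write" script would emit,
// by decoding the string literal statically instead of executing the script.
function decodeHexPairs(hex) {
  // Reject anything that is not an even-length run of hex digits.
  if (hex.length === 0 || hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) return null;
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

function analyzeScript(source) {
  const results = [];
  // A quoted hex literal passed through one wrapper function into document.write.
  const callRe = /document\.write\(\s*[\w$]+\(\s*(['"])([0-9a-fA-F]+)\1\s*\)\s*\)/g;
  for (const m of source.matchAll(callRe)) {
    const decoded = decodeHexPairs(m[2]);
    if (decoded === null) continue;
    // URLs in the decoded markup are the next hosts to block or investigate.
    const urls = decoded.match(/https?:\/\/[^\s"'<>]+/gi) ?? [];
    results.push({ decoded, urls });
  }
  return results;
}

// Constructed sample: placeholder markup, hex-encoded the way the slide's script decodes.
// The decoder function definition is omitted; only the call matters for static analysis.
const toHex = (s) => [...s].map((c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const payload = '<iframe src="http://stage2.example/landing"></iframe>';
const sampleScript = "document.write(v1('" + toHex(payload) + "'));";

console.log(analyzeScript(sampleScript));
```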

32
NYC Public Library (cont.)
  • What happened???
  • Downloaded and executed a file (age.exe)
  • Added file c:\WINDOWS\system32\control.dll
  • Added several Registry entries
  • Control.dll is loaded as a Browser Helper Object
    (BHO) when IE is started and becomes a keylogger
  • Deleted itself
  • Effects
  • Control.dll monitors data entered into forms in
    IE
  • Steals user's login credentials for legitimate
    web sites
  • On-line banking, credit cards, eBay, Paypal, etc,
    etc
  • Phones home with stolen data

33
Q & A
  • Summary
  • Protecting yourself is only half the battle
  • Constant vigilance & awareness are a must
  • "Trust, but verify." (Ronald Reagan, quoting an
    old Russian (!) proverb)
  • Questions?