Personal Data Security in a Digital World

Post on 02-Nov-2014


Alex Davis, Vice President of Engineering

AllClear ID

Key Points

• Risks of Data Insecurity & Identity Theft
• The Old Standby: Failure of the Password
• Multi-Factor Authentication
• Mobile Risks


What is Identity Theft?

FTC: Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.

Source: FTC.gov

• Types:
– Financial
– Medical
– Criminal
– Identity Cloning

Real Life Examples

Why does Identity Theft happen?

Source: FTC.gov

Failed Authentication

The Old Standby: Failure of the Password

• Online brute-force and dictionary attacks against login forms (Brutus)
• Offline dictionary attacks against leaked password hashes (John the Ripper)
• People use terrible passwords

– Top 3 Gawker passwords:
o 123456
o password
o 12345678

– Top 3 rootkit.com (HBGary) passwords:
o 123456
o password
o rootkit

– 25 Worst Passwords of 2011
• http://tinyurl.com/badpassword

• Best Practice: a password generator/repository, so every site gets a long random password that appears in no dictionary
– PasswordSafe http://passwordsafe.sourceforge.net/
– KeePass http://keepass.info/
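An added example (not from the slides, and not any of the tools named above) of why the "hash-based dictionary attack" on the previous slide is fatal to weak passwords and harmless to generated ones. The leaked password store, the user names and the wordlist are all constructed here; the first store uses a single unsalted SHA-1 per password, which is the kind of scheme many 2010-era sites used, the second uses salted PBKDF2, which is what a site should use.

```python
"""Offline dictionary attack against leaked password hashes (added example)."""
import hashlib
import hmac
import os
import secrets

# Constructed wordlist: the top entries from the Gawker and rootkit.com leaks.
WORDLIST = ["letmein", "123456", "password", "12345678", "rootkit", "qwerty"]


def sha1_hex(password: str) -> str:
    """Unsalted single SHA-1, the weak scheme the leaked store below uses."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: dict, wordlist) -> dict:
    """One hash per candidate word is enough to test it against EVERY user at once,
    because with no salt two users with the same password share the same hash."""
    table = {sha1_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def pbkdf2(password: str, salt: bytes, rounds: int) -> bytes:
    """Salted, iterated hash: the defender's cost per login is one derivation,
    the attacker's cost is one derivation per (user, guess) pair."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_salted_store(users: dict, rounds: int) -> dict:
    """Constructed stand-in for a properly built credential store: user -> (salt, digest)."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, pbkdf2(password, salt, rounds))
    return store


def crack_salted(leaked: dict, wordlist, rounds: int) -> dict:
    """Same attack against the salted store: no shared table, one derivation per guess."""
    found = {}
    for user, (salt, digest) in leaked.items():
        for w in wordlist:
            if hmac.compare_digest(pbkdf2(w, salt, rounds), digest):
                found[user] = w
                break
    return found


def generate_password(nbytes: int = 16) -> str:
    """What a password manager does: 128 bits of randomness, never in any wordlist."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    users = {"alice": "123456", "bob": "password", "carol": generate_password()}
    unsalted = {u: sha1_hex(p) for u, p in users.items()}
    print("unsalted SHA-1:", crack_unsalted(unsalted, WORDLIST))
    salted = make_salted_store(users, rounds=100_000)
    print("salted PBKDF2: ", crack_salted(salted, WORDLIST, rounds=100_000))
```

Both stores give up alice and bob, because the weak passwords are in the wordlist regardless of how they were hashed; carol's generated password is not found in either. The difference between the two schemes is cost: with 100,000 PBKDF2 rounds each guess is roughly a hundred thousand times more expensive than the unsalted SHA-1 lookup, and the salt stops one computation from covering every user.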

The Old Standby, Round 2: Challenge Questions

• When easy enough for you to answer, thieves can answer too
• When difficult enough to defeat thieves, defeats you
• Examples:
– Sarah Palin email hack
– "Mother's Maiden Name"

• Best Practice: If you have to use them, come up with an answer that is not directly related to the question.


Multi-Factor Authentication


• ATM card + PIN
• Biometrics
• OTP tokens
• Cellphone + PIN & VoiceKey

The Rise of the Smartphones

• In 2011, 83% of adults have cell phones
• 42% are smartphones
• 62% for ages 25 – 34
• 68% of smartphone users go online with it every day
• 25% use it as their primary internet access

Sources:
http://www.pewinternet.org/Reports/2011/Smartphones.aspx
http://blog.nielsen.com/nielsenwire/online_mobile/generation-app-62-of-mobile-users-25-34-own-smartphones/


Mobile Risks: Android Phones

• A study by Penn State, Duke University and Intel Labs of 30 of the most popular Android apps found half of them misusing personal information, sending it to advertisers without authorization.
– http://appanalysis.org/

• A recent study by the security company Dasient of 10,000 Android apps found 8% sending personal data to unauthorized servers, some of them also sending unauthorized SMS messages to the user's contacts.

• A mobile "drive-by" attack has been demonstrated: a malicious website installs unauthorized code that can exploit further vulnerabilities, in this case eavesdropping on Skype conversations.
– http://www.dasient.com/

• Android developer Trevor Eckhart reported discovering pre-installed software from Carrier IQ on Sprint and Verizon phones that monitors, collects, and sends personal usage data, including websites visited, search terms used, location data, and "demographic data" (gender, age, sports fan, frequent diner, pet owner, etc.).
– http://androidsecuritytest.com/


Mobile Risks: iPhones

• When iOS 4 was released in 2010, iPhones and iPads started storing up to a year's worth of your timestamped location information in an unencrypted file

• Security researcher Charlie Miller discovered a "trojan horse" iPhone app exploit that lets an App Store app download and execute unrestricted code

• Even official financial apps aren't always safe (http://viaforensics.com/appwatchdog/)
– Wells Fargo stored passwords unencrypted on the phone
– Bank of America app left answers to security questions in plain text on phones
– USAA stored account and transit numbers, balances and payments
– PayPal stored transaction histories unencrypted, including email addresses for both parties


Mobile Risks: Wireless Networks

• WEP Encrypted Networks
– Can be cracked in 15 minutes with a standard Linux laptop (a statistical key-recovery attack, not a dictionary attack: the key falls out of enough captured traffic regardless of how it was chosen)

1. airmon-ng – put the wireless card in monitor mode to capture frames without joining the network
2. airodump-ng – capture wireless data packets
3. aireplay-ng – inject additional traffic (ARP replay) to generate packets faster
4. aircrack-ng – recover the WEP key from the captured packets; the key can be extracted from roughly 10k – 40k packets carrying unique IVs

• WPA/WPA2-PSK Encrypted Networks
– Stronger security, but the pre-shared key is vulnerable to dictionary attacks; cracking takes longer, and how much longer depends entirely on password strength

1. airmon-ng & airodump-ng as above, capturing the client's 4-way handshake
2. aireplay-ng – force deauthentication/reauthentication so a client repeats the handshake
3. aircrack-ng – run a pre-generated password dictionary against the captured handshake


Mobile Risks: Cellular Networks

• GSM Networks (AT&T, T-Mobile) are vulnerable to "IMSI Catchers"
– Spoofs a cellular base station. Intercepts, records, and re-transmits voice calls and text messages
– Typically costs hundreds of thousands of dollars, only available to law enforcement and intelligence agencies
– Security researcher Chris Paget in 2010 was able to build a laptop-based IMSI Catcher from scratch for $1500 (most of the cost was the laptop)
– Encrypted calls are no help: the fake "base station" can simply tell the phone to turn off encryption, and the phone does not alert the user
– Intercepts outbound calls only; incoming calls will go straight to voicemail


Putting it together: “Aerial Cyber Apocalypse”


Richard Perkins and Mike Tassey
http://rabbit-hole.org/

DIY Spy Drone
• Surplus army target practice drone bought online
• 6 ft long, 14 lbs
• 22,000 ft max altitude
• Up to 45 minute flight time
• GPS & Google Maps pre-programmed flight path

Payload – all off-the-shelf parts!
• HD camera
• 32 GB onboard storage
• Wi-Fi hotspot spoofing and penetration
• 340 million word dictionary for brute-forcing passwords
• 4G T-Mobile card
• Spoof GSM cellphone tower to intercept, decrypt, and record calls and text messages

Total project cost: about $6000

Increasing Awareness

• Identity Theft is A) big business, B) damaging, C) caused by a failure to identify the authentic user

• A strong authentication solution is required

• The rising ubiquity of smartphones and wireless networks provides enormous increases in convenience and capability, but also introduces significant new vectors of attack to obtain and expose private information.

Source: ITRC

“Often the hardest part of cryptography is getting people to use it…It's hard to build a system that provides strong authentication on top of systems that can be penetrated by knowing someone's mother's maiden name.” – Bruce Schneier, Applied Cryptography