Post on 04-Dec-2014
Stealing Your Identity
FAST FACTS
What you don’t know can cost you your “life”
Interaction is Good
• Please ask questions as we go, others may benefit from your query
• No such thing as a stupid question – This is a very difficult subject
• Let’s try to stay on topic, but side discussions are welcome
Overview
• Introduction
• Current situation – How bad is it really?
• How does ID theft happen
• Why should you protect your information
• How does ID theft affect you
• How to protect your information
• What to do if you are a victim of ID theft
Introduction
Why trust me?
• More than 25 years of experience in security
• Industry Certified
– CISSP
– CISM
– ISSAP
– ISSMP
– CEH
– IAM
– IEM
Why Alternate Identity
• Anonymous
• Financial Gain
• Revenge
Your Identity
• Social Security Number
• Passport
• Birth Certificate
• Drivers License
• Diploma
• Credit Cards
• Bank Accounts
Methods
• Obtaining New Identity
• Inheriting Identity
• Stealing Identity
Obtaining Social Security Numbers
• New SSN
– Through Identity Theft
– Juvenile Application Method
– International Citizens
– Witness Protection Program
International Citizens
• Genuine Passports
– Dominica and St. Kitts/Nevis
– Venezuela
• Camouflage Passports
– British Honduras
– Zanzibar
– New Granada
– Rhodesia
• Lottery
New SSN Through Identity Theft
• Police Reports
• Credit Reports
• FTC Reports
• Name Changes
Other Identifications
• Drivers License
• Professional ID
• Birth Certificate
• Credit Cards
• Degrees and Certificates
– Life Experience Degree
– Rocheville University
The Address
• PO Boxes, public or private
• Rural Routes
• International Addresses
• Property
– Private
– Industrial
– Vacant
– Office buildings
– Broom closets
• Other
Stealing an Identity
• Postal System
• Shoulder Surfing
• Garbage
• Hacking
• Social Engineering
• Inheritance
Stealing an Identity
Finding the SSN
– Mail System
– Purchasing
• Terminally ill
– Public Records
• DMV
• Tax records
– Internet
• www.bestpeoplesearch.com
• www.docusearch.com
• www.gum-shoes.com
• www.secret-info.sslrx.com
• www.zabasearch.com
• www.familytreesearcher.com
Part II
How Bad is it…
• ID Theft – FBI/FTC #1 Crime – Very real threat
• Federal and state agencies are passing the buck
• Scans and mass mailers will find you
• Scanning and hacking systems are freely available on the internet
• General weak information security practices everywhere
• The Internet is NOT the most common vector – Physical theft is a much greater risk
• Hackers, criminals and even terrorists are actively looking for you
• Watch out for scams
Hacking on the Internet
Google search results:
– Hacker: 12,500,000 hits
– Hacking Windows 2000: 271,000 hits
– Hacker tools: 757,000 hits
– Hacking tools: 697,000 hits
– Hacking Microsoft: 545,000 hits
– Hacking Linux: 12,290,000 hits
– Hacking Mac: 266,000 hits
– Hacker Exploits: 103,000 hits
– Computer Vulnerabilities: 403,000 hits
SPAM Dominates Internet Traffic
In April of 2004, SPAM topped 82% of all U.S. email.
• Spam is estimated to cost U.S. corporations in excess of $10 billion in lost productivity.
Cost categories (slide graphic): Reputation, Money, Diversion of Resources, Legal and Regulatory
The VIRUS Threat
95% of all businesses are affected by viruses each year.
• By number, there are well over 100,000 known computer viruses.
• Variations of 180 of the most potent viruses pose the greatest threat.
• Viruses are no longer “recreational” but a growing tool of organized criminals who use “zombie” computers.
The ZOMBIE Threat
Hackers don’t use their own computer systems.
HACKERS USE YOUR COMPUTERS.
More and more hackers are gaining access to large entities by entering through a small business or home computer system.
Shortened Response Time
Writers of malicious code are developing viruses as soon as weaknesses become apparent.
• January 2003 – The Slammer virus appears several months after Microsoft releases a patch for a vulnerability.
• August 2005 – "IRCBOT.WORM" and "RBOT.CBQ" surface, exploiting flaws announced by Microsoft less than five days prior.
Why Hack any Business ?
Because we have made it easy and it is the most inconspicuous way to hack.
• Inadequate or no firewalls to overcome
• Easy or no passwords
• No Intrusion Detection systems
The vast majority of businesses and home users are completely unprotected and ignorant.
Phishing
Valued Citibank client
In our bank we value our clients and money, thats why we have to upgrade our database. The upgrade requires our costumers to update their debit/credit card information to avoid problems in our ATM services.
The reson to this upgrade is that we want to be well prepared for the smartcard upgrade on VISA creditcards. The smarcards reads a different type of encryption from our databases wich is more secure than the old type.
Please update your debit/credit card information as soon as possible.
Click on this link to verify: http://www.securityupdate.citibank.com/secure/
The 7 Top Errors in Addressing Risks
7. Fail to realize the value of their information and organizational reputations.
6. Pretend the problem will go away if they simply ignore it.
5. Use technology as a fix and not a solution.
4. Fail to fully design, develop and implement an IT Plan.
3. Address Security and Disaster Recovery as an afterthought, “something we can add later”.
2. Believe that “it” will never happen to them!
1. Treat IT and Security as an expense, not an investment.
100% Security vs. Reality
• No “Silver Bullet”
• Requires constant vigilance
• Nothing is truly secure
• Tradeoff of functionality/convenience
• More security = Higher cost
How Does ID Theft Happen
• Criminals get information through businesses
– Stealing employee records
– Bribing to access these records
– Hacking into organizations’ computers
• Types of information that can be stolen
– Names
– Addresses
– Date of birth
– Social security numbers
– Phone numbers
– ID cards (passport, driver license, bank card, more…)
– Passwords (mother’s maiden name, PIN codes, more…)
– Credit Cards
Theft
• Steal wallets and purses
– containing ID, credit cards, bank cards, checks
• Steal personal information from your home
• Steal mail from your mailbox
– Pre-approved credit offers, new checks, bank statements, tax info, social security info…more…
Dumpster Diving
• Criminals rummage through trash to obtain:
– Credit card applications
– Bills
– Bank statements
– Sticky Notes
– Other valuable documents
Social Engineering
• Criminals pose as:
– Government Officials
– Legitimate business people
• Cable Company
• Online Provider
• Phone Company
Who and Why
• Who
– Prior criminals branching out
– First time criminals
– Neighbors
– Co-Workers
– Friends and Family
• Why
– Financial gain
– Revenge
– Challenge
How does ID theft affect you
• Impacts associated with ID theft…
– Loss of funds
– Negative impact to credit rating
– Loss of time
– Denied jobs
– Denied loans
– Tickets and warrants
– Check writing privileges
How to protect your information
• Protection software
• Protection hardware
• Passwords
• E-mail security
• Web browser security
• Internet purchasing security
• Encryption
• Secure deletion (guard your trash)
• Snail mail security
• Credit card and check security
• Telephone security
Electronic Information Security
• Protection hardware
• Protection Software
• Patch, Patch, Patch
• Use strong passwords
• Encrypt where feasible
• Beware of free credit reports
• Don’t give out valid information via e-mail, web or otherwise – fake it when you can.
The Ring (Fortress Model)
• Think of walls around a fortress or castle
• Never put an unprotected system on the internet – you are an accident waiting to happen.
• Not protecting systems may become a crime – Due Care Act 1977
Layers of the ring (slide diagram):
– Hardware Firewall
– Software (Personal) Firewall
– Anti-Virus
– Spyware/Adware Blocker
– Hardened System
Protection Software
• Personal firewalls
• Anti-virus
• Spyware/Adware blockers
• Others
– Content filters
– Pop up blockers
– Cookie crushers
– History scrubbers
Protection Hardware
• Hardware Firewalls
– Routers/modems
– VPN
– Wireless
• USB Tokens
• 2-Way Authentication
• Biometrics
Internet Purchasing Security
• Get a “webmail” (or otherwise separate) account for all personal transactions
– keeps primary e-mail cleaner and less noisy
– More than one may be needed
• Only use credit cards with fraud protection
• Consider using “one-time” credit card numbers
• Use strong passwords
E-mail Security
• Use special/restricted account for financial activity
• Don’t “unsubscribe” to spam
• Watch for “phishing” and other online scams
– Microsoft
– Paypal, Ebay
– Various banks
• Trust no one – even friends/family
• Learn attachment types
– (*.exe, *.zip, *.com, *.bat, *.scr…)
• Concerned? Just don’t open it!
Web Browser Security
• You can easily be hacked through your web browser – Quickly becoming most common threat factor
• Don’t click “OK/Yes” on any prompt without reading it very carefully
• Don’t click on pop-ups; use Alt+F4 to close them (Alt+Tab to reach pop-unders)
• Clean out cookies regularly
• Do not allow browser to store passwords
• Ensure “padlock” is visible before entering any sensitive information
• Consider an “alternate” browser such as Firefox
Encryption
• Password safes
– Store all passwords in a safe location accessed by a single password
– Hold multiple safes in one location
• File encryption
– Encrypt specific files
– Encrypt entire drives or partitions
• E-mail encryption (PGP, GnuPG)
– Encrypt content attached to e-mail
– Encrypt entire e-mail
Secure Deletion
• Donating to charity?
• Giving your old system to friends?
• Throwing away an old hard drive?
– Don’t forget to scrub your data
• What is in your garbage?
– Purchase a shredder
Snail Mail Security
• Don’t leave mail in mailbox for long periods of time
• Lock your mailbox if you can
• Pay online or direct debit/deposit if you can
• Shred all sensitive information with a cross-cut shredder – even free offers
• Request non-SSN unique identifiers for all bills
• Periodic change of address form, just to be safe
Check Security
• Use initials on checks instead of first name
• Only use the last 4 digits of your credit card number in the “For/Memo” space when paying the credit card company by check
• Use work phone number and address on checks instead of home number (or use PO Box – even better!)
• Never put your SSN on your checks
• Shred any voided check
Tip: photocopy all items in your wallet and keep on file…
Credit Card Security
• Write down all toll free numbers
• Don’t sign credit cards, use “PHOTO ID REQUIRED” instead
• Handle credit card receipts carefully – like cash
• Shred all pre-approved offers
• Shred all unused credit card checks
• Shred anything with account info/number
Telephone Security
Cord vs. Cordless phones…
• Encrypted handset-to-base is the only secure cordless (not cell/mobile) phone
• Wireless/cordless traffic is easy to “scan”
• Digit grabbers capture touchpad entries
Mobile/Cell phones…
• Mobile/cell traffic is easy to intercept
• Bluetooth issues for mobile/cell phones
– Viruses, DoS, Cross-talk
– War-nibbling, Snarfing
• Phone scams
– a.k.a. Social Engineering
– “Yes/No” recording
– Fake charities
– Phone phishing
Wireless Security
• Use Encryption
• Log events
• Use MAC addressing
• Upgrade to WPA
Home Network Security Checklist
• Use a hardware firewall
• Use a software firewall (w/IDS)
• Patch, patch, patch – automatically…
• Use anti-virus – and keep it updated (or auto-update)
• Use a spyware/adware blocker
• Harden operating system
– Don’t use Admin account by default; assign specific users
– Strong passwords; upper and lower case, numbers, special characters
– Disable unnecessary services
• Test your system periodically
– Microsoft Baseline Security Analyzer
– GRC – Shields Up!
• Configure wireless to be “secure”
– Strong WEP key
– MAC address restrictions
– “Wardriving” happens…
What To Do If You’re A Victim
• Contact all creditors – immediately!
– Change account information/number
– Remove SSN as identifier
– Establish a password, if possible
• Contact Credit Bureaus and get a Fraud Alert put on your account
– Experian, Equifax, Trans Union
• Contact Federal agencies
– Social Security Administration, Federal Bureau of Investigation, Federal Trade Commission, Secret Service, etc…
• Contact Police, FBI
• Contact your Legislators
• Monitor all accounts very closely (daily)
What To Do If You’re A Victim
• Create a checklist and log
– Document all agencies and companies contacted
– Document exactly what they are going to do to remedy your issue and when they expect to have it done (verify)
– Get name of contact person you speak with every time you call – it may change
– Record every phone number you call and if you get transferred, write down the new number
– Record time, number and duration of calls
– Take extensive notes or record conversation
– Be persistent! Ask to speak with a supervisor. Don’t take “no” for an answer unless you absolutely have to
Fraud Reporting Resources
• Experian (formerly TRW)
– http://www.experian.com – 888.397.3742
• Equifax
– http://www.equifax.com – 800.525.6285
• Trans Union
– http://www.transunion.com – 800.680.7289
• Social Security Administration
– http://www.consumer.gov/idtheft/ – 800.269.0271
• Federal Trade Commission
– https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03 – 1.877.IDTHEFT (438.4338)
• Federal Bureau of Investigation
– http://www.fbi.gov
• Secret Service
– http://www.ustreas.gov/usss
Microsoft Security Resources
• Microsoft Update Center
– http://v4.windowsupdate.microsoft.com/en/default.asp
• Microsoft Security Center
– http://www.microsoft.com/security/
• Microsoft Office Updates
– http://office.microsoft.com/productupdates
• Microsoft Security Bulletin Service
– http://www.microsoft.com/technet/security/bulletin/notify.asp
• Microsoft Security Tools and Checklists
– http://www.microsoft.com/technet/security/tools/tools.asp
• Microsoft Baseline Security Analyzer
– www.microsoft.com/technet/security/tools/tools/MBSAHome.ASP
• Microsoft HFNetCheck
– http://www.microsoft.com/technet/security/tools/tools/hfnetchk.asp
Other Security Resources
• US CERT – US Computer Emergency Response Team
– http://www.us-cert.gov/
• The I3P – Security in the News
– http://www.thei3p.org/news/today.html
• DHS Daily Report – Department of Homeland Security daily report
– http://www.nipc.gov/dailyreports/dailyindex.htm
• SANS Internet Storm Center – Internet “weather report”
– http://www.incidents.org
• Packet Storm – Security Information site
– http://www.packetstormsecurity.net
• Security Tracker – Comprehensive list of all known vulnerabilities
– http://www.securitytracker.com
• World Virus Map – Interactive map of all current viruses
– http://www.trendmicro.com/map
• Security Focus
– http://www.securityfocus.com
Hackers’ password cracking tools decode:
• Over the network tools = 3–4000 words per min
• On the local computer = 1.4 MM passwords per 4 min
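A worked example, added here and not part of the original talk, that turns the two guessing rates above into time-to-exhaust figures for the password policy the home-network checklist recommends (upper and lower case, numbers, special characters). The network rate is assumed to be 3,500 guesses/min (the slide says 3–4000); the character-class sizes and the policy labels are this example's own.

```python
"""Added worked example (not from the original talk): how long the guessing
rates quoted on the slide take to sweep a password keyspace, and why the
talk's "upper and lower case, numbers, special characters" advice matters.
Rates are read from the slide: 3-4000 guesses/min over the network (3,500
assumed here) and 1.4 MM guesses per 4 minutes on the local machine.
"""
from __future__ import annotations

from dataclasses import dataclass

ONLINE_GUESSES_PER_MIN = 3_500             # slide: 3-4000 words per min (assumed 3,500)
OFFLINE_GUESSES_PER_MIN = 1_400_000 // 4   # slide: 1.4 MM passwords per 4 min
MINUTES_PER_DAY = 60 * 24

# Sizes of the printable-ASCII character classes a password policy can require.
CHAR_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


@dataclass(frozen=True)
class CrackEstimate:
    keyspace: int         # number of candidate passwords
    online_days: float    # days to try them all at the network rate
    offline_days: float   # days to try them all on the local machine


def keyspace_size(length: int, classes: tuple[str, ...]) -> int:
    """Distinct passwords of `length` characters drawn from the union of `classes`."""
    alphabet = sum(CHAR_CLASSES[c] for c in classes)
    return alphabet ** length


def dictionary_minutes(words: int, rate: int = ONLINE_GUESSES_PER_MIN) -> float:
    """Minutes to try every word of a dictionary at `rate` guesses per minute."""
    return words / rate


def estimate(length: int, classes: tuple[str, ...]) -> CrackEstimate:
    """Worst case (full sweep) for a brute-force attack; the average is half of this."""
    space = keyspace_size(length, classes)
    return CrackEstimate(
        keyspace=space,
        online_days=space / ONLINE_GUESSES_PER_MIN / MINUTES_PER_DAY,
        offline_days=space / OFFLINE_GUESSES_PER_MIN / MINUTES_PER_DAY,
    )


if __name__ == "__main__":
    print(f"100,000-word dictionary over the network: {dictionary_minutes(100_000):.0f} min")
    for length in (6, 8, 12):
        for classes in (("lower",), ("lower", "upper", "digit"), tuple(CHAR_CLASSES)):
            e = estimate(length, classes)
            print(f"len={length:2d} {'+'.join(classes):<26} keyspace={e.keyspace:.2e} "
                  f"online={e.online_days:.3g} d  offline={e.offline_days:.3g} d")
```

The dictionary case is what makes a common word fall in under an hour even at the slower network rate; the brute-force table shows that each extra character class and each extra character of length multiplies the sweep time, which is the whole case for the checklist's password rule.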
Security Alert Overload
The average Security Professional spends 2.5 hours a day tracking information.
• 1997 – Internet Security Systems X-Force reported an average of 20 vulnerabilities a month.
• 2004 – Symantec documented more than 1,237 new vulnerabilities between Jan. 1 and June 30, an average of 48 new vulnerabilities per week. 70% were considered easy to exploit, and 96% were considered moderately or highly severe.
CEBIC Technologies, Inc.
Protecting your networks and your data
• Managed Virus Services
• Symantec, McAfee, TrendMicro system-wide updating
• Configuration
• Live updates
• Subscriptions
• Managed Intrusion Detection
• Intrusion detection and protection services (Patching)
• File sharing: Permissions, Encryption, Passwords
• Content Management: Anti-Spyware Management
• Hardware firewalls
• Computer Network Systems Health Monitoring
CEBIC Technologies Inc.