Computer security, Internet privacy: What should we worry about?
Sebastian Lopienski, CERN Deputy Computer Security Officer
Polish Teachers Programme, October 2014

Disclaimer
What follows are my opinions and not necessarily those of CERN.

A cloud hack
Digital life of a Wired journalist destroyed in one hour:
(http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking)
- Amazon, Apple, Google, Twitter accounts compromised
- all Apple devices wiped out remotely
A cloud hack
How?
1. Call Amazon and add a new credit card
   needed: name, billing address, e-mail address
2. Call again, say you lost the password, and add a new e-mail address
   needed: name, billing address, a current credit card (the one just added)
3. Reset the password: the new one is sent to this new e-mail address
4. Log in and see all registered credit cards (last 4 digits)
5. Call Apple, say you lost the password, and get a temporary one
   needed: name, billing address, last 4 digits of a credit card
6. Reset the Google password: the new one is sent to the Apple e-mail
   (the Apple e-mail was registered as an alternate e-mail)
7. Reset the Twitter password: the new one is sent to the Google e-mail
   (the Google e-mail was linked to the Twitter account)
A cloud hack
Multiple security flaws and issues:
- Interconnected accounts: which one of your accounts is the weakest link?
- Our full dependence on the digital: digital information, devices, cloud services etc.
- Very weak identity check procedures, often not even followed correctly
  - some procedures have changed as an outcome of this case
  - enable 2-step authentication (Google, LinkedIn, Apple, ...)
  - security questions with answers often trivial to find (remember Sarah Palin's Yahoo account hack in 2008?)
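The "which account is the weakest link?" question can be answered mechanically: model every account's recovery procedure as an edge ("controlling A is enough to reset B") and compute what an attacker reaches from each starting point. The following is an added example, not code from the talk; the graph is constructed from the Amazon -> Apple -> Google -> Twitter chain described above, the account names are illustrative, and enabling 2-step verification is modelled (an assumption) as removing every edge into that account, since e-mail or phone access alone no longer passes its check.

```python
"""Account-recovery dependencies as a directed graph: find the weakest link.

An edge A -> B means: controlling A (or the data it exposes) is enough to
pass B's password-reset or identity check. Sample graph constructed from
the chain on the slide; "public" stands for information anyone can find
(name, billing address).
"""
from collections import deque

# Constructed sample of what each account's recovery procedure accepts.
RECOVERY_EDGES = {
    "public":  ["amazon"],   # phone support accepts name + billing address
    "amazon":  ["apple"],    # Amazon shows last 4 digits of a card; Apple accepts them
    "apple":   ["google"],   # Apple e-mail is Google's alternate (recovery) address
    "google":  ["twitter"],  # Google e-mail is Twitter's recovery address
    "twitter": [],
}


def reachable(graph, start):
    """Accounts an attacker controls after gaining `start` (excluding start)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def weakest_links(graph):
    """Accounts ranked by blast radius: how many other accounts fall with them."""
    accounts = [a for a in graph if a != "public"]
    ranking = sorted(accounts, key=lambda a: (-len(reachable(graph, a)), a))
    return [(a, sorted(reachable(graph, a))) for a in ranking]


def with_second_factor(graph, account):
    """Copy of the graph where `account` no longer accepts a reset via e-mail
    or phone alone: all edges INTO it are removed (assumed model of 2-step)."""
    return {src: [d for d in dsts if d != account] for src, dsts in graph.items()}


if __name__ == "__main__":
    print("From public information only, attacker gets:",
          sorted(reachable(RECOVERY_EDGES, "public")))
    for acct, falls in weakest_links(RECOVERY_EDGES):
        print(f"{acct:8s} -> also loses {falls}")
    hardened = with_second_factor(RECOVERY_EDGES, "google")
    print("After 2-step on Google, from public information:",
          sorted(reachable(hardened, "public")))
```

The ranking shows that the account with the weakest check (Amazon, reachable with public information) carries the largest blast radius, and that a second factor on one hub account (Google) cuts the chain before it reaches Twitter.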
From http://www.bizarrocomics.com

Children warned name of first pet should contain 8 characters and a digit
"Popular pet names Rover, Cheryl and Kate could be a thing of the past. Banks are now advising parents to think carefully before naming their child's first pet. For security reasons, the chosen name should have at least eight characters, a capital letter and a digit. It should not be the same as the name of any previous pet, and must never be written down, especially on a collar as that is the first place anyone would look. Ideally, children should consider changing the name of their pet every 12 weeks."
http://www.newsbiscuit.com/2012/06/08/children-warned-name-of-first-pet-should-contain-8-characters-and-a-digit/
E-mail account before e-bank account?
From http://elie.im/blog/security/45-of-the-users-found-their-email-accounts-more-valuable-than-their-bank-accounts
BTW, why do people reply this way? Because they realise how important their e-mail account is, and how many other services/accounts depend on its security? Or rather because they believe banks will help them with any e-banking issue (and they are often right), while they are on their own with any e-mail account issues?
See also: http://www.schneier.com/blog/archives/2012/06/e-mail_accounts.html

Passwords lost, or easy to guess
Top 10 words used in passwords (from the 2012 Yahoo leak):
1. password
2. welcome
3. qwerty
4. monkey
5. jesus
6. love
7. money
8. freedom
9. ninja
10. writer
From http://www.zdnet.com/the-top-10-passwords-from-the-yahoo-hack-is-yours-one-of-them-7000000815/
See also:
http://ieeelog.com/
http://www.zdnet.com/450000-user-passwords-leaked-in-yahoo-breach-7000000772
http://www.schneier.com/blog/archives/2012/10/keccak_is_sha-3.html
http://codahale.com/how-to-safely-store-a-password/
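The lists above only became public because the leaked databases stored passwords in a form that was trivial to reverse, which is the point of the "how to safely store a password" reference. This added example (not code from the talk or from the cited articles) contrasts the two storage schemes: with an unsalted fast hash, one precomputed table of the ten words cracks every user who chose one of them at once; with a per-user random salt and a memory-hard function (scrypt from Python's standard library, assumed here as the slow hash), every user and every guess costs a full computation. The user records are constructed, not real leak data.

```python
"""Unsalted fast hash vs. salted slow hash, tried against the slide's top-10 list.
Added example; user records below are constructed, not real leak data.
"""
import hashlib
import hmac
import os

TOP10 = ["password", "welcome", "qwerty", "monkey", "jesus",
         "love", "money", "freedom", "ninja", "writer"]


# --- Weak scheme: one unsalted SHA-256 per user ------------------------------
def weak_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(db, wordlist):
    """One table, computed once, cracks every user sharing a listed password,
    because identical passwords give identical hashes in every leak."""
    table = {weak_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}


# --- Sound scheme: per-user random salt + memory-hard scrypt -----------------
N, R, P, DKLEN = 2 ** 14, 8, 1, 32   # work factors: 16 MiB per guess (assumed parameters)


def strong_hash(password, salt=None):
    """Self-describing record: scheme$n$r$p$salt$key, so parameters can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"


def strong_verify(password, stored):
    _, n, r, p, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_salted(db, wordlist):
    """No shared table is possible: every (user, guess) pair costs a full scrypt."""
    return {user: w for user, stored in db.items()
            for w in wordlist if strong_verify(w, stored)}


if __name__ == "__main__":
    # Constructed sample records
    weak_db = {"alice": weak_hash("qwerty"), "bob": weak_hash("qwerty"),
               "carol": weak_hash("c0rrect-h0rse-battery")}
    print("unsalted SHA-256, cracked at once:", crack_unsalted(weak_db, TOP10))
    strong_db = {"alice": strong_hash("qwerty"), "carol": strong_hash("c0rrect-h0rse-battery")}
    print("salted scrypt, one scrypt per guess per user:", crack_salted(strong_db, TOP10))
```

Salting does not rescue a user who chose "qwerty" (the guess still succeeds), but it removes the shared precomputed table and the slow function makes each guess expensive, so a leak of the database no longer exposes every weak password in seconds.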
Outline
- Where are we?
- Who are they?
- What is ahead? (What next? / What to expect? / Where will this take us?)

Where are we?
Trying to sell a Yahoo XSS for $700
"The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users."

Selling a Command Execution vulnerability in MS Office for $20k
http://www.youtube.com/watch?v=pKhulHEFrR0

Vulnerability market shift
- Finding vulnerabilities is difficult and time consuming
- Selling to vendors, or publishing (mid 2000s)
  - limited money: thousands to tens of thousands of dollars, e.g. Mozilla up to $3,000, Google up to $3,133.70
  - vulnerabilities eventually patched (good!)
- Selling to the underground (late 2000s)
  - busy and active black market
  - more profitable: tens to hundreds of thousands of USD
  - sometimes the buyers are governments or their contractors
  - used in 0-day exploits (no patch available)
- researchers don't commit crime
- attackers don't need skills, just money
References:
http://googleonlinesecurity.blogspot.ch/2010/11/rewarding-web-application-security.html
http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html
https://www.facebook.com/security/posts/238039389561434
https://www.mozilla.org/security/bug-bounty.html
Another threat: a programmer in a software company now has an incentive to plant or leave a security bug, and sell it later
Botnets (networks of infected machines)
From http://www.f-secure.com/weblog/archives/00002430.html
A US court allowed Microsoft to take control of 3322.org, which hosted 70k subdomains used for serving malware (discovered because some computers were sold with pre-installed Windows already infected with the Nitol malware). Within hours, 35M (!) unique IP addresses contacted these subdomains.
http://krebsonsecurity.com/2012/09/malware-dragnet-snags-millions-of-infected-pcs/
BTW, some researchers and law enforcement agencies were not happy with MS taking such unilateral actions.
Who are they?
motivation: control, politics

Criminals
Usual stuff:
- Identity theft
- Credit-card fraud
- Malware targeting e-banking, e.g. Zeus, Gozi etc.
- Scareware, e.g. fake AV, fake police warnings
- Ransomware: taking your data hostage (soon: accounts?)
- Mobile malware, e.g. sending premium-rate SMSes
- Denial of Service (DoS)
- Spam
- etc.
Zeus + P2P -> GameOver infections -> banks
http://www.f-secure.com/weblog/archives/00002424.html
http://www.f-secure.com/weblog/archives/00002421.html
2-in-1: Scare and demand ransom
From http://www.zdnet.com/sopa-reincarnates-to-hold-your-computer-hostage-7000005684
SOPA is dead but is still used by criminals to scare people
It pays off
From symantec.com
http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/

Cyber criminals
Thai police have arrested Algerian national Hamza Bendelladj, wanted by the FBI for allegedly operating the Zeus botnet (e-banking malware)
From http://www.bangkokpost.com
"Mr Bendelladj, who graduated in computer sciences in Algeria in 2008, has allegedly hacked private accounts in 217 banks and financial companies worldwide, amassing 'huge amounts' in illicit earnings. With just one transaction he could earn 10 to 20 million dollars. He's been travelling the world flying first class and living a life of luxury."

Gangsters
From krebsonsecurity.com
A hacker nicknamed vorVzakone, allegedly related to the Gozi malware
http://krebsonsecurity.com/2012/10/project-blitzkrieg-promises-more-aggressive-cyberheists-against-u-s-banks/

Employing mules
"Become a foreign agent in the US" advertisement
From krebsonsecurity.com
http://krebsonsecurity.com/2012/11/online-service-offers-bank-robbers-for-hire/

Hacktivists
Attacking to protest, to pass a message etc.
Anonymous, LulzSec, many groups, varying agendas, from ideologists to criminals

Do you know this guy?
Aaron Swartz
A software developer, an open-access activist
- 2001 (aged just 14!): helped develop RSS
- 2002: working with Tim Berners-Lee on the semantic web
- 2008: released 20% of the Public Access to Court Electronic Records (PACER) database of United States federal court documents
- 2011: arrested for retrieving scientific articles from JSTOR; believed in open access to the results of publicly funded research; risked a sentence of 35 years in prison / a $1m fine
- 2012: campaigned against SOPA
- 2013: committed suicide (because of the ongoing criminal investigation?)
http://en.wikipedia.org/wiki/Aaron_Swartz
http://www.economist.com/blogs/babbage/2013/01/remembering-aaron-swartz?fsrc=scn/tw_ec/commons_man

Google a freedom activist?
https://www.google.com/takeaction/
Spying on (some) citizens
- Network encryption? Then infect the computers, or go after the services instead
- Syrian activists' PCs infected with Trojans/backdoors
- Tibetan rights activist