Home >Documents >Computer security, Internet privacy: What should we worry about? Sebastian Lopienski CERN Deputy...

Computer security, Internet privacy: What should we worry about? Sebastian Lopienski CERN Deputy...

Date post:25-Dec-2015
View:213 times
Download:1 times
Share this document with a friend
  • Slide 1
  • Computer security, Internet privacy: What should we worry about? Sebastian Lopienski CERN Deputy Computer Security Officer Polish Teachers Programme, October 2014
  • Slide 2
  • Disclaimer What follows are my opinions and not necessarily those of CERN. Sebastian Lopienski 2
  • Slide 3
  • A cloud hack Digital life of a Wired journalist destroyed in one hour: (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking)http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking Amazon, Apple, Google, Twitter accounts compromised all Apple devices wiped-out remotely 3 Sebastian Lopienski
  • Slide 4
  • A cloud hack How?? call Amazon and add a new credit card needed: name, billing address, e-mail address call again, say you lost password, and add a new e-mail needed: name, billing address, current credit card reset password - get the new one to this new e-mail address login and see all registered credit cards (last 4 digits) call Apple, say you lost password, and get a temp one needed: name, billing address, last 4 digits of a credit card reset Google password - new one sent to Apple e-mail (Apple e-mail was registered as an alternate e-mail) reset Twitter password - new one sent to Google e-mail (Google e-mail was linked to the Twitter account) 4 Sebastian Lopienski
  • Slide 5
  • A cloud hack Multiple security flaws and issues: Interconnected accounts Which one of your accounts is the weakest link? Our full dependence on digital digital information, devices, cloud services etc Very weak identity check procedures and often not even followed correctly some procedures have changed as an outcome of this case enable 2-step authentication (Google, LinkedIn, Apple, ) security questions with answers often trivial to find (remember Sarah Palins yahoo account hack in 2008?) 5 Sebastian Lopienski
  • Slide 6
  • 6 From http://www.bizarrocomics.com Sebastian Lopienski
  • Slide 7
  • E-mail account before e-bank account? 7 From http://elie.im/blog/security/45-of-the-users-found-their-email-accounts-more-valuable-than-their-bank-accounts Sebastian Lopienski
  • Slide 8
  • Passwords lost, or easy to guess Top 10 words used in passwords password welcome qwerty monkey jesus love money freedom ninja writer 8 From http://www.zdnet.com/the-top-10-passwords-from- the-yahoo-hack-is-yours-one-of-them-7000000815/
  • Slide 9
  • Where we are? Outline 9 Sebastian Lopienski Where we are? Who are they? What is ahead?
  • Slide 10
  • Vulnerabilities Sebastian Lopienski 10
  • Slide 11
  • Trying to sell a Yahoo XSS for 700$ Sebastian Lopienski 11
  • Slide 12
  • Selling a Command Execution vulnerability in MS Office for $20k Sebastian Lopienski 12
  • Slide 13
  • Vulnerability market shift Finding vulnerabilities difficult, time consuming Selling to vendors, or publishing (mid 2000s) limited money - 1s-10s thousands$, e.g. Mozilla up to $3000, Google up to $3133.7 vulnerabilities eventually patched (good!) Selling to underground (late 2000s) busy and active black market more profitable 10s-100s thousands of USD sometimes buyers are governments or their contractors used in 0-day exploits (no patch) 13 researchers dont commit crime attackers dont need skills, just money researchers dont commit crime attackers dont need skills, just money Sebastian Lopienski
  • Slide 14
  • Botnets (networks of infected machines) 14 From http://www.f-secure.com/weblog/archives/00002430.html Sebastian Lopienski
  • Slide 15
  • Outline 15 Sebastian Lopienski Where we are? Who are they? What is ahead?
  • Slide 16
  • Who are they? 16 criminals motivation: profit hacktivists motivation: ideology, revenge governments motivation: control, politics Sebastian Lopienski
  • Slide 17
  • Criminals Usual stuff: Identity theft Credit-card frauds Malware targeting e-banking, e.g. Zeus, Gozi etc. Scareware, e.g. fake AV, fake police warnings Ransomware : taking your data hostage (soon: accounts?) Mobile malware, e.g. sending premium rate SMSes Denial of Service (DoS) Spam etc. 17 Sebastian Lopienski
  • Slide 18
  • 2-in-1: Scare and demand ransom 18 From http://www.zdnet.com/sopa-reincarnates-to-hold-your-computer-hostage-7000005684 SOPA is dead but still used by criminals to scare people Sebastian Lopienski It pays off From symantec.com
  • Slide 19
  • Cyber criminals Thai police have arrested Algerian national Hamza Bendelladj wanted by the FBI for allegedly operating the Zeus botnet (e-banking malware) Sebastian Lopienski 19 From http://www.bangkokpost.com
  • Slide 20
  • Gangsters Sebastian Lopienski 20 From krebsonsecurity.com A hacker nicknamed vorVzakone, allegedly related to Gozi malware
  • Slide 21
  • employing mules Become a foreign agent in the US advertisement Sebastian Lopienski 21 From krebsonsecurity.com
  • Slide 22
  • Hacktivists Attacking to protest, to pass the message etc. 22 Sebastian Lopienski
  • Slide 23
  • The Anonymous, LulzSec, many groups, varying agendas, from ideologists to criminals Sebastian Lopienski 23
  • Slide 24
  • Do you know this guy? Sebastian Lopienski 24
  • Slide 25
  • Aaron Swartz A software developer, an open-access activist 2001 (aged just 14!): helped developing RSS 2002: working with Tim Berners-Lee on semantic web 2008: released 20% of the Public Access to Court Electronic Records (PACER) database of United States federal court 2011: arrested for retrieving scientific articles from JSTOR, believed in open access to results of publicly-funded research, risked 35 years of prison / $1m fine sentence 2012: campaigned against the SOPA 2013: committed suicide (because of the ongoing criminal investigation?) Sebastian Lopienski 25
  • Slide 26
  • Google a freedom activist? https://www.google.com/takeaction/ Sebastian Lopienski 26 The same Google that outraged privacy defenders with its new Privacy Policy
  • Slide 27
  • but governments? 27 Sebastian Lopienski
  • Slide 28
  • Spying on (some) citizens Network encryption? Infect computers or go after services Syrian activists PCs infected with Trojans/backdoors Tibetan rights activists often targeted Israel demands e-mail passwords at borders German police infects criminals PCs with Trojans/backdoors buying surveillance code and services for 2M EURO (!) or developing in-house unfortunately, full of security holes 28 From http://www.f-secure.com/weblog/archives/00002423.html Sebastian Lopienski
  • Slide 29
  • PRISM mass online surveillance program Sebastian Lopienski 29
  • Slide 30
  • Privacy vs. control If you are doing nothing wrong, then you shouldnt worry if we watch you. If I am doing nothing wrong, then you shouldnt be watching me! Cryptography/encryption (HTTPS) is still a good defense Sebastian Lopienski 30
  • Slide 31
  • Agencies & contractors turning offensive 31 From F-Secure Sebastian Lopienski
  • Slide 32
  • Agencies & contractors turning offensive Northrop Grumman looks for "Cyber Software Engineer" for an Offensive Cyberspace Operation mission" 32 From http://www.f-secure.com/weblog/archives/00002372.html Sebastian Lopienski
  • Slide 33
  • Stuxnet (the worm that targeted Iranian uranium-enriching centrifuges, discovered 2010) Estimated development effort: 10 man-years Result: sabotage 30,000 Iranian computers infected, some HW damage, nuclear program set back by ~2 years Cui bono? (New York Times, June 2012: a joint US-Israel operation Olympic Games started by Bush and accelerated by Obama) 33 Sebastian Lopienski
  • Slide 34
  • Outline 34 Sebastian Lopienski Where we are? Who are they? What is ahead?
  • Slide 35
  • Does Stuxnet make us all more vulnerable? 35 Sebastian Lopienski http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12
  • Slide 36
  • Thank you 36 Sebastian Lopienski
Popular Tags:

Click here to load reader

Reader Image
Embed Size (px)