Visual hacking (ec)

Date post: 13-Apr-2017
Upload: bradley-w-deacon

Transcript
Page 1: Visual hacking (ec)

Visual Hacking

Bradley W. Deacon

Page 2: Visual hacking (ec)

Bradley W. Deacon

Session Speaker: Bradley W. Deacon

Bradley is a former Federal Agent and was one of the first members of the Australian Federal Police Computer Crime Unit Sydney where in 1995 his team was successful in having the first jail sentence imposed on a computer hacker.

Bradley is a qualified non-practising lawyer focussing on Cyber related Law, with degrees in criminal justice, law, and postgraduate studies in Criminology and Law. Additionally, Bradley has a Postgraduate Certificate in Distance Ed specialising in Digital Delivery from Penn State University. Bradley also has a Master's in National Security with his thesis centred around digital technology: “Evolving Digital Technology Terrorist Financing & The Threat To U.S National Security”.

As a cyber bullying and stalking advocate, Bradley was approached by VCAT in 2014 to design and facilitate delivery of a social media awareness package in 2015 for Victorian Court Staff and the Judiciary and was recently a keynote speaker at the Say No 2 Bullying Conference on the Gold Coast.

Bradley lectures at several Australian Universities and colleges in a variety of Cyber related Law units and justice units and is about to undertake a PhD in Social Media by ‘publication’.

Page 3: Visual hacking (ec)

Session Outline: Learning Outcomes

• Background to visual hacking (shoulder surfing)
• Types of visual hacking
• Corporate espionage
• Internal office visual control mechanisms to minimize visual hacking
• External visual control mechanisms to minimize visual hacking

Page 4: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Telephone Calling Cards, Early 1990’s

● Cards linked back to home/business phone account
● When away from home/business, key in card # and PIN #
● Calls billed to home/business account
● Option to key it in from phone or call an operator and pass on card details and PIN #
● Several vulnerabilities resulted from such practice

Page 5: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Vulnerabilities

● Travellers would use pay phones at bus terminus, airports, railway stations, shopping centres, casinos, hotel lobbies

● Criminal gangs would hover around such pay phone locations and pretend to be on an adjoining phone

● Victim would call the operator and pass on details of the card, which the ‘shoulder surfer’ would note down, or film the details being entered; at this point the card is compromised

Page 6: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Black Market For Card Details

● Calling card access details very attractive on black market

● Compromised card holder usually only received a phone bill once a month

● Depending on the billing cycle, a card could be ‘live’ for up to 30 days or more

● Shoulder surfer would on-sell the card details for as low as $20

● Sold usually at locations where card can be demonstrated to work

Page 7: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Cost of Compromise

● Usually the person who bought the card details would also on-sell the card for a profit, hundreds of times over

● The domino effect of such a compromise amounted to phone bills for hundreds of thousands and even millions of dollars being delivered to card owner

● Simultaneous calls were made to all corners of the globe at a time when international calls were anywhere between $2 per minute and $8 per minute

Page 8: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Lack of Safeguards In Place By Phone Company

● As one card was connected at hundreds of locations simultaneously phone companies failed to have safeguards in place to detect such activity

● As a result of the scenario in the infographic on the next slide, a recommendation report was put forward to the phone companies to implement security safeguards to detect simultaneous use of one card

Page 9: Visual hacking (ec)

History & A Case Study Of Visual Hacking

Page 10: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: A Simple Solution That Eliminated The Issue

● Safeguards implemented by the phone companies were not expensive to roll out

● Provided a barrier that prevented card from being used simultaneously

● Customer education was also a key component of the phone companies’ strategy

● As a result of this proactive fraud-reduction activity, companies that were becoming more reliant on computers in the early 90’s started to treat security as a front-of-mind process
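The safeguard described on the two slides above (detecting one card in use from several locations at once, and refusing a new call while the card is already in use elsewhere), as an added example in Python that is not part of the presentation; the call records, card numbers and location ids are constructed placeholders, and the limit of one origin per card at a time is an assumption.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# card: calling-card number; origin: payphone / location id (constructed values)
Call = namedtuple("Call", "card origin start end")

def peak_concurrent_origins(calls):
    """Map each card to the peak number of distinct origins with a call active at once."""
    events = defaultdict(list)
    for c in calls:
        # -1 sorts before +1 at equal timestamps, so back-to-back calls are not concurrent
        events[c.card].append((c.start, +1, c.origin))
        events[c.card].append((c.end, -1, c.origin))
    peaks = {}
    for card, evs in events.items():
        active = defaultdict(int)  # origin -> calls currently in progress there
        busy_origins = peak = 0
        for _, delta, origin in sorted(evs):
            before = active[origin]
            active[origin] += delta
            if before == 0 and delta == 1:
                busy_origins += 1
            elif before == 1 and delta == -1:
                busy_origins -= 1
            peak = max(peak, busy_origins)
        peaks[card] = peak
    return peaks

def flag_shared_cards(calls, max_origins=1):
    """Cards active from more places at once than one traveller could be standing in."""
    peaks = peak_concurrent_origins(calls)
    return sorted(card for card, peak in peaks.items() if peak > max_origins)

def admit_call(active_calls, attempt):
    """Barrier check: refuse a new call while the card is in use from another origin."""
    return not any(c.card == attempt.card and c.origin != attempt.origin
                   and c.start <= attempt.start < c.end for c in active_calls)

# Constructed call records (not real data): CARD-A is one traveller making two
# back-to-back calls from one payphone; CARD-B is a compromised card in use from
# several locations at the same time. m(n) is n minutes after the first call.
T0 = datetime(1995, 3, 1, 9, 0)
def m(n): return T0 + timedelta(minutes=n)
SAMPLE_CALLS = [
    Call("CARD-A", "airport-03", m(0), m(10)),
    Call("CARD-A", "airport-03", m(12), m(20)),
    Call("CARD-B", "station-07", m(0), m(30)),
    Call("CARD-B", "casino-02", m(5), m(40)),
    Call("CARD-B", "terminus-11", m(6), m(15)),
    Call("CARD-B", "hotel-09", m(15), m(25)),
]
```

Running `flag_shared_cards(SAMPLE_CALLS)` reports only CARD-B, and `admit_call` would have refused its second call the moment it was attempted from a second payphone.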

Page 11: Visual hacking (ec)

Visual Hacking 2016 Style: From 1990’s to 2016

● Shoulder surfing now has a more appropriate name for the digital age

● ‘Visual Hacking’, which can be defined simply as “obtaining or capturing sensitive information for unauthorized use”

Page 12: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Examples of Visual Hacking

● Taking photos of documents left on a printer or information displayed on a screen
● Memorising details seen on a screen or a desk
● Micro audio recording of details seen
● Simply writing down employee login information that is taped to a computer monitor
● External visual hacking via telephoto lenses through untinted windows

Page 13: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Visual Hackers Can Be

● Staff members
● Interns
● Contractors
● Clients
● Visitors
● Persons in adjoining buildings

Page 14: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Visual Hacking Experiment

● In the Visual Hacking Experiment, a study conducted by Ponemon Institute and jointly sponsored by 3M Company and the Visual Privacy Advisory Council, white-hat hackers posing as temporary or part-time workers were sent into the offices of eight U.S.-based, participating companies.

Page 15: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Visual Hacking Experiment (continued)

● The hackers were able to visually hack sensitive and confidential information from exposed documents and computer screens.

● They were able to visually hack information such as employee access and login credentials, accounting information and customer information in 88 percent of attempts, and were not stopped in 70 percent of incidents.

● The following short video demonstrates the experiment

Page 16: Visual hacking (ec)

Visual Hacking: Safeguards To Help Prevent Visual Hacking

● The best place to begin clamping down on visual privacy threats is to perform a visual privacy audit

● The visual privacy audit will help you assess your key-risk areas and evaluate existing security measures that are in place

Page 17: Visual hacking (ec)

Visual Hacking: Visual Privacy Audit

• Does your organization have a visual privacy policy?
• Are shredders located near copiers, printers and desks where confidential documents are regularly handled?
• Are computer screens angled away from high-traffic areas and windows, and fitted with privacy filters?
• Do employees keep log-in and password information posted at their workstations or elsewhere?

Page 18: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Visual Privacy Audit Continued

• Are employees leaving computer screens on or documents out in the open when not at their desks?
• Do employees know to be mindful of who is on the premises and what they are accessing, photographing or viewing?
• Are there reporting mechanisms for suspicious activities?

Page 19: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Key Points To Take Away

• Visual Hackers can be anyone who has access to your office or is in close proximity
• Reception areas are very vulnerable to visual hacking
• What will clients/visitors think of your privacy safeguards if they can openly see information?
• Make sure staff are aware of the phone card shoulder surfing scenario and highlight to them that using laptops and smartphones in crowded places leaves them open to visual hacking
• Simple safeguards and a visual privacy policy will help you protect your business

Page 20: Visual hacking (ec)

Visual Hacking: Visual Hacking Hot Zone

Page 21: Visual hacking (ec)

Visual Hacking-Shoulder Surfing: Further Information & Sample Privacy Audit Checklist

● For additional information on visual hacking go to my LinkedIn Profile and see my LinkedIn Pulse Blog

● ‘Visual Hacking An Old Tactic With A New Name’

● https://www.linkedin.com/pulse/visual-hacking-old-tactic-new-name-bradley-w-deacon?trk=mp-reader-card

Page 22: Visual hacking (ec)

Visual Hacking
