  • Slide 1
  • Computer security, Internet privacy: What should we worry about?
    • Sebastian Lopienski, CERN Deputy Computer Security Officer
    • Polish Teachers Programme, October 2014
  • Slide 2
  • Disclaimer: What follows are my opinions and not necessarily those of CERN.
  • Slide 3
  • A cloud hack
    • Digital life of a Wired journalist destroyed in one hour: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking
    • Amazon, Apple, Google, Twitter accounts compromised
    • All Apple devices wiped out remotely
  • Slide 4
  • A cloud hack: how??
    • Call Amazon and add a new credit card (needed: name, billing address, e-mail address)
    • Call again, say you lost the password, and add a new e-mail (needed: name, billing address, current credit card)
    • Reset the password: the new one goes to this new e-mail address
    • Log in and see all registered credit cards (last 4 digits)
    • Call Apple, say you lost the password, and get a temporary one (needed: name, billing address, last 4 digits of a credit card)
    • Reset the Google password: the new one is sent to the Apple e-mail (the Apple e-mail was registered as an alternate e-mail)
    • Reset the Twitter password: the new one is sent to the Google e-mail (the Google e-mail was linked to the Twitter account)
  • Slide 5
  • A cloud hack: multiple security flaws and issues
    • Interconnected accounts: which one of your accounts is the weakest link?
    • Our full dependence on digital information, devices, cloud services etc.
    • Very weak identity-check procedures, often not even followed correctly
      • some procedures have changed as an outcome of this case
      • enable 2-step authentication (Google, LinkedIn, Apple, ...)
    • Security questions with answers often trivial to find (remember Sarah Palin's Yahoo account hack in 2008?)
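The "interconnected accounts" point above is something you can audit for yourself. The following is an added example, not code from the talk: it models each account together with the accounts it can reset (because it is their recovery e-mail, or because information visible inside it satisfies another provider's identity check) and then walks that graph to show how far the compromise of any single account cascades, which accounts sit in a recovery loop with no independent anchor, and which root accounts everything else depends on. All account names and reset links are constructed sample data; the first set mirrors the chain on the previous slides, the second shows two mailboxes that are each other's recovery address.

```python
"""Audit password-reset dependencies between accounts (defender's view).

Added example, not part of the original talk. A directed edge A -> B means
"control of A lets you reset B". Reachability over that graph gives the
blast radius of losing any one account, the accounts forming a recovery
loop, and the independent roots that deserve 2-step authentication first.
All account names and links below are constructed sample data.
"""
from collections import deque

# Constructed sample mirroring the chain on the previous slides.
SAMPLE_RESET_LINKS = {
    "amazon": ["apple"],     # card digits visible in Amazon pass Apple's phone check
    "apple": ["google"],     # Apple address registered as Google's alternate e-mail
    "google": ["twitter"],   # Google address linked to the Twitter account
    "twitter": [],
}

# Constructed sample of a common misconfiguration: two mailboxes that are
# each other's recovery address, so neither one is an independent anchor.
SAMPLE_LOOP = {
    "google": ["apple"],
    "apple": ["google"],
}


def reachable(graph, start):
    """Accounts reachable from `start` by following reset links.

    `start` itself is included only when a chain leads back to it (a loop).
    """
    seen = set()
    queue = deque(graph.get(start, []))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def blast_radius(graph):
    """How many other accounts fall if each account is compromised, worst first."""
    radii = {acct: len(reachable(graph, acct) - {acct}) for acct in graph}
    return sorted(radii.items(), key=lambda kv: (-kv[1], kv[0]))


def recovery_loops(graph):
    """Accounts on a reset cycle: no member of the loop is an independent anchor."""
    return sorted(acct for acct in graph if acct in reachable(graph, acct))


def independent_roots(graph):
    """Accounts no other account can reset; everything downstream depends on them."""
    targets = {t for outs in graph.values() for t in outs}
    return sorted(acct for acct in graph if acct not in targets)


if __name__ == "__main__":
    for name, graph in (("chain", SAMPLE_RESET_LINKS), ("loop", SAMPLE_LOOP)):
        print(f"[{name}] blast radius: {blast_radius(graph)}")
        print(f"[{name}] recovery loops: {recovery_loops(graph)}")
        print(f"[{name}] independent roots: {independent_roots(graph)}")
```

In the chain sample the Amazon account has a blast radius of three and is the only independent root, which is exactly why the weak phone-support check there was enough to unravel everything else. In the loop sample there is no root at all: whichever mailbox an attacker reaches first hands them the other one, so at least one of the two needs a recovery path that does not depend on the other (for example a hardware second factor).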
  • Slide 6
  • (Cartoon) From http://www.bizarrocomics.com
  • Slide 7
  • E-mail account before e-bank account? From http://elie.im/blog/security/45-of-the-users-found-their-email-accounts-more-valuable-than-their-bank-accounts
  • Slide 8
  • Passwords lost, or easy to guess
    • Top 10 words used in passwords: password, welcome, qwerty, monkey, jesus, love, money, freedom, ninja, writer
    • From http://www.zdnet.com/the-top-10-passwords-from-the-yahoo-hack-is-yours-one-of-them-7000000815/
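A list like the one above is only useful if the check that uses it also catches the usual disguises ("P@ssw0rd123" is still "password" to anyone running a dictionary attack). The following is an added example, not from the talk: a blocklist check that normalises a candidate password (lower-casing, stripping digits and symbols from either end, undoing common leet substitutions) before looking for any of the ten words from the slide inside it. The ten words are the slide's; the leet table, length threshold and function names are my own choices, and a real deployment would use a much larger list of leaked passwords.

```python
"""Reject passwords built on the words that dominate leaked password lists.

Added example, not part of the original talk. The blocklist is the ten
words from the slide; the normalisation undoes capital letters, leet
substitutions and a few appended or prepended digits/symbols so that
trivially decorated variants are caught too. The leet table and the
minimum length are assumptions chosen for this example.
"""
import re

# Words from the slide (Yahoo leak, as cited there), most to least common.
TOP_PASSWORD_WORDS = ["password", "welcome", "qwerty", "monkey", "jesus",
                      "love", "money", "freedom", "ninja", "writer"]

# Common leet-speak substitutions mapped back to the letter they stand for.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def normalize(password):
    """Lower-case, drop non-letters at either end, then undo leet substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def weak_word(password, blocklist=TOP_PASSWORD_WORDS):
    """Return the blocklisted word the password is built on, or None if clean."""
    core = normalize(password)
    for word in blocklist:
        if word in core:
            return word
    return None


def check_password(password, min_length=12):
    """List the reasons a password would be rejected (empty list means accepted)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    word = weak_word(password)
    if word is not None:
        reasons.append(f"built on the common word '{word}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["P@ssw0rd123", "Welcome2014!", "iloveyou",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The check deliberately matches the blocklisted word as a substring of the normalised password rather than requiring equality, because the slide lists words "used in" passwords, and "iloveyou" or "monkey2014" are exactly the variants a cracking wordlist covers first.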
  • Slide 9
  • Outline: Where are we? Who are they? What is ahead?
  • Slide 10
  • Vulnerabilities
  • Slide 11
  • Trying to sell a Yahoo XSS for $700
  • Slide 12
  • Selling a command-execution vulnerability in MS Office for $20k
  • Slide 13
  • Vulnerability market shift
    • Finding vulnerabilities: difficult, time-consuming
    • Selling to vendors, or publishing (mid-2000s)
      • limited money: thousands to tens of thousands of dollars, e.g. Mozilla up to $3000, Google up to $3133.7
      • vulnerabilities eventually patched (good!)
    • Selling to the underground (late 2000s)
      • busy and active black market
      • more profitable: tens to hundreds of thousands of USD
      • sometimes the buyers are governments or their contractors
      • used in 0-day exploits (no patch)
    • Researchers don't commit crime; attackers don't need skills, just money
  • Slide 14
  • Botnets (networks of infected machines): From http://www.f-secure.com/weblog/archives/00002430.html
  • Slide 15
  • Outline: Where are we? Who are they? What is ahead?
  • Slide 16
  • Who are they?
    • criminals (motivation: profit)
    • hacktivists (motivation: ideology, revenge)
    • governments (motivation: control, politics)
  • Slide 17
  • Criminals: the usual stuff
    • Identity theft
    • Credit-card fraud
    • Malware targeting e-banking, e.g. Zeus, Gozi etc.
    • Scareware, e.g. fake AV, fake police warnings
    • Ransomware: taking your data hostage (soon: accounts?)
    • Mobile malware, e.g. sending premium-rate SMSes
    • Denial of Service (DoS)
    • Spam etc.
  • Slide 18
  • 2-in-1: scare and demand ransom
    • SOPA is dead but still used by criminals to scare people (From http://www.zdnet.com/sopa-reincarnates-to-hold-your-computer-hostage-7000005684)
    • It pays off (From symantec.com)
  • Slide 19
  • Cyber criminals: Thai police have arrested Algerian national Hamza Bendelladj, wanted by the FBI for allegedly operating the Zeus botnet (e-banking malware). From http://www.bangkokpost.com
  • Slide 20
  • Gangsters: a hacker nicknamed vorVzakone, allegedly related to Gozi malware. From krebsonsecurity.com
  • Slide 21
  • ... employing mules: "Become a foreign agent in the US" advertisement. From krebsonsecurity.com
  • Slide 22
  • Hacktivists: attacking to protest, to pass a message etc.
  • Slide 23
  • Anonymous, LulzSec: many groups, varying agendas, from ideologists to criminals
  • Slide 24
  • Do you know this guy?
  • Slide 25
  • Aaron Swartz: a software developer, an open-access activist
    • 2001 (aged just 14!): helped develop RSS
    • 2002: working with Tim Berners-Lee on the semantic web
    • 2008: released 20% of the Public Access to Court Electronic Records (PACER) database of United States federal courts
    • 2011: arrested for retrieving scientific articles from JSTOR; believed in open access to the results of publicly-funded research; risked a sentence of 35 years in prison / $1m fine
    • 2012: campaigned against SOPA
    • 2013: committed suicide (because of the ongoing criminal investigation?)
  • Slide 26
  • Google a freedom activist? https://www.google.com/takeaction/
    • The same Google that outraged privacy defenders with its new Privacy Policy
  • Slide 27
  • ... but governments?
  • Slide 28
  • Spying on (some) citizens
    • Network encryption? Infect computers or go after services
    • Syrian activists' PCs infected with Trojans/backdoors
    • Tibetan rights activists often targeted
    • Israel demands e-mail passwords at borders
    • German police infects criminals' PCs with Trojans/backdoors
      • buying surveillance code and services for 2M EUR (!) or developing in-house
      • unfortunately, full of security holes
    • From http://www.f-secure.com/weblog/archives/00002423.html
  • Slide 29
  • PRISM: mass online surveillance program
  • Slide 30
  • Privacy vs. control
    • "If you are doing nothing wrong, then you shouldn't worry if we watch you."
    • "If I am doing nothing wrong, then you shouldn't be watching me!"
    • Cryptography/encryption (HTTPS) is still a good defense
  • Slide 31
  • Agencies & contractors turning offensive. From F-Secure
  • Slide 32
  • Agencies & contractors turning offensive: Northrop Grumman looks for a "Cyber Software Engineer" for an "Offensive Cyberspace Operation mission". From http://www.f-secure.com/weblog/archives/00002372.html
  • Slide 33
  • Stuxnet (the worm that targeted Iranian uranium-enriching centrifuges, discovered 2010)
    • Estimated development effort: 10 man-years
    • Result: sabotage; 30,000 Iranian computers infected, some HW damage, nuclear program set back by ~2 years
    • Cui bono? (New York Times, June 2012: a joint US-Israel operation "Olympic Games", started by Bush and accelerated by Obama)
  • Slide 34
  • Outline: Where are we? Who are they? What is ahead?
  • Slide 35
  • Does Stuxnet make us all more vulnerable? http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12
  • Slide 36
  • Thank you