2011 Cyber Security & Social Technology
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College
www.LearnSecurity.org | www.linkedin.com/in/donaldehester | www.facebook.com/LearnSec | www.twitter.com/sobca
© 2011 Maze & Associates. Rev 2/28/2011
Pervasive By Nature
Social Tech reaches into: Private Life, Work, Family, School
Social Tech Issues
Marketing
• Marketing
• Brand Protection
• Customer Relations
HR
• Hiring
• Personnel Management
Personal
• Privacy
• Identity
• Home/Work
MARKETING & BRANDING USES
Brand Protection - Concerns
• Fear of losing control
• Fear of losing customers
• Fear of losing money
• Fear of customers speaking up
• Avoiding social media
  – Fear of the unknown
  – Thinking it is a fad
• Not understanding social media
• How will you measure impact?
Brand Issues
Monitor Social Media for your Brand
Social Shopping
How to get started
• Social Technology – The train has left the building, are you on it?
• Get informed
• Get help (technical and soft skills)
• Develop a social media marketing strategic plan
• Create short term goals
• Execute and Adapt
Marketing
• Manager's Guide to Social Media – by Scott Klososky
• The FaceBook Era – by Clara Shih
• Facebook Marketing: An Hour a Day – by Chris Treadaway and Mari Smith
• New Rules of Marketing and PR– by David Meerman Scott
• The Zen of Social Media Marketing: An Easier Way to Build Credibility, Generate Buzz, and Increase Revenue – by Shama Kabani and Chris Brogan
Establish Brand in Social Media
Market Saturation
Integration
Integrate social media with: Your Website, Other channels
Deceptive Marketing
Endorsements
• If you are being paid to endorse a product, you must make that clear to consumers.
http://www.ftc.gov/opa/2009/10/endortest.shtm
HUMAN RESOURCES USES
Social Media Uses in HR
• The use of social media outside of personal lives has increased and continues to increase
• Concern that potential employers will misconstrue what is seen
• Used for monitoring current employees
• Used for screening job applicants
  – Employees see it as a good way to "get to know" the applicant
http://www.ajc.com/news/barrow-teacher-fired-over-733625.html
http://www.dailyfinance.com/story/media/facebook-spying-costs-canadian-woman-her-health-benefits/19250917/
http://smallbiztrends.com/2009/09/social-media-background-checks.html
Horns of a dilemma
• If employers use social media to do background checks on employees
  – The company is open to discrimination charges
  – The candidate is vulnerable to discrimination
Horns of a dilemma
• If employers don't use social media to do background checks on employees
  – The company is open to negligent hires
  – Good candidates are missed
  – Bad candidates are hired
Use of Social Media at Work
• Does your company have a social media policy?
• How much time do employees use social media?
• Does it affect employee productivity?
• How much cross over between work / home life?
PERSONAL USES
Computer Security: Malware
Online Privacy
• Do you have control of what is posted?
• Not all fame is good!
• People use anonymity to post stuff about others!
• Embarrassing, loss of credibility
Information about you online
• Do I have control of what is posted about me?
• Look yourself up!
• All but one of these is about me.
• One of these I was completely unaware of.
• Even if you are not on the web, you may be on the web!
• Do what you can to control what is out there.
• What is your social relevancy (reputation)?
Sony PlayStation Network Breach
SOCIAL MEDIA & POLITICS
Elections
Social Media and Politics
IDENTITY THEFT
Social Media (Web 2.0)
• Services are extremely popular and useful
• Almost a must today (if you are not in, you are out)
• People post too much information about themselves or their kids
• Be aware of your aggregate information
• The key is to be aware of what you are sharing
Online Privacy
• Would you invite a stranger into your house to look at your children's photo album?
• Public v. Private
• Aggregate information sources could give someone more information than intended.
Situation
• Why does someone want your personal information?
  – In an information age information becomes a commodity
  – Information has a value
  – Some information has a greater value
  – Your personal information is potentially worth more than you think
What is PII
• Personally Identifiable Information
  – Name and account number
  – Name and social security number
  – Name and address
  – Credit Card Number
• Where you might find it
  – Tax files
  – Account Statements
  – Records (Medical, Public and other)
  – Businesses you do business with
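The PII slide above names the data types to watch for, and the Social Media (Web 2.0) slide before it says the key is to be aware of what you are sharing. As an added example that is not part of this deck, here is a small Python checker a person or a reviewer could run over a draft post before it goes online: it flags the PII types the slide lists (card number, social security number, street address), plus a phone number, and uses the Luhn checksum so that a random 16-digit run is not reported as a card number. The sample post, the pattern set and the US-style regexes are all constructed here and are an assumption about what "good enough for a look-before-you-post check" means; this is not a complete data-loss-prevention engine.

```python
import re

# Constructed sample text (not from the slides): a draft post that mixes
# harmless chatter with the kinds of PII the deck lists (address, social
# security number, credit card number) plus a phone number. The card number
# is the standard 4111... test value; the SSN is a well-known dummy value.
SAMPLE_POST = """
Had a great weekend! Posting from home at 12 Example Street, Springfield.
Call me on (555) 010-2345 if you want to join next time.
Heads-up: my new card 4111 1111 1111 1111 arrived today.
Tax stuff is finally done, SSN 123-45-6789 was on every form.
This is not a card: 1234 5678 9012 3456 (it fails the Luhn check).
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers.

    Rejects most random digit runs, so a 16-digit order number or tracking
    number is not reported as a card number.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Simple US-style heuristics (assumption: adequate for a pre-post check).
PATTERNS = {
    # 13-19 digits with optional space/dash separators, validated with Luhn
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+[A-Z][a-z]+\s+(?:Street|St|Avenue|Ave|Road|Rd)\b"),
}


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every PII hit in text, in pattern order."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0).strip()
            if kind == "card_number":
                digits = re.sub(r"\D", "", value)
                if not luhn_ok(digits):
                    continue        # random digit run, not a card number
            findings.append((kind, value))
    return findings


def redact(text: str) -> str:
    """Replace each finding with a placeholder so the text can be shared."""
    for kind, value in find_pii(text):
        text = text.replace(value, f"[{kind} removed]")
    return text


def summarize(text: str) -> dict[str, int]:
    """Count of findings per kind: the 'aggregate' view the deck warns about."""
    counts: dict[str, int] = {}
    for kind, _ in find_pii(text):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE_POST):
        print(f"{kind:15} {value}")
    print(redact(SAMPLE_POST))
```

The Luhn step is what keeps the check usable: without it every long digit run in a post (order numbers, tracking numbers) would be flagged and people would stop reading the warnings. The summary function is deliberately per-kind rather than per-value because, as the deck notes, the risk is in the aggregate of several small disclosures, not in any single one.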
ID Theft vs. ID Fraud
• "Identity fraud" consists mainly of someone making unauthorized charges to your credit card.
• "Identity theft" is when someone gathers your personal information and assumes your identity as their own.
"Identity theft is one of the fastest growing crimes in the US."
John Ashcroft, 79th US Attorney General
The Busboy That Started It All
• March 20th 2001, MSNBC reported the first identity theft case to gain widespread public attention
• Thief assumed the identities of Oprah Winfrey and Martha Stewart, took out new credit cards in their names, and accessed their bank accounts
• Stole more than $7 million from 200 of the world's super rich - Warren Buffett and George Soros, tech tycoons Paul Allen and Larry Ellison
• Used a library computer, public records, a cell phone, a fax machine, a PO Box, and a copy of Forbes Richest People
• 32-year-old Abraham Abdallah was described as "a high school dropout, a New York City busboy, a pudgy, disheveled, career petty criminal."
ID Theft & Fraud
• PII exposed by others (Data Breaches)
• PII exposed by ourselves (online & others)
• Malware (Spyware, Viruses, etc.)
• Social Engineering
  – Phone
  – Internet (Phishing, social websites etc.)
  – In Person (at your door, in a restaurant etc.)
• Physical theft
  – Mail box
  – Trash (Dumpster diving)
  – ATMs (skimming)
  – Home break-ins
What do they do with stolen IDs?
Drug Trafficking and ID Theft
• Meth users see mail theft and check washing as a low risk way to pay for their habit.
• The same chemicals used in Meth production are used in check washing.
• Meth users, dealers and fraudsters are partners in crime.
FTC 2009 Stats
• Top counties with ID theft
  – Solano County 18 out of 375
• Average per victim loss
  – $10,000
• Total complaints filed in 2009
  – 1.3 Million
FTC http://www.ftc.gov/opa/2010/02/2009fraud.shtm
HOW MIGHT YOU EXPOSE YOUR PII
Watch what you put online
http://www.youtube.com/watch?v=Soq3jzttwiA
Can someone use what you post against you?
P2P (Peer to Peer file sharing)
• Napster used to fit in this category
• Used to 'share' computer files
• Legal issues with copyright
• Malware issues, often the P2P software will install adware or tracking software.
• Privacy issues, do you know what you are sharing?
HOW BAD GUYS MIGHT GET YOUR PII
Malware
• Malware (Viruses, Worms, Spyware, etc.)
  – 1999 Melissa, Kevin Mitnick
  – 2000 Mafiaboy, DoS Assault
  – 2001 Code Red, Nimda
  – 2002 Root Rot, Slapper
  – 2003 SQL Slammer
  – 2004 MyDoom, BerBew
  – 2005 Samy (MySpace)
  – 2007 Storm Worm, Botnets, etc.
• Malware has cost trillions of dollars in the last decade
Viruses
• In the past they were primarily destructive
• Today they focus on stealing information
• Using your computer as a Bot (Zombie) to send out SPAM
Phishing: Internet Fraud
• Oldest trick in the book, there are examples in the 1500s
• One particular fraud is called the "Nigerian 419" scam or "Advanced Fee Fraud"
• Started as a letter, then it showed up in faxes and now it is sent by email.
• Many variations on the story the message contains
http://www.secretservice.gov/fraud_email_advisory.shtml
Phishing Example
Spyware
Cell Phone Spyware
http://www.youtube.com/watch?v=uCyKcoDaofg
http://news.rutgers.edu/medrel/news-releases/2010/02/rutgers-researchers-20100222
http://www.youtube.com/watch?v=UZgf32wVTd4
Physical theft
• Dumpster diving
• ATM – Credit Card skimming
• Mailbox
• Home Break-in
Close to Home
"Lock Bumping"
http://cbs11tv.com/seenon/Bump.Key.Safety.2.499252.html
ATM Skimming
http://www.youtube.com/watch?v=m3qK46L2b_c
Credit Card Skimming
Credit Card Skimming Stats: Top Merchant Groups (chart)
Merchant groups shown: Restaurants, Gas, Hotels, Car Rentals, All Other
Source: California Restaurant Association, Visa USA, United States Secret Service
Credit Card Skimming Stats: By Merchant Locations (chart)
Locations shown: California, Florida, New York, New Jersey, Texas, Mexico, Illinois, All Other
Source: California Restaurant Association, Visa USA, United States Secret Service
HOW OTHERS MIGHT EXPOSE YOUR PII
How others might expose your PII
• Data Breach
  – Lack of security on the part of businesses
  – Organization may post information online
  – Loss of a laptop, hard drive or paper work
  – Data loss by a third party
  – Hacker (Organized Crime & Nation State)
  – Organizations may break into your computer
Sony PlayStation Network Breach
Public Records
"The federal government is the biggest offender."
Paul Stephens, Privacy Rights Clearinghouse
Others losing your ID
4.2 million customer card transactions were compromised by hackers
Unknown Exposure
Top 10 Largest Breaches*
Records        Date         Organization
130,000,000    2009-01-20   Heartland Payment Systems
 94,000,000    2007-01-17   TJX Companies Inc.
 90,000,000    1984-06-01   TRW, Sears Roebuck
 76,000,000    2009-10-05   National Archives and Records Administration
 40,000,000    2005-06-19   CardSystems, Visa, MasterCard, American Express
 30,000,000    2004-06-24   America Online
 26,500,000    2006-05-22   U.S. Department of Veterans Affairs
 25,000,000    2007-11-20   HM Revenue and Customs, TNT
 17,000,000    2008-10-06   T-Mobile, Deutsche Telekom
 16,000,000    1986-11-01   Canada Revenue Agency
*Top ten data breaches as of 22 Feb 2010. Data provided by DataLossDB: 725,797,885 breached records out of 2466 reported incidents.
Repeat Offenders*
Company               Number of Reported Breaches
LPL Financial         12
Nationwide            11
Equifax               11
Experian              11
Blue Cross            10
B of A                 9
Cornell University     9
University of Iowa     9
HSBC                   8
Pfizer                 8
*As of 22 Feb 2010. Data provided by DataLossDB: 725,797,885 breached records out of 2466 reported incidents.
Sony Root Kit
• Sony, in its efforts to preserve control over its product, installed root kits on consumers' computers
• Consumers were not aware it was installed (on copy-protected CDs)
• Gave Sony and potentially hackers the ability to remotely control your computer
• Removal of the software disabled CD drives on consumers' computers
http://www.cnet.com/4520-6033_1-6376177-1.html?tag=nl.e501