Transcript Slide

Andy Malone, MVP, MCT
CEO / Trainer / Consultant
Quality Training (Scotland) Ltd &
Dive Deeper Technology Events EMEA
SIA330
The Disclaimer!
In attending this session you agree that any software
demonstrated comes absolutely with NO WARRANTY.
Use entirely at your own risk. Microsoft Corporation,
Quality Training (Scotland) Ltd, Dive Deeper
Technology Events EMEA & the other 3rd party
vendors whose software is demonstrated as part of
this session are not responsible for any subsequent
loss or damage whatsoever...You have been warned!
This Session Covers!
The Top 10 security nightmares
Covert information gathering techniques
How it’s done! - identity theft
Tools the bad guy use
Hiding your tracks
Possible solutions
The need to know principle
Conclusions and Q&A
The Top 10 Security Nightmares
1. Physical
2. Human Error
3. Malfunction
4. Malware
5. Spoofing
6. Scanning
7. Eavesdropping
8. Scavenging
9. Spamming
10. Out of Band!
How Severe is the Threat?
Professional Cyber
Criminals & Terrorists
Disgruntled
Employees
Competitors
Hacktivists
Script Kiddies
(Advertises Actions)
T
H
R
E
A
T
Problem: Identifying the Threat
Uneducated
Employees
Disgruntled
Employees
Competitors
Hackers
Foreign
Governments
Problem:
It’s the way we’ve always done it!
Problem: Unorganized Response
What should I do?
Who should I call?
Should I shut the system
down?
Should I run the virus
cleaner?
Should I trust my Anti-virus
quarantine?
Should I re-image the
system?
Problem: Reliance on Technology!
Quest for a silver
bullet
Many business
decisions are
market driven
Marketing +
Architecture =
Marchitecture
Many solutions are
event driven
People can be Your Greatest or
Weakest Asset!
If You Look Hard Enough Bad
Security is Everywhere!
Places!
No Seriously!
The Hotel Intrusion
Employees on the Road: The Soft Target!
Free, er Room Service!
The Office Intrusion
Organized Security…Er!
Badges: Instant Credibility
Free Floor Plans!
Get on the Inside with a Job!
Too much Information
Office Security Tips
Ensure Employees are Security Aware
Adopt an “Acceptable Use” Policy in terms of IT, Email,
Internet etc
Ensure Employees are Security Vetted
Wear ID Badges
Question Visitors – “Offer Help”
Secure all Entrances & Exits
Know Emergency Procedures
Secure your Valuables
Laptops, Phones, Keys, IDs Etc
Consequences of Poor Security:
Brett Kingstone Nexus Lighting!
“What took us $10 million and 10 years to
develop, they were able to do for $1.4 million in
six months”Brett Kingstone
http://people.forbes.com/profile/brett-m-kingstone/57603
http://www.gss.co.uk/news/article/5613/Cyberthieves_mine_onl
ine_for_corporate_data_nuggets/?highlight=Finjan
Hacker 101
Target Selection & Information Gathering
Hacker 101: Target Selection
Person
Identity Theft
Revenge
Invasion of Privacy
Company
Trade Secrets
Hostile Takeover
Industrial Espionage
Government
Military Coup
Political Corruption
Bribery
Country Destabilisation
My Name is John Davidson!
The ID Theft Hustle
No it Really is!
My Qualifications
John Davidson
John Davidson
My Life!
John Davidson
Xx xxxxxxx xxx, Stockport, xxx xxx UK
Email Address: [email protected]
Or [email protected]
Phone: 079 3705 9862
Mother's maiden name: Smith
Birthday: June 16, 1965
Social Security Number: TP 41 79 92 B
Visa: 4485 4037 3695 59xx
Expires: 2/2011
Passport: GB 4017783
What About a Blog then!... Live.com
Are You LinkedIn.... John is Now!
So Who are You?
Information required:
Social Security Number
Full name
Birth date
Address
Possibly Drivers license number
Sources
Doctor
Accountant
Lawyer
School
place of work
Hotels
health insurance carrier
many others
5 Pages of Heaven! Aka a Resume
Once you get someone's resume' you know
all about the person
You can search for it ...or...
You can get people to send it to you
Recruitment is easy: Post a job ad and wait
for people to send their life story
You can even specify which types of
people...:)
“Looking for nuclear scientist/engineer with
experience in Uranium enrichment and
military background. Earn top dollar, 401K
plan, dental coverage, 25days leave. Flexi
time. Apply within...”
A Growing Problem
• Revealed: 8 Million Victims in the Worlds Biggest Cyber
Heist! – Best Western Hotels. (Aug 08) – Russian Gangs
involved. Details offered for sale on underground
website. (www.cuxxxx0.ru)
• 10,000 Criminal Records Go Missing on Memory Stick!
(July 08)
• Fasthosts UK ISP – 50,000 Websites Hacked. (Nov 07)
• ID Theft costs the UK economy £1.6bn Per Year*
• UK Child Support Agency: 25 Million Records Missing.
MI5 ordered to recover data.
• Bank of India etc...
*Sunday Times
How it's Done - Identity Theft
You are Unique...Keep it that Way!
Check your credit score regularly
Don't reveal too much personal information,
especially on on-line forums & social
networking groups.
Watch out for shoulder surfers.
Learn to ask questions...”Why you need this
information, How will it be used.
Be aware of your privacy rights.
Make use of new encryption technologies
Lets do Some Damage!
Corporate ID Theft
Employee Stupidity (UK Dept work & Pensions
25 Million records LOST because of a mistake...
Fraudulent use of business identity
"account takeover" fraud that hijacks a clean
identity for illicit trading
UK Companies House – does not validate any data
provided
Spoof emails and “phishing“, “Spear Phishing”
Corporate Governance implications
UK's Turnbull Report (internal controls)
Tools the Bad Guys Use!
Google hacking!
Google Hacking
Various usernames and passwords (both encrypted
and in plain text)
Internal documents
Internal site statistics
Intranet access
Database access
Open Webcams
VNC Connections
Mail server access
And much more
Google Hacking Examples!
Site:com filetype:xls "Accounts"
site:gov.uk filetype:xls users
site:gov.uk filetype:doc staff
site:gov.uk filetype:ini WS_FTP PWD
site:gyhs.co.uk "index of /" password.txt
site:co.uk "index of /" +passwd
site:dk +hotel filetype:xls
site:com +password filetype:xls
Inurl:admin users passwords
inurl:admin intitle:index.of
"Microsoft-IIS/5.0 Server at"
intitle:index.of
How it’s done - Google Hacking
Don’t Get Google Hacked!
Keep sensitive information off the internet
Be careful how you write your scripts and access
your databases
Use robots.txt to let Google know what parts of
your website it is ok to index. Specify which parts of
the website are “off bounds”
Ensure directory rights on your web server are
in order
Monitor your site for common errors
“Google hack” your own website
Data Mining: Paterva Maltego 2
Data Mining with Paterva, Maltego 2
Data Mining with BidiBlah
Hacking #102
Hide your Tracks!
Hiding Data - Steganography!
Steganography: The art of storing information in such a way that
the existence of the information is hidden
To human eyes, data usually contains known forms, like images,
e-mail, sounds, and text. Most Internet data naturally includes
gratuitous headers, too. These are media exploited using new
controversial logical encodings: steganography and marking.
The duck flies at midnight. Tame uncle Sam
Simple but effective when done well
How it’s Done - Steganography
What the Bad Guys Use!
Undetectable and Unbreakable Encryption!
Creates a virtual encrypted disk within a
file and mounts it as a real disk.
Encrypts an entire partition or storage
device such as USB flash drive or
hard drive.
Encryption is automatic, real-time (onthe-fly) and transparent.
Provides two levels of plausible
deniability, in case an adversary forces
you to reveal the password:
Hidden volume (steganography) and
hidden operating system.
No TrueCrypt volume can be identified
(volumes cannot be distinguished from
random data).
Encryption algorithms: AES-256, Serpent,
and Twofish. Mode of operation: XTS.
Uncovering Secrets & Lies
The Compliance Gorilla!
When the focus is only on
compliance, the
organization's overall
security posture suffers by
focusing solely on systems.
The network pieces are
"compliant" but what
about the internetworking
of these systems?
The result of this problem
is indefensible networks.
Pro-Active Cybercrime Prevention Tips
 Learn to Identify Threats
 Monitoring Staff & Ensure Corporate Awareness
 Reward Corporate Loyalty
 Internal & External Legislation
 Anonymiser Services
 Right Management Software
 Make use of Cryptography
 Use good o’l fashioned Cash
The Need to Know Principle!
Keeping up Appearances!
Although I don't know the
overall network security
posture of the airport, this
didn't look good
Good security is simply
appearing to be secure
The military teach that the
appearance of a hard
target can deter attacks.
Developments
Biometric Passports ,
DNA Identity Solutions
Cloud Data centre Solutions
Credit Cards with Biometrics
Project Goldeneye / Goldfinger!
Identity Cards
Cut the myriad of means to prove identity
Proposed new criminal offence
of "identity fraud"
Civil liberties arguments
Criminalize legitimate anonymity?
National Criminal Intelligence Service
Conclusions!
The Top 10 security nightmares
Covert information gathering techniques
How it’s done! - identity theft
Tools the bad guys use
Hiding your tracks
Possible solutions
The need to know principle
Conclusions & Q&A
Thanks for
Attending!
Andy Malone MVP, MCT
CEO / Consultant
Quality Training (Scotland) Ltd & Dive
Deeper Technology Events EMEA
[email protected]
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
www.microsoft.com/learning
Microsoft Certification and Training Resources
Complete an
evaluation on
CommNet and
enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.