
Week 08 : Security awareness and hacking
PCB - KNOWLEDGE SHARING SESSION
White hat vs Black hat hacking
The good guys are "white hats," who look for weaknesses in systems, with the owner's permission, so that they can be fixed. "Black hats" are the ones who take advantage of weaknesses in systems.
3 main threats on the internet
* Just to list some generic examples
1. Hacking
◦ Man in the middle attack
◦ Key loggers
◦ DDoS (Distributed Denial of Service)
2. Phishing
◦ Websites
◦ Email
3. Spoofing (Identity Theft)
◦ Email spoofing
◦ IP spoofing / gateway poisoning
Hacking : Man in the middle attack
The attacker intercepts some or all traffic coming from the computer, collects the data, and then forwards it to the destination the user was originally intending to visit, so neither end notices anything.
If the user is sending unencrypted data, the man-in-the-middle (MITM) can read, and also alter, any of that data as it passes through.
If the data is encrypted, the attacker still captures it, but has to break the encryption before it can be read.
Watch the video below for a simulation of a MITM attack I've done on an unencrypted e-commerce website.
The initial chargeable figure was RM 43.00, but I could alter it to RM 1.00 upon checkout.
http://www.youtube.com/watch?v=yGF4FQb9rHQ
DISCLAIMER : No animals, property, humans or interests were jeopardized during the process of "simulating" the scenario in the video below, which depicts the MITM by Jermaine Cheah Penn Hon.
Prevention
1. Only buy from trusted/reputable sites
2. Only use trusted computers to perform online transactions
3. Make sure you are not on a public, untrusted network
4. Check that the checkout page is served over https (padlock in the browser); the attack in the video only worked because the site sent the order unencrypted
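The price tampering shown in the video, as an added example that is not part of the original slides: the product catalogue, prices, request bodies and function names below are constructed for illustration. It shows what an on-path attacker can do to a plaintext checkout request, and the server-side check (recompute the price from the catalogue instead of trusting the browser's figure) that makes the tampering fail. TLS is what stops the attacker reading and altering the traffic in the first place; the server-side check is what stops a tampered figure being charged even if the traffic is altered.

```python
"""Added example (not from the original slides): a plaintext checkout request
being altered by a man-in-the-middle, and the server-side check that defeats it.
The catalogue, prices and request bodies are constructed for illustration."""
from urllib.parse import parse_qs, urlencode

# Constructed server-side catalogue: the only source of prices the server should trust.
CATALOGUE = {"sku-1001": 43.00}

# The checkout form body the browser sends over plain HTTP (constructed).
ORIGINAL_BODY = "sku=sku-1001&qty=1&amount=43.00"


def mitm_rewrite(body: str, field: str, new_value: str) -> str:
    """What an on-path attacker can do to unencrypted traffic: read the form
    body, change one field and forward the rest untouched."""
    fields = parse_qs(body, keep_blank_values=True)
    fields[field] = [new_value]
    return urlencode(fields, doseq=True)


def vulnerable_charge(body: str) -> float:
    """Trusts the client-supplied 'amount' field, so the tampered RM 1.00 is charged."""
    return float(parse_qs(body)["amount"][0])


def hardened_charge(body: str) -> float:
    """Recomputes the total from the catalogue and refuses the order if the
    client's figure disagrees. A tampered 'amount' can no longer lower the
    charge; only TLS stops the attacker reading or altering the rest."""
    fields = parse_qs(body)
    sku = fields["sku"][0]
    qty = int(fields["qty"][0])
    if sku not in CATALOGUE or qty <= 0:
        raise ValueError("unknown product or bad quantity")
    expected = round(CATALOGUE[sku] * qty, 2)
    claimed = round(float(fields["amount"][0]), 2)
    if claimed != expected:
        raise ValueError(
            f"price mismatch: client sent {claimed:.2f}, catalogue says {expected:.2f}")
    return expected


def order_rejected(body: str) -> bool:
    """True if the hardened checkout refuses this order."""
    try:
        hardened_charge(body)
    except ValueError:
        return True
    return False


# The attacker rewrites RM 43.00 to RM 1.00 in transit, as in the video.
TAMPERED_BODY = mitm_rewrite(ORIGINAL_BODY, "amount", "1.00")

if __name__ == "__main__":
    print("tampered body:", TAMPERED_BODY)
    print("vulnerable site charges:", vulnerable_charge(TAMPERED_BODY))
    print("hardened site rejects tampered order:", order_rejected(TAMPERED_BODY))
```

The same rule applies to any value the browser sends back that the server already knows (prices, discounts, account numbers): look it up again server-side rather than trusting the copy that travelled through the network.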
Hacking : Key Logging
... is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
2 main types of key logging: hardware based and software based
Hardware keyloggers
A small device plugged in between the keyboard and the PC (or built into the keyboard) that stores every keystroke; it needs physical access both to install and to collect.
Software keyloggers
1. Listener attached to web page input fields
2. Background services running on the PC
3. Webcam hijacking
Prevention
1. Use a One-Time Password (OTP); a code that has already been used or has expired is useless to whoever captured it
2. Use two-factor authentication (2FA), for example Google Authenticator
3. Change your password more often and use higher complexity
4. Cover your laptop webcam when not in use
5. Only use a trusted PC for sensitive transactions
6. Use trusted anti-keylogging software like http://www.qfxsoftware.com/ (KeyScrambler)
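Why a one-time password defeats a keylogger, as an added example that is not on the original slides: a TOTP implementation (RFC 6238, the scheme Google Authenticator uses) written with the Python standard library, together with the server-side check that accepts a code only within the current 30-second window and only once. The shared secret is the RFC 6238 test-vector secret; the timestamps, the OtpVerifier class and the keylogger scenario are constructed for illustration.

```python
"""Added example (not from the original slides): TOTP (RFC 6238) from the
standard library, and a verifier that shows why a code captured by a keylogger
is useless once it has been used or its time window has passed.
The secret is the RFC 6238 test-vector secret; timestamps are constructed."""
import hashlib
import hmac
import struct

STEP = 30      # seconds per code
WINDOW = 1     # accept one step of clock skew either way


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, unix_time // STEP, digits)


class OtpVerifier:
    """Server side: accepts a code only near the current step, and only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest counter already consumed (replay guard)

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


SECRET = b"12345678901234567890"   # RFC 6238 SHA-1 test secret (constructed scenario)


def keylogger_scenario() -> dict:
    """A keylogger records the victim's code at t=59; the attacker tries it later."""
    server = OtpVerifier(SECRET)
    captured = totp(SECRET, 59)   # what the keylogger saw the victim type
    return {
        "captured": captured,
        "victim_login": server.verify(captured, 61),        # victim uses it first: accepted
        "replay_same_window": server.verify(captured, 70),  # attacker replays it: rejected
        "replay_later": server.verify(captured, 59 + 180),  # minutes later: rejected
    }


if __name__ == "__main__":
    print(keylogger_scenario())
```

The password itself is still captured, which is why the slides pair OTP with changing passwords and using a trusted PC; what the OTP removes is the attacker's ability to log in with what the keylogger recorded.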
Hacking : DDoS
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. It is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.
A distributed denial-of-service (DDoS) attack is the same thing launched from many machines at once, typically a botnet of infected PCs.
There are 2 general forms of DoS attacks: those that crash services (by sending input that triggers a bug) and those that flood services (by sending more requests than they can handle).
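The flood form of denial of service, as an added example that is not on the original slides: a sliding-window counter run over constructed web-server access-log lines (addresses from the documentation IP ranges), which flags a source the moment it exceeds a request rate no ordinary visitor would reach. The parser, the thresholds and the log lines are assumptions for illustration.

```python
"""Added example (not from the original slides): detecting the flood form of
denial of service by counting requests per source in a sliding time window.
The access-log lines are constructed and use documentation IP ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache/nginx-style access log: 203.0.113.7 hammers /login while
# two ordinary visitors browse at a normal pace.
LOG_LINES = [
    '198.51.100.4 - - [10/Oct/2013:13:55:36 +0800] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0800] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0800] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Oct/2013:13:55:37 +0800] "GET /login HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Oct/2013:13:55:37 +0800] "GET /about HTTP/1.1" 200 300',
    '203.0.113.7 - - [10/Oct/2013:13:55:37 +0800] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Oct/2013:13:55:38 +0800] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Oct/2013:13:55:38 +0800] "GET /login HTTP/1.1" 200 1024',
    '198.51.100.4 - - [10/Oct/2013:13:55:39 +0800] "GET /cart HTTP/1.1" 200 700',
    '203.0.113.7 - - [10/Oct/2013:13:55:39 +0800] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Oct/2013:13:55:39 +0800] "GET /login HTTP/1.1" 200 1024',
    '198.51.100.4 - - [10/Oct/2013:13:56:50 +0800] "GET / HTTP/1.1" 200 512',
]

# Common log format: client IP, ident, user, [timestamp], "request", status, size.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_line(line: str):
    """Return (ip, timestamp) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def detect_flood(lines, window_seconds: int = 10, threshold: int = 6) -> dict:
    """Flag a source the first time it exceeds `threshold` requests within any
    `window_seconds` window. Returns {ip: timestamp of the request that tripped it}.
    Per-source counting catches one flooding host; a distributed flood spread thinly
    over many sources needs aggregate (per-URL or total) rate checks as well."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()      # drop requests that have fallen out of the window
        if len(window) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_flood(LOG_LINES).items():
        print(f"flood suspected from {ip} at {when:%H:%M:%S}")
```

This only sees the flood form; the crash form is a single malformed request that triggers a bug, and the fix for that is the vendor patch (which is why the prevention list below starts with updates).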
Hacking : DDoS (Famous Cases)
February, 2000: Mafiaboy Vs. Yahoo, CNN, eBay, Dell, & Amazon
1. The largest DDoS attack in history at the time
2. Done by "Mafiaboy," a.k.a. 15-year-old Michael Calce
3. Took down Yahoo, CNN, eBay, Dell, and Amazon
4. Picked up by Canadian police (while watching Goodfellas, allegedly) and pleaded guilty to hacking
5. 8 months in a juvenile detention center and ordered to donate $250 to charity
November 2008: Unknown Vs. Microsoft Windows (& the World)
1. The Conficker worm exploited vulnerabilities in a number of Microsoft operating systems
2. Each infected PC was turned into a zombie machine in a botnet
3. It infected millions of computers and business networks in countries around the world
4. Protect yourself with a Conficker removal tool
Preventions
1. Update your antivirus
2. Install operating system updates and fixes
3. Keep up with security news
4. Avoid downloading media, software and files from untrusted sources
5. Perform periodic scans on your machine
These steps keep your own PC from being recruited into a botnet like Conficker's; they do not by themselves protect a server you run from being flooded.
Phishing - Email
Phishing email messages are designed to steal your identity. They ask for personal data, or direct you to websites or phone numbers to call where they ask you to provide personal data.
What does a phishing email message look like?
1. Usually spoofing a bank or financial institution, a company you regularly do business with, such as Microsoft, or your social networking site.
2. They might appear to be from someone in your email address book.
3. They might ask you to make a phone call. Phone phishing scams direct you to call a phone number where a person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data.
4. They might include official-looking logos and other identifying information taken directly from legitimate websites, and they might include convincing details about your personal history that scammers found on your social networking pages.
5. They might include links to spoofed websites where you are asked to enter personal information.
Prevention
1. Do not be greedy
2. Again, do not be greedy
3. Check where a link really goes (hover over it) before proceeding
4. Subscribe to a phishing report list
5. Do not simply disclose personal information
◦ Secure and reputable services will not ask you to verify yourself via email
Phishing - Website
Phishing websites look legitimate, and users would naturally enter their credentials and so fall into the trap.
(Image on the slide: a Facebook phishing site)
Prevention
1-5. Same as for phishing email above: do not be greedy, check where a link really goes before proceeding, subscribe to a phishing report list, and do not simply disclose personal information
6. Do not log in whilst using public open networks
◦ On a poisoned network a phishing site can even appear under the legitimate URL (see Spoofing below)
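The "check links before proceeding" step from both phishing slides, as an added example that is not on the original slides: a link checker that pulls the real host out of a link's href and compares it with the site the link claims to be, catching the tricks a phishing mail relies on (brand name hidden in a subdomain, a user@host URL, a look-alike domain, link text that differs from the target, plain http). The sample links are constructed, and registrable_part() is a rough approximation of the public suffix list written for this example. It does not help against the case in item 6, where a poisoned network shows the genuine URL.

```python
"""Added example (not from the original slides): checking where a link really
goes before clicking it. Sample links are constructed; registrable_part() is a
rough stand-in for the public suffix list, good enough for .com.my-style names."""
from urllib.parse import urlsplit

# The site a reader expects to be dealing with (named on the slides).
EXPECTED_HOST = "www.maybank2u.com.my"

SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu"}


def registrable_part(host: str) -> str:
    """'www.maybank2u.com.my' -> 'maybank2u.com.my'; 'a.b.example' -> 'b.example'.
    Approximation: treats 'xx.cc' endings such as com.my as a single suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(visible_text: str, href: str) -> list:
    """Return the warnings for one link; an empty list means nothing suspicious."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    expected = registrable_part(EXPECTED_HOST)
    actual = registrable_part(host)

    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        warnings.append("plain http: the page can be read and altered in transit")
    if parts.username is not None:
        warnings.append(f"user@host trick: the real host is {host!r}, not {parts.username!r}")
    if not host.isascii():
        warnings.append("non-ASCII host name: possible look-alike (homograph) domain")
    if actual != expected:
        warnings.append(f"host {host!r} is not under {expected!r}")
        if expected.split(".")[0] in host:
            warnings.append("brand name appears in the host but not as its registered domain")
    # Link text that itself looks like an address should point at the same domain.
    text = visible_text.strip()
    if " " not in text and "." in text:
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if shown and registrable_part(shown) != actual:
            warnings.append(f"link text shows {shown!r} but the link goes to {host!r}")
    return warnings


# Constructed (visible text, href) pairs: one genuine link and four phishing tricks.
SAMPLE_LINKS = [
    ("https://www.maybank2u.com.my/home", "https://www.maybank2u.com.my/home"),
    ("https://www.maybank2u.com.my/login", "http://www.maybank2u.com.my.secure-login.example/"),
    ("Verify your account", "https://www.maybank2u.com.my@203.0.113.5/verify"),
    ("www.maybank2u.com.my", "https://www.maybánk2u.com.my/"),
    ("Click here", "https://maybank2u-verify.example/"),
]


def audit(links) -> dict:
    """Map each href to its list of warnings."""
    return {href: check_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, warns in audit(SAMPLE_LINKS).items():
        print(href, "->", "OK" if not warns else "; ".join(warns))
```

Mail clients show the href on hover; the same checks can be done by eye, reading the host from the right-hand end (the registered domain) rather than from the left, which is where phishers put the brand name.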
Spoofing - email
Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source.
Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
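How a receiving system can tell a spoofed From: header from a genuine one, as an added example that is not on the original slides: it parses a raw message and checks whether the From: domain is backed by an SPF or DKIM result for that same domain (the alignment idea behind DMARC, simplified). Both messages, the domains and the Authentication-Results header (which the receiving mail server would normally add after its own SPF and DKIM checks) are constructed.

```python
"""Added example (not from the original slides): a simplified DMARC-style
alignment check that separates a spoofed From: header from a genuine one.
Messages, domains and the Authentication-Results header are constructed; in
practice that header is written by your own receiving mail server."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the attacker's own domain passes SPF, but it is not the From: domain.
SPOOFED = """\
Return-Path: <bounce@bulk-mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-mailer.example.net; dkim=none
From: "Secure Bank" <alerts@secure-bank.example>
To: victim@example.com
Subject: Verify your account now

Your account will be suspended unless you confirm your password at the link below.
"""

# Constructed: envelope sender and DKIM signature both belong to the From: domain.
GENUINE = """\
Return-Path: <no-reply@secure-bank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=secure-bank.example; dkim=pass header.d=secure-bank.example
From: "Secure Bank" <no-reply@secure-bank.example>
To: customer@example.com
Subject: Your monthly statement

Your statement is ready.
"""


def domain_of(header_value: str) -> str:
    """'"Name" <user@host>' -> 'host'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def aligned(a: str, b: str) -> bool:
    """Relaxed alignment: same domain, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def classify(raw_message: str) -> dict:
    """Judge whether the From: domain is backed by an aligned SPF or DKIM pass."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    results = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=([\w.-]+)", results)
    dkim = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", results)
    spf_aligned = bool(spf and aligned(spf.group(1).lower(), from_domain))
    dkim_aligned = bool(dkim and aligned(dkim.group(1).lower(), from_domain))
    verdict = ("pass" if (spf_aligned or dkim_aligned)
               else "suspect: From: domain not backed by SPF or DKIM")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, classify(raw))
```

The spoofed message passes SPF, which is the point of the example: SPF checks the envelope sender the attacker controls, not the From: line the user sees, so it is the alignment between the two that matters. A full DMARC evaluation also fetches the From: domain's published policy, and it must only trust an Authentication-Results header that your own server added, stripping any the sender supplied.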
Spoofing – Website/IP/DNS
Essentially, basic spoofing displays a misleading URL or similar, which is still noticeable if you look.
More advanced attackers use ARP poisoning, DNS spoofing and IP spoofing to redirect your connection to a server they control while the genuine URL stays in the address bar. They cannot forge a valid SSL certificate for that name, so the browser's certificate warning is often the only clue; attackers count on users clicking through it, or on the site still accepting plain http.
ARP Poisoning is a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network, so that traffic meant for another host (typically the gateway) is delivered to the attacker's machine instead.
So, imagine you are looking at https://www.maybank2u.com.my/ but it is actually not the real M2u site.
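ARP poisoning of the gateway, as an added example that is not on the original slides: a detector that remembers the first IP-to-MAC binding it sees for each address and raises an alert whenever a later ARP reply claims a different MAC for the gateway or for another host, which is exactly what the attacker has to do to sit in the middle. The ARP replies, addresses and function names are constructed; a real tool would read the replies off the network interface.

```python
"""Added example (not from the original slides): detecting ARP poisoning from a
stream of ARP replies. The replies, IP and MAC addresses are constructed; a real
tool would capture them from the network interface."""

GATEWAY_IP = "192.168.1.1"

# Constructed ARP replies seen on the LAN: (seconds, sender IP, sender MAC).
ARP_REPLIES = [
    (0, "192.168.1.1", "00:11:22:33:44:01"),    # the real gateway
    (1, "192.168.1.20", "00:11:22:33:44:20"),   # a victim PC
    (2, "192.168.1.31", "00:11:22:33:44:31"),   # the attacker's own machine
    (5, "192.168.1.1", "00:11:22:33:44:31"),    # attacker claims the gateway's IP
    (6, "192.168.1.20", "00:11:22:33:44:31"),   # ...and the victim's, to relay both ways
    (9, "192.168.1.1", "00:11:22:33:44:31"),    # poisoning is re-sent to keep caches stale
]


def detect_arp_poisoning(replies, gateway_ip: str) -> list:
    """Trust-on-first-use: remember the first MAC seen for each IP and alert on
    any reply that binds the IP to a different MAC. Each alert lists the other
    IPs that MAC already answers for, which exposes the attacker's real address."""
    bindings = {}   # ip -> first MAC seen
    alerts = []
    for when, ip, mac in replies:
        mac = mac.lower()
        first = bindings.setdefault(ip, mac)
        if mac == first:
            continue
        also_owns = sorted(other for other, m in bindings.items() if m == mac and other != ip)
        alerts.append({
            "time": when,
            "ip": ip,
            "expected_mac": first,
            "spoofed_mac": mac,
            "gateway": ip == gateway_ip,
            "mac_also_owns": also_owns,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, GATEWAY_IP):
        where = "GATEWAY" if alert["gateway"] else "host"
        print(f"t={alert['time']}s {where} {alert['ip']} now claimed by {alert['spoofed_mac']} "
              f"(was {alert['expected_mac']}); that MAC also owns {alert['mac_also_owns']}")
```

A legitimately replaced gateway also trips this check, so treat it as an alert to investigate. On a managed switch the same binding check runs as Dynamic ARP Inspection; on a single PC a static ARP entry for the gateway gives the same protection and is the practical defence on a network you cannot avoid.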
Prevention
1. Try to avoid using public networks
2. Periodically scan your PC to remove malicious agents
3. Tether your mobile 3G connection for internet banking if you are on the go
◦ Spoofing a mobile cell is far less likely than a rogue or poisoned public Wi-Fi network
That’s it!
Thanks for your kind attention and please stay tuned for the Week 7 session next week.
Good day!
Prepared by : Jermaine