CyberThreats and CyberSecurity · 2015-03-27 · Home Depot Hack •On Sept 2, 2014, a German...


CyberThreats and CyberSecurity 2014.5

An Overview: Global, Community, and Personal

Branon Dunn – Fall 2014/Spr. 2015

Agenda

• Overview of Cyberthreat history

• Who are the Hackers, and how has that changed over time

• Current trends affecting cyber security

• What can you do about it?

A Few (Very) Old Examples

• Brain Virus – 1st “PC” Virus – 1986

– Text carried inside the virus: “Welcome to the Dungeon © 1986 Brain & Amjads (pvt). BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...”

• The Morris Worm – 1st Internet Worm – 1988 – Probably infected about 10% of the machines then on the Internet (Arpanet). UNIX only.

– Prompted DARPA to fund the establishment of the CERT/CC (Cyber Emergency Response Team)

Stuxnet

• In 2010, German security researchers noticed a “worm” with activity centered in Iran (which has pretty poor cyber security as a nation).

• It worked on all versions of Windows, exploited 4 zero-day vulnerabilities, utilized stolen digital signatures, was widely distributed, but …

• It only targeted Siemens WinCC/PCS 7 centrifuge controllers in arrays of 984 units.

• This is the exact configuration of the secret Iranian uranium enrichment facility.

• The virus would speed up/slow down the centrifuges until they failed.

• Iranians were unaware of the problem, did not understand why there were so many failures, but continued to replace the centrifuges. Their enrichment program was set back years.

• Although the Iranian nuclear facility was isolated from the Internet, the virus was brought in by a scientist on a memory stick!

An Attack?

• Stuxnet was a targeted cyber weapon.

• Does use of a weapon such as Stuxnet qualify as an act of war?

• How do you decide who attacked you?

Operation Buckshot Yankee

• In 2008, a foreign intelligence agency left a few USB flash drives in the parking lot of a US military base.

• A soldier saw one of these drives in the dirt and just wanted to know what was on it. So he stuck it into his military PC … (on the US Central Command network)!

• The virus on the drive (agent.btz) scanned all the computers on the DoD network, created “backdoor accounts” and connected to remote command and control servers.

• It took the Pentagon 14 months to get the virus out of the US network! They then created the United States Cyber Command.

• Humans are usually the weakest link in all cyber security systems.

The Target Credit Card Loss

• On Dec. 19, 2013 Target announced that 40 million credit card numbers were stolen between Nov. 27 and Dec. 15, 2013 (and sent to Russia)

– They were notified on Nov. 30, 2013 by detection software installed 6 months earlier

– They ignored the notice

– Ultimately everyone got new credit cards (at an estimated cost of $200 million to the credit card industry)

– CIO (Chief Information Officer) lost his job – CEO lost his job.

• Upper Management must now care about cyber security

– Target’s profit for the holiday shopping period fell 46 percent from the same quarter the year before. Final estimated cost to Target - $148 million

Home Depot Hack

• On Sept 2, 2014, a German security specialist announced that 56 Million credit cards had been stolen from Home Depot

– Cards had just been offered for sale on the black market

– Zip codes matched Home Depot locations to 98% correlation

• On Sept 8, Home Depot confirmed the loss

• Affected HD customers who made purchases from April 2014 – Sept 2014

• This POS virus, FrameworkPOS, was different from the Target POS hack

• The virus was designed to look like McAfee antivirus software to avoid detection
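Malware that borrows an antivirus vendor's name is a detection problem, not a prevention one: the name is cheap to fake, but the install path and the code-signing certificate are not. The check below is an added example written for this page, not code from the slides or from any vendor: it audits a constructed process snapshot against a baseline (also constructed; a real one would be built from a known-good machine) of where each vendor's software legitimately lives and who signs it, and flags any process that claims a vendor's name but fails either test.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Process:
    name: str
    path: str
    signer: Optional[str]   # organisation on the code-signing certificate, None if unsigned


# Baseline of where a genuine copy of each vendor's software lives and who signs it.
# Constructed for this example: build your own from a known-good machine.
BASELINE = {
    "mcafee": {"path_glob": r"C:\Program Files*\McAfee\*", "signer": "McAfee, Inc."},
    "symantec": {"path_glob": r"C:\Program Files*\Symantec\*", "signer": "Symantec Corporation"},
}

# Constructed process snapshot, as a host agent might report it.
SAMPLE_PROCESSES = [
    Process("mcshield.exe", r"C:\Program Files\McAfee\VirusScan\mcshield.exe", "McAfee, Inc."),
    Process("mcafee.exe", r"C:\Windows\Temp\mcafee.exe", None),
    Process("McAfeeAgent.exe", r"C:\Program Files (x86)\McAfee\Agent\McAfeeAgent.exe", "Contoso Ltd"),
    Process("explorer.exe", r"C:\Windows\explorer.exe", "Microsoft Windows"),
]


def vendor_claimed(proc: Process) -> Optional[str]:
    """Which vendor, if any, the process name or path claims to belong to."""
    haystack = (proc.name + " " + proc.path).lower()
    for vendor in BASELINE:
        if vendor in haystack:
            return vendor
    return None


def audit(processes) -> List[Tuple[str, List[str]]]:
    """Return (process name, reasons) for every process that claims a vendor's
    name but does not live where that vendor's software lives or is not signed
    by that vendor. Processes that claim no vendor are left alone."""
    findings = []
    for proc in processes:
        vendor = vendor_claimed(proc)
        if vendor is None:
            continue
        rule = BASELINE[vendor]
        reasons = []
        # Case-insensitive glob match; '*' spans directory separators.
        if not fnmatch.fnmatchcase(proc.path.lower(), rule["path_glob"].lower()):
            reasons.append("unexpected path")
        if proc.signer != rule["signer"]:
            reasons.append("unexpected signer")
        if reasons:
            findings.append((proc.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_PROCESSES):
        print(f"{name}: {', '.join(reasons)}")
```

Both tests matter: a copy dropped into a temp directory fails the path check, and a copy placed in the right folder but signed by someone else fails the signer check. In a real deployment the signer field would come from Authenticode verification of the file on disk, not from a self-reported string.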

Heartbleed

• First virus with a logo!

• SSL (secure sockets layer) is what your computer uses when your browser needs to pass secure information (passwords, credit card info). It’s the “lock” that you see on your browser.

• Encryption keys are generated on demand and only used for one “session”.

• On April 1, 2014, Google found a bug in OpenSSL that could expose encryption keys and data to a “man in the middle” attack. Bug had existed since March 14, 2012.

• Usernames/passwords could be intercepted and stored.

• Fixed version of OpenSSL was released April 7.
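The Heartbleed bug came down to trusting a length field in the incoming message: the server echoed as many bytes as the sender claimed to have sent, so a claim larger than the real payload pulled in whatever happened to sit next to it in memory (session keys, passwords, other users' data). The fix was a single bounds check. The model below is an added example for this page, not OpenSSL's code and not the slides' content; it simulates process memory with a byte string (the request followed by constructed, made-up "secrets") and shows the unchecked behaviour beside the checked one.

```python
import struct

HEADER_LEN = 1 + 2      # message type byte + 16-bit declared payload length
PADDING_LEN = 16        # minimum padding that must follow the payload


def build_request(payload: bytes, declared_len: int) -> bytes:
    """Heartbeat request as laid out on the wire: type, declared length, payload,
    padding. declared_len may disagree with len(payload) to model a malformed request."""
    return b"\x01" + struct.pack("!H", declared_len) + payload + b"\x00" * PADDING_LEN


def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trust the declared length and echo that many bytes
    starting at the payload, even when that runs past the end of the record
    (record_len is available but never consulted)."""
    declared = struct.unpack("!H", memory[1:3])[0]
    return bytes(memory[HEADER_LEN:HEADER_LEN + declared])


def respond_checked(memory: bytes, record_len: int):
    """Fixed behaviour: header + declared payload + padding must fit inside the
    record that actually arrived; otherwise the request is silently discarded."""
    declared = struct.unpack("!H", memory[1:3])[0]
    if HEADER_LEN + declared + PADDING_LEN > record_len:
        return None
    return bytes(memory[HEADER_LEN:HEADER_LEN + declared])


# Constructed model of process memory: a request carrying 4 real payload bytes
# but declaring 60, followed by unrelated data that happens to sit next to it.
# The "secrets" are made-up values for this example.
MALFORMED = build_request(b"ping", 60)
SECRETS = b"SESSIONKEY=0123456789abcdef;USER=alice;PW=hunter2;"
MEMORY = MALFORMED + SECRETS
RECORD_LEN = len(MALFORMED)          # 23 bytes actually arrived on the wire

HONEST = build_request(b"ping", 4)   # declared length matches the payload


def demo() -> dict:
    """Run both handlers over the same inputs so the difference is visible."""
    return {
        "unchecked_leak": respond_unchecked(MEMORY, RECORD_LEN),
        "checked_malformed": respond_checked(MEMORY, RECORD_LEN),
        "checked_honest": respond_checked(HONEST, len(HONEST)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The unchecked handler returns 60 bytes of which only 4 belong to the request; the rest is the adjacent "memory", including the session key and credentials. The checked handler returns nothing for the malformed request and still answers the honest one normally, which is why the fix broke no legitimate clients.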

Heartbleed - cont

• MANY websites use OpenSSL.

• All users are vulnerable to username/password loss from Mar 2012 to April 2014.

• User fix …

– Check your websites for “fix” application

• https://lastpass.com/heartbleed/ for example

– THEN, change your password

– (more on implications later)

Who are the Hackers - and how has this changed over time

• Individuals and “clubs”

– Teenage boys in their rooms

– Clubs (virtual) of these kids

• Governments

– NSA and Cyber Command (Snowden revelations)

– China (2nd Bureau of the 3rd Army, Unit 61398)

• Patriotic Hackers – Combination of both!

– Government support/synchronization without direct cyber action

– Can sometimes “get out of control”

• “Professional” Hackers

– Corporate espionage – trade secrets

– Stealing of financial data

– “ransomware”

Current Trends affecting CyberSecurity

5 trends noticed by the Brookings Institution

• The rise of “Cloud Computing”

– Move from owning hardware to renting it online

– May actually improve security due to professional services.

– Fewer systems administrators.

– A huge list of new security concerns from the new model

• “Big Data” – unprecedented knowledge of us is being mined – Impact on human social, legal, and ethical boundaries

• The “Mobile Revolution”

– Smaller computers, using smaller interfaces, on compressed bandwidth, tends to concentrate security problems

– Convenience tends to supersede security concerns

– Security often managed by non-security companies with other priorities

• Demographic shift of net users – By 2015 there will be more users speaking Chinese than English

• The Internet of Things (IoT)

Internet of Things

• Here's the scenario:

– As you approach the front door of your house, a remote control built into your key unlocks the door.

– The door's wireless radio messages your home network, which prompts the hall light to turn on.

– The house thermostat, which was raised after you left for work, returns to a comfort zone.

Internet of Things (cont 2)

• Another scenario:

– You are away on vacation and the house is empty.

– A moisture sensor detects water on the basement floor.

– That sensor finding is processed by an app, which has received another report from a temperature sensor that detects the flow of water in the main water pipe. (When water flows, it takes away heat and lowers the temperature).

Internet of Things (cont 3)

• That both sensors are detecting anomalies is cause for concern.

– A high rate of flowing water may signal a burst pipe, triggering an automated valve shutoff;

– a slight water flow might be a running toilet, and

– the water on the basement floor by routine leakage from a heavy rain.

• In each case, you get a machine-generated message describing the findings.
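The scenario above is a small correlation engine: two sensors, a threshold on the flow signal, an automated action for the dangerous case and a message for every case. The code below is an added example for this page, not from the slides or the Computerworld article they draw on; the readings, the valve and the temperature-drop thresholds are all constructed assumptions, and a real deployment would calibrate the thresholds against its own plumbing.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Readings:
    basement_wet: bool        # moisture sensor on the basement floor
    pipe_temp_drop_c: float   # how far the main-pipe sensor has fallen below its resting temperature


# Thresholds are assumptions for this example; calibrate against your own plumbing.
BURST_DROP_C = 5.0     # a large, sustained drop means a large flow (burst pipe)
TRICKLE_DROP_C = 0.5   # a small drop means a trickle (running toilet)


class Valve:
    """Stand-in for the automated main shutoff valve."""

    def __init__(self) -> None:
        self.closed = False

    def close(self) -> None:
        self.closed = True


def classify_flow(drop_c: float) -> str:
    if drop_c >= BURST_DROP_C:
        return "burst"
    if drop_c >= TRICKLE_DROP_C:
        return "trickle"
    return "none"


def assess(r: Readings, valve: Valve) -> Dict[str, object]:
    """Combine both sensors, act on the dangerous case, and always produce a message."""
    flow = classify_flow(r.pipe_temp_drop_c)
    if flow == "burst":
        valve.close()                       # only automated action: stop the water
        cause = "possible burst pipe"
    elif flow == "trickle":
        cause = "small continuous flow (running toilet?)"
    elif r.basement_wet:
        cause = "basement moisture without pipe flow (rain seepage?)"
    else:
        cause = "no anomaly"

    # Two independent sensors agreeing is more worrying than either alone.
    anomalies = int(flow != "none") + int(r.basement_wet)
    severity = {0: "none", 1: "medium", 2: "high"}[anomalies]
    message = (f"[{severity}] {cause}; flow={flow}; basement_wet={r.basement_wet}; "
               f"valve_closed={valve.closed}")
    return {"cause": cause, "severity": severity, "valve_closed": valve.closed, "message": message}


if __name__ == "__main__":
    for sample in (Readings(True, 8.0), Readings(False, 1.0), Readings(True, 0.0), Readings(False, 0.0)):
        print(assess(sample, Valve())["message"])
```

Note that the shutoff is tied to the flow signal alone: a wet basement after heavy rain should not cut the house's water, and a burst pipe should be stopped even before the basement sensor gets wet.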

Internet of Things (cont 4)

• Here's how you investigate.

– Via a mobile app, you get two one-time codes to unlock your front door, one for your neighbor and another for a plumber. When the door is unlocked, a text alert tells you who entered.

• Having knowledge of the condition of your home may be a big driver of IoT adoption.
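The one-time door codes in the scenario have three properties worth getting right: each code is unguessable, each works exactly once, each stops working after a set time, and every use is attributed to the person it was issued to. The class below is an added example for this page (a hypothetical design, not any lock vendor's protocol or the slides' content) that implements those properties with an in-memory table; the clock is passed in explicitly so the behaviour is reproducible.

```python
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class DoorLock:
    """Issues single-use, time-limited entry codes and records who used them.
    Hypothetical design for this example; an in-memory table stands in for the
    lock's storage and the 'alerts' list for the text messages sent to the owner."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, int]] = {}   # code -> (holder, expires_at)
        self.alerts: List[str] = []

    def issue(self, holder: str, ttl_seconds: int, now: int) -> str:
        """Create a fresh code for `holder` that expires `ttl_seconds` from `now`."""
        code = secrets.token_hex(8)          # 64 random bits: not guessable in practice
        self._codes[code] = (holder, now + ttl_seconds)
        return code

    def _lookup(self, presented: str) -> Tuple[Optional[str], Optional[Tuple[str, int]]]:
        # Compare against every outstanding code with a constant-time comparison so
        # response time does not reveal how much of a guess matched.
        for code, entry in self._codes.items():
            if hmac.compare_digest(code, presented):
                return code, entry
        return None, None

    def unlock(self, presented: str, now: int) -> str:
        """Attempt an unlock; the code is consumed on any match, valid or expired."""
        if not presented.isascii():          # compare_digest requires ASCII strings
            return "rejected: unknown, used or expired"
        code, entry = self._lookup(presented)
        if code is None or entry is None:
            return "rejected: unknown, used or expired"
        holder, expires_at = entry
        del self._codes[code]                # single use: gone whether or not it still works
        if now > expires_at:
            return "rejected: expired"
        self.alerts.append(f"{holder} entered at {now}")
        return f"unlocked for {holder}"

    def purge_expired(self, now: int) -> int:
        """Housekeeping: drop codes that can no longer be used; returns how many."""
        stale = [c for c, (_, exp) in self._codes.items() if now > exp]
        for c in stale:
            del self._codes[c]
        return len(stale)


if __name__ == "__main__":
    lock = DoorLock()
    t0 = 1_000_000
    neighbor_code = lock.issue("neighbor", 3600, t0)
    print(lock.unlock(neighbor_code, t0 + 60))   # unlocked for neighbor
    print(lock.unlock(neighbor_code, t0 + 120))  # rejected: a code works once
    print(lock.alerts)
```

Expired codes are removed on first use rather than left in the table, and the same "unknown, used or expired" response covers all three failure cases so an attacker cannot tell which one applied.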

So, What Can I Do?

• Be a good Net-izen

– What you do on your computer affects the security of the Net

– You can Do the Right Things

– You can “Don’t Do the Wrong Things”

Do the Right Things!

• Protect physical access to your computer

• Use strong passwords

• Change them regularly

• Don’t use the same password for many sites

• Consider using a Password Manager

– LastPass is excellent. www.lastpass.com

• Change default Usernames and Passwords

– Especially on Routers/Gateways

[Slide image: “Scan” of a 2-block area]

Do the Right Things! (cont)

• Don’t install programs you don’t want

– Look for “install options” when downloading or upgrading

• Uninstall programs you don’t use

– Reduce the locations that “bugs” can exist on your computer

• Regularly update the programs you DO use

– Consider “auto update”

• Backup your computer and your important information

– Keep it offline! Perhaps on a USB hard drive

– Consider exchanging “offsite storage” with a friend or relative.

Don’t Do the Wrong Things!

• Don’t open emails from “people” you don’t know

[Slide image: China's Cyber Spies]

• Don’t open emails from “people” you DO know, but whose content is only a single picture

• Don’t visit websites that your browser identifies as “Untrusted”

• Don’t download programs from “strange” sites

In Conclusion

• Thank You for your Attention and Input

• Quote from Robert Morris (Sr.)

– The three golden rules to ensure computer security are:

– do not own a computer;

– do not power it on; and

– do not use it.

References

• Singer, P.W. and Friedman, A. (2014). Cybersecurity and cyberwar: What everyone needs to know. New York, NY: Oxford University Press.

• Thibodeau, P. (2014). Explained: The ABCs of the Internet of Things. Computerworld. http://www.computerworld.com/s/article/9248058/Explained_The_ABCs_of_the_Internet_of_Things_