CyberThreats and CyberSecurity · 2015-03-27
CyberThreats and CyberSecurity 2014.5
An Overview: Global, Community, and Personal
Branon Dunn – Fall 2014/Spr. 2015
Agenda
• Overview of Cyberthreat history
• Who are the Hackers, and how has that changed over time
• Current trends affecting cyber security
• What can you do about it?
A Few (Very) Old Examples
• Brain Virus – 1st “PC” Virus – 1986
– Text embedded in the virus: “Welcome to the Dungeon © 1986 Brain & Amjads (pvt). BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...”
• The Morris Worm – 1st Internet Worm – 1988
– Probably infected about 10% of the machines then on the Internet (Arpanet). UNIX only.
– Prompted DARPA to fund the establishment of the CERT/CC (Cyber Emergency Response Team)
Stuxnet
• In 2010, German security noticed a “worm” with activity centered in Iran (which has pretty poor cyber security as a nation).
• It worked on all versions of Windows, contained 4 Zero-day vulnerabilities, utilized stolen digital signatures, was widely distributed, but …
• It only targeted Siemens WinCC/PCS 7 centrifuge controllers in arrays of 984 units.
• This is the exact configuration of the secret Iranian uranium enrichment facility.
• The virus would speed up/slow down the centrifuges until they failed.
• Iranians were unaware of the problem, did not understand why there were so many failures, but continued to replace the centrifuges. Their enrichment program was set back years.
• Although the Iranian nuclear facility was isolated from the Internet, the virus was brought in by a scientist on a memory stick!
An Attack?
• Stuxnet was a targeted cyber weapon.
• Does use of a weapon such as Stuxnet qualify as an act of war?
• How do you decide who attacked you?
Operation Buckshot Yankee
• In 2008, a foreign intelligence agency left a few USB flash drives in the parking lot of a US military base.
• A soldier saw one of these drives in the dirt and just wanted to know what was on it. So he stuck it into his military PC … (on the US Central Command network)!
• The virus on the drive (agent.btz) scanned all the computers on the DoD network, created “backdoor accounts” and connected to remote command and control servers.
• It took the Pentagon 14 months to get the virus out of the US network! They then created the United States Cyber Command.
• Humans are usually the weakest link in all cyber security systems.
The Target Credit Card Loss
• On Dec. 19, 2013 Target announced that 40 million credit card numbers were stolen between Nov. 27 and Dec. 15, 2013 (and sent to Russia)
– They were notified on Nov. 30, 2013 by detection software installed 6 months earlier
– They ignored the notice
– Ultimately everyone got new credit cards (at an estimated cost of $200 million to the credit card industry)
– CIO (Chief Information Officer) lost his job
– CEO lost his job
• Upper Management must now care about cyber security
– Target’s profit for the holiday shopping period fell 46 percent from the same quarter the year before. Final estimated cost to Target - $148 million
Home Depot Hack
• On Sept 2, 2014, a German security specialist announced that 56 million credit cards had been stolen from Home Depot
– Cards had just been offered for sale on the black market
– Zip codes matched Home Depot locations with 98% correlation
• On Sept 8, Home Depot confirmed the loss
• Affected HD customers who made purchases from April 2014 – Sept 2014
• This POS virus, FrameworkPOS, was different from the Target POS hack
• The virus was designed to look like McAfee antivirus software to avoid detection
Heartbleed
• First virus with a logo!
• SSL (secure sockets layer) is what your computer uses when your browser needs to pass secure information (passwords, credit card info). It’s the “lock” that you see on your browser.
• Encryption keys are generated on demand and only used for one “session”.
• On April 1, 2014, Google found a bug in OpenSSL that could expose encryption keys and data to a “man in the middle” attack. Bug had existed since March 14, 2012.
• Usernames/passwords could be intercepted and stored.
• Fixed version of OpenSSL was released April 7.
Heartbleed - cont
• MANY websites use OpenSSL.
• All users are vulnerable to Un/PW loss from Mar 2012 to April 2014.
• User fix …
– Check your websites for “fix” application
• https://lastpass.com/heartbleed/ for example
– THEN, change your password
– (more on implications later)
Who are the Hackers - and how has this changed over time
• Individuals and “clubs”
– Teenage boys in their rooms
– Clubs (virtual) of these kids
• Governments
– NSA and Cyber Command (Snowden revelations)
– China (2nd Bureau of the 3rd Army, Unit 61398)
• Patriotic Hackers
– Combination of both!
– Government support/synchronization without direct cyber action
– Can sometimes “get out of control”
• “Professional” Hackers
– Corporate espionage – trade secrets
– Stealing of financial data
– “ransomware”
Current Trends affecting CyberSecurity
5 trends noticed by the Brookings Institute
• The rise of “Cloud Computing”
– Move from owning hardware to renting it online
– May actually improve security due to professional services
– Fewer systems administrators
– A huge list of new security concerns from the new model
• “Big Data”
– Unprecedented knowledge of us is being mined
– Impact on human social, legal, and ethical boundaries
• The “Mobile Revolution”
– Smaller computers, using smaller interfaces, on compressed bandwidth, tend to concentrate security problems
– Convenience tends to supersede security concerns
– Security often managed by non-security companies with other priorities
• Demographic shift of net users
– By 2015 there will be more users speaking Chinese than English
• The Internet of Things (IoT)
Internet of Things
• Here's the scenario:
– As you approach the front door of your house, a remote control built into your key unlocks the door.
– The door's wireless radio messages your home network, which prompts the hall light to turn on.
– The house thermostat, which was raised after you left for work, returns to a comfort zone.
Internet of Things (cont 2)
• Another scenario:
– You are away on vacation and the house is empty.
– A moisture sensor detects water on the basement floor.
– That sensor finding is processed by an app, which has received another report from a temperature sensor that detects the flow of water in the main water pipe. (When water flows, it takes away heat and lowers the temperature).
Internet of Things (cont 3)
• That both sensors are detecting anomalies is cause for concern.
– A high rate of flowing water may signal a burst pipe, triggering an automated valve shutoff;
– a slight water flow might be a running toilet, and
– the water on the basement floor by routine leakage from a heavy rain.
• In either case, you get a machine-generated message describing the findings.
Internet of Things (cont 4)
• Here's how you investigate.
– Via a mobile app, you get two one-time codes to unlock your front door, one for your neighbor and another for a plumber. When the door is unlocked, a text alert tells you who entered.
• Having knowledge of the condition of your home may be a big driver of IoT adoption.
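The one-time door codes in the scenario above, worked through as an added example (not code from the slides or from any real smart-lock product): each code is bound to one named holder, usable once, and time-limited, and every attempt is logged so the alert can say who entered. The 8-digit format and the one-hour default lifetime are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class IssuedCode:
    """One door code, tied to one named holder, valid once until expiry."""
    holder: str
    code: str
    expires_at: float
    used: bool = False


@dataclass
class DoorLock:
    """Issues single-use codes and records who opened the door (hypothetical lock)."""
    codes: list = field(default_factory=list)
    alerts: list = field(default_factory=list)   # stands in for the text alerts

    def issue(self, holder, ttl_seconds=3600, now=None):
        """Hand out a fresh 8-digit code for `holder`, good for ttl_seconds."""
        now = time.time() if now is None else now
        while True:
            code = f"{secrets.randbelow(10**8):08d}"   # CSPRNG, not random.randint
            if not any(c.code == code for c in self.codes):
                break
        self.codes.append(IssuedCode(holder, code, now + ttl_seconds))
        return code

    def unlock(self, presented, now=None):
        """Open the door only if the code is known, unused and unexpired; always log."""
        now = time.time() if now is None else now
        match = None
        for entry in self.codes:
            # compare_digest runs in constant time; checking every entry avoids
            # an early exit that would leak which codes exist
            if hmac.compare_digest(entry.code, presented):
                match = entry
        if match is None:
            self.alerts.append("DENIED: unknown code")
            return False
        if match.used:
            self.alerts.append(f"DENIED: code for {match.holder} already used")
            return False
        if now > match.expires_at:
            self.alerts.append(f"DENIED: code for {match.holder} expired")
            return False
        match.used = True
        self.alerts.append(f"UNLOCKED by {match.holder}")
        return True
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; in a real device the clock would come from a trusted time source rather than the caller.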
So, What Can I Do?
• Be a good Net-izen
– What you do on your computer affects the security of the Net
– You can Do the Right Things
– You can Don’t Do the Wrong Things
Do the Right Things!
• Protect physical access to your computer
• Use strong passwords
• Change them regularly
• Don’t use the same password for many sites
• Consider using a Password Manager
– LastPass is excellent. www.lastpass.com
• Change default Usernames and Passwords
– Especially on Routers/Gateways
Do the Right Things! (cont)
• Don’t install programs you don’t want
– Look for “install options” when downloading or upgrading
• Uninstall programs you don’t use
– Reduce the locations that “bugs” can exist on your computer
• Regularly update the programs you DO use
– Consider “auto update”
• Backup your computer and your important information
– Keep it offline! Perhaps on a USB hard drive
– Consider exchanging “offsite storage” with a friend or relative.
Don’t Do the Wrong Things!
• Don’t open emails from “people” you don’t know
• Don’t open emails from “people” you DO know, but that have a single picture content
• Don’t visit websites that your browser identifies as “Untrusted”
• Don’t download programs from “strange” sites
In Conclusion
• Thank You for your Attention and Input
• Quote from Robert Morris (Sr.)
– The three golden rules to ensure computer security are:
– do not own a computer;
– do not power it on; and
– do not use it.
References
• Singer, P.W. and Friedman, A. (2014). Cybersecurity and cyberwar: What everyone needs to know. New York, NY: Oxford University Press.
• Thibodeau, P. (2014). Explained: The ABCs of the Internet of Things. Computerworld. http://www.computerworld.com/s/article/9248058/Explained_The_ABCs_of_the_Internet_of_Things_