1. September 8, 2012 ID Theft: Are County Governments a Threat? Or How I’d Take Over the World Randy Marchany, VA Tech IT Security Office and Lab
marchany@vt.edu
2. 2 We Already Know How We already know how to educate the general public on how to use a highly complex technical device safely
It’s called
Driver’s Ed
The DMV
We already know how to teach the general public to use 2 factor authentication
It’s called an ATM card
Why aren’t we showing home users how to secure
3. 3 What People Think of Security
4. 4 Place to Steal Personal Data It is my personal opinion that the PC/MAC OS design will subvert any security architecture.
The standard client/server model consists of three parts: the server system (S), the client system (C) and the network (denoted by the straight line). In the old days, hackers attacked the server because that’s where the access was. Good sysadmin practices such as patch maintenance, detection tools, logging tools, etc. helped reduce the threat to the server system. The hacker then shifted their attacks to the network by installing sniffers. This was an attempt to capture the cleartext traffic and hopefully grab userid and password information. The sysadmins countered this threat by installing encryption tools such as Kerberos, SSH or PGP. The hackers are now shifting their attacks to the client systems. If the client is a Unix variant then the same server defense mechanisms could be applied to the client system. However, if the client is a PC or Mac, there is no effective defense because the OS design allows anyone who can access the machine to install a program on it. Viruses are the classic example of this scenario.
It’s quite easy to install a trojan program on a PC/Mac client via email attachments. The FBI installed a keystroke recorder on an organized crime figure’s laptop recently. The suspect was using PGP to encrypt his files and the keystroke recorder captured his personal/private key. The files could be decrypted since the private key was no longer “private”.
There is no effective security until this basic security flaw in client OS is corrected. IMHO.
I presented a paper attacking PC/MAC clients with a keystroke recorder sent via an attachment at the SANS Network Security Conference in 1996. The problem still hasn’t been fixed.
5. 5 Passwords ARE the First Defense Bad Password Examples
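As an added example that is not part of the slides, here is the kind of check an account-provisioning or help-desk script can run to reject the bad passwords this slide has in mind: too short, too few character classes, a dictionary word (including leet-spelled variants), a keyboard run, a repeated character, or the user's own userid. The wordlist, keyboard runs and sample accounts are constructed for the demo; a real deployment would load a large cracked-password list in place of COMMON_WORDS.

```python
import re

# Constructed, deliberately tiny wordlist for this example. A real check would
# load a large dictionary or cracked-password list instead.
COMMON_WORDS = frozenset({"password", "welcome", "letmein", "secret",
                          "admin", "hokies", "summer"})
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
# Common "leet" substitutions, undone so that P@ssw0rd is judged as password.
LEET_TABLE = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                            "$": "s", "5": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions before dictionary matching."""
    return password.lower().translate(LEET_TABLE)


def password_problems(password: str, userid: str = "", min_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    lowered = password.lower()
    norm = normalize(password)
    problems = []

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Count the character classes present: lower, upper, digit, other.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")

    hits = sorted(w for w in COMMON_WORDS if w in lowered or w in norm)
    if hits:
        problems.append("contains common word(s): " + ", ".join(hits))

    runs = [r for r in KEYBOARD_RUNS if r in lowered]
    if runs:
        problems.append("contains keyboard sequence(s): " + ", ".join(runs))

    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats a character three or more times")

    # Reject the userid itself, forwards or reversed, anywhere in the password.
    uid = userid.lower()
    if len(uid) >= 3 and (uid in lowered or uid[::-1] in lowered):
        problems.append(f"contains the userid '{userid}'")

    return problems


def is_acceptable(password: str, userid: str = "") -> bool:
    return not password_problems(password, userid)


# Constructed sample of (userid, password) pairs an account audit might see.
SAMPLE_ACCOUNTS = [
    ("marchany", "password123"),
    ("jdoe", "P@ssw0rd!"),
    ("marchany", "marchany2012!"),
    ("marchany", "Correct-Horse-Battery-Staple7"),
]


def audit(accounts):
    """Map each password to its list of problems (empty list = acceptable)."""
    return {pw: password_problems(pw, uid) for uid, pw in accounts}


if __name__ == "__main__":
    for pw, probs in audit(SAMPLE_ACCOUNTS).items():
        print(f"{pw!r}: {'OK' if not probs else '; '.join(probs)}")
```

Returning the full list of problems rather than a bare yes/no is deliberate: the user gets told why the password was refused, which is the training moment the slide is after.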
6. 6 VNC Viewer works on Windows machines as well. Here I connect to my W2K box from my Unix workstation. The W2K desktop has the beach background. The other windows are my standard Unix windows. Again, the point is that someone at a remote site could see what was being done on your desktop.
Is this a bad tool? NO! This is an excellent remote administration and help desk tool. But with power comes responsibility.
7. 7 This plot shows the rest of the viruses intercepted between 8/15/01 and 4/10/02. We average about 50-100 hits a day with some peaks here and there when a new virus hits.
12. 12 Being a VP means you have to lead the way to new technologies. Sometimes, people don’t want to follow you so you have to provide motivation or incentives to them.
Those that don’t follow will get the message soon enough.
13. September 8, 2012 We have met the enemy and it is vendors…..
14. 14 It’s Insecure Out of the Box Security vs. Convenience
Let the users debug the code
OS vendors are starting to see the light
Windows XP/2003 with security features enabled
Apple OSX
Linux systems with firewall enabled
Application Vendors still don’t get it
Oracle stepped in it
http://news.com.com/When+security+researcher+become+the+problem/2010-1071_3-5807074.html
16. 16 Every laser printer has a www server running on it. They don’t have an administrative password set. The vendor documentation strongly recommends setting an administrative password on the printer but in reality, this is not always the case. Look at the control panels on the left side and the top bar of the screen. You can do a lot of things to remotely control this printer if the admin password isn’t set.
This is an example of how a vendor product comes already equipped to sabotage your security architecture. In fairness, this vendor does provide the capability to create an admin password but it’s up to the customer to enable this feature. We’ve seen Point-of-Sale Cash register systems based on Windows NT SP3! We’ve seen printer/scanner/plotter systems whose control units are based on the same architectures. Windows NT is currently at SP7, in case you didn’t know.
There was even the case of a hospital MRI whose control box was backleveled in security patches.
20. 20 It’s Insecure Out of the Box Viruses will never be eliminated
Multibillion $ industry to fight them
Eliminate the threat, we no longer have multibillion $ industry.
Wireless cash register software sending data in the clear
Document imaging systems sending data in the clear
Govt/LE records digitized by insecure software
Printers, copiers based on NT!
21. September 8, 2012 Why buy the cow when you can get the milk for free?
24. 24 This is my favorite of the phishing sites. The beauty of this design is in the detail. If you clicked on the privacy pledge or any of the links in the bottom blue bar, you got the real US Bank site. A number of users did this, saw that it was the real US Bank site, figured the request was legit and then proceeded to the next screens.
25. 25 Here’s the next screen. Notice the amount of information it asks from the user. Feel uncomfortable?
26. 26 At least we got a ticket number……
27. 27 Obtaining Personal Information Public Records can be accessed from anywhere in the world.
Local governments are allowing access to sensitive info via the Web without thinking about security.
28. 28 County Clerks and Identity Theft Making legal docs available on the net w/o good security practices.
A secure www site isn’t enough
Tom Delay SSN From Public Records
Jeb Bush SSN From Public Documents
Colin Powell Deed of Trust
Colin Powell SSN from Public Records
Do County Clerks (by extension, the state legislature) facilitate ID Theft?
29. 29 What’s Going On Here? We’re spending $$$ to protect sensitive data (SSN)
State govt is allowing SSN info to be obtained online
Laws need to be coordinated
Sometimes the data isn’t where you think it is….
31. 31 PDA/Smartphones
32. 32 Motivation People want access to information all the time
User expectation of information everywhere and all the time.
Rapid evolution to use interconnected networks.
Security Challenges
Information sharing and security at odds.
Laws, regulations, and policies not keeping pace.
Stopgap measures.
33. 33 RFID Technology RFID tags.
first “true” pervasive technology.
Correlation tracking for inventory mgt
Potential misuse by combining user habits with tags tracking data
34. 34 PDA/RFID Threat Summary Data Disclosure
Data Modification
Tracking the target
Denial of Service Attacks
Drain the battery
36. 36 Battery Power Attack Contrasts
37. 37 Attack the Client or the Server? Attack the PDA PC, Mac, PDA/Smartphone Clients
Your overall security architecture is subverted by PC, Mac, PDA/Smartphone insecurity. Microsoft has become a favorite target of hackers for a number of reasons. Those are of no concern to us now, but the fact of the matter is that there are many more Microsoft and Macintosh systems than servers.
The inherent insecurity of the client systems subverts any security architecture you can design.
38. 38 Why PDA Attacks Work Poor Password Selection
System Management Training Deficiencies
Inadequate User Training
External Open Environments affect your network
Vendor supplied defects
Lack of Mgt. Support to correct problems Faculty members were just starting to use Unix workstations on the Internet in 1990 and we didn’t realize that we needed to set up adequate training for them. Poor passwords allowed the hacker to gain access to the system and create the fake accounts. .rhosts files allowed him to access machines that had stronger passwords for the compromised userids. We failed to train our sysadmins and users on accessing the Internet (remember this was in 1992), having strong passwords and not using r-commands.
The last bullet is a familiar lament among system and lab administrators. It was a lot cheaper to purchase machines instead of paying for people to manage them. Some of the system:person ratios were 60:1, 80:1.
The 5th bullet is important. The lack of security at your site affects my site. This was true in 1992 and it’s true today.
39. September 8, 2012 Taking Advantage of the Surveillance Society We’ve Become…..
46. 46 There are tons of Internet sites that have information about individuals. This is one of the online white/yellow page phone directories on the net. You can see the variety of service options available to you. In this example, I entered the name of the individual in the White Pages section of the search engine. I didn’t know what town/city the person lives in, so I asked it to give me everyone in the state who matches the request. The next slide shows the result.
47. 47 Here are a couple of names that matched my search request. I have the address and phone number of the person. I see the person I’m looking for in this list.
48. 48 Remember that all of the information displayed so far is public information. There has been NO access to sites that might have sensitive information. You don’t really need that much information to steal someone’s identity.
49. 49 If I want to know how to get to the person’s address, I have a couple of sites that will give me that information. This is one of the more popular sites. I enter the address in the form on the left side of the screen.
50. 50 Here’s a map of the address. We can zoom in or out depending on how much detail we want.
51. 51 Here they are.
52. 52 This is an example of one of the pay sites on the net. The following slides show some of the information resources available to an “investigator”. Once again, you can build a pretty complete profile on a person using these resources.
This site is interesting because it puts all of the links in one place.
53. 53 This page has a number of links that can be used to obtain someone’s telephone records. The SSN link has interesting implications simply because you can build a personal history. You need to pay some $$$ ($35-$150 per search) to use these features but there’s nothing here that would break your bank.
54. 54 Some more telephone links, but there are also the criminal records, property records and DMV searches. Now, most of the data obtained via these sources is subject to the individual site’s privacy policies. You need to know what they are.
55. 55 The professional license search link is another example of how you can build a profile on someone.
56. 56 Some other free sites for obtaining information about an individual. The aircraft related sites and Coast Guard vessel sites are interesting.
57. 57 The SSN is the primary identification number for most applications. There are numerous documents that describe the SSN numbering scheme.
58. 58 This is one of the places that describes the SSN numbering process. The links at the bottom of the page will help verify some information about a particular SSN.
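The SSN numbering scheme the slide refers to is also what a county clerk's office can use defensively: scanning a document for SSN-shaped tokens, discarding the ones that the published structural rules say could never have been issued, and masking the rest before the record goes on the Web. The following is an added example, not material from the talk; the structural rules (areas 000, 666 and 900-999, group 00 and serial 0000 are never assigned, and two widely circulated numbers are explicitly invalid) are the Social Security Administration's, while the deed-of-trust text and every number in it are constructed for the demo.

```python
import re

# Structural rules published by the Social Security Administration: these area,
# group and serial values have never been assigned, before or after the 2011
# move to randomized assignment.
NEVER_ISSUED_AREAS = {"000", "666"} | {f"{n:03d}" for n in range(900, 1000)}
# Numbers the SSA lists as invalid after they were widely circulated
# (the 1938 Woolworth wallet-card number and an advertisement number).
KNOWN_BOGUS = {"078051120", "219099999"}

# SSN-shaped token: 3-2-4 digits, dashes or spaces optional, bounded by non-digits.
SSN_PATTERN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def structure_problem(area: str, group: str, serial: str):
    """Return why the number could not be a real SSN, or None if it is plausible."""
    if area in NEVER_ISSUED_AREAS:
        return f"area {area} never issued"
    if group == "00":
        return "group 00 never issued"
    if serial == "0000":
        return "serial 0000 never issued"
    if area + group + serial in KNOWN_BOGUS:
        return "known invalid number"
    return None


def find_ssns(text: str):
    """List (token, verdict) for every SSN-shaped token; verdict is 'plausible' or the reason."""
    found = []
    for m in SSN_PATTERN.finditer(text):
        problem = structure_problem(*m.groups())
        found.append((m.group(0), problem or "plausible"))
    return found


def redact(text: str) -> str:
    """Mask plausible SSNs as XXX-XX-nnnn; structurally impossible tokens are left alone."""
    def mask(m):
        area, group, serial = m.groups()
        if structure_problem(area, group, serial):
            return m.group(0)
        return f"XXX-XX-{serial}"
    return SSN_PATTERN.sub(mask, text)


def plausible_count(text: str) -> int:
    """How many tokens would have to be masked before the document is published."""
    return sum(1 for _, verdict in find_ssns(text) if verdict == "plausible")


# Constructed sample document; none of these values belong to a real person.
SAMPLE_RECORD = """DEED OF TRUST (constructed sample)
Grantor: J. Doe, SSN 219-09-9999
Grantee: A. Roe, SSN 123-45-6789
Contact: 540-231-7000   Parcel ID: 000-00-0000   Invoice: 987654321
"""


if __name__ == "__main__":
    for token, verdict in find_ssns(SAMPLE_RECORD):
        print(f"{token:<12} {verdict}")
    print(redact(SAMPLE_RECORD))
```

The structural filter matters for the false-positive rate: parcel numbers, invoice numbers and phone numbers in the same record would otherwise be flagged and masked, and a clerk who sees too many bad hits stops trusting the scanner. Keeping the last four digits visible follows the convention most agencies already use for truncated SSNs on public-facing copies.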
59. 59 Protect the Data – not the Machine File system encryption
Nice but why encrypt everything on the device?
Oooh, I encrypted Office CE!
Probably will win because people are lazy
Data File Encryption
Thumb drive encryption
61. 61 What we would do to take over the world Deep Strike Strategy
Local Strike Strategy
Use Stealth worms
Attack gadgets
Pollute LE, Govt identities
Wipe out the machines on D-day
62. 62 Deep Strike Target the data entry process
Forget modifying it once it’s in the system
Input faults at data entry point
Corrupt NCIS/AFIS data
Corrupt legal record entry
Attack local stock broker systems
Someone just “bought” a lot of shares
Use to trigger auto buy/sell programs
Corrupt in-stream stock quotes
Just enough to fly “under the radar”
Target hospital/medical wireless nets
DDOS them to prevent info transmission
63. 63 Deep Strike Target RFID Inventory systems
DOD, “Walmarts”
Direct shipments elsewhere. Don’t steal it, just redirect it at the critical time
Force manual control to slow down the process
E-passport, E-Drivers License, E-tags
Track your targets
Target the compilers, microcode
Modify the chip instruction set
Change the compilers to add backdoors
Ken Thompson’s paper on Trust
64. 64 Target Security Clearances Target security clearance methodology
Questioning the vetting process means everyone who got a clearance using that process is suspect
Target Military personnel credit ratings
Get SSN from county court house www sites
Bad credit = revoked security clearances
65. 65 Deep Strike Target automated public service radio systems
Use EAS automated receivers to send fake evacuation messages
Evacuate mid size cities, small towns
Target stadium or highway display boards
“there’s a bomb in the seats”
Stress local 911
1 more call than there are ambulances
Use cell phones to generate the calls
66. 66 Deep Strike Target gadgets
Not for control but for DDOS
Target E-voting systems
Target home systems
For ID theft and DDOS
Use stealth worm capabilities to fly under the radar of IDS, IPS
Avoid Blaster-style attacks until needed as a diversion
67. 67 Deep Strike Erode trust in security mechanisms so they will be ignored
For example, businesses will not turn down a sale but they will turn down a security process that is perceived to be corrupted
Pick an infrastructure
Stock market
Credit card
Drivers license
68. 68 Local Strike Target LE, Military for ID pollution
Mess up agent’s credit rating so the family can’t buy anything
It’s a distraction
Repeat for investigative teams/leaders/mgt
Attack via Choicepoint, Seisint, etc. Use the tools LE would use
Repeat for civilian leadership
Legislative, executive, judicial
69. 69 D-DAY Use the previous setup to create minor distractions
“Why are they shipping 30K snowblowers to AZ”
Launch real attack
Activate bots introduced by stealth worms
Wipe out all user data on infected machines
70. 70 Solutions Need Cyber training, awareness at ALL levels of society
ATM Cards prove it can be done
Society learned how to use a complex transportation technology (cars) in the past
Driver’s license ensures a base level of knowledge of proper use of the technology
71. 71 Summary Nothing has changed?
Users trigger attacks
Sysadmins trigger attacks
Vendors trigger attacks
The order has changed
Vendor errors move to the top
Mgt errors close second
Cause training deficiencies
State legislation is moving to the top