Week 08 : Security awareness and hacking PCB - Knowledge Sharing session
White hat vs Black hat hacking The good guys are "white hats," who identify weaknesses in systems so they can be fixed. "Black hats" are the ones who take advantage of weaknesses in systems.
3 main threats of the internet (just a list of some generic examples)
• Hacking
• Man in the middle attack
• Key loggers
• DDoS (Distributed Denial of Service)
• Phishing
• Websites
• Email
• Spoofing (identity theft)
• Email spoofing
• IP spoofing / gateway poisoning
Hacking : Man in the middle attack The attacker (the "man in the middle", MITM) intercepts some or all of the traffic leaving the victim's computer, reads or alters it, and then forwards it to the destination the user originally intended to reach, so neither end notices. If the traffic is unencrypted, the attacker can read and change any of it directly. If it is encrypted, the attacker still captures it but has to break or strip the encryption before it can be read or tampered with.
Hacking : Man in the middle attack Watch the video below for a simulation of a MITM attack I've done on an unencrypted e-commerce website. The initial chargeable figure was RM 43.00, but I could alter it to RM 1.00 upon checkout. http://www.youtube.com/watch?v=yGF4FQb9rHQ DISCLAIMER: No animals, property, human or interest was jeopardized during this process of "simulating" the scenario in the video below, which depicts the MITM, by Jermaine Cheah Penn Hon
Hacking : Man in the middle attack Prevention
• Only buy from trusted/reputable sites, and only on pages served over HTTPS (the tampering in the video works because the site sent the order in plaintext)
• Only use trusted computers to perform online transactions
• Make sure you are not on a public, untrusted network
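To show why the price in the video could be rewritten and what stops it, here is an added example that is not part of the original slides or the video. The shop, the SKU, the RM prices and the raw HTTP request are all constructed for the example; the "server" functions are hypothetical stand-ins for the real checkout code.

```python
"""Added example (not from the slide deck): a man in the middle rewriting a
form field in a plaintext HTTP checkout, beside the server-side check that
makes the rewrite harmless.  Everything here is constructed; it runs offline."""
from urllib.parse import parse_qs, urlencode

# Hypothetical server-side price list: the only price the shop should trust.
CATALOGUE = {"SKU-1001": "43.00"}

# A checkout request as the browser sends it over plain HTTP (constructed).
CLIENT_REQUEST = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "sku=SKU-1001&amount=43.00&card=4111111111111111"
)

def split_request(raw):
    """Split a raw HTTP request into (header text, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body

def mitm_rewrite(raw, field, new_value):
    """What the man in the middle does: intercept the plaintext request,
    change one form field and forward everything else untouched."""
    head, body = split_request(raw)
    form = parse_qs(body, keep_blank_values=True)
    form[field] = [new_value]
    return head + "\r\n\r\n" + urlencode(form, doseq=True)

def naive_charge(raw):
    """Vulnerable server: bills whatever 'amount' the client sent."""
    _, body = split_request(raw)
    return parse_qs(body)["amount"][0]

def hardened_charge(raw):
    """Fixed server: looks the price up by SKU and refuses a mismatch.
    The other half of the fix is TLS, so the request cannot be read or
    altered on the wire in the first place."""
    _, body = split_request(raw)
    form = parse_qs(body)
    expected = CATALOGUE[form["sku"][0]]
    sent = form.get("amount", [expected])[0]
    if sent != expected:
        raise ValueError(f"amount tampered: client sent {sent}, catalogue says {expected}")
    return expected

def is_tampered(raw):
    """True when the hardened server would reject the request."""
    try:
        hardened_charge(raw)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    tampered = mitm_rewrite(CLIENT_REQUEST, "amount", "1.00")
    print("naive server charges:", naive_charge(tampered))
    print("hardened server rejects it:", is_tampered(tampered))
```

The naive server bills RM 1.00 because the amount it trusts came from the client; the hardened one recomputes the price from the SKU and refuses the mismatch. Neither check replaces HTTPS: the attacker could still read the card number in transit.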
Hacking : Key Logging … is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. 2 main types of key logging : Hardware based and software based
Hacking : Key Logging Hardware KeyLoggers
Hacking : Key Logging Software KeyLoggers
• Listener on web page fields
• Background services
• Webcam hijacking
Hacking : Key Logging Prevention
• Use one-time passwords (OTP)
• Use two-factor authentication (2FA), e.g. Google Authenticator, so a captured password alone is not enough
• Change your password more often and use higher complexity
• Cover your laptop webcam when not in use
• Only use a trusted PC for sensitive transactions
• Use trusted anti-keylogging software such as KeyScrambler (http://www.qfxsoftware.com/)
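The OTP and Google Authenticator bullets rest on the same mechanism, the RFC 6238 time-based one-time password. The following is an added example, not code from the slides or from any authenticator app, implemented with the Python standard library; the shared secret is the RFC 6238 test-vector secret so the outputs can be checked against the RFC, not a real enrolment key.

```python
"""Added example (not from the slide deck): an RFC 6238 time-based one-time
password, the scheme behind Google Authenticator, showing why a code that a
keylogger captured is useless a minute later.  Standard library only."""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code
DIGITS = 6     # what most authenticator apps display

# RFC 6238 reference secret ("12345678901234567890" in ASCII), used so the
# outputs match the RFC's published test vectors.  Not a real secret.
SECRET = b"12345678901234567890"

def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """HOTP (RFC 4226) over the time counter floor(unix_time / step)."""
    counter = int(unix_time) // step
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret, code, unix_time, window=1):
    """Accept the code for the current step or the adjacent ones (clock skew).
    A code from any other step, e.g. one a keylogger captured earlier, is
    rejected even though the password typed with it was genuine."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False

if __name__ == "__main__":
    captured_at = 59                       # keylogger sees the code typed here
    captured = totp(SECRET, captured_at)
    print("code at t=59:", captured)       # 287082 (RFC vector 94287082, last 6 digits)
    print("replayed 2 minutes later:", verify(SECRET, captured, captured_at + 120))
    print("live code now:", totp(SECRET, time.time()))
```

The replay fails because the HMAC input is the time step, not the password. The caveat: a code captured and relayed within the same 30-second step is still valid, so a server should additionally refuse to accept the same code twice; OTP narrows the keylogger's window, it does not close it.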
Hacking : DDoS A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users; it is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. A distributed denial-of-service (DDoS) attack is the same thing launched from many machines at once, typically a botnet of infected PCs, which is why the prevention advice below is about keeping your own machine out of such a botnet. There are 2 general forms of DoS attacks: those that crash services and those that flood services.
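For the flood form, the defender's first question is how to tell a flood from busy but normal traffic. The following is an added example, not from the slides: a small detector run over constructed Common Log Format access-log lines. The IP addresses, timestamps and both thresholds are invented for the example; the thresholds in particular would be tuned to a real site's baseline.

```python
"""Added example (not from the slide deck): spotting a flood-type denial of
service in web server access logs.  One noisy client is caught by a per-IP
rate; a *distributed* flood spreads the same load over many addresses that
each stay under that rate, so the detector also watches the aggregate."""
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format lines, constructed: three normal requests, then 60 hits
# from one host in one second, then 1 hit each from 80 hosts in one second.
LOG_LINES = [
    '198.51.100.7 - - [10/Mar/2014:10:00:01 +0800] "GET / HTTP/1.1" 200 512',
    '198.51.100.8 - - [10/Mar/2014:10:00:02 +0800] "GET /login HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Mar/2014:10:00:03 +0800] "GET /cart HTTP/1.1" 200 640',
] + [
    '203.0.113.5 - - [10/Mar/2014:10:00:05 +0800] "GET / HTTP/1.1" 200 512'
    for _ in range(60)
] + [
    f'192.0.2.{i} - - [10/Mar/2014:10:00:06 +0800] "GET / HTTP/1.1" 200 512'
    for i in range(1, 81)
]

PER_IP_LIMIT = 20   # requests per second from one address (hypothetical)
GLOBAL_LIMIT = 50   # requests per second in total (hypothetical)

def parse_line(line):
    """Return (source_ip, timestamp truncated to the second) from a CLF line."""
    ip = line.split(" ", 1)[0]
    stamp = line[line.index("[") + 1:line.index("]")]
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when.replace(microsecond=0)

def detect_floods(lines, per_ip_limit=PER_IP_LIMIT, global_limit=GLOBAL_LIMIT):
    """Count requests per (second, ip) and per second.

    Returns (single_source_alerts, distributed_alerts):
      single:      (second, ip, hits) for any ip over per_ip_limit
      distributed: (second, total_hits, distinct_ips) for seconds over
                   global_limit where no single ip tripped the per-ip rule
    """
    per_ip = defaultdict(Counter)   # second -> Counter(ip -> hits)
    total = Counter()               # second -> hits
    for line in lines:
        ip, sec = parse_line(line)
        per_ip[sec][ip] += 1
        total[sec] += 1
    single = [(sec.isoformat(), ip, n)
              for sec, ips in per_ip.items()
              for ip, n in ips.items() if n > per_ip_limit]
    distributed = [(sec.isoformat(), n, len(per_ip[sec]))
                   for sec, n in total.items()
                   if n > global_limit and max(per_ip[sec].values()) <= per_ip_limit]
    return single, distributed

if __name__ == "__main__":
    single, distributed = detect_floods(LOG_LINES)
    for sec, ip, n in single:
        print(f"{sec}: single source {ip} sent {n} requests")
    for sec, n, hosts in distributed:
        print(f"{sec}: {n} requests from {hosts} hosts, none over the per-IP limit")
```

The per-IP rule alone would miss the second burst entirely, which is the whole point of distributing the attack; the aggregate rule catches it, at the cost of also firing on a genuine traffic spike, so in practice both alerts need a human or an upstream scrubbing service behind them.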
Hacking : DDoS (Famous Cases)
• February 2000: Mafiaboy vs. Yahoo, CNN, eBay, Dell and Amazon
• One of the first large-scale DDoS attacks in history
• Done by "Mafiaboy", a.k.a. 15-year-old Michael Calce
• Took down Yahoo, CNN, eBay, Dell and Amazon
• Picked up by Canadian police (while watching Goodfellas, allegedly) and pleaded guilty to the hacking charges
• Sentence: 8 months in a juvenile detention centre and a forced $250 donation to charity
• November 2008: Unknown vs. Microsoft Windows (and the world)
• The Conficker worm exploited a vulnerability in the Windows Server service (MS08-067) present in a number of Microsoft operating systems
• Each infected PC was turned into a zombie machine in a botnet
• Infected millions of computers and business networks in countries around the world
• Protect yourself with the Conficker Removal Tool
Hacking : DDoS Prevention
• Keep your antivirus updated
• Apply operating system updates and fixes promptly
• Keep up with security news
• Avoid downloading media, software and files from untrusted sources
• Perform periodic scans on your machine
Phishing - Email Phishing email messages are designed to steal your identity. They ask for personal data, or direct you to websites or phone numbers to call where they ask you to provide personal data.
Phishing - Email
• What does a phishing email message look like?
• It usually spoofs a bank or financial institution, a company you regularly do business with (such as Microsoft), or your social networking site.
• It might appear to be from someone in your email address book.
• It might ask you to make a phone call. Phone phishing scams direct you to call a number where a person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data.
• It might include official-looking logos and other identifying information taken directly from legitimate websites, and convincing details about your personal history that scammers found on your social networking pages.
• It might include links to spoofed websites where you are asked to enter personal information.
Phishing – Email Prevention
• Do not be greedy
• Again, do not be greedy (an offer that is too good to be true is the bait)
• Check links before proceeding: hover over the link and compare the real destination with the text shown
• Subscribe to a phishing report list
• Do not simply disclose personal information
• Secure and reputable services will not ask you to verify yourself via email
Phishing - Website Phishing websites look legitimate, so users naturally enter their credentials and fall into the trap. (Screenshot on the original slide: a Facebook phishing site)
Phishing – Website Prevention
• Do not be greedy
• Again, do not be greedy
• Check links before proceeding: the real destination is in the address bar after the page loads, not in the link text
• Subscribe to a phishing report list
• Do not simply disclose personal information
• Secure and reputable services will not ask you to verify yourself via email
• Do not log in while using public open networks
• Phishing sites might even show your legitimate URL when the network itself is spoofed (see the spoofing section), so the address bar alone is not proof
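"Check links before proceeding" appears in both the email and the website prevention lists; the following added example (not from the slides) does that check mechanically on an HTML email body, flagging the tricks phishing mail relies on: link text naming one site while the href goes to another, look-alike hosts that merely contain the real brand's name, raw IP addresses, and punycode (homograph) hosts. The message, the allowlist and all the domains are constructed for the example; the maybank2u.com.my entry is there only because the slides use that site as the illustration.

```python
"""Added example (not from the slide deck): analysing the links in a
suspicious HTML e-mail against an allowlist of hosts the recipient
actually expects.  Standard library only; runs offline."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Hosts the recipient genuinely expects (hypothetical allowlist).
TRUSTED_HOSTS = {"www.maybank2u.com.my", "maybank2u.com.my"}

# A phishing e-mail body, constructed for the example.
EMAIL_HTML = """
<p>Dear customer, your account will be suspended. Please verify now:</p>
<a href="http://www.maybank2u.com.my.verify-account.example/login">https://www.maybank2u.com.my/</a>
<a href="http://203.0.113.10/m2u/">Secure login</a>
<a href="https://xn--maybnk2u-8a.example/">Mobile banking</a>
<a href="https://www.maybank2u.com.my/">Help centre</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def check_link(href, text, trusted=TRUSTED_HOSTS):
    """Return the reasons this link is suspicious (empty list = looks fine)."""
    host = _host(href)
    if host in trusted:
        return []
    reasons = []
    if _is_ip(host):
        reasons.append("href points at a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host, possible homograph of a real name")
    for t in trusted:
        if host != t and t in host:            # brand name buried in a longer host
            reasons.append(f"look-alike host: '{host}' is not '{t}'")
            break
    text_host = _host(text) if text.startswith(("http://", "https://")) else ""
    if text_host and text_host != host:
        reasons.append(f"link text shows '{text_host}' but href goes to '{host}'")
    if not reasons:
        reasons.append(f"host '{host}' is not on the trusted list")
    return reasons

def analyse(html):
    """Return [(href, reasons)] for every link in the message body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]

if __name__ == "__main__":
    for href, reasons in analyse(EMAIL_HTML):
        print(href, "->", "; ".join(reasons) or "ok")
```

The look-alike rule is deliberately blunt: a legitimate subdomain such as a mobile site would also trip it unless it is added to the allowlist, which is the right default for a bank.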
Spoofing - email Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
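The reason email spoofing works is that the From: line is just text the sender types. What a receiving mail server records about the message tells you more, and the following added example (not from the slides) compares them. Both messages are constructed; the domains are reserved example domains and the verdict header follows the Authentication-Results format a receiving server writes.

```python
"""Added example (not from the slide deck): why the From: header alone proves
nothing about an e-mail's origin.  Compares the displayed From: domain with
the envelope sender (Return-Path) and with the receiving server's
SPF/DKIM/DMARC verdicts in Authentication-Results.  Standard library only."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: a spoofed message.  The attacker chooses the From: line, but
# the envelope sender and the receiver's verdicts give it away.
SPOOFED = """\
Return-Path: <bounce@mailer.attacker.example>
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=mailer.attacker.example;
 dkim=none;
 dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
To: victim@recipient.example
Subject: Verify your password

Reply with your password to keep your account active.
"""

# Constructed: a genuine message from the same brand.
GENUINE = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example;
 dmarc=pass header.from=bank.example
From: "Bank Security" <alerts@bank.example>
To: victim@recipient.example
Subject: Your monthly statement

Your statement is ready in the secure portal.
"""

def _domain(addr_header):
    """Domain part of the first address in a header, lower-cased."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Parse 'method=result' pairs out of Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    verdicts = {}
    for clause in header.split(";")[1:]:       # clause 0 is the server's own id
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            verdicts[method.lower()] = result.lower()
    return verdicts

def spoof_indicators(raw):
    """Return the reasons a message looks spoofed (empty list = consistent)."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    verdicts = auth_results(msg)
    reasons = []
    if envelope_dom and envelope_dom != from_dom:
        reasons.append(f"From: says {from_dom} but envelope sender is {envelope_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            reasons.append(f"{method}={verdicts.get(method, 'missing')}")
    return reasons

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, "->", "; ".join(spoof_indicators(raw)) or "consistent")
```

One caveat a practitioner would add: Authentication-Results is only trustworthy when your own mail server wrote it and strips any copy that arrived with the message, otherwise the sender can forge that header too.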
Spoofing – Website/IP/DNS Basic spoofing just displays a misleading URL, which is still noticeable. More advanced attackers use ARP poisoning, DNS spoofing and IP spoofing to send you to a fake site while the address bar shows the real URL. What they cannot do is forge a certificate your browser trusts for that site, so over HTTPS the fake site produces a certificate warning; that warning is exactly the one you must never click through. ARP poisoning is a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a local area network, so that other machines send their traffic for the gateway (or another host) to the attacker's machine instead.
Spoofing – Website/IP/DNS So, imagine you are looking at https://www.maybank2u.com.my/ in the address bar, but it is actually not the real M2U site.
Spoofing – Website/IP/DNS Prevention
• Try to avoid using public networks
• Periodically scan your PC to eliminate malicious agents
• Tether your mobile 3G connection for internet banking if you are on the go
• Spoofing over the mobile network is far harder than poisoning a shared Wi-Fi LAN, so it is highly unlikely from an opportunistic attacker
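ARP poisoning leaves a visible trace on the LAN: the gateway's IP address suddenly answers with a different MAC, and one MAC ends up answering for more than one IP. The following added example (not from the slides) detects both from a stream of ARP replies. The gateway address, the MACs and the reply sequence are constructed for the example; a real monitor would feed in replies read off the wire, for instance from tcpdump output.

```python
"""Added example (not from the slide deck): detecting ARP cache poisoning
from observed ARP replies.  On a healthy LAN an IP, above all the default
gateway's, maps to one MAC; a poisoner answers for the gateway's IP with its
own MAC so the victim's traffic flows through it."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"    # hypothetical LAN gateway

# (sender_ip, sender_mac) pairs from ARP replies, constructed: five normal
# replies, then two in which host .50's MAC claims to be the gateway.
ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),
    ("192.168.1.50", "00:11:22:33:44:50"),
    ("192.168.1.51", "00:11:22:33:44:51"),
    ("192.168.1.1",  "00:11:22:33:44:01"),
    ("192.168.1.52", "00:11:22:33:44:52"),
    ("192.168.1.1",  "00:11:22:33:44:50"),   # poisoned: gateway IP, .50's MAC
    ("192.168.1.1",  "00:11:22:33:44:50"),
]

class ArpMonitor:
    """Remember the first MAC seen for each IP and flag later changes."""
    def __init__(self, gateway_ip=GATEWAY_IP):
        self.gateway_ip = gateway_ip
        self.table = {}                        # ip -> first MAC seen
        self.macs_for_ip = defaultdict(set)    # ip -> every MAC seen
        self.alerts = []

    def observe(self, ip, mac):
        """Feed one ARP reply; appends an alert when the mapping changes."""
        mac = mac.lower()
        self.macs_for_ip[ip].add(mac)
        known = self.table.setdefault(ip, mac)
        if known != mac:
            severity = "CRITICAL" if ip == self.gateway_ip else "warning"
            self.alerts.append(
                f"{severity}: {ip} changed from {known} to {mac} "
                f"({len(self.macs_for_ip[ip])} MACs seen)")

    def duplicated_macs(self):
        """MACs answering for more than one IP: the classic poisoner signature."""
        owners = defaultdict(set)
        for ip, macs in self.macs_for_ip.items():
            for mac in macs:
                owners[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}

def run(replies=ARP_REPLIES):
    """Replay a list of replies through a fresh monitor and return it."""
    mon = ArpMonitor()
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon

if __name__ == "__main__":
    mon = run()
    for alert in mon.alerts:
        print(alert)
    print("MACs claiming several IPs:", mon.duplicated_macs())
```

A change of MAC for an ordinary host can be legitimate (a DHCP lease reassigned to another laptop), which is why only the gateway's change is rated critical; the duplicated-MAC check is the stronger signal because a normal host never answers for the gateway's address.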
That’s it! • Thanks for your kind attention and please stay tuned for the Week 7 session next week. • Good day! • Prepared by : Jermaine