Topics in Internet Security • STC Training, Tuesday, August 23 2011 • Brian Allen, CISSP, brianallen@wustl.edu • Network Security Analyst, Washington University in St. Louis • http://nso.wustl.edu/presentations/
Let’s Talk About • Email Security • Password Managers • PNA Examples • Phishing Examples • Top Ten Security Tips • Virus Example and Case Study
Decentralized Campus Network (diagram: schools connected to the Internet through NSS and NSO) • Business School • Law School • Arts & Sciences • Medical School • Library • Social Work • Art & Architecture • Engineering School • NSS = Network Services and Support • NSO = Network Security Office
Free Password Managers • KeePass – I use this one • Called KeePassX for the Mac • Password Safe • I Use Dropbox.com to store my KeePass file so I can always access it
Email Security Tip #1 • Do not click on links in emails
Email Security Tip #2 • See Tip #1
Spam (supply-chain diagram): Product Supplier, Accountant, Seller 1, Seller 2, Seller 3, with each seller connected to Spammer 1, Spammer 2 and Spammer 3
Where Does Spam Originate? Why Do We Care? • Spam = Bots (large armies of infected machines sending out spam) • Bots = Sophisticated Malware • Sophisticated Malware = Organized Crime • More than 89% of all email messages were spam in 2010 - Symantec
Spam is Big Business • Rates for one million email addresses: $25 to $50 http://www.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf • 10,000 malware installations: $300–$800 • Sending 100 million emails per day: $10,000 per month http://www.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf • Cutwail’s profit for providing spam services: $1.7–$4.2 million from June 2009 to August 2010 • How much do the spammers gross per day? $7000 http://www.wired.com/magazine/2011/02/st_equation_spamprofits/
CBL Breakdown By Country
Country     Count     %total  %cumu   Rank  Infect %
India       1253890   18.80   18.80   1     4.465%
Vietnam     565839    8.48    27.28   2     3.306%
Brazil      479491    7.19    34.47   3     0.857%
Indonesia   392814    5.89    40.36   4     3.163%
Pakistan    383319    5.75    46.10   5     7.688%
Russia      358142    5.37    51.47   6     0.912%
China       222761    3.34    54.81   7     0.075%
One Cause Of This Problem • Many machines in these countries are running pirated copies of Windows. • They are not getting security updates. • They are vulnerable and get infected. • Also, it can take a long time to download updates.
Underground Economy • Spammers are also involved in: • CAPTCHA solving • Email harvesting • Custom software • Bulletproof hosting • Proxies
Spam Volume • From Jul 30 to Aug 25, 2010, security researchers infiltrated the Cutwail spam network and discovered that 87.7 billion emails were successfully sent
Spam Content • The Zeus/SpyEye banking Trojan typically uses lures such as: • Greeting card • Resume • Invitation • Mail delivery failure • Receipt for a recent purchase
Department of Justice Disrupts International Cyber Crime Rings Distributing Scareware • June 22, 2011 • ”Today the Department of Justice and the FBI, along with international law enforcement partners, announced the indictment of two individuals from Latvia and the seizure of more than 40 computers, servers and bank accounts as part of Operation Trident Tribunal, an ongoing, coordinated enforcement action targeting international cyber crime. The operation targeted international cyber crime rings that caused more than $74 million in total losses to more than one million computer users through the sale of fraudulent computer security software known as scareware.”
Real or Phish? <http://michaelkellett com/ez/wustl.html>
Emails, Like Postcards, Are Not Encrypted • Contact me to discuss encryption options for storing or sending sensitive information
Social Security Number Email 1
From: BOB [BOB@WUSTL.EDU]
Sent: Friday, April 01, 2011 12:54 PM
To: ALICE [ALICE@NOTWUSTL.COM]
Subject: Registration Request
ALICE: Couldn't remember if I had already sent this request or not. Please register CHARLIE ( 111-11-1111 ) for the session. Thank you, BOB
Social Security Number Email 2
From: BOB [BOB@WUSTL.EDU]
Subject: FW: University talk
To: ALICE@NONWUSTL.EDU, CHARLIE@NOTWUSTL.COM
Date: Monday, April 4, 2011, 12:57 PM
Dear Ms. ALICE and CHARLIE, I sent this e-mail a couple of weeks ago, but I haven't heard back from you yet, so I thought that I would send it again. Also, my SSN is 222-22-2222 and my home address is: 1234 Oak Ave. St. Louis, MO 63130
Top 10 Security Tips For Everyone I • Make sure the Windows Firewall is turned on • Make sure all accounts on your computer have good passwords • Make sure Windows Automatic Updates is on • Install an anti-virus software package. Microsoft is now providing its Security Essentials anti-virus/anti-spyware for free to home users: http://www.microsoft.com/Security_Essentials
Top 10 Security Tips For Everyone II • I use Firefox with AdBlock Plus • Run Secunia Personal Software Inspector (www.secunia.com). It is free, and it will tell you when you need to update your other software (Adobe, Java, QuickTime, RealPlayer, etc.) • Educate yourself on phishing and don’t become a victim (Google: “phishing quiz”)
Top 10 Security Tips For Everyone III • Don’t click on links in e-mail. • Don’t give out your password to anyone, for any reason, especially in an e-mail! • Never enter your password into a site that is not using HTTPS.
When We Met • July 3, 2009 • One of Patrick’s students came to work for me as a student lackey worker
PNA is Born • First mention of PNA to me was Mar 18, 2010 • PNA was installed at WUSTL Aug 11, 2010 • It monitors our primary ISP link
Security Data I Rely On • I use flow logs to look for: • Scanners • Spammers • Connections to known bot C&C IP addresses • Suspicious IRC traffic • Ad-hoc incidents (e.g. law enforcement requests) • I also look for: • Connections to known bot C&C hostnames in DNS • NMAP of every IP address, every port (a LOT of data)
Hacker’s IP Addresses • December 2010: a well-known local IT shop had a data breach • I was able to get the hacker’s two IP addresses that were used to log into their network • I used PNA to check whether those IP addresses had appeared anywhere on our network in the past week • They had not
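The flow-log checks listed on the "Security Data I Rely On" slide and the look-back for the hacker's IP addresses above are the kind of thing a small script over exported flow records can answer. The block below is an added example, not PNA code or anything from the presentation; the flow records, addresses, thresholds and the C&C block list are all constructed, and the scanner/spammer heuristics (many distinct targets with tiny flows; many distinct SMTP peers) are simple assumptions rather than PNA's own logic.

```python
"""Flow-log triage checks of the kind listed on the slides: scanners,
spammers, connections to known bot C&C addresses, suspicious IRC traffic,
and a look-back for specific IP addresses. Added example, not PNA code;
the flows, addresses, thresholds and C&C list are constructed."""
from collections import defaultdict
from statistics import mean

# Constructed sample flow records: (src_ip, dst_ip, dst_port, proto, bytes).
SAMPLE_FLOWS = [
    ("10.1.1.5", "192.0.2.10", 80, "tcp", 12000),
    ("10.1.1.5", "192.0.2.10", 443, "tcp", 34000),
    # scanner: one source probing many hosts on one port with tiny flows
    *[("10.1.2.7", f"10.1.3.{i}", 22, "tcp", 60) for i in range(1, 41)],
    # spammer: one host opening outbound SMTP to many distinct servers
    *[("10.1.4.9", f"198.51.100.{i}", 25, "tcp", 2000) for i in range(1, 31)],
    # bot: IRC-port connection to an address on the C&C block list
    ("10.1.5.3", "203.0.113.41", 6667, "tcp", 900),
    ("10.1.6.2", "203.0.113.99", 443, "tcp", 500),
]

# Constructed placeholder block list; a real one would come from a threat feed.
KNOWN_CC_IPS = {"203.0.113.41"}
IRC_PORTS = {6667, 6668, 6669, 6697}


def find_scanners(flows, min_targets=20, max_mean_bytes=200):
    """Sources touching many distinct (host, port) targets with small flows."""
    targets = defaultdict(set)
    sizes = defaultdict(list)
    for src, dst, port, _proto, nbytes in flows:
        targets[src].add((dst, port))
        sizes[src].append(nbytes)
    return sorted(
        src for src in targets
        if len(targets[src]) >= min_targets and mean(sizes[src]) < max_mean_bytes
    )


def find_spammers(flows, min_peers=20):
    """Sources opening SMTP (port 25) to many distinct destinations."""
    peers = defaultdict(set)
    for src, dst, port, _proto, _nbytes in flows:
        if port == 25:
            peers[src].add(dst)
    return sorted(src for src, dsts in peers.items() if len(dsts) >= min_peers)


def find_cc_contacts(flows, cc_ips):
    """(src, dst) pairs where the destination is a known C&C address."""
    return sorted({(src, dst) for src, dst, _p, _proto, _b in flows if dst in cc_ips})


def find_irc_flows(flows):
    """Flows to common IRC ports; worth a look because bots often use IRC for C&C."""
    return sorted({(src, dst, port) for src, dst, port, _proto, _b in flows
                   if port in IRC_PORTS})


def seen_on_network(flows, suspect_ips):
    """Which of the suspect addresses appeared in the flow logs at all
    (the 'were these IPs on our network last week?' question)."""
    present = set()
    for src, dst, _p, _proto, _b in flows:
        present.add(src)
        present.add(dst)
    return set(suspect_ips) & present


if __name__ == "__main__":
    print("scanners:", find_scanners(SAMPLE_FLOWS))
    print("spammers:", find_spammers(SAMPLE_FLOWS))
    print("C&C contacts:", find_cc_contacts(SAMPLE_FLOWS, KNOWN_CC_IPS))
    print("IRC flows:", find_irc_flows(SAMPLE_FLOWS))
    print("seen:", seen_on_network(SAMPLE_FLOWS, {"203.0.113.99", "203.0.113.1"}))
```

The scanner check uses flow size as well as target count so that a legitimate mail relay with many small-but-not-tiny SMTP sessions is not confused with a port sweep; real thresholds need tuning against a week of your own flows before they are trusted.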
Infected Laptop • Owner’s Response: “Hello, Thanks for the update! Yea this machine is hosed! I knew it was bad but, I didn't know it was that bad. I am in the midst of transferring all of my stuff to a new machine because I needed to reformat this laptop anyway. I can't get wireless signal either...lol! Thanks,”
Infected RedHat Server • Forensics identified four key hacker IP addresses • Who else were these hackers talking to on campus? • Two other machines were compromised
Law Enforcement Incident • Person threatening/harassing a student • LE provided: IP address, general time frame • Using PNA we could tell them every time that suspect talked to a WUSTL machine
Bot Example
$ nslookup 64.74.223.41
** server can't find 41.223.74.64.in-addr.arpa.: NXDOMAIN
• What to do? • Passive DNS can help (diagram: WU nslookup X = 64.74.223.41)
Passive DNS Within PNA • PNA can optionally collect passive DNS data • It can look at all outgoing DNS traffic • Notify the security community • Google it to get more info: who owns it? • Add it to my blackhole DNS server • nslookup irc.berthabig.info = 64.74.223.41
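The two slides above describe the problem and the fix: reverse DNS for the C&C address returns NXDOMAIN, but if you have been recording the answers your own resolvers hand out, you can ask which names resolved to that address and then feed those names to a blackhole DNS server. The block below is an added example of that index, not PNA code or anything from the presentation. The observed answer records are constructed; the one hostname/IP pair (irc.berthabig.info, 64.74.223.41) is the one shown on the slide, and the Response Policy Zone (`CNAME .`) output format is an assumption about how the blackhole server is configured.

```python
"""Passive DNS index built from DNS answers seen leaving the network, used
to answer the question on the slide: the reverse lookup for the address
returns NXDOMAIN, so which names has it appeared in answers for? Added
example, not PNA code. The answer records are constructed; the hostname/IP
pair irc.berthabig.info -> 64.74.223.41 is the one on the slide, and the
RPZ output format is an assumption about the blackhole DNS server."""
from collections import defaultdict

# Constructed observed DNS answers: (timestamp, qname, rrtype, rdata).
SAMPLE_ANSWERS = [
    ("2010-08-11T09:15:02", "www.example.net", "A", "198.51.100.7"),
    ("2010-08-11T09:16:40", "irc.berthabig.info", "A", "64.74.223.41"),
    ("2010-08-11T09:16:40", "irc.berthabig.info", "AAAA", "2001:db8::41"),
    ("2010-08-12T22:03:11", "irc.berthabig.info", "A", "64.74.223.41"),
    ("2010-08-12T22:05:00", "mail.example.net", "MX", "mx.example.net"),
]


def build_passive_dns(answers):
    """Index rdata -> qname -> {first_seen, last_seen, count} for address records."""
    index = defaultdict(dict)
    for ts, qname, rrtype, rdata in answers:
        if rrtype not in ("A", "AAAA"):
            continue  # only address records map a name to an IP
        entry = index[rdata].setdefault(
            qname, {"first_seen": ts, "last_seen": ts, "count": 0})
        # ISO-8601 timestamps sort lexicographically, so min/max give the range
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["count"] += 1
    return index


def names_for_ip(index, ip):
    """Names observed resolving to this address, regardless of what reverse DNS says."""
    return sorted(index.get(ip, {}))


def rpz_records(names):
    """Response Policy Zone lines that make the blackhole server answer NXDOMAIN
    for each name (the 'CNAME .' rule). Assumed format for the blackhole DNS."""
    return [f"{name} CNAME ." for name in names]


if __name__ == "__main__":
    idx = build_passive_dns(SAMPLE_ANSWERS)
    ip = "64.74.223.41"
    for name in names_for_ip(idx, ip):
        print(ip, name, idx[ip][name])
    print("\n".join(rpz_records(names_for_ip(idx, ip))))
```

Keeping first-seen and last-seen per (address, name) pair is what makes the index useful for incident scoping: it tells you not just that a name pointed at the address, but over what window, which is the same question the flow-log look-back answers for direct connections.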