
A Few Miscellaneous Topics on Security






Presentation Transcript


  1. A Few Miscellaneous Topics on Security
  Sankar Roy

  2. Acknowledgement
  In preparing the presentation slides and the demo, I received help from
  • Professor Simon Ou
  • Professor Gurdip Singh
  • Professor Eugene Vasserman

  3. Agenda
  • Password cracking
  • Information gathering (reconnaissance)
  • Spoofed emails or phone calls
  • Threats through emails
    • phishing attack
    • other attacks
  • Risks of swiping a credit card in an untrusted place
  • Security concerns associated with RFID tags

  4. Password-based Security
  • We use passwords everywhere
    • email accounts, bank accounts, social networking sites, personal computers, and so on…
  • What makes a good password
    • long but should be easy for you to remember
    • should be very difficult for the attacker to guess

  5. Good or Bad Passwords?
  • 7@Ack
  • ilove soccer
  • 07deserteagle
  • chuck#0123
  • 5lakers5
  • oliveoil7
  • john1
  • eagle1900
  • beethoven5th
  • PTL!1g1M05
  • Pizza
  • qwerty123
  • dhx@yahoo.com
  • justin_bieber_sux!
  • h.o.u.s.e
  • {T@!4u2N9^}&
  • $trongPassword
  • WeRtheChamp10n
  • !ILh2dW&%D@etF1
  • zeppelinIV

  6. Password Cracking
  • How long is good enough?
    • we can compute the password strength
    • use alphanumeric characters, upper case and lower case
    • use special characters
  • Dictionary attack
    • the attacker first tries a list of frequently used passwords
    • then, she may try all possible combinations (brute force)
  • Social engineering to aid in cracking
    • information gathering can work if, as an example, a family member's or pet's name is used as the password
    • you may leak your secret while responding to a fake email or phone call
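As an added illustration of the strength estimate and the dictionary-then-brute-force order described on this slide (example code, not part of the original presentation), the following Python estimates the brute-force search space from the character classes a password uses and checks the password against a small constructed list of frequently used passwords; the bit thresholds are assumed values, not from the lecture.

```python
import math
import string

# Constructed mini "dictionary" of frequently used passwords. It stands in
# for the large wordlists a cracker tries first; these are sample values.
COMMON_PASSWORDS = {"password", "123456", "qwerty123", "letmein", "john1"}

# Character classes and their sizes, used to size the brute-force keyspace.
CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("special", set(string.punctuation), len(string.punctuation)),  # 32
)

def charset_size(password):
    """Sum of the sizes of every character class the password draws from."""
    used = set(password)
    return sum(n for _name, chars, n in CLASSES if used & chars)

def brute_force_bits(password):
    """log2 of the brute-force search space: length * log2(charset size)."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0

def assess(password):
    """Classify a password in the order the slide's attacker works:
    dictionary hits fall first, then short keyspaces (thresholds assumed)."""
    if password.lower() in COMMON_PASSWORDS:
        return "dictionary"
    bits = brute_force_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    return "strong"

if __name__ == "__main__":
    for candidate in ("qwerty123", "Pizza", "oliveoil7", "!ILh2dW&%D@etF1"):
        print(f"{candidate:20} {brute_force_bits(candidate):6.1f} bits  {assess(candidate)}")
```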

  7. Password Cracker Tools
  • Hydra, Medusa
    • can crack network logon passwords (e.g. FTP, HTTP, VNC, POP3)
  • Ophcrack
    • pre-computed rainbow tables can reduce cracking time
  • Top 10 Password Crackers:
    • http://sectools.org/crackers.html

  8. Information Gathering
  The attacker can employ several techniques
  • Uses Internet search engines and social networks
    • collects names, addresses, login names, email addresses, host machine names, etc.
    • automated tools are available, e.g. theHarvester
  • Sends information requests via fake email or phone
    • and waits for a response from a potential victim
  • Does dumpster diving
  • Buys information from the black market

  9. theHarvester: An Automated Miner
  • A tool for gathering e-mail accounts, user names and hostnames from different public sources
  • It supports multiple sources:
    • Google, Bing, LinkedIn, etc.
    • Caution: the attacker can use all sources
  • An example:
    • Using this tool a spammer can collect your email address (e.g. from your public webpage)
  • Anti-harvesting methods
    • Address munging (e.g. instead of alice@abc.com publish "alice at abc dot com")
    • Using images to display part or all of an email address

  10. Spoofed Email
  • The email system does NOT provide "sender authentication"
    • in a spoofed email, the sender's address is altered
    • receiving an email proves nothing about the actual sender
  • Spoofed-email sending software is available
    • which is used in sending SPAM or phishing email

  11. Let's do a Hands-on Activity
  • Note: there are some websites via which anybody can send a spoofed email to anybody
  • Let's test one of them to understand how easy it is for the attacker to send a fake message
  • Caution: this activity is only for testing purposes. It is a crime to send a phishing email.

  12. Gmail's Ways to Detect Email Spoofing
  • Sender Policy Framework (SPF) is an email validation system
    • allows administrators of a domain D to specify which hosts are allowed to send email from D
    • checks authorization of the sender's IP address using the DNS system
  • DomainKeys Identified Mail (DKIM) is a way to digitally sign emails
    • verifies whether the email was actually sent by a particular domain D as claimed in the email
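An added example (not from the presentation) of the SPF check this slide describes: a receiver evaluates the sending domain's SPF record against the connecting IP, mechanism by mechanism, using a constructed DNS table in place of real lookups. The domains and addresses are sample values.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (sample values, not real
# records): TXT holds SPF policies, A/MX hold the hosts that "a"/"mx" expand to.
DNS = {
    "TXT": {
        "example.edu": "v=spf1 mx ip4:198.51.100.0/24 include:_spf.mailer.example -all",
        "_spf.mailer.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    },
    "MX": {"example.edu": ["mail.example.edu"]},
    "A": {"mail.example.edu": ["192.0.2.25"], "example.edu": ["192.0.2.80"]},
}
VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _in_net(ip, spec, default_bits):
    """True if ip lies in spec, given as a host address or a CIDR block."""
    net = spec if "/" in spec else f"{spec}/{default_bits}"
    return ip in ipaddress.ip_network(net, strict=False)

def check_spf(sender_ip, domain, depth=0):
    """Return pass/fail/softfail/neutral for sender_ip sending as domain,
    evaluating mechanisms left to right as SPF does. Handles ip4, ip6, a,
    mx, include and all; anything else is skipped. depth guards include loops."""
    record = DNS["TXT"].get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "neutral"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in VERDICT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4" and ip.version == 4:
            matched = _in_net(ip, arg, 32)
        elif name == "ip6" and ip.version == 6:
            matched = _in_net(ip, arg, 128)
        elif name == "a":
            matched = sender_ip in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(sender_ip in DNS["A"].get(h, []) for h in hosts)
        elif name == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        if matched:
            return VERDICT[qual]
    return "neutral"
```

A "fail" result is what lets a receiver such as Gmail treat a message claiming to be from example.edu but sent from an unlisted host as spoofed.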

  13. How to Check the Authentication Information of a Message on Gmail
  Acknowledgement: Gmail's User Guide

  14. Phone Caller ID Spoofing
  • Makes a phone call appear to have come from any number the caller wishes
  • The most common spoofing method is through a VoIP system
  • Open source tools, e.g. Asterisk and FreeSWITCH, can be used for spoofing

  15. Email Threats
  • Security risks include
    • phishing scams
    • links (in the body) or attachments that carry malware
  • Nowadays these risks are high
    • bad guys can hire a SPAM-sending botnet to launch a large-scale attack
    • millions of valid email addresses are available for sale in the underground black market

  16. Phishing Attack: An Example Email

  Subject: E-mail Security Alert!
  From: Kansas State University <notifications@ksu.edu>
  Date: Tue, 18 Dec 2012 06:14:01 +0900 (JST)

  Access to your e-mail account is about to expired. Please Click here <http://sevenes.com/zboard/ksu/> to restore access to your e-mail account. We apologise for any inconvenience and appreciate your understanding.

  Regards,
  Kansas State University

  Acknowledgement: K-State IT Security Threats Blog

  17. Phishing Attack: Another Example
  Acknowledgement: FraudWatchInternational.com

  18. More on the Phishing Attack
  • Fake email messages apparently coming from a trusted person or institution (e.g. a bank)
    • trick people into giving away secret information such as passwords, credit card numbers and bank account numbers
  • A phishing email can have links to
    • fake login pages impersonating financial institutions
    • malware, viruses, spyware, etc.

  19. Countering Phishing Attacks
  • Remember that the institution (e.g. your bank or KSU) will never ask for your secret through email
  • Be suspicious when you receive an email; know that the email sender address can be spoofed
  • Avoid clicking any link in such emails
    • double check whether the link URL looks fishy
    • visit only https links; do not proceed if you get a bogus certificate warning
  • Do not respond to any such email; call the institution if unsure
  • Always use the latest versions of web browsers
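As an added example (not part of the presentation), the two link checks from this slide applied to a message modelled on the slide 16 phish: it parses the email, extracts every link from the HTML body, and flags those whose domain differs from the From: domain or that are not https. The sender and link domains are sample values.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the lecture's K-State example; the sender
# address, link and body text are sample values, not a real capture.
SAMPLE = """From: Kansas State University <notifications@ksu.example>
Subject: E-mail Security Alert!
Content-Type: text/html

<p>Access to your e-mail account is about to expired. Please
<a href="http://sevenes.example/zboard/ksu/">Click here</a> to restore
access to your e-mail account. <a href="https://ksu.example/help">Help</a></p>
"""

class _HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def registered_domain(host):
    """Crude last-two-labels comparison; enough for the lecture's example."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(raw):
    """Return (href, reasons) for each link whose host does not match the
    From: domain or that is not https, the two checks slide 19 advises."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = registered_domain(msg["From"].addresses[0].domain)
    collector = _HrefCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href in collector.hrefs:
        url = urlparse(href)
        reasons = []
        if registered_domain(url.hostname or "") != sender_domain:
            reasons.append("link domain differs from From: domain")
        if url.scheme != "https":
            reasons.append("not https")
        if reasons:
            findings.append((href, reasons))
    return findings
```

On the sample message only the "Click here" link is flagged: its host is unrelated to the claimed sender and it is plain http.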

  20. How to Recognize a Fraudulent Email?
  • Train yourself by studying the several resources which are available on the KSU ITS website
  • Some resource examples are
    • Anti-Phishing Working Group www.antiphishing.org (http://www.antiphishing.org/resources/Educate-Your-Customers/)
    • Looks Too Good To Be True www.lookstoogoodtobetrue.com

  21. Examples of Phishing Scams
  • Advance fee scam
  • Job offer scam
  • Nigerian scam
  • Beneficiary of a will scam
  • Over-paying (Craigslist) scam
  • Charitable donation scam
  • Facebook friend scam
  Acknowledgement: K-State ITS

  22. Spear Phishing
  • A more targeted method of phishing
    • only known members of the targeted institution receive the email
  • Email addresses are acquired by
    • joining a mailing list
    • buying a list from a hacker
    • guessing email addresses based on the general format, e.g. abc123@k-state.edu

  23. Threats via Email Attachments
  • An email attachment may contain malware
    • worms, viruses, Trojan horses, etc.
    • which can seriously damage your computer
  • Do not open any suspicious attachment
    • it can trigger/execute the malware
    • just delete such emails
  • Install anti-virus software on your computer
    • ensure that it scans all attachments automatically before you open them
    • the anti-virus "Trend Micro Security" is available to K-Staters

  24. Risks of Swiping a Credit Card in an Untrusted Place
  • An ATM skimmer can steal the card secret
    • later the bad guys collect the data from the skimmer device
    • difficult to detect: it blends in with the cash machine in form and color
  • Typically two components make up a skimmer
    • a device that fits over the card acceptance slot and steals the data stored on the card's magnetic stripe
    • a pinhole camera built into a false panel that thieves can fit above or beside the PIN pad
  • Risk mitigation
    • try to avoid using ATMs in unknown, non-standard places
    • frequently check your credit card transactions and report fraud, if any

  25. Basics of RFID Technology
  • The tracking system has three components:
    • a scanning antenna
    • an RFID tag programmed with information
    • a transceiver to interpret the data
  • An RFID tag can be read
    • from a distance (up to 300 feet)
    • with no need to be in the line of sight (unlike a barcode)
  • RFID tags have NO batteries
    • so a tag remains usable for a long time

  26. RFID Tags: Security and Privacy Concerns
  • A thief with a scanner can activate the RFID tag and read its contents
    • example: if someone walks by your bag of books with a "sniffer", that person can get a complete list of the books
  • Concern with RFID devices in a company badge
    • example: an RF field may make the RFID chip in the badge spill the badge secret, allowing the thief access

  27. Summary
  • We discussed a few common security issues
  • We presented the standard countermeasures to mitigate the risks
  • This was the last class of CIS 490
  • Thanks a lot for your time and cooperation
