
Computer security, Internet privacy: What should we worry about?




  1. Computer security, Internet privacy: What should we worry about? Sebastian Lopienski, CERN Deputy Computer Security Officer. Polish Teachers Programme, October 2014

  2. Disclaimer: What follows are my opinions and not necessarily those of CERN. Sebastian Lopienski

  3. A cloud hack. Digital life of a “Wired” journalist destroyed in one hour (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking):
  • Amazon, Apple, Google, Twitter accounts compromised
  • all Apple devices wiped out remotely

  4. A cloud hack. How??
  • call Amazon and add a new credit card
    • needed: name, billing address, e-mail address
  • call again, say you lost the password, and add a new e-mail
    • needed: name, billing address, current credit card
  • reset the password; the new one is sent to this new e-mail address
  • log in and see all registered credit cards (last 4 digits)
  • call Apple, say you lost the password, and get a temporary one
    • needed: name, billing address, last 4 digits of a credit card
  • reset the Google password; the new one is sent to the Apple e-mail
    • (the Apple e-mail was registered as an alternate e-mail)
  • reset the Twitter password; the new one is sent to the Google e-mail
    • (the Google e-mail was linked to the Twitter account)

  5. A cloud hack. Multiple security flaws and issues:
  • Interconnected accounts
    • Which one of your accounts is the weakest link?
  • Our full dependence on digital
    • digital information, devices, cloud services etc.
  • Very weak identity check procedures
    • … and often not even followed correctly
    • some procedures have changed as an outcome of this case
    • enable 2-step authentication (Google, LinkedIn, Apple, …)
  • “Security” questions with answers often trivial to find (remember Sarah Palin’s Yahoo account hack in 2008?)

  6. (Cartoon.) From http://www.bizarrocomics.com

  7. E-mail account before e-bank account? From http://elie.im/blog/security/45-of-the-users-found-their-email-accounts-more-valuable-than-their-bank-accounts

  8. Passwords lost, or easy to guess… Top 10 words used in passwords:
  • password
  • welcome
  • qwerty
  • monkey
  • jesus
  • love
  • money
  • freedom
  • ninja
  • writer
  From http://www.zdnet.com/the-top-10-passwords-from-the-yahoo-hack-is-yours-one-of-them-7000000815/

  9. Outline
  • Where we are?
  • Who are they?
  • What is ahead?
  Current section: Where we are?

  10. Vulnerabilities

  11. Trying to sell a Yahoo XSS for $700

  12. Selling a command execution vulnerability in MS Office for $20k

  13. Vulnerability market shift
  • Finding vulnerabilities: difficult, time consuming
  • Selling to vendors, or publishing (mid 2000s)
    • limited money: thousands to tens of thousands of dollars, e.g. Mozilla up to $3000, Google up to $3133.7
    • vulnerabilities eventually patched (good!)
  • Selling to the underground (late 2000s)
    • busy and active “black market”
    • more profitable: tens to hundreds of thousands of USD
    • sometimes the buyers are governments or their contractors
    • used in 0-day exploits (no patch)
    • researchers don’t commit a crime
    • attackers don’t need skills, just money

  14. Botnets (networks of infected machines). From http://www.f-secure.com/weblog/archives/00002430.html

  15. Outline
  • Where we are?
  • Who are they?
  • What is ahead?

  16. Who are they?
  • hacktivists (motivation: ideology, revenge)
  • governments (motivation: control, politics)
  • criminals (motivation: profit)

  17. Criminals. The usual stuff:
  • Identity theft
  • Credit-card fraud
  • Malware targeting e-banking, e.g. Zeus, Gozi etc.
  • Scareware, e.g. fake AV, fake police warnings
  • Ransomware: taking your data hostage (soon: accounts?)
  • Mobile malware, e.g. sending premium-rate SMSes
  • Denial of Service (DoS)
  • Spam
  • etc.

  18. 2-in-1: Scare and demand ransom. SOPA is dead, but it is still used by criminals to scare people. It pays off… From symantec.com and http://www.zdnet.com/sopa-reincarnates-to-hold-your-computer-hostage-7000005684

  19. Cyber criminals. Thai police have arrested Algerian national Hamza Bendelladj, wanted by the FBI for allegedly operating the Zeus botnet (e-banking malware). From http://www.bangkokpost.com

  20. Gangsters… A hacker nicknamed “vorVzakone”, allegedly related to the Gozi malware. From krebsonsecurity.com

  21. … employing “mules”. A “Become a foreign agent in the US” advertisement. From krebsonsecurity.com

  22. Hacktivists. Attacking to protest, to pass a message, etc.

  23. Anonymous, LulzSec, … Many groups, varying agendas, from ideologists to criminals.

  24. Do you know this guy?

  25. Aaron Swartz. A software developer and an open-access activist:
  • 2001 (aged just 14!): helped develop RSS
  • 2002: worked with Tim Berners-Lee on the semantic web
  • 2008: released 20% of the Public Access to Court Electronic Records (PACER) database of United States federal courts
  • 2011: arrested for retrieving scientific articles from JSTOR; believed in open access to the results of publicly funded research; risked a sentence of 35 years in prison / a $1m fine
  • 2012: campaigned against SOPA
  • 2013: committed suicide (because of the ongoing criminal investigation?)

  26. Google, a freedom activist? The same Google that outraged privacy defenders with its new Privacy Policy… https://www.google.com/takeaction/

  27. …but governments?

  28. Spying on (some) citizens. Network encryption? Infect computers or go after services.
  • Syrian activists’ PCs infected with Trojans/backdoors
  • Tibetan rights activists often targeted
  • Israel demands e-mail passwords at borders
  • German police infects criminals’ PCs with Trojans/backdoors
    • buying surveillance code and services for 2M EUR (!)
    • or developing in-house
    • unfortunately, full of security holes
  From http://www.f-secure.com/weblog/archives/00002423.html

  29. PRISM mass online surveillance program

  30. Privacy vs. control. “If you are doing nothing wrong, then you shouldn’t worry if we watch you.” “If I am doing nothing wrong, then you shouldn’t be watching me!” Cryptography/encryption (HTTPS) is still a good defense.

  31. Agencies & contractors turning offensive. From F-Secure

  32. Agencies & contractors turning offensive
  • Northrop Grumman looks for a "Cyber Software Engineer" for “an Offensive Cyberspace Operation mission"
  From http://www.f-secure.com/weblog/archives/00002372.html

  33. Stuxnet (the worm that targeted Iranian uranium-enriching centrifuges, discovered in 2010). Estimated development effort: 10 man-years. Result: sabotage; 30,000 Iranian computers infected, some HW damage, nuclear program set back by ~2 years. Cui bono? (New York Times, June 2012: a joint US-Israel operation “Olympic Games”, started by Bush and accelerated by Obama)

  34. Outline
  • Where we are?
  • Who are they?
  • What is ahead?

  35. Does Stuxnet make us all more vulnerable? http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12

  36. Thank you
