Cybercrime: A Journey to the Dark Side
Jayesh Mowjee
Security Consultant
Microsoft Services
Session Code: SIA330

The Disclaimer!
In attending this session you agree that any software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk. Microsoft Corporation, & the other 3rd party vendors whose software is demonstrated as part of this session are not responsible for any subsequent loss or damage whatsoever.

This Session Covers
- The Top 10 security nightmares
- Covert information gathering techniques
- How it’s done! - identity theft
- Tools the bad guys use
- Hiding your tracks
- Possible solutions
- The need to know principle
- Conclusions and Q&A

The Top 10 Security Nightmares
1. Physical
2. Human Error
3. Malfunction
4. Malware
5. Spoofing
6. Scanning
7. Eavesdropping
8. Scavenging
9. Spamming
10. Out of Band!

How Severe is the Threat?
- Professional Cyber Criminals & Terrorists
- Disgruntled Employees
- Competitors
- Hacktivists
- Script Kiddies (Advertises Actions)
[Figure label: THREAT]

Problem: Identifying the Threat
- Uneducated Employees
- Disgruntled Employees
- Competitors
- Hackers
- Foreign Governments

Problem: It’s the way we’ve always done it!

Problem: Unorganized Response
- What should I do?
- Who should I call?
- Should I shut the system down?
- Should I run the virus cleaner?
- Should I trust my Anti-virus quarantine?
- Should I re-image the system?

People can be Your Greatest Asset

Or your Weakest!!

If You Look Hard Enough Bad Security is Everywhere!

Places!

No Seriously! The Hotel Intrusion

Employees on the Road: The Soft Target!

The Office Intrusion

Organized Security…Er!

Badges: Instant Credibility

Free Floor Plans!

Get on the Inside with a Job!

Too much Information

Office Security Tips
- Ensure Employees are Security Aware
- Adopt an “Acceptable Use” Policy in terms of IT, Email, Internet etc.
- Ensure Employees are Security Vetted
- Wear ID Badges
- Question Visitors – “Offer Help”
- Secure all Entrances & Exits
- Know Emergency Procedures
- Secure your Valuables: Laptops, Phones, Keys, IDs etc.

Security Headlines

Consequences of Poor Security: Brett Kingstone, Nexus Lighting!
“What took us $10 million and 10 years to develop, they were able to do for $1.4 million in six months” - Brett Kingstone
http://people.forbes.com/profile/brett-m-kingstone/57603
http://www.gss.co.uk/news/article/5613/Cyberthieves_mine_online_for_corporate_data_nuggets/?highlight=Finjan

Hacker 101: Target Selection & Information Gathering

Hacker 101: Target Selection
- Person
  - Identity Theft
  - Revenge
  - Invasion of Privacy
- Company
  - Trade Secrets
  - Hostile Takeover
  - Industrial Espionage
- Government
  - Military Coup
  - Political Corruption
  - Bribery
  - Country Destabilisation

So Who are You?
- Information required:
  - ID number
  - Full name
  - Birth date
  - Address
  - Possibly driver's license number
- Sources:
  - Doctor
  - Accountant
  - Lawyer
  - School
  - Place of work
  - Hotels
  - Health insurance carrier
  - Many others

5 Pages of Heaven! Aka a CV
- Once you get someone's CV, you know all about the person
- You can search for it ...or...
- You can get people to send it to you
- Recruitment is easy: Post a job ad and wait for people to send their life story
- You can even specify which types of people... :)
- “Looking for nuclear scientist/engineer with experience in Uranium enrichment and military background. Earn top dollar, 401K plan, dental coverage, 25 days leave. Flexi time. Apply within...”

A Growing Problem
- Revealed: 8 Million Victims in the World's Biggest Cyber Heist! – Best Western Hotels. (Aug 08) – Russian Gangs involved. Details offered for sale on underground website. (www.cuxxxx0.ru)
- 10,000 Criminal Records Go Missing on Memory Stick! (July 08)
- Fasthosts UK ISP – 50,000 Websites Hacked. (Nov 07)
- ID Theft costs the UK economy £1.6bn Per Year*
- UK Child Support Agency: 25 Million Records Missing. MI5 ordered to recover data.
- Bank of India etc...
* Sunday Times

How it's Done - Identity Theft demo

You are Unique... Keep it that Way!
- Check your credit rating regularly
- Don't reveal too much personal information, especially on on-line forums & social networking groups.
- Watch out for shoulder surfers.
- Learn to ask questions: “Why do you need this information? How will it be used?”
- Be aware of your privacy rights.
- Make use of new encryption technologies

Corporate ID Theft
- Employee Stupidity (Xxx Dept work & Pensions 25 Million records LOST because of a mistake...)
- Fraudulent use of business identity
- "Account takeover" fraud that hijacks a clean identity for illicit trading
- Certain countries' Companies House – does not validate any data provided
- Spoof emails and “phishing”, “Spear Phishing”
- Corporate Governance implications

Tools the Bad Guys Use! Google hacking!

Google Hacking
- Various usernames and passwords (both encrypted and in plain text)
- Internal documents
- Internal site statistics
- Intranet access
- Database access
- Open Webcams
- VNC Connections
- Mail server access
- And much more

Google Hacking Examples!
- site:com filetype:xls "Accounts"
- site:gov.uk filetype:xls users
- site:gov.uk filetype:doc staff
- site:gov.uk filetype:ini WS_FTP PWD
- site:gyhs.co.uk "index of /" password.txt
- site:co.uk "index of /" +passwd
- site:dk +hotel filetype:xls
- site:com +password filetype:xls
- inurl:admin users passwords
- inurl:admin intitle:index.of
- "Microsoft-IIS/5.0 Server at" intitle:index.of

Don’t Get Google Hacked!
- Keep sensitive information off the internet
- Be careful how you write your scripts and access your databases
- Use robots.txt to let Google know what parts of your website it is ok to index. Specify which parts of the website are “off bounds”
- Ensure directory rights on your web server are in order
- Monitor your site for common errors
- “Google hack” your own website

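One way to run the last tip offline, as an added example that is not part of the original slides: walk a local copy of your own web root and flag what the queries on the previous slide would surface, including paths that robots.txt names but the server still serves. The function names, the index-file list and the sample tree are assumptions made for this sketch.

```python
import os
import re
import tempfile

# File-name patterns drawn from the search queries on the previous slide.
RISKY = [
    (re.compile(r"pass(wd|word)", re.I), "credential-like file name"),
    (re.compile(r"^ws_ftp\.ini$", re.I), "WS_FTP config with stored passwords"),
    (re.compile(r"\.(xls|doc|ini)$", re.I), "office/config file in web root"),
]
INDEX_FILES = {"index.html", "index.htm", "default.htm"}  # assumed server defaults

def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for a local web root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if not INDEX_FILES & {f.lower() for f in files}:
            findings.add((rel_dir, "no index file: listed if auto-indexing is on"))
        for name in files:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            for pattern, reason in RISKY:
                if pattern.search(name):
                    findings.add((rel, reason))
                    break
    # robots.txt is itself public: a Disallow line hides nothing, it names the path.
    robots = os.path.join(root, "robots.txt")
    if os.path.exists(robots):
        with open(robots, encoding="utf-8") as fh:
            for line in fh:
                m = re.match(r"\s*Disallow:\s*/(\S+?)/?\s*$", line, re.I)
                if m and os.path.exists(os.path.join(root, m.group(1))):
                    findings.add((m.group(1), "named in robots.txt but still served"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample site used only to exercise the audit."""
    root = tempfile.mkdtemp()
    layout = {"index.html": "<h1>home</h1>", "robots.txt": "Disallow: /admin/\n",
              "admin/password.txt": "x", "admin/WS_FTP.ini": "x", "reports/Accounts.xls": "x"}
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(*audit_webroot(build_sample_tree()), sep="\n")
```

Anything flagged under a robots.txt entry needs real access control or removal from the web root; the Disallow line only asks crawlers not to index it.
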
Hacking #102: Hide your Tracks!

Hiding Data - Steganography!
- Steganography: The art of storing information in such a way that the existence of the information is hidden
- To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new controversial logical encodings: steganography and marking.
- The duck flies at midnight. Tame uncle Sam
- Simple but effective when done well

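The cover paragraph on this slide hides its message in the first letter of each word. The following added example (not part of the original slides) recovers it and shows a simple screening check: extract the initials, then test whether they split completely into dictionary words. The word list is a small constructed one and the function names are assumptions.

```python
import re

# Cover text as it appears on the slide.
COVER = ("To human eyes, data usually contains known forms, like images, "
         "e-mail, sounds, and text. Most Internet data naturally includes "
         "gratuitous headers, too. These are media exploited using new "
         "controversial logical encodings: steganography and marking.")

# Constructed mini word list; a real check would load a full dictionary.
WORDS = {"the", "duck", "flies", "at", "midnight", "tame", "uncle", "sam",
         "a", "i", "in", "is", "it", "to", "and", "of"}

def acrostic(text):
    """First letter of every whitespace-separated word (e-mail counts as one word)."""
    tokens = (re.sub(r"[^A-Za-z]", "", w) for w in text.split())
    return "".join(t[0].lower() for t in tokens if t)

def segment(letters, words=WORDS):
    """Split a letter run into dictionary words, or return None if impossible.

    Dynamic programming over prefixes: best[i] is a word list covering
    letters[:i] that uses the fewest words, which favours long matches.
    """
    best = [None] * (len(letters) + 1)
    best[0] = []
    longest = max(map(len, words))
    for end in range(1, len(letters) + 1):
        for start in range(max(0, end - longest), end):
            piece = letters[start:end]
            if best[start] is not None and piece in words:
                cand = best[start] + [piece]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[-1]

def looks_like_null_cipher(text):
    """Flag text whose initials segment completely into dictionary words."""
    letters = acrostic(text)
    return bool(letters) and segment(letters) is not None

if __name__ == "__main__":
    print(" ".join(segment(acrostic(COVER))))
```

With a full dictionary, very short texts will segment by chance, so a practical screen would also require a minimum number of initials before flagging.
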
How it’s Done - Steganography demo

What the Bad Guys Use!

Pro-Active Cybercrime Prevention Tips
- Learn to Identify Threats
- Monitoring Staff & Ensure Corporate Awareness
- Reward Corporate Loyalty
- Internal & External Legislation
- Anonymiser Services
- Right Management Software
- Make use of Cryptography
- Use good ol’ fashioned Cash

The Need to Know Principle!

Keeping up Appearances!
- Although I don't know the overall network security posture of the airport, this didn't look good
- Good security is simply appearing to be secure
- The military teach that the appearance of a hard target can deter attacks.

Developments
- Biometric Passports, DNA Identity Solutions
- Cloud Data centre Solutions
- Credit Cards with Biometrics
- Project Goldeneye / Goldfinger!
- Identity Cards
- Cut the myriad of means to prove identity
- Proposed new criminal offence of "identity fraud"
- Civil liberties arguments
- Criminalize legitimate anonymity?
- National Criminal Intelligence Service

Conclusions!
- The Top 10 security nightmares
- Covert information gathering techniques
- How it’s done! - identity theft
- Tools the bad guys use
- Hiding your tracks
- Possible solutions
- The need to know principle
- Conclusions & Q&A

Question & Answer

Resources
- www.microsoft.com/teched - Sessions On-Demand & Community
- http://microsoft.com/technet - Resources for IT Professionals
- http://microsoft.com/msdn - Resources for Developers
- www.microsoft.com/learning - Microsoft Certification & Training Resources

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.