Are You Exposed
ACI-NA Annual Conference
San Diego, CA

The perils of a connected world

Dom Nessi, CISSP, GSLC, PMP, CM
Deputy Executive Director/Chief Information Officer
Los Angeles World Airports
October 17, 2011

Sidebar: When U.S. Attorney Jenny Durkan appeared at a Seattle press conference to talk about the rise in ATM skimming, she was very knowledgeable about the topic. A little too well-prepared, in fact: Durkan had recently lost $1,000 from her own bank account after using an ATM kiosk whose door lock was broken.

Cyber security is the protection of personal or sensitive information, or any form of digital asset stored in a computer or in any digital memory device. It is also the protection of physical IT assets from random attacks targeted to destroy or disable computing power.

Sidebar: The Dutch company DigiNotar, a certificate authority, was hacked, and an unknown number of fraudulent certificates were issued for domain names that included the Dutch government, Google.com, Mozilla, Skype, Yahoo, Facebook, Twitter, the CIA, Mossad (the Israeli intelligence agency), the UK's MI6, and much of the rest of the who's who of the Internet. The intrusion took place in June and July 2011 and was not publicly disclosed until August 29, 2011. This made ALL DigiNotar certificates untrustworthy. DigiNotar was unable to recover from the blow and filed for bankruptcy in a Dutch court. An investigation sponsored by the Dutch government, conducted by the security firm Fox-IT in the Netherlands, revealed that DigiNotar lacked basic security safeguards such as strong passwords, anti-virus protection, and up-to-date software patches. After DigiNotar went public with the breach, all five of the major browser makers (Apple, Google, Microsoft, Mozilla and Opera) issued updates that barred users from reaching sites secured with DigiNotar-issued certificates.

Four Key Domains:
• Confidentiality – preventing unauthorized access to information
• Integrity – preventing unauthorized modification of information
• Availability – preventing denial of service and ensuring authorized access to information
• Non-Repudiation – preventing the denial of an action that took place, or the claim of an action that did not take place

Threats:
• Simple malicious code called malware and spyware, and serious viruses that can wipe out a system
• Hackers that target a specific device or organization for either malicious enjoyment or financial gain
• Denial of Service attacks that cripple an organization's ability to operate

Sidebar: Japan's Sony Corp. was the victim of one of the largest data breaches in history. Sony's PlayStation Network, its Qriocity music streaming service and Sony Online Entertainment were among the services targeted by hackers in recent cyber attacks and data breaches which compromised more than 100 million accounts. Sony chairman and president Howard Stringer apologized to shareholders and customers for the massive online data theft, which helped drag the company's share price to a two-year low.

• Attacks via USB
• Large-scale, targeted botnet attacks
• DDoS attacks
• Attacks via social networks
• Clickjacking and cross-site scripting web attacks
• Phishing from "trusted" third parties
• Online fraud
• Cloud computing concerns
• Data exfiltration and insider threats
• Mobile devices and wireless network attacks
• Targeted hacking attempts

Sidebar: A regional retailer contracted with a third-party service provider. A burglar stole two of the service provider's laptops, which contained the data of over 800,000 clients of the retailer. Under applicable notification laws, the retailer, not the service provider, was required to notify the affected individuals. Total expenses incurred for notification and crisis management to customers were nearly $5 million.

• Aviation continues to be a target of terrorists, whether the target is aircraft, airports or airlines
• Aviation is highly dependent on and driven by computer systems at the federal level, the airline level, the airport level, and among airport tenants
• eEnabled aircraft will present an entirely new challenge

Sidebar: In 1993, the Clinton administration began producing the so-called Clipper Chip, an NSA-developed encryption chip intended for use in computers and telephones and designed with a "key recovery" (key escrow) feature that would allow the government to decrypt traffic on demand, with the proper legal authority. The chip was a dismal failure in the marketplace, and the project was dead by 1996.

• Homeland Security Presidential Directive 7 (HSPD-7), along with the National Infrastructure Protection Plan (NIPP), identified and categorized 18 Critical Infrastructure and Key Resources sectors
• Transportation is one of the 18

Sidebar: In February 2000, a 15-year-old Canadian boy experimentally programmed his botnet to hose down the highest-traffic websites he could find. CNN, Yahoo!, Amazon, eBay, Dell, and E-Trade all buckled under the deluge, leading to national headlines and an emergency meeting of security experts at the White House.

Potential targets – Malicious:
• Network
• Wireless network
• Baggage systems (hand-held devices)
• External airport/airline website
• Passenger wireless

Potential targets – Theft:
• Sensitive data of employees and contractors
• Credit card information
• Airline ticketing
• Concession POS
• Passengers' wireless devices

Sidebar: In 2003, the Commerce City Bank in Kansas City, MO was the first to uncover an international scam when it discovered that its customer accounts were being sacked for $10,000 to $20,000 a day from cash machines in Italy, as a result of a phishing attack aimed specifically at the customers' debit card numbers and PINs.

Potential targets – Terrorism:
• Security systems – access control, CCTV, perimeter intrusion detection
• Credentialing
• eEnabled aircraft systems
• Document management systems (CAD, blueprints)
• Radar systems
• Ground radar

Destruction of airport data can cost billions of dollars to replace, if replacement is even possible.

Sidebar: In 2003, the source code for the then-unreleased first-person shooter Half-Life 2, perhaps the most anticipated game of its time, was stolen from the computers of Valve Software in Bellevue, WA. Based on the sales of the original game, Valve valued the software at a quarter of a billion dollars.

• Smart phones aren't so smart when it comes to malware
• Adoption is so quick that security can't keep up
• Privacy and data security concerns in new hardware and software
• Rapid roll-out of new technologies, too quick for current security standards
• Breaches occurring with greater regularity
• Cyber attacks enabled by always-on, always-synchronized devices that commingle personal and business data

Sidebar: In the late 1990s, thieves began buying swiped credit card data, called "dumps," across the U.S. from waiters, drive-thru attendants, gas station managers and retail workers, typically for $10 a swipe. A "dump" consisted of the two tracks of text encoded on a credit card's three-inch-long magstripe. Much of it was sent to Eastern Europe and sold over the Internet ten, twenty, a hundred, or even thousands at a time. A dump was worth $20 for a standard card, $50 for a gold card, and $80 to $100 for a high-limit corporate card.

• Recently, 300 businesses reported losing 86,000 laptops, causing $2.1 billion in damages
• Theft comes from hotel rooms and employees' homes
• You can't fight mobile device issues with technological safeguards alone – you will need strong organizational standards and policies

Sidebar: Beginning in July 2005, a record-breaking 45.6 million dumps were stolen from the TJX-owned retail chains T.J. Maxx, Marshalls, and HomeGoods. In 2004, when stolen magnetic stripe data became a massive cybercrime underground commodity, losses to counterfeit cards followed the same stratospheric climb. In the first quarter of 2006, card counterfeiting topped $125 million in quarterly losses to Visa's member banks alone.

Active/registered users of social networking services:
• 500 million on Facebook
• 175 million on Twitter
• 100 million on MySpace
• 80 million on LinkedIn

• Attacks and unintended information disclosure
• Download of malware
• Professional and personal implications
• Endangering yourself and others

Sidebar: In 2000, a group from Russia or Ukraine breached victims' networks, stole credit card numbers, then sent an email to each company demanding payment to keep quiet about the intrusion and to fix the security holes the hackers had exploited. The gang hit Sterling Microsystems in Anaheim, CA, E-Money in New York, and even Western Union, which had lost nearly 16,000 customer credit card numbers in an attack that came with a $50,000 extortion threat. When music seller CD Universe did not give in to a $100,000 ransom demand, thousands of customers' credit card numbers showed up on a public website.

• Pre-production compromise (built-in back doors)
• Substitution of parts (Trojans in software)
• Code attacks (viruses)
• Network attacks (worms)
• System-specific attacks (OS vulnerability)
• Authentication bypass (theft of credentials, spoofing)
• Shutdown of support systems (power, air conditioning, flight controls, etc.)
• Disgruntled employee (malicious or paid)
• Content exploitation (information made public: identity of crew/passengers, aircraft incidents or failures)
• Inventory scan: preliminary findings = 613 control systems (211 ranked)

Sidebar: In 2009, a specialized banking Trojan emerged, designed to steal a target's online banking passwords and initiate money transfers from the victim's account right through the victim's own computer. The thieves recruited ordinary consumers as unwitting money launderers through bogus work-at-home opportunities. "Work" consisted of accepting money transfers and payroll deposits, then sending the bulk of the cash to Eastern Europe by Western Union. In the scheme's first year of widespread operation, banks and their customers lost an estimated $120 million to the attack, with small businesses the most common target.

Sidebar: In 2006, a California identity thief stole at least $200,000 by e-filing bogus tax returns through H&R Block, then collecting the refunds himself. The victims' Social Security numbers were mined from online databases, including California's Death Index of recently departed Golden State residents.

Headline: Fourteen airports in the US, Canada and Asia are using open or poorly secured wireless networks
• 77 percent of the networks found appeared to be airport networks
• 80 percent were unsecured or using legacy WEP (Wired Equivalent Privacy) encryption
• 10 percent of the laptops detected were infected with a viral (ad-hoc) Wi-Fi network, making their users vulnerable to data leakage and identity theft
• Only three percent of all mobile users were using virtual private networks (VPNs)
• Airports reviewed: Ottawa, Canada; San Jose, San Francisco, Chicago and other US cities; Seoul, Malaysia and Singapore
• The review concluded that if hackers can bring down the power grid in several cities, "how easy it would be for them to create havoc with an unsecured baggage system."
• "Imagine the ripple effect at a large hub airport if someone could work their way into the baggage transition system and reroute luggage all over the world. It could bring the system to a grinding halt with both economic and security consequences."
• The findings concluded that retailers, airlines and providers of critical systems at airports are still not taking a long hard look at cyber security or understanding the additional risks that wireless introduces.
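The survey counts legacy WEP as "encryption". The following added example (not from the presentation or from any of the airports surveyed; Python, standard library only, with a made-up 40-bit key, a hand-picked IV and invented frame contents) shows the most basic reason WEP does not deserve the name: each frame body is RC4-encrypted under IV || key, the 24-bit IV travels in the clear, and on a busy access point IVs repeat, so two frames under one IV share a keystream. XORing the two ciphertexts cancels the keystream, and a predictable plaintext in one frame (a protocol header, an HTTP request line) decrypts the other without the key ever being learned. The CRC-32 ICV and the 802.11 framing are left out to keep the idea visible.

```python
"""Keystream reuse in WEP (added example; constructed data, not captured traffic).

WEP encrypts each frame body with RC4 keyed by IV || shared_key, where the
24-bit IV is sent in the clear.  With only 2**24 IVs a busy access point
repeats them within hours, and two frames under one IV share a keystream.
The CRC-32 ICV and 802.11 headers are omitted here.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm, then `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, body: bytes) -> bytes:
    """Return IV (clear) followed by body XOR RC4(IV || key), as a WEP frame does."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def split_frame(frame: bytes):
    return frame[:3], frame[3:]


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_body_a: bytes) -> bytes:
    """Attacker's view: two captured frames with equal IVs plus the plaintext of one.

    C_a XOR P_a yields the keystream bytes, which also decrypt C_b.  The shared
    key is never needed and never learned.
    """
    iv_a, c_a = split_frame(frame_a)
    iv_b, c_b = split_frame(frame_b)
    if iv_a != iv_b:
        raise ValueError("different IVs: keystreams are unrelated, this attack does not apply")
    keystream = xor(c_a, known_body_a)
    return xor(c_b, keystream)


def demo() -> bytes:
    """Constructed scenario: a 40-bit key the attacker does not know, one reused IV."""
    key = b"\x1f\x2e\x3d\x4c\x5b"                 # hypothetical 40-bit WEP key
    iv = b"\x00\x00\x2a"                          # the IV that happens to repeat
    http_request = b"GET /index.html HTTP/1.1"    # predictable plaintext in frame A
    secret = b"user=agent7&pin=4421"              # what frame B was protecting
    frame_a = wep_encrypt(key, iv, http_request)
    frame_b = wep_encrypt(key, iv, secret)
    return recover_from_iv_reuse(frame_a, frame_b, http_request)


if __name__ == "__main__":
    print(demo())   # prints b'user=agent7&pin=4421'
```

The practical consequence for the survey's "80 percent unsecured or WEP" figure is that a passive listener near the terminal needs no credentials and no key recovery to read traffic; the stronger FMS/PTW attacks that recover the key itself only make the outcome faster. WPA2 with per-session keys, or a VPN on top of whatever the airport offers, is the fix the slide's "only three percent use VPNs" line points at.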

Sidebar: In October 2003, T-Mobile failed to patch a critical security hole in a commercial server application. Its customer database was accessed and the files of Hollywood stars were raided, circulating grainy candid photos of Paris Hilton, Demi Moore, Ashton Kutcher, and Nicole Richie stolen from their Sidekick PDAs. The Sidekick of a Secret Service agent was also hacked.

U.S. Customs and Border Protection officials chose to hold off installing Microsoft's critical security patch on US-VISIT workstations until they could test to ensure the update wouldn't interfere with the tangle of peripherals attached to the computers. The Zotob worm changed their minds.
• The $400 million US-VISIT program aims at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists
• US-VISIT consists of older mainframe databases, fronted by Windows 2000 workstations at nearly 300 airports, seaports and border crossings
• On Aug. 9, 2005, Microsoft announced a vulnerability in the Windows Plug and Play service (MS05-039) that allowed attackers to take complete control of a computer over a network. It took only four days for a virus writer to launch an Internet worm, called Zotob, that spread through the security hole
• An Aug. 18, 2005 computer failure led to long lines at international airports in Los Angeles, New York, San Francisco, and elsewhere, while U.S. Customs and Border Protection (CBP) officials processed foreign visitors by hand

Sidebar: Google search is used by millions of people every day. Now it is also used with increasing frequency by hackers seeking sensitive data like Social Security numbers. A recent data breach at Yale University marks the latest example of a security flaw exposed by "Google hacking." For 10 months, names and Social Security numbers belonging to 43,000 people affiliated with Yale were visible through Google search. Yale officials said the breach occurred because they were unaware that Google had changed its search engine the previous fall to find and index such servers.

• Two CBP reports show that the virulent Zotob worm infiltrated CBP PCs the day of the outage, prompting a hurried effort to patch hundreds of Windows-based US-VISIT workstations installed at 300 airports, seaports and land border crossings around the country
• CBP officials had postponed pushing the fix to CBP's Windows 2000 computers because of the array of peripherals hanging off of the US-VISIT workstations (fingerprint readers, digital cameras and passport scanners), fearing that the patch itself might cause a disruption
• White House cyber security adviser Howard Schmidt says the incident is typical of a large agency struggling with complex networks and evolving threats. "We've got catching up to do in all areas, particularly areas having to do with national security and public safety," says Schmidt. "I hope you and I, 10 years from now, look back and say, 'Wow, I'm glad we survived that.'"
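The Yale case is the recurring pattern in which a file share or web root is indexed before anyone checks what it holds. One defensive step that does not depend on guessing what a search engine will index next is to sweep those roots for the data that would turn exposure into a breach. The following is an added example (not the presentation's or Yale's tooling; Python, standard library only, run against a constructed temporary directory containing invented numbers) that finds SSN-formatted strings and discards values the Social Security Administration never issues, which removes most false positives from dates, phone numbers and ticket IDs.

```python
"""Sweep a web or FTP root for Social Security numbers before a crawler does.

Added example with constructed data: the directory layout and every number
in it are invented for the demonstration.  Standard library only.
"""
import os
import re
import tempfile

# ddd-dd-dddd not embedded in a longer digit/dash run (rejects phone numbers, dates, IDs)
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def is_issuable_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules SSA applies: no area 000, 666 or 900-999; no group 00; no serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text: str):
    """Yield (line_number, masked_value) for each plausible SSN in text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_issuable_ssn(area, group, serial):
                yield lineno, f"***-**-{serial}"     # never write the full value to a report


def scan_tree(root: str, max_bytes: int = 4_000_000):
    """Walk root and return [(relative_path, line, masked)] for every hit, in path order."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                              # deterministic traversal
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read(max_bytes)             # bounded read; binaries decode lossily
            rel = os.path.relpath(path, root)
            for lineno, masked in scan_text(data.decode("utf-8", errors="replace")):
                hits.append((rel, lineno, masked))
    return hits


def demo():
    """Constructed tree: one roster mixing issuable and impossible numbers, one clean file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "public_html", "old"))
    files = {
        "public_html/old/roster.csv": (
            "name,id\n"
            "Alice Example,078-05-1120\n"     # structurally issuable (the well-known Woolworth sample)
            "Bob Example,666-12-3456\n"       # area 666 never issued
            "Carol Example,000-12-3456\n"     # area 000 never issued
            "Dan Example,987-65-4321\n"       # area 900-999 never issued
            "Eve Example,123-45-6789\n"       # structurally issuable
        ),
        "public_html/notes.txt": "call 555-0100 about the 2011-10-17 meeting; ticket 12-345-6789\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, lineno, masked in demo():
        print(f"{rel}:{lineno}: {masked}")
```

Run it against the document roots that are reachable from the Internet (and, after the Yale lesson, against anonymous FTP roots too), and treat every hit as a file that should not be where it is rather than as something to hide from crawlers with robots.txt, which is advisory and itself indexed by attackers.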

Sidebar: Criminals recruit "cashers" to use counterfeit credit cards. The low-limit classic cards were for small purchases, $500 or so. The high-limit gold or platinum cards were used for purchases from $1,000 to $10,000. "Cashers" are typically attractive college-aged women who could walk into Nordstrom and snatch up a couple of $500 Coach bags without raising eyebrows, then cross to the other side of the mall and do the same thing at Bloomingdale's. The purchased items were then sold on eBay.

Fake Boarding Passes Land Student in Heap of Trouble
• 24-year-old Indiana University student creates a web site that enables anyone to make a fake boarding pass
• Home raided and all computers confiscated
• FBI and the TSA conducting an investigation
• Boarding pass would not have allowed unauthorized access to an aircraft
• Student claims that he created the website to expose a loophole in national security

Trams Derailed with Modified TV Remote
• 14-year-old boy derails four Polish light rail trains (trams)
• Tool used: converted television IR remote
• Vulnerability: interlocks that disable track switching while a vehicle is present were not installed

Sidebar: In September 2005, a deadly new Internet Explorer bug emerged. The security hole was a monster: there was no patch, making every Internet Explorer user vulnerable. The hacker's target list: CitiMortgage, GMAC, Experian's Lowermybills.com, Bank of America, Western Union, MoneyGram, Lending Tree, and Capital One Financial, one of the largest credit card issuers in the country. The hacker fired up spamming software that opened a back door, which allowed him to slip in and scour the victims' hard drives for sensitive data and steal passwords.

• Malware in the new baggage system, located on a private network
• A botnet in the Airport Coordination Center and in the Airport Security private network did call-backs to the attackers' command and control (C&C) server
• Successfully prevented 6,408 separate hacking attempts against a new file transfer server within two days of its deployment
• Blocked 58,884 instances of Internet misuse and abuse within two days
• Blocked 2.9 million hacking attempts against the Internet infrastructure within two days

Sidebar: "I love the Internet... It's a place where we can entertain ourselves; we can get information; we can watch videos... we can buy things. eBay is a great place, you can bid on things. If you think about it, you can buy it on eBay. But... there's a side of the Internet that we don't like to think about. There's kind of a dark underbelly to the Internet, one where not trinkets or baubles are bought, sold, and traded. There's a part of the Internet where people's lives are bought, sold, and traded..."
– Federal prosecutor's opening statement at the first federal trial of the carding underground

Four components are vulnerable, and each requires a different approach to security:
• The Network
• The Device
• The Application
• The Back-End System

Sidebar: In 2004, nearly half of America's banks, S&Ls, and credit unions were not verifying the CVV on ATM and debit transactions (the card verification value encoded on the magnetic stripe, which a card counterfeited from a phished card number and PIN alone does not carry), which was why America's inboxes were flooded with phishing emails targeting debit card numbers and PIN codes for "cashable" banks. Citibank, the nation's largest consumer bank by holdings, was the most high-profile victim. In May 2005, a Gartner analyst organized a survey of 5,000 online consumers and, extrapolating the results, estimated that phishing had cost U.S. financial institutions $2.75 billion in one year.

• Get configuration management under control
  • Patches and updates need to be handled as soon as possible, especially those which address a security hole
  • Once a machine's settings are finalized, a baseline of those settings needs to be recorded
  • Eliminate unused programs – close unused ports
  • Install anti-virus software and keep it updated
• Launch a "social engineering awareness" campaign
  • Social media is your IT systems' worst nightmare
  • Password policies
  • Cyber security training
  • Instant messaging files
• Test your own systems
  • Internet-facing web sites
  • Penetration testing
  • External audits from DHS and others
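A recorded baseline only pays off if something compares the live machine against it, which is what turns "get configuration management under control" from a slogan into a control. The following is an added example (Python, standard library only; not LAWA's tooling) that records a SHA-256 digest and the permission bits for a watched set of files, stores the result as JSON, and reports what was added, removed or modified since. The file names, their contents and the tampering are constructed for the demonstration; a real deployment watches the actual configuration paths on the host and runs from a scheduler or a configuration management system.

```python
"""Record a configuration baseline and report drift (added example, constructed data)."""
import hashlib
import json
import os
import stat
import tempfile

# Hypothetical watch list; a real one names the actual config paths on the host.
WATCHED = ["sshd_config", "hosts.allow", "app.ini"]


def file_record(path: str):
    """Content hash plus permission bits; None when the file is absent."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"sha256": h.hexdigest(), "mode": format(mode, "04o")}


def snapshot(root: str, names=WATCHED) -> dict:
    """Current state of every watched file under root."""
    return {name: file_record(os.path.join(root, name)) for name in names}


def save_baseline(snap: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def drift(baseline: dict, current: dict) -> dict:
    """Return {name: 'added' | 'removed' | 'modified'} for every difference."""
    report = {}
    for name in sorted(set(baseline) | set(current)):
        before, now = baseline.get(name), current.get(name)
        if before == now:
            continue
        if before is None:
            report[name] = "added"
        elif now is None:
            report[name] = "removed"
        else:
            report[name] = "modified"      # content or permissions changed
    return report


def demo() -> dict:
    """Constructed walk-through: baseline a temp dir, tamper with it, compare."""
    root = tempfile.mkdtemp(prefix="cfg-")
    contents = {
        "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        "hosts.allow": "sshd: 10.0.0.0/8\n",
        "app.ini": "debug=false\n",
    }
    for name, body in contents.items():
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, 0o640)                 # fix the mode so the baseline is explicit
    baseline_path = os.path.join(root, "baseline.json")
    save_baseline(snapshot(root), baseline_path)

    # Simulated drift: root login re-enabled, allow list deleted, app.ini made world-writable.
    with open(os.path.join(root, "sshd_config"), "w") as f:
        f.write("PermitRootLogin yes\nPasswordAuthentication no\n")
    os.remove(os.path.join(root, "hosts.allow"))
    os.chmod(os.path.join(root, "app.ini"), 0o666)

    return drift(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Keep the baseline file somewhere the host cannot rewrite (a management server, a read-only share), or an attacker who changes a setting simply re-baselines it; the same goes for the script itself. Hashing catches the change but not who made it, so pair the report with the host's audit log.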

Sidebar: In the 1997 Carlos Salgado Jr. case, the first large-scale online credit card heist, the government persuaded the sentencing judge to permanently seal the court transcripts for fear the targeted company would suffer "loss of business due to the perception by others that computer systems may be vulnerable." Consequently, the 80,000 victims were never notified that their names, addresses, and credit card numbers had been offered for sale on Internet Relay Chat (IRC) channels frequented by hackers, counterfeiters and others seeking to illegally exploit consumers.

• Make better use of white lists and black lists
• Control the zombies
• Lock down the servers
• Use egress filtering
• Thin clients are your friend
• Improve pattern recognition for network traffic
• Create a cyber security team in your organization
• Insist that your IT staff acquire the CISSP or some other IT security related certification
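The botnet call-backs from the Airport Coordination Center described earlier, and the "control the zombies", "use egress filtering" and "improve pattern recognition for network traffic" items above, come down to one question: which internal hosts talk to the outside on a schedule? The following is an added example (Python, standard library only; not LAWA's tooling, and the log format, addresses and timings are constructed for the demonstration) that parses egress firewall log lines and flags internal-to-external flows whose inter-arrival times are nearly constant, the signature of a C&C beacon, then emits the block rule that egress filtering would apply. It is deliberately simple: real beacons add jitter and long sleeps, so in practice the timing check is combined with destination reputation, byte counts and DNS or TLS metadata.

```python
"""Spot command-and-control beacons in egress firewall logs (added example, constructed data)."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical log format: "<iso8601Z> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(allow|deny)$")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = [  # constructed: one beaconing host, one browsing host, some internal SMB noise
    "2011-10-17T09:00:00Z src=10.20.30.40 dst=203.0.113.7 dport=443 action=allow",
    "2011-10-17T09:00:03Z src=10.20.30.41 dst=198.51.100.10 dport=80 action=allow",
    "2011-10-17T09:00:04Z src=10.20.30.41 dst=198.51.100.10 dport=80 action=allow",
    "2011-10-17T09:00:10Z src=10.20.30.40 dst=10.20.30.5 dport=445 action=allow",
    "2011-10-17T09:01:00Z src=10.20.30.40 dst=203.0.113.7 dport=443 action=allow",
    "2011-10-17T09:01:10Z src=10.20.30.40 dst=10.20.30.5 dport=445 action=allow",
    "2011-10-17T09:02:01Z src=10.20.30.40 dst=203.0.113.7 dport=443 action=allow",
    "2011-10-17T09:02:10Z src=10.20.30.40 dst=10.20.30.5 dport=445 action=allow",
    "2011-10-17T09:02:59Z src=10.20.30.40 dst=203.0.113.7 dport=443 action=allow",
    "2011-10-17T09:03:10Z src=10.20.30.40 dst=10.20.30.5 dport=445 action=allow",
    "2011-10-17T09:04:00Z src=10.20.30.40 dst=203.0.113.7 dport=443 action=allow",
    "2011-10-17T09:04:10Z src=10.20.30.40 dst=10.20.30.5 dport=445 action=allow",
    "2011-10-17T09:05:00Z src=10.20.30.40 dst=203.0.113.7 dport=443 action=allow",
    "2011-10-17T09:07:30Z src=10.20.30.41 dst=198.51.100.10 dport=80 action=allow",
    "2011-10-17T09:12:00Z src=10.20.30.41 dst=198.51.100.10 dport=80 action=allow",
    "2011-10-17T09:12:02Z src=10.20.30.41 dst=198.51.100.10 dport=80 action=allow",
    "garbage line the parser must skip",
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(lines):
    """Group event timestamps (epoch seconds) by (src, dst, dport); denied attempts count too."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, _action = m.groups()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        flows[(src, dst, int(dport))].append(t)
    return flows


def find_beacons(lines, min_hits: int = 5, max_jitter: float = 0.1):
    """Flag internal->external flows whose inter-arrival times are nearly constant.

    jitter = stddev(gaps) / mean(gaps); a machine-driven timer scores near zero,
    a human browsing scores well above max_jitter.
    """
    flagged = []
    for (src, dst, dport), times in sorted(parse_flows(lines).items()):
        if not is_internal(src) or is_internal(dst) or len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            flagged.append({"src": src, "dst": dst, "dport": dport,
                            "hits": len(times), "period_s": round(mean, 1)})
    return flagged


def block_rule(beacon: dict) -> str:
    """Egress rule for the flagged flow, in Linux iptables syntax (string only)."""
    return (f"iptables -A OUTPUT -s {beacon['src']} -d {beacon['dst']} "
            f"-p tcp --dport {beacon['dport']} -j DROP")


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(b, "\n  ", block_rule(b))
```

A host-specific DROP is the incident-response step; the "egress filtering" the slide recommends is the standing default-deny on outbound traffic that forces every legitimate destination to be enumerated, so that the next beacon shows up as a denied attempt in the same log rather than as an established session.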

Sidebar: In 2007, the majority of compromised cards were stolen from brick-and-mortar retailers and restaurants. The large retail intrusions were compromising millions of cards at a time, but breaches at smaller merchants were far more common: Visa's analysis found 83 percent of credit card breaches were at merchants processing one million Visa transactions or less annually, with the majority of thefts taking place at restaurants.

Sidebar: Sony recently revealed that intruders staged a massive attempt to access user accounts on its PlayStation Network and other online entertainment services, in the second major attack on its flagship gaming site this year. The announcement follows an embarrassing data breach in April which compromised personal data from more than 100 million online gaming and entertainment accounts and forced PlayStation Network to be shut for a month. Sony was subsequently criticized for lax security and for acting too slowly to inform customers as it grappled with one of the largest-ever security thefts.

• Give cyber-security an international focus through conferences, meetings, etc.
• Create a permanent cyber-security sub-committee which embraces airport and airline concerns
• Create an airport cyber-security advisory on zero-day vulnerabilities and other security threats
• Initiate dialogue at all levels of airport management – not just IT

"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."
– former White House cyber security advisor Richard Clarke

Questions?


