“What the Eyes See and the Ears Hear, the Mind believes”




September 22, 2009


Kristof Philipsen, CISSP, CCSP
Principal Consultant
Verizon Business Security Solutions


  Confidential and proprietary material for authorized Verizon personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.   1
Agenda

• Our Goal for this Presentation:
  – Provide an overview of common Internet attacks targeting end users’ personal information and ways to tackle these threats.

• What and Why Personal Information?
• Trends in Cybercrime – The move towards end user attacks
• Examples of end user attacks targeting personal information
• Mitigating factors for end user attacks



What and Why Personal Information
Verizon Business 2009 Data Breach Investigations Report

• Payment Card Data – Credit Cards, Debit Cards, etc.
  • Motivation: direct access to funds, wire transfers, etc.

• Personal Information – Social Security Numbers, Medical Records, Financial Records
  • Motivation: identity theft allows organized crime to open bank accounts and obtain loans, passports, driver’s licenses, etc.

• Authentication Credentials – Online banking credentials, e-mail credentials, service providers
  • Motivation: authentication credentials are used to support identity theft, gain access to funds via online banking systems, etc.




Source: 2009 Data Breach Investigations Report - http://www.verizonbusiness.com/resources/security/databreachreport.pdf

Trends in Cybercrime - Overview

Organizations and financial institutions are boosting their security levels; as a result, cybercriminals look for new ways of gaining access to personal data.

• Attack Types:
  • Opportunistic Random (ME against the WORLD)
  • Opportunistic Directed (ME against a part of the WORLD)
  • Fully Targeted (ME against YOU)

• Common Internet Attacks targeting end users’ personal data:
  • Email Based: Phishing & Spear Phishing
  • Web Based: Cross Site Scripting
  • Browser Based: ClickJacking
  • Browser Based: Drive By Attacks

Source: 2009 Data Breach Investigations Report - http://www.verizonbusiness.com/resources/security/databreachreport.pdf

Trends in Cybercrime – Rise of the Malware

Malware, or malicious software, is one of the most effective ways for attackers to obtain all the personal data they need from end users.

• Customized Malware:
  • Obtain login credentials
  • Create a “backdoor” on the system
  • Gather banking and payment card details




Driven by the prospect of large hauls of valuable data, organized crime is investing considerable amounts of time, money and expertise into customizing malware.


Source: 2009 Data Breach Investigations Report - http://www.verizonbusiness.com/resources/security/databreachreport.pdf

Phishing

Most attacks to obtain end user personal information at one point or another involve a form of phishing.

• Phishing is a method used to obtain personal information, generally through email, by making the mail appear to come from a trustworthy entity and fooling the user into visiting a web site and / or giving up personal information.

• Phishing is now also entering the Social Networking space in attempts to perform identity theft. (The ClickJacking attack shows how such attacks can be performed without the user’s knowledge.)

• Phishing is generally an opportunistic directed or opportunistic random attack, but cases have been seen where a specific organization or user has been the target of a phishing attack. These targeted phishing attacks are referred to as “spear phishing”.


Spear Phishing

While phishing attacks are generally opportunistic random or directed attacks, Spear Phishing is a fully targeted form of phishing attack in which attackers carefully choose their victim end users.

• Spear Phishing attacks are generally launched in cases where the cybercriminal already has certain information regarding the victims, but wants to gain additional personal information.

• An example of Spear Phishing happened when hackers had gained access to the customer database of online broker firm TD Ameritrade and launched a follow-up phishing attack against the customer email addresses to gather additional data.

• A hot-off-the-press new type of Spear Phishing attack, called “Chat-in-the-Middle”, is happening: users of an online banking site think they are speaking to customer support and are asked to provide answers to security questions. On the other end of the chat there is actually a fraudster.
Phishing - Examples

Phishing attacks are designed to create the look and feel of the real web site, but often do not have a valid URL or a valid SSL certificate.




Cross Site Scripting

Attackers abuse insecure features of web sites that an end user trusts in order to trick the user into visiting another site, or to make the user “lose” their connection to a web application to the attacker.

• Difficult to detect as an end user, because Cross Site Scripting (XSS) attacks use insecure features on “trusted” web sites to target a user. Cross Site Scripting attacks are generally fully targeted, as they are generally not helpful to the attacker if the victim end user does not have any prior interaction with the site on which the insecure features are exploited.

• Cross Site Scripting attacks take advantage of insufficient security controls on the targeted web site. Generally, error messages are exploited: the content of the error message is taken from the request, so whoever crafts the request can modify it and thereby change the content of the web site.

• Attackers use Cross Site Scripting attacks in the following ways to obtain personal data:
  • Modify the content of a trusted web page to make a user perform a certain action (i.e. click a link, send an email with information, etc.)
  • Obtain the necessary information to take control over an end user’s connection to a web application.
Cross Site Scripting – Demo Site

An attacker takes advantage of the trust an end user has in a web site and modifies the appearance of the site to make the end user perform a certain action.

[Screenshots: “Victim Bank” XSS Demo – Regular Site vs. XSSed Site]




Cross Site Scripting – A Practical Example

In a Cross Site Scripting attack, cybercriminals exploit the end users’ trust in the site to obtain certain personal information from the end user.

Original Web Page:
http://testasp.acunetix.com/Search.asp

XSSed Web Page:
http://testasp.acunetix.com/Search.asp?tfSearch=%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before+proceeding%3A%3Cform+action%3D%22test.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ELogin%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dlogin%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value%3DLOGIN%3E%3C%2Fform%3E
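As an added example (not code from the presentation or from the acunetix test site), the search-echo defect behind the URL above re-created as a small Python handler beside its output-encoded fix: the page template, the function names and the response check are assumptions for illustration.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# The XSSed URL from the slide, joined into one string. The tfSearch value is
# the injected markup that Search.asp echoes back into its response.
XSSED_URL = (
    "http://testasp.acunetix.com/Search.asp?tfSearch="
    "%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before+proceeding%3A"
    "%3Cform+action%3D%22test.asp%22%3E%3Ctable%3E"
    "%3Ctr%3E%3Ctd%3ELogin%3A%3C%2Ftd%3E%3Ctd%3E"
    "%3Cinput+type%3Dtext+length%3D20+name%3Dlogin%3E%3C%2Ftd%3E%3C%2Ftr%3E"
    "%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E"
    "%3Cinput+type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E"
    "%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value%3DLOGIN%3E%3C%2Fform%3E"
)

# Assumed stand-in for the search page; the real Search.asp is not on the slide.
PAGE_TEMPLATE = (
    "<html><body><h1>Search</h1>"
    "<p>You searched for: {term}</p>"
    "</body></html>"
)


def search_term_from_url(url: str) -> str:
    """Decode the tfSearch parameter exactly as the server would receive it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("tfSearch", [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflect the raw term into HTML: the defect the slide's URL exploits.

    Any tag in the search term becomes part of the page, so the attacker's
    fake login form is drawn inside the trusted site's own response."""
    return PAGE_TEMPLATE.format(term=term)


def render_fixed(term: str) -> str:
    """Reflect the same term with HTML output encoding applied.

    '<', '>', '&' and quotes become entities, so the browser shows the
    injected markup as literal text instead of rendering a form."""
    return PAGE_TEMPLATE.format(term=escape(term, quote=True))


def has_injected_form(page_html: str) -> bool:
    """Response check: a form with a password field that the app never emits."""
    low = page_html.lower()
    return "<form" in low and "name=password" in low


if __name__ == "__main__":
    term = search_term_from_url(XSSED_URL)
    print("decoded search term:", term[:60], "...")
    print("vulnerable page shows fake login form:", has_injected_form(render_vulnerable(term)))
    print("encoded page shows fake login form:  ", has_injected_form(render_fixed(term)))
```

The same encoding must be applied to every value reflected into a page, including error messages, since that is the spot the previous slide names.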




Cross Site Scripting – Examples

High profile web sites have been known to be susceptible to XSS issues.

[Screenshots: Cross Site Scripting “Victim Bank” XSS Demo]




ClickJacking Attacks

Attackers use “ClickJacking” to trick users into inadvertently clicking on objects within web pages, possibly authorizing access to their personal data.

• In ClickJacking attacks, a user is tricked into clicking on an object (i.e. a picture, button, online game) which appears to have little or no importance; in reality, however, the user is inadvertently clicking on another object (which would have importance to them or to the attacker).

• ClickJacking attacks superimpose two or more zones (layers) on a web page in order to get an end user to click the object the attacker desires.

• ClickJacking attacks are generally opportunistic directed or fully targeted attacks.

• Attackers use ClickJacking for the following purposes:
  • Get users to change settings in their profiles
  • Get users to acknowledge transactions
  • Attackers could take control of a computer’s camera and microphone



ClickJacking Attacks – How do they work?




ClickJacking Attacks – An Example

Generally, the end user never sees the web site in the back, only the “front” web site (i.e. a clicking game), yet inadvertently changes settings on the site behind it.




Drive-By Attacks

Attackers use Drive-By attacks to load malware onto end user systems. Malware can allow the attacker to control the victim’s system, log credentials such as usernames and passwords, and gather personal information such as credit card numbers.

• Drive-By attacks generally come in the form of downloads, where a site asks you to trust applets. Other Drive-By-Download attacks don’t even warn the end user and exploit weaknesses in browsers (Internet Explorer, Firefox, Opera, Safari, etc.) to install the malicious program automatically without any notification to the user.




How to recognize these types of attacks?

All these attacks have one thing in common: they want to obtain your personal information. Look with scrutiny at any attempt to request your personal information, especially when the request is not end user initiated.

• Questionable URLs (i.e. www.logon.citibank.citibank.ru, www.paypalpro.us)
• Invalid certificate on SSL websites (most browsers now support web site rating based on valid certificates)
• Changed content on web sites (i.e. new links, installers, ...)
• Being asked to enter information which you generally don’t need to supply
• Spelling and grammar mistakes can often raise suspicion




How to recognize these types of attacks?

“As a general rule, a trusted web site should never ask you to disclose your personal information…”

When being asked to enter information, ask yourself the following questions:

1) Isn’t this information the company should already have?
2) Have you seen the company ask for this information before, or is this the first time?
3) If someone called you and claimed to be from the company in question, would you give them the same data over the phone as the one you’re being requested to provide online?

If you’re not sure, call your bank branch or your customer care representative.

What can be done to thwart these attacks?

Good awareness and common sense go a long way!
• http://www.microsoft.com/protect/fraud/phishing/symptoms.aspx
• Also watch out for sites with typo squatting, for example:
  • www.micosoft.com
  • www.citbank.com
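An added check, not part of the presentation, that flags the two kinds of suspicious hosts the slides describe: a real brand name buried in a look-alike host (www.logon.citibank.citibank.ru, www.paypalpro.us) and a typo-squatted domain one edit away from a brand (www.micosoft.com, www.citbank.com). The allow list of legitimate domains and the “last two labels” approximation of the registrable domain are assumptions for illustration; a real implementation would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed allow list of the brands' genuine domains (constructed for this example).
LEGIT_DOMAINS = {"citibank.com", "paypal.com", "microsoft.com"}
BRANDS = {d.split(".")[0] for d in LEGIT_DOMAINS}  # citibank, paypal, microsoft


def hostname(url: str) -> str:
    """Extract a lower-case hostname; bare hosts like www.micosoft.com are accepted."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (simplification)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot single-character typos of a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'ok', 'brand-in-lookalike-host', 'typo-squat' or 'unknown'."""
    host = hostname(url)
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "ok"
    # A genuine brand name appears in the host, but the domain that actually
    # owns the name is someone else's (citibank.ru, paypalpro.us).
    if any(brand in host for brand in BRANDS):
        return "brand-in-lookalike-host"
    # The second-level label is one edit away from a brand (micosoft, citbank).
    second_level = reg.split(".")[0]
    if any(edit_distance(second_level, brand) <= 1 for brand in BRANDS):
        return "typo-squat"
    return "unknown"


if __name__ == "__main__":
    for sample in ("www.logon.citibank.citibank.ru", "www.paypalpro.us",
                   "www.micosoft.com", "www.citbank.com",
                   "https://www.citibank.com/login"):
        print(f"{sample:35} -> {classify(sample)}")
```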




The devil can be in the details.


What can be done to thwart these attacks?

Keep your systems current with the most recent patches (e.g. Automatic Updates)

• Automatic updating ensures that the most recent patches are installed.
• Knowing that your PC is being updated on an automated and regular basis limits the exposure to known vulnerabilities affecting operating systems, browsers and email clients.
• Creating awareness around automatic updating may change the mind set of persons clicking on web sites offering “software updates”.




What can be done to thwart these attacks?

Install a Desktop Firewall and enable the Firewall on your DSL / Cable Modem

• A DSL / Cable Modem firewall protects your home network by limiting exposure to Internet based attacks such as worms and common Trojans.
• A Desktop Firewall protects your individual desktops and laptops from attacks by other systems (for example an infected or compromised system on your own network).




What can be done to thwart these attacks?

Keep your Anti-virus software and signatures up to date.

• Keeping antivirus software and signatures up to date ensures that you are safe from the latest publicly known threats.
• Generally, antivirus software also includes anti-phishing, anti-spam, anti-malware, anti-drive-by-download, and other similar preventions.
• These antivirus vendors generally also maintain lists of known malicious and potentially dangerous sites and provide warnings on these.
• Integration with browsers and email clients limits end user exposure to these attacks.




What can be done to thwart these attacks?

Use Browser Anti-Phishing features

• Browser Anti-Phishing features look out for and alert upon suspicious patterns within web pages that may be indicative of phishing attempts.




What can be done to thwart these attacks?

Use Browser Anti-Threat features

• Most popular browsers and threat protection software nowadays contain features to detect and prevent the following threats:
  • ClickJacking
  • Malware
  • Malicious scripts
  • Malicious code
  • Pop-Ups




What can be done to thwart these attacks?

Configure Browser High Security

• Configuring Browser High Security:
  • Disables scripting
  • Disables launching applications from the browser
  • Disables installation of desktop items
• On the down side, Browser High Security may limit your ability to properly view certain web sites.




What can be done to thwart these attacks?
Turn off Third Party Cookies

  • Third Party Cookies allow an external party to track your surfing
    habits across the Internet.
  • In order to limit exposure to mass spamming or disclosure of your
    privacy on surfing habits, Third Party Cookies should be disabled.
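To make the "third party" distinction concrete, here is an added example (not part of the original presentation) that classifies the cookies set by each resource a page loads as first- or third-party and shows which ones a "block third-party cookies" setting would refuse to store. Browsers make this decision by comparing registrable domains (eTLD+1) using the Public Suffix List; the small SUFFIXES table, the news-site / ad-network hostnames and the Set-Cookie headers below are all constructed stand-ins for that.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: real browsers
// use the full list at publicsuffix.org; this subset covers the sample data).
const SUFFIXES = new Set(["com", "net", "org", "example", "co.uk", "uk"]);

// Return the registrable domain (eTLD+1) of a hostname, e.g.
// "ads.tracker.example" -> "tracker.example", "shop.bbc.co.uk" -> "bbc.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Try the longest candidate suffix first; the label just above the longest
  // matching public suffix is the registrable domain.
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname.toLowerCase(); // single label such as "localhost"
}

// A resource is third-party when its registrable domain differs from that of
// the top-level page the user is looking at (subdomains stay first-party).
function isThirdParty(topUrl, resourceUrl) {
  const top = registrableDomain(new URL(topUrl).hostname);
  const res = registrableDomain(new URL(resourceUrl).hostname);
  return top !== res;
}

// Extract the cookie name from a Set-Cookie header value.
function cookieName(setCookieHeader) {
  return setCookieHeader.split(";")[0].split("=")[0].trim();
}

// Decide which cookies a browser would store for a page at topUrl, given the
// Set-Cookie headers returned by each resource that page loaded.
function acceptedCookies(topUrl, responses, blockThirdParty) {
  const accepted = [];
  const blocked = [];
  for (const r of responses) {
    const thirdParty = isThirdParty(topUrl, r.url);
    for (const header of r.setCookie) {
      const entry = { host: new URL(r.url).hostname, name: cookieName(header), thirdParty };
      (thirdParty && blockThirdParty ? blocked : accepted).push(entry);
    }
  }
  return { accepted, blocked };
}

// Constructed sample: a news article page that loads its own static assets
// and a tracking pixel from an unrelated ad network.
const SAMPLE_PAGE = "https://www.news-site.example/article/42";
const SAMPLE_RESPONSES = [
  { url: "https://www.news-site.example/article/42",
    setCookie: ["session=abc123; Secure; HttpOnly; SameSite=Lax"] },
  { url: "https://static.news-site.example/app.js",
    setCookie: ["ab_test=B; Path=/"] },
  { url: "https://ads.tracker.example/pixel.gif",
    setCookie: ["uid=7f3e9; Domain=tracker.example; Expires=Fri, 01 Jan 2038 00:00:00 GMT"] },
];

console.log(JSON.stringify(acceptedCookies(SAMPLE_PAGE, SAMPLE_RESPONSES, true), null, 2));
```

With third-party blocking on, the two news-site cookies are stored and the ad network's `uid` cookie is refused, which is exactly the cross-site tracking identifier the slide warns about; with blocking off, all three are kept. Note that the example compares registrable domains only; browsers that implement "schemeful same-site" also treat a scheme change (http vs. https) as a different site.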
What can be done to thwart these attacks?
Validate Web Site Certificates and check EV SSL Certificates

  • Attackers oftentimes use self-created certificates. Your browser will
    alert on these. When you see a message of an "invalid certificate",
    this may indicate a potentially malicious web site.
  • Recently, Certificate Authorities (trusted companies which give out
    certificates) have introduced Extended Validation SSL Certificates
    (EVC's), for which the Certificate Authority does additional checks
    to ensure the company requesting the certificate is indeed who they
    say they are. This limits the exposure to malicious sites.
What can be done to thwart these attacks?
Some useful tips and web sites to know about

  • If you think you may be dealing with a Phishing incident, why not
    take a dive into the PhishTank? http://www.phishtank.com/
  • You can search the PhishTank website to identify any "known" phishing
    web sites as well as to add any phishing web sites you may have come
    across.
  • Another great web site to check out is the Anti-Phishing Working
    Group, who have put online a collection of interesting links at
    http://www.antiphishing.org/resources.html
  • More information about Extended Validation SSL Certificates can be
    found at http://www.cabforum.org
Conclusion

  • Cybercriminals are lurking around the corner to steal your personal
    information, driven by prospects of large hauls of valuable data

  • It's important to stay one step ahead of these cybercriminals by...
      – Keeping your systems up to date (Patching, Anti-Virus, Anti-Spam)
      – Enabling a desktop and DSL / Cable Modem Firewall
      – Enabling Browser Security Features (Anti-Phishing, Anti-Threat,
        High Security Zones)
      – Validating web site SSL certificates

  • ... and to know how to act when these attacks occur:
      – Maintain a skeptical, but healthy, attitude towards any site
        requesting your personal information
      – Beware of invalid certificates on SSL websites
      – Watch out for questionable URLs and suspiciously changed content
        on web sites
                                                                                                                                                                                                            Questions