Computer Security, Vulnerabilities, and Privacy 2001

					Bob Koepke
Network Security Manager - Electronic Systems
Raytheon Company                   February 2001
February 2001   Bob Koepke   2
Approaching the Risk

    Your goal should be…

       Risk Management
       NOT: Risk avoidance

    Education as a Defense
 Many exploits are not very technical
 Memorizing “Chapter & Verse” generic
  technical guidelines:
  - Is not enough to defend against threats
  - Will keep you constantly behind the
     threat “power curve”
 You must learn:
  - To spot new vulnerabilities
  - To change your mode of thinking

Internet “Consumer Services”
ISPs, websites, e-mail, anonymizers, online stores,
gambling / pornography sites, etc.

     Service Privacy Policy
         (look for one, but don’t trust it blindly)

     Cookies – there are worse things on the net

     “Free” Services:
         - ISP
         - E-Mail
         - Web Space
         - Free Long Distance Services Via the Internet
     Encryption – for sensitive personal information
         (But what do they do with the information once they have it?)

Consumer Data
Privacy Statement Excerpt:
       “Business Transfers: As we continue to
        develop our business, we might sell or buy
        stores or assets. In such transactions,
        customer information generally is one of the
        transferred business assets. Also, in the
        unlikely event that, Inc., or
        substantially all of its assets are acquired,
        customer information will of course be one
        of the transferred assets.”

Internet Transaction Security

 Data passing via encrypted paths normally
  do not have significant risk.
 What happens to the data at and past the
  destination can be a risk.
 The human factor is usually a greater risk
  than the technology factor.

        Risk Levels for Encrypted
        Internet Transactions

Website Visitor Tracking
(not all-inclusive)

 Your IP address (ISP, city, state, employer, etc.)
 Browser info: O/S, Version, Screen Size, Preference Settings, etc.
 Cookies (read & written)
 Locations that you visit on their website
 The website where you came from prior to their website
  (aka: referrer site)
 Number of web pages visited prior
 Plug-ins installed (midi, ShockWave, RealPlayer, etc.)
 Limited hardware configuration (i.e., soundcard)

 Anything else you might have volunteered!
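
What a site can read from a single page request, as an added example that is not part of the original slides: the sketch parses a constructed HTTP request and pulls out the header-borne items from the list above. The request text, the 192.0.2.44 address and the function name `visitor_profile` are assumptions made for illustration; screen size and plug-in lists are collected by script running in the page rather than from headers, so they are not shown.

```python
from email.parser import Parser
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: one request as a web server would receive it.
SAMPLE_REQUEST = (
    "GET /products/cameras.html HTTP/1.0\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n"
    "Referer: http://search.example/results?q=digital+camera+reviews\r\n"
    "Accept-Language: en-us\r\n"
    "Cookie: visitor_id=a81f3c; last_visit=2001-02-03\r\n"
    "\r\n"
)
# Constructed; the address comes from the TCP connection, not from a header.
SAMPLE_PEER_IP = "192.0.2.44"


def visitor_profile(raw_request, peer_ip):
    """Return what the server learns from one request without asking the user."""
    request_line, _, header_block = raw_request.partition("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    headers = Parser().parsestr(header_block, headersonly=True)

    referrer = urlsplit(headers.get("Referer", ""))
    cookies = SimpleCookie(headers.get("Cookie", ""))
    # The parenthesised part of User-Agent carries browser version and O/S.
    agent = headers.get("User-Agent", "")
    platform = []
    if "(" in agent and ")" in agent:
        inner = agent[agent.index("(") + 1 : agent.rindex(")")]
        platform = [part.strip() for part in inner.split(";")]

    return {
        "ip": peer_ip,
        "page": path,
        "referrer_site": referrer.hostname,
        "referrer_query": referrer.query,  # often the visitor's search terms
        "platform": platform,
        "language": headers.get("Accept-Language"),
        "cookies": {name: morsel.value for name, morsel in cookies.items()},
    }


if __name__ == "__main__":
    for field, value in visitor_profile(SAMPLE_REQUEST, SAMPLE_PEER_IP).items():
        print(f"{field:15} {value}")
```

Every field in the result was sent automatically by the browser; the visitor typed nothing into the site.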

Home Computers
 DSL, Cable Modem, or Dialup
     (always on + higher speed connection = more risk)

 Antivirus software installed & current?
 Firewall installed, current, and configured?
  - BlackIce ( - $40 (/year)
  - ZoneAlarm ( – free*
  - Hardware firewall
 Latest O/S Patches (i.e.,

Internet Connectivity

Port Scans & Probes
Back-Orifice Trojan Query
SubSeven Trojan Query

This is from a DIAL-UP connection !!!

Home Network

            The BLUETOOTH trademarks are owned by
            Telefonaktiebolaget L M Ericsson, Sweden

  Effortless instant wireless connections between
   various electronic devices. Range = 10 meters.
  Desktop Computers, Laptop Computers, Printers,
   Cameras, Cell phones, PDAs, Pagers, ...
  Cost to implement Bluetooth
   in a product is low
  Security risk is high, especially in classified areas

     You may not be able to tell if a device has
      the Bluetooth chip!
     OEM computer equipment companies may
      not know their products have Bluetooth
     There’s no easy security solution !

     Bluetooth’s FAQ on Security
    “Are transmissions secure in a business and
    home environment?”

    “Bluetooth wireless technology has built-in
    sufficient encryption and authentication and is
    thus very secure in any environment. In
    addition a frequency-hopping scheme with
    1600 hops/sec is employed. All of this, together
    with an automatic output power adaption to
    reduce the range exactly to requirement, makes
    the system extremely difficult to eavesdrop.”

                   Bluetooth Module

Know Your Adversary
9 Hacker/Perpetrator Subtypes
                           (derived from Infosecurity Magazine July 2000)

        Curious individuals who commit
        violations in the process of learning,
        generally without malicious intent,
        unaware they are violating company
        policies or laws

     Individuals who ignore policies or
     laws to hack into systems to fix
     problems or accomplish assignments,
     believing their efforts to be more
     efficient than following laws or
     approved procedures

 HACKERS (Black Hat) /
   Individuals who have a prior history of
   unauthorized system penetration

     Individuals that install logic bombs or
     other devices to serve as job insurance.

     (They defuse the logic bombs in
     exchange for severance considerations)

      Individuals that engage in acts of
      sabotage, espionage or other
      malicious activity to advance their
      own agenda

      “Entitled” individuals who feel they
      are special and deserving of special
      recognition, because of their self-
      perceived talents or suffering, believe
      themselves above the rules or law

      Act as though they “own” the system
      they are entrusted with and will do
      anything to protect their control and
      power over this territory

      Classic disgruntled individuals, who
      act out of revenge for perceived
      wrongs done to themselves

      Individuals who penetrate systems
      solely to commit theft, fraud,
      embezzlement or other illegal acts

 It is estimated that 80%
 of the security threat is from

Advice (all are important!)
 Do not provide your full and/or real personal
      information …
     Get Hotmail (or similar) account(s) for untrusted
     Do not respond to unsolicited e-mail
     Do not post to Internet newsgroups with your
      real e-mail address or name.
     Update your antivirus software at least weekly!
      Scan regularly!
     Get firewall software on your home PC(s). Keep
      it updated & tight!
     Download files & programs only from known
      trusted sources
 Do not share passwords or PINs between
      Dialup ISPs anonymously (*67)
      On-Line Credit Card Use:
         1. Encrypted Session & Encryption
       Certificate Valid For That Merchant
         2. Known & Trusted Web Sites Only
      Be careful of “typo look-alike” sites !!!
      Do not use your work computer for
       anything you want to keep private

 Do not keep your computer “live on the net”
  when not in use
 Keep your home phone number unlisted with a
  strict need-to-know
  (Avoid giving it to ANY businesses -
    online or in-person !)
 Make certain your business has a proxying
  firewall with NO ports open
 Make certain your business uses strong dialup

Strong vs. Weak Authentication

[Figure; images not recoverable. Surviving labels:]
+ PIN =
& PIN =
USER ID & PASSWORD = ACCESS
+ PIN = ACCESS

Strong Authentication - (Businesses)
 A.k.a.: Two-factor Authentication
 Something you have + Something you know
 One Time Passwords

Web Site Security SSL Certificate
          • Proof of Identity
          • Proof of Point-To-Point Encryption
          • More info on SSL:

Privacy Compromised for Profit
 Recently some online data-gathering
  companies will pay you to give up your
  private information.
 They rationalize that most of your privacy is
  gone anyway, so why not give up the rest
  for a small fee? !!!!
 Example:

   Web Educational Resources

      (formerly / Heavy Industries)

 $100/node-locked license (15 day trial-ware)
 NT Password Sniffer & Cracker combined in one
  user-friendly package.
 An example company had a policy requiring
  passwords longer than 8 characters, with at least
  one upper case character plus a numeric or symbol
 L0phtCrack cracked 90% of the passwords in
  under 48 hours on a Pentium II/300.
 18% of the passwords were cracked in under 10
 The Administrator and most of the Domain Admin
  passwords were cracked.

Hardcopy Educational Resources
 Hacking Exposed:
     Network Security Secrets and Solutions
     by George Kurtz

 Secrets and Lies:
     Digital Security in a Networked World
     by Bruce Schneier

 Digital Evidence and Computer Crime
     by Eoghan Casey

 2600 Magazine

Last Pieces of Advice:
  There is no 100% perfect solution…
  Technology changes…
  What’s safe today, may not be safe tomorrow…
  Don’t give up...
  Use a good plan of risk management
 Know Your Adversary !!!

            Sleep well !