Slide 1
Computer security, Internet privacy: What should we worry about? Sebastian Lopienski, CERN Deputy Computer Security Officer. Polish Teachers Programme, October 2014
Slide 2
Disclaimer What follows are my opinions and not necessarily
those of CERN. Sebastian Lopienski 2
Slide 3
A cloud hack. The digital life of a Wired journalist was destroyed in one hour:
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking
Amazon, Apple, Google and Twitter accounts compromised; all Apple devices wiped out remotely.
Slide 4
A cloud hack. How?
1. Call Amazon and add a new credit card. Needed: name, billing address, e-mail address.
2. Call again, say you lost the password, and add a new e-mail address. Needed: name, billing address, a credit card number currently on file (the one added in step 1 qualifies).
3. Reset the password; the new one is sent to the newly added e-mail address.
4. Log in and see all registered credit cards (last 4 digits).
5. Call Apple, say you lost the password, and get a temporary one. Needed: name, billing address, last 4 digits of a credit card.
6. Reset the Google password; the new one is sent to the Apple e-mail (registered as an alternate e-mail).
7. Reset the Twitter password; the new one is sent to the Google e-mail (linked to the Twitter account).
Slide 5
A cloud hack. Multiple security flaws and issues:
Interconnected accounts: which one of your accounts is the weakest link?
Our full dependence on digital information, devices, cloud services etc.
Very weak identity-check procedures, often not even followed correctly (some procedures have changed as an outcome of this case).
Enable 2-step authentication (Google, LinkedIn, Apple, ...).
Security questions whose answers are often trivial to find (remember Sarah Palin's Yahoo account hack in 2008?).
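The phone-call chain on slide 4 and the "weakest link" question on slide 5, as an added example that is not part of the original talk: each recovery procedure is written as a rule "facts or accesses required -> facts or accesses gained", and the closure of those rules from public facts shows everything an attacker can take over. Removing one rule at a time shows which procedure, if fixed, breaks the chain, and adding a second-factor prerequisite shows what 2-step authentication on one account buys. The rule names and labels are a constructed encoding of the steps described above, not data from the slides.

```python
# Added example (not from the talk): account-recovery procedures as rules
# "prerequisites -> gains"; compute what an attacker who starts from public
# facts can obtain. Rule names and labels are a constructed encoding of the
# steps on slide 4.

# Each rule: (procedure, facts/accesses required, facts/accesses gained)
RECOVERY_RULES = [
    ("amazon: add a credit card by phone",
     {"name", "billing_address", "email"}, {"card_on_amazon_file"}),
    ("amazon: add an e-mail address by phone",
     {"name", "billing_address", "card_on_amazon_file"}, {"amazon_reset_email"}),
    ("amazon: password reset to new e-mail",
     {"amazon_reset_email"}, {"amazon_account", "card_last4"}),
    ("apple: temporary password by phone",
     {"name", "billing_address", "card_last4"}, {"apple_account", "apple_email"}),
    ("google: reset to alternate (apple) e-mail",
     {"apple_email"}, {"google_account", "google_email"}),
    ("twitter: reset to linked (google) e-mail",
     {"google_email"}, {"twitter_account"}),
]

# What the attacker knows at the start: public or easily found facts (constructed)
PUBLIC_FACTS = {"name", "billing_address", "email"}


def attacker_closure(known, rules):
    """Apply every rule whose prerequisites are met until nothing new is
    gained. Returns (everything obtained, procedures used in order)."""
    have = set(known)
    used = []
    progress = True
    while progress:
        progress = False
        for name, needs, gains in rules:
            if name not in used and needs <= have:
                have |= gains
                used.append(name)
                progress = True
    return have, used


def weakest_links(known, rules, targets):
    """For each procedure: which targets stop being reachable if that one
    procedure alone is fixed (removed)? Procedures whose removal protects
    the most targets are the weakest links of the chain."""
    baseline, _ = attacker_closure(known, rules)
    protected_by = {}
    for rule in rules:
        remaining = [r for r in rules if r is not rule]
        have, _ = attacker_closure(known, remaining)
        protected_by[rule[0]] = {t for t in targets if t in baseline and t not in have}
    return protected_by


def with_second_factor(rules, account):
    """Rules where any procedure handing out `account` also requires a second
    factor the attacker does not have (slide 5: enable 2-step authentication)."""
    return [(name, needs | {account + "_2nd_factor"} if account in gains else needs, gains)
            for name, needs, gains in rules]


if __name__ == "__main__":
    have, used = attacker_closure(PUBLIC_FACTS, RECOVERY_RULES)
    print("taken over:", sorted(a for a in have if a.endswith("_account")))
    for step in used:
        print("  via", step)
    targets = {"amazon_account", "apple_account", "google_account", "twitter_account"}
    for proc, saved in weakest_links(PUBLIC_FACTS, RECOVERY_RULES, targets).items():
        print(f"fixing '{proc}' protects {sorted(saved)}")
    have, _ = attacker_closure(PUBLIC_FACTS, with_second_factor(RECOVERY_RULES, "google_account"))
    print("with 2-step on Google, still lost:", sorted(a for a in have if a.endswith("_account")))
```

Run as a script it lists the six procedures in the order the chain needs them, then shows that fixing either of the two phone-based steps (Amazon adding a card, Apple issuing a temporary password) protects every downstream account, while fixing the Twitter step protects only Twitter: the weakest link is whichever account the others' recovery e-mails point back to. The same closure with a second factor on the Google account still loses Amazon and Apple, which is the slide's point that every account in the dependency graph needs protecting, not just the one you care about most.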
Slide 6
(Cartoon) From http://www.bizarrocomics.com
Slide 7
E-mail account before e-bank account? From
http://elie.im/blog/security/45-of-the-users-found-their-email-accounts-more-valuable-than-their-bank-accounts
Slide 8
Passwords lost, or easy to guess. Top 10 words used in passwords: password, welcome, qwerty, monkey, jesus, love, money, freedom, ninja, writer.
From http://www.zdnet.com/the-top-10-passwords-from-the-yahoo-hack-is-yours-one-of-them-7000000815/
Slide 9
Outline: Where are we? Who are they? What is ahead?
Slide 10
Vulnerabilities
Slide 11
Trying to sell a Yahoo XSS for $700
Slide 12
Selling a command-execution vulnerability in MS Office for $20k
Slide 13
Vulnerability market shift. Finding vulnerabilities is difficult and time-consuming.
Selling to vendors, or publishing (mid 2000s): limited money, thousands to tens of thousands of dollars, e.g. Mozilla up to $3,000, Google up to $3,133.70; vulnerabilities eventually patched (good!).
Selling to the underground (late 2000s): a busy and active black market, more profitable (tens to hundreds of thousands of USD); sometimes the buyers are governments or their contractors; used in 0-day exploits (no patch).
Researchers don't commit crime; attackers don't need skills, just money.
Slide 14
Botnets (networks of infected machines). From
http://www.f-secure.com/weblog/archives/00002430.html
Slide 15
Outline: Where are we? Who are they? What is ahead?
Slide 16
Who are they?
Criminals, motivation: profit.
Hacktivists, motivation: ideology, revenge.
Governments, motivation: control, politics.
Slide 17
Criminals. The usual stuff: identity theft; credit-card fraud; malware targeting e-banking, e.g. Zeus, Gozi etc.; scareware, e.g. fake AV, fake police warnings; ransomware, taking your data hostage (soon: accounts?); mobile malware, e.g. sending premium-rate SMSes; denial of service (DoS); spam; etc.
Slide 18
2-in-1: Scare and demand ransom. From
http://www.zdnet.com/sopa-reincarnates-to-hold-your-computer-hostage-7000005684
SOPA is dead but still used by criminals to scare people. It pays off (from symantec.com).
Slide 19
Cyber criminals. Thai police have arrested Algerian national Hamza Bendelladj, wanted by the FBI for allegedly operating the Zeus botnet (e-banking malware). From http://www.bangkokpost.com
Slide 20
Gangsters. A hacker nicknamed vorVzakone, allegedly related to the Gozi malware. From krebsonsecurity.com
Slide 21
Employing mules: a "Become a foreign agent in the US" advertisement. From krebsonsecurity.com
Slide 22
Hacktivists. Attacking to protest, to pass a message etc.
Slide 23
Anonymous, LulzSec: many groups, varying agendas, from ideologists to criminals.
Slide 24
Do you know this guy?
Slide 25
Aaron Swartz, a software developer and open-access activist.
2001 (aged just 14!): helped develop RSS.
2002: worked with Tim Berners-Lee on the Semantic Web.
2008: released 20% of the Public Access to Court Electronic Records (PACER) database of United States federal court documents.
2011: arrested for retrieving scientific articles from JSTOR; he believed in open access to the results of publicly funded research; faced up to 35 years in prison and a $1m fine.
2012: campaigned against SOPA.
2013: committed suicide (because of the ongoing criminal prosecution?).
Slide 26
Google a freedom activist? https://www.google.com/takeaction/
The same Google that outraged privacy defenders with its new Privacy Policy.
Slide 27
... but governments?
Slide 28
Spying on (some) citizens. Network encryption in the way? Then infect the computers, or go after the services.
Syrian activists' PCs infected with Trojans/backdoors.
Tibetan rights activists often targeted.
Israel demands e-mail passwords at borders.
German police infect criminals' PCs with Trojans/backdoors, buying surveillance code and services for 2M EUR (!) or developing them in-house (unfortunately, full of security holes).
From http://www.f-secure.com/weblog/archives/00002423.html
Slide 29
PRISM: mass online surveillance program
Slide 30
Privacy vs. control. "If you are doing nothing wrong, then you shouldn't worry if we watch you." "If I am doing nothing wrong, then you shouldn't be watching me!" Cryptography/encryption (HTTPS) is still a good defense.
Slide 31
Agencies & contractors turning offensive. From F-Secure
Slide 32
Agencies & contractors turning offensive. Northrop Grumman looks for a "Cyber Software Engineer" for an "Offensive Cyberspace Operation mission". From
http://www.f-secure.com/weblog/archives/00002372.html
Slide 33
Stuxnet (the worm that targeted Iranian uranium-enriching centrifuges, discovered in 2010). Estimated development effort: 10 man-years. Result: sabotage; 30,000 Iranian computers infected, some hardware damage, nuclear program set back by ~2 years. Cui bono? (New York Times, June 2012: a joint US-Israel operation, "Olympic Games", started by Bush and accelerated by Obama.)
Slide 34
Outline: Where are we? Who are they? What is ahead?
Slide 35
Does Stuxnet make us all more vulnerable?
http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12