Cyber Crime What's YOUR Weakest Link?

The Secure Software Acquisition Process – C Level

Who am I?

• Chair, Computer Information Systems Department, University of Detroit Mercy
• Director, Center for Cyber Security and Intelligence Studies
• Former Employee (on educational leave), Ford Motor Company IT Security & Strategy
• Student, University of Michigan Dearborn PhD Program – Writing dissertation

Thursday April 11th, 2013 BOMA Metro Detroit (April Meeting)

Who are we?

• Undergraduate Student: Sam Rassam, University of Detroit Mercy
• Undergraduate Student: Kyle Cisco, University of Detroit Mercy

Aspirations

At the end of this presentation you will have a better understanding of:

• The cyber risks you face as business owners
• The behaviors and technologies that put you at risk
• The steps you can take to protect yourself
• The places you can go to learn more

Cyber Crime in General

• Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved.
• Annual loss estimates range from billions to nearly $1 trillion.
• Some claim cybercrime rivals the global drug trade in size.
• Estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem.
• Cybercrime is actually a relentless, low-profit struggle for the majority.
• You have the power to limit your vulnerability to cyber crime.

*Source: The Cybercrime Wave That Wasn’t, by Dinei Florêncio and Cormac Herley, published April 14, 2012

What do they want?

• Assets that can be turned into money
  • SSNs
  • Bank accounts
  • Credit card accounts
  • Identities
• Access to physical things
  • Cars
  • Places of business
• Underage candidates for exploitation

How do they get it?

Accepting without reading

• While browsing the Internet, an Internet advertisement or window appears that says your computer is infected or that a unique plug-in is required. Without fully understanding what it is you're getting, you accept the prompt.
• When installing or updating a program, you're asked (often with the checkboxes already checked) whether it's OK to install additional programs that you may not want or that are designed to monitor your usage of the program.

Best defense: awareness training

How do they get it?

Opening e-mail attachments

• Another very common way people become infected with viruses and other spyware is by opening e-mail attachments, even when from a co-worker, friend, or family member. E-mail addresses can be faked, and even when not faked your acquaintance may unsuspectingly be forwarding you an infected file.
• When receiving an e-mail with an attachment, if the e-mail was not expected or is from someone you don't know, delete it. If the e-mail is from someone you know, be cautious when opening the attachment.

Best defense: awareness training; type in URLs; email scanner

Hands-on Demo #0: Wireless attack on an iPhone

• Sniff iPhone Wi-Fi traffic even on HTTPS connections
• Obtain user ID and password for email account, credit card account, bank account

How do they get it?

Not running the latest updates

• Many of the updates, especially those associated with Microsoft Windows and other operating systems and programs, are security updates. Running a program or operating system that is not up-to-date is a big security risk.

Best defense: turn on automatic updates

How do they get it?

Pirating software, music, or movies

• When you download copyrighted music, movies, software, etc. for free from underground places on the Internet, many of the files can contain viruses, spyware or malicious software.

Best defense: don’t allow torrents; DNS filtering

How do they get it?

No antivirus/spyware scanner

• If you're running a computer with Microsoft Windows, it's highly recommended you have some form of antivirus and spyware protection on that computer to help clean it of any infections currently on the computer and to help prevent any future infections.

Best defense: AVG antivirus/antispyware; defense in depth

How do they get it?

USB attacks

• USB stick with company data is lost or stolen
• USB stick is found and inserted into a company computer

Best defense: Full disk encryption; Encrypted USB sticks; Removable media scanner (AVG)

Hands-on Demo #0: Computer on a stick

• Bypass all Windows security and look at the hard drive
• Allows you to recover files from a broken OS
• Allows you to scan and repair
• Ubuntu 10.04 is easiest to use

How do they get it?

Wireless Attacks

• A company laptop or mobile device is used to access the internet at a local coffee house, an airport, or a hotel. If the access point is an imposter OR if the access point uses WEP encryption OR if the access point uses WPA with a dictionary password then all traffic will be available to the attacker.
• HTTPS (SSL) is no help in this situation. An attacker can easily strip it off.

Best defense: WPA2 or WPA with a strong key; awareness training

Your interconnectedness

[Figure: Your interconnectedness. Labels: You; iPhone; PSP; Laptop (Corporate); Blackberry (Corporate); Wireless Router (Hotel); Wireless Router (Panera); WiFi; Cell Tower; Internet; Bank; Gmail; Google Calendar; Soccer Registration. Data labels: account info, credit card, personal info, personal and corporate email & calendar, personal and corporate data. Hacker: “I’m Listening!”]

Mobile Devices… Some numbers

• Purchases increasing at an annual growth rate of more than 40%
• About 40% of corporate devices are purchased by individuals who then use them in the enterprise.
• Number one mitigation strategy for organizations is limiting operating system diversity
  “We are going to limit ourselves to ONE risky platform”

* Source: International Data Corporation

Mobile Devices… How is software developed?

• iOS
  • Proprietary code
  • Development uses Objective-C and Cocoa Touch
  • Sold and distributed in Apple App Store (or marketplace your company “buys”)
• Android (most sales in 2010)
  • Open Source
  • Development takes place using (primarily) Java
  • Sold in the Android Market and third party stores

Apple, Android, RIM and Symbian = 89% of the market

Mobile Devices… How is software assured?

• Assurance
  • iOS
    • Apple inspects code for usage they don’t like.
    • Apple makes “recommendations”
    • Proprietary nature reeks of risk
    • No warnings about accessing resources
  • Android
    • Some code inspection depending on the marketplace where the app is sold
    • Open source nature smells better
    • Warnings about accessing resources

Mobile Devices… Where is software hosted?

• Hosting
  • iOS
    • Runs through Apple (messes up DNS)
    • Could be hosted by provider
    • Could be hosted by advertiser
    • Could be hosted by you
  • Android
    • Could be hosted by provider
    • Could be hosted by advertiser
    • Could be hosted by you

Mobile Devices… Mobile Malware: Still waiting for the mushroom cloud

• First Symbian malware (2004):
  • Cabir worm (spread via Bluetooth)
  • Skuller (spread via OS vulnerability)
• First iPhone virus (2009):
  • Ike worm targeted jailbroken iPhones. Written by a Dutch hacker who was ripped off by a punk hacker. It targeted jailbroken phones running SSH.
• First Android malware (2010):
  • Trojan-SMS.AndroidOS.FakePlayer. Distributed via websites, not Android Market. Written by Russian virus writers.

Mobile Device Breaches

• 1 in 3 breaches attributed to mobile devices (includes lost or stolen devices)
• Cyber criminals have moved to easier, smaller targets
  • Healthcare and hospitality
• Malware, hacking, and physical compromise were 5 of top 10 events in Verizon report
  • Others were malware, hacking of servers
• Breaches are not matching increased usage
  • My speculation is that people don’t report loss of personally owned devices

Why worry?

• Converged mobile device sales are greater than laptop sales
• Gen Y has shown a propensity to accept risk
• There is a lack of awareness of the differences between an app and an enterprise application
• Antivirus / antispyware tools are available but not as powerful as their laptop counterparts
• Antivirus / antispyware tools are often disabled because of performance
• There is a lack of awareness of the differences between WiFi and Cellular technology

Cloud Computing… Watch out for…

• Forensics
  • There are no established digital forensic guidelines that specifically address the investigation of cloud computing systems. (Computer Law and Security Review, 2010)
  • How can you verify that the forensic evidence has NOT been altered?
  • UK Information Commissioner’s Office (ICO, 2010) recommends that all data be encrypted prior to being sent to the cloud
  • The acquisition and analysis of evidence from cloud computing systems is going to be more complex and in some cases impossible.

Cloud Computing… Watch out for…

• Exposure
  • Law enforcement agencies need warrants to enter your premises, search your files and pull out incriminating documents.
  • They need the same warrant for files on your computer
  • Does the same standard apply if your information is stored in online servers operated by cloud computing providers? See 1986’s Electronic Communications Privacy Act.

Hardening

Server Hardening

• Turn off services you don’t need
  • ftp, telnet
• Use Microsoft Configuration Manager
  • In Windows Server 2012, the Security Configuration Wizard is located in the Server Manager dashboard
• Use a Mac OS X Server Hardening Checklist
  • Several are available online
• Use a standard load
• Have a way of backing up and restoring (e.g. cloning software)

PC/Laptop hardening

• Antivirus/Antispyware
  • AVG Free 2012
• Firewall
  • Comodo
• Antivirus/Antispyware #2
  • Spybot Search and Destroy
• Encryption
  • TrueCrypt
• DNS
  • OpenDNS
• Virtualization
  • VirtualBox

iPhone Hardening

• iPhones were not built for the enterprise
• iPhone forensics can be performed on the backups made by iTunes or directly on the live device.
• The bad: iPhone backups are not encrypted by default
• The good: Apple makes it harder to read the data by adding a level of encryption to the file (using a key from the phone)
• The bad: it’s still crackable

iPhone Hardening

• Every time you hit the home key, the iPhone takes a snapshot

iPhone Hardening

• Dynamic Dictionary
  • iPhones keep a “secret” file in the file system called dynamic dictionary.dat. This file records keystrokes on the iPhone (text messages, emails, other applications) for the purpose of improving the recognition of words you type. Do you type in your passwords?

iPhone Hardening

• Google.com searches
  • The iPhone keeps track of your google.com searches! The upper limit is unknown but 80,000 hits is not too many.

Is your phone a computer?

8th Circuit: In U.S. v. Kramer, the court imposed a lengthier sentence because Kramer used his Motorola Razor to lure an underage girl across state lines. The court concluded that the phone was a “computer” (and even that “dumb” phones should be considered computers).

Update Your Software

• To begin, the software on the device must be updated.
• The screen should look like the figure on the right if the software is up to date.

Passcodes

• Next you will want to Turn Passcode On
• You will want the passcode required as soon as the screen is locked
• You will also want the phone to erase the data if the password is incorrectly entered 10 times.

The Passcode Lock screen should look like this

Safari Security

• Next you will have to enable the Fraud Warning and Block Pop-ups on Safari; this can be done on the screen to the right.

Wi-Fi Networks

• Wi-Fi settings are the next thing that will need to be adjusted.
• “Ask to Join Networks” so that…
• You will also only want to join secure networks; these are shown by a lock next to the network name.

After using a Wi-Fi network you will want to click on the network and choose to “forget the network”

Bluetooth Settings

• Next you will always want to turn off Bluetooth on the device when not in use. This can be done here.

iTunes Security

• Always back up the data from your mobile device through iTunes. Make sure the backup is encrypted.

Guidelines to Live By

• Always erase all data off the device before repair or service.
• The use of a 3G network is more secure than the use of a wireless one.
• The use of an alphanumeric password is more secure than the average simple 4-number password.

If You Lose Your Device

• Location Tracking: Certain applications will allow for tracking of your Apple device via the location services.
• It is also possible to wipe the phone remotely with these applications.

This application is the “Find My iPhone” application provided by Apple

Hands-on Demo #4: Compromising the iPhone via Siri

Hardening Your Android Device

Update Your Software

• To begin hardening your Android device, the software on the device must be up to date.
• This can be done by going to device management and clicking on “check for updates”.

Password

• Set up/Change the password to your device. This can be done under the location and security tab in settings.
• The screen will look like this when you are setting a new password.

Password Hints

• Once the password is set you will want to ensure that as soon as the screen is locked, a password will be required to access the device.
• There are also apps that can erase the data off a phone remotely in case the phone is lost. One of these applications is Google Sync, and a remote wipe can be done from any computer.

Wi-Fi Settings

• Next, “auto connect” should be turned off. This will prevent the device from joining networks that you do not wish to join.

Network Security

• To find out if you are using a secure network, you can click on the network in the Wi-Fi settings.
• In the individual network you can view the type of security that the network has
• You can see that this network has Open security.

Bluetooth

• As with the iPhone, you will want to turn all Bluetooth off when not in use.

Wi-Fi Tips

• Once done using a Wi-Fi network you will want to go to the Wi-Fi settings and choose forget network. This will prevent the device from automatically rejoining the network.
• Another thing to remember is to always back up and erase all data before sending a phone in for repair or replacement; this is also true if you choose to sell a device.

If You Lose Your Device

• Apps like Android Lost are good applications to have on your device if it is lost.
• This app can provide security for your device as well as erase the data remotely if it is lost.

Resources

• Risk Assessment (threat modeling)
  • Reduces your risk by identifying threats and vulnerabilities
  • Onsite investigation involves key employees
  • Comprehensive report of findings
  • Detailed recommendations
• Awareness training
  • Reduces your risk by addressing individual behavior
  • Onsite training can be individualized
  • Hands-on, interactive sessions

For more information

Jeff Ingalsbe
Chair - Computer Information Systems
Center for Cyber Security and Intelligence Studies
University of Detroit Mercy
(248) 988-5844
(248) 417-5048