Week 08 : Security awareness and hacking PCB - KNOWLEDGE SHARING SESSION

Page 1: Week 08 : Security awareness and hacking

Week 08 : Security awareness and hacking
PCB - KNOWLEDGE SHARING SESSION

Page 2: White hat vs Black hat hacking

The good guys are "white hats," who identify weaknesses in systems so they can be fixed.

"Black hats" are the ones who take advantage of weaknesses in systems.

Page 3: 3 main threats of the interweb

* Just to list some generic examples

1. Hacking
◦ Man in the middle attack
◦ Key loggers
◦ DDoS (Distributed Denial of Service)

2. Phishing
◦ Websites
◦ Email

3. Spoofing (Identity Theft)
◦ Email Spoofing
◦ IP Spoofing/Gateway poisoning

Page 4: Hacking : Man in the middle attack

In some cases, users may be sending unencrypted data, which means the man-in-the-middle (MITM) can read any unencrypted information directly.

In other cases, the attacker can still capture the information from the attack, but has to decrypt it before it can be read.

The attacker intercepts some or all traffic coming from the computer, collects the data, and then forwards it to the destination the user was originally intending to visit.

Page 5: Hacking : Man in the middle attack

DISCLAIMER : No animals, property, humans or interests were jeopardized during this process of “simulating” the scenario, as the video below depicts the MITM, by Jermaine Cheah Penn Hon.

http://www.youtube.com/watch?v=yGF4FQb9rHQ

Watch the video below for a simulation of a MITM attack I’ve done on an unencrypted e-commerce website.

The initial chargeable figure was RM 43.00, but I could alter it to RM 1.00 upon checkout.
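An added example (not from the slides) of the server-side mistake that lets an in-transit RM 43.00 to RM 1.00 rewrite succeed: a checkout that charges whatever amount the browser sends, beside one that recomputes the total from its own catalogue and rejects a mismatch. The catalogue, SKUs and request dicts are constructed; TLS is what stops the tampering in transit, and this check is what stops a tampered amount from being honoured even if it arrives.

```python
from decimal import Decimal

# Constructed server-side catalogue: product id -> unit price in RM.
CATALOGUE = {"SKU-1001": Decimal("43.00"), "SKU-1002": Decimal("12.50")}

# Constructed checkout form as the shopper's browser sent it (RM 43.00)...
ORIGINAL = {"sku": "SKU-1001", "qty": "1", "amount": "43.00"}
# ...and as it arrived after being rewritten in transit (RM 1.00).
TAMPERED = {"sku": "SKU-1001", "qty": "1", "amount": "1.00"}


def checkout_trusting_client(form: dict) -> Decimal:
    """Vulnerable pattern: charges whatever 'amount' the request carries,
    so anyone who can rewrite the request sets their own price."""
    return Decimal(form["amount"])


def checkout_server_priced(form: dict) -> Decimal:
    """Hardened: the price comes from the catalogue, never from the client.
    A client amount that disagrees is treated as tampering and rejected,
    not silently 'corrected', because the mismatch is worth logging."""
    sku, qty = form["sku"], int(form["qty"])
    if sku not in CATALOGUE or qty <= 0:
        raise ValueError("invalid line item")
    expected = CATALOGUE[sku] * qty
    if "amount" in form and Decimal(form["amount"]) != expected:
        raise ValueError(f"amount mismatch: client {form['amount']} vs server {expected}")
    return expected


def tampered_request_rejected(form: dict) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        checkout_server_priced(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive charge:", checkout_trusting_client(TAMPERED))        # 1.00
    print("hardened charge:", checkout_server_priced(ORIGINAL))       # 43.00
    print("tampered rejected:", tampered_request_rejected(TAMPERED))  # True
```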

Page 6: Hacking : Man in the middle attack

Prevention
1. Only buy from trusted/reputable sites
2. Only use trusted computers to perform online transactions
3. Make sure you are not on a public untrusted network

Page 7: Hacking : Key Logging

… is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.

2 main types of key logging: hardware based and software based.

Page 8: Hacking : Key Logging

Hardware KeyLoggers

Page 9: Hacking : Key Logging

Software KeyLoggers
1. Listeners on webpage fields
2. Background services
3. Webcam hijacking

Page 10: Hacking : Key Logging

Prevention
1. Use One-Time-Password (OTP)
2. Use a 2D password (perhaps Google Authenticator)
3. Change your password more often and with higher complexity
4. Cover your laptop webcam when not in use
5. Only use a trusted PC for sensitive transactions
6. Use trusted anti-keylogging software like KeyScrambler (http://www.qfxsoftware.com/)

Page 11: Hacking : DDoS

… is an attempt to make a machine or network resource unavailable to its intended users.

A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.

There are 2 general forms of DoS attacks: those that crash services and those that flood services.

Page 12: Hacking : DDoS (Famous Cases)

February, 2000: Mafiaboy Vs. Yahoo, CNN, eBay, Dell, & Amazon
1. First largest DDoS in history
2. Done by "Mafiaboy," a.k.a. 15-year-old Michael Calce
3. Took down Yahoo, CNN, eBay, Dell, and Amazon
4. Picked up by Canadian police, while watching Goodfellas, allegedly, and pleaded guilty to hacking.
5. 8 months in a juvenile detention center and forced to donate $250 to charity.

November 2008: Unknown Vs. Microsoft Windows (& the World)
6. Conficker worm exploited vulnerabilities in a number of Microsoft operating systems
7. Infected PCs would be turned into botnet / zombie machines
8. Infected millions of computers and business networks in countries around the world
9. Protect yourself with this Conficker Removal Tool.

Page 13: Hacking : DDoS

Preventions
1. Update antivirus
2. Update operating system fixes
3. Keep up with security news
4. Avoid downloading media, software and files from untrusted sources
5. Perform periodic scans on your machine

Page 14: Phishing - Email

Phishing email messages are designed to steal your identity.

They ask for personal data, or direct you to websites or phone numbers to call where they ask you to provide personal data.

Page 15: Phishing - Email

What does a phishing email message look like?

1. Usually spoofing a bank or financial institution, a company you regularly do business with, such as Microsoft, or your social networking site.

2. They might appear to be from someone in your email address book.

3. They might ask you to make a phone call. Phone phishing scams direct you to call a phone number where a person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data.

4. They might include official-looking logos and other identifying information taken directly from legitimate websites, and they might include convincing details about your personal history that scammers found on your social networking pages.

5. They might include links to spoofed websites where you are asked to enter personal information.

Page 16: Phishing – Email

Prevention

1. Do not be greedy

2. Again, do not be greedy

3. Check links before proceeding

4. Subscribe to a phishing report list

5. Do not simply disclose personal information
◦ Secure and reputable services will not ask you to verify yourself via email

Page 17: Phishing - Website

Phishing websites look legitimate, and users would naturally enter their credentials and eventually fall into the trap of phishing.

(Screenshot: a Facebook phishing site)

Page 18: Phishing – Website

Prevention

1. Do not be greedy

2. Again, do not be greedy

3. Check links before proceeding

4. Subscribe to a phishing report list

5. Do not simply disclose personal information
◦ Secure and reputable services will not ask you to verify yourself via email

6. Do not log in while using public open networks
◦ Phishing sites might even show the legitimate URL

Page 19: Spoofing - email

Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source.

Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
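An added example (not from the slides) that checks a constructed message for the signs listed on the phishing-email slide and on this email-spoofing slide: sender headers (Return-Path, Reply-To) whose domain differs from the From address, and links whose visible text shows one host while the href points at another. All addresses and hosts are constructed under the reserved .example domain.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message; every domain uses the reserved .example TLD.
RAW_MAIL = """\
Return-Path: <bounce@mailer.example>
From: "Example Bank Security" <alerts@examplebank-verify.example>
Reply-To: support@mailer.example
Subject: Verify your account now
Content-Type: text/html

<p>Please sign in at <a href="http://login.examplebank-verify.example/">https://www.examplebank.example/</a></p>
"""


# Collects (href, visible text) pairs for every <a> element in the body.
class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href:
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def phishing_indicators(raw: str) -> list[str]:
    """Returns one finding per sign present in the message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    for header in ("Return-Path", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and _domain(addr) != from_domain:
            findings.append(f"{header} domain {_domain(addr)} differs from From domain {from_domain}")
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown = urlparse(text).hostname if "://" in text else None
        if shown and urlparse(href).hostname not in (None, shown):
            findings.append(f"link text shows {shown} but points to {urlparse(href).hostname}")
    return findings
```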

Page 20: Spoofing – Website/IP/DNS

Page 21: Spoofing – Website/IP/DNS

Essentially, basic spoofing would display a misleading URL or similar, but it is still noticeable.

More intermediate hackers could use methods like ARP poisoning, DNS spoofing and IP spoofing techniques to even forge SSL certs and URLs.

ARP Poisoning is a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network.
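An added example (not from the slides) of how a defender notices the ARP poisoning described above: a small watcher, in the spirit of tools such as arpwatch, replays constructed ARP reply records and reports an IP whose MAC binding changes, plus any MAC that answers for more than one IP. The addresses and records are constructed; real input would come from a packet capture or the host's ARP cache.

```python
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender IP, sender MAC). Record 4 is
# the poisoning case: the gateway's IP is suddenly announced with host .20's MAC.
ARP_REPLIES = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),  # ordinary host
    (3, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (4, "192.168.1.1", "aa:bb:cc:00:00:20"),   # gateway IP now "at" host .20's MAC
    (5, "192.168.1.20", "aa:bb:cc:00:00:20"),
]


def detect_arp_changes(replies, known=None):
    """Return (timestamp, ip, previous_mac, new_mac) for every reply that
    contradicts the binding already recorded for that IP. `known` is an
    optional trusted baseline (e.g. the gateway) that takes precedence over
    first-seen values; the recorded binding is kept, so every conflicting
    reply is reported rather than only the first flip."""
    table = dict(known or {})
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = table.get(ip)
        if prev is None:
            table[ip] = mac
        elif prev != mac:
            alerts.append((ts, ip, prev, mac))
    return alerts


def macs_claiming_multiple_ips(replies):
    """A single MAC answering for several IPs is a second poisoning signal."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_changes(ARP_REPLIES):
        print("binding changed:", alert)
    print("multi-IP MACs:", macs_claiming_multiple_ips(ARP_REPLIES))
```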

Page 22: Spoofing – Website/IP/DNS

So, imagine you are looking at https://www.maybank2u.com.my/ but it is actually not the real M2u site.

Page 23: Spoofing – Website/IP/DNS

1. Try to avoid using public networks

2. Periodically perform scans on your PC to eliminate malicious agents

3. Tether your mobile 3G for internet banking if you are on the go
◦ Phone cell spoofing is highly unlikely

Page 24: Week 08 : Security awareness and hacking

That’s it! Thanks for your kind attention and please stay tuned for the Week 7 session next week.

Good day!

Prepared by : Jermaine