However, there is one kind of crime which may exist in the future - computer crime. Instead of mugging people in the streets or robbing houses, tomorrow's criminal may try to steal money from banks and other organizations by using a computer.
… it is very difficult to carry out a successful robbery by computer. Many computers have secret codes to prevent anyone but their owners from operating them. As computers are used more and more, it is likely that computer crime will become increasingly difficult to carry out.
From the 1981 book School, Work and Play (World of Tomorrow)
“Security is two different things: it's a feeling, and it's a reality.”
– Bruce Schneier, TEDxPSU
Intro
Criminals
Activists
Government Agents
Intro
Where Are They Working?
• Social Networks
• Search Engines
• Advertising
• Web Sites
• Web Servers
• Home Computers
• Mobile Devices
Intro
What Are They Doing?
Address Bar Spoofing
Advanced Persistent Threats
Adware
Arbitrary Command Execution
Arbitrary File Downloads
Array Integer Overflows
Backdoors
Blended Threats
Buffer Overflows
Code Injections
Cookie Disclosures
Cross Site Request Forgery
Cross Site Scripting
Data Aggregation Attacks
Data Exfiltration
Denial Of Service
Directory Traversals
DNS Changes
DNS Poisoning
File Overwrite
Forced Tweet
Format Strings
Frankenmalware
Heap Overflows
Information Disclosures
Keyloggers
Local File Inclusions
Local Stack Buffer Overflow
Malware
Man In The Browser Attacks
Man In The Middle Attacks
Null Byte Injection
Open Redirection
Privilege Escalations
Remote Code Injection
Remote Code Execution
Remote Command Executions
Remote Stack Buffer Overflow
Rootkits
Scareware
Shell Uploads
Spyware
SQL Injections
Stack Pointer Underflow
Trojan-Downloaders
Trojans
Viruses
Worms
Malvertising
Crimevertising
HTTP Parameter Pollution
Intro
What Are They Using?
Incognito
Blacole
Sefnit
Phoenix
Eleonore
Bleeding Life
SEO Sploit
CrimePack
Intoxicated
Siberia
IRCBot
Onescan
Hotbar
Zwangi
OpenCandy
GameVance
SideTab
FineTop
ClickPotato
CoinMiner
Alureon
Cycbot
Ramnit
SpyEye
Taterf
FakeRean
Conficker
Rimecud
Sality
Pdfjsc
Camec
Conedex
Poison
Sirefef
FakeCheck
MSIL
PlayBryte
Dofoil
Citadel
ZeuS
SpyZeus
cutwail
grum
lethic
bobax
fivetoone
darkmailer
Maazben
Gheg
Sendsafe
Torpig
Intro
RedKit
Malware Incorporated
• Matured, Diversified and Dangerous
• Hard to reach
• They conduct business anonymously
Intro
* Thanks to Brian Krebs for sharing screenshots: krebsonsecurity.com, and to Dr. Mark Vriesenga, BAE Systems
Examples
Intro
What Are They After?
• PINs
• Passwords
• Credit Cards
• Bank Accounts
• Computers
• Usernames
• Contact Lists
• Emails
• Phone Numbers
Intro
Intro
Personal information is the currency of the underground economy
Intro
The Era Of Steal Everything
Intro
There is no such thing as a secure computer
Intro
• Passwords
• Staying Safe
– Desktops & Laptops
– Email
– Browsers
– Wi-Fi
– Social Media
– Mobile Devices
• Security In Libraries
– Biggest Mistakes
– Practical Policies
• Server Side Security
Intro – Next - Passwords
Passwords
Reuse
Weak
Passwords Are Like Bubblegum...
• Best When Fresh
• Should Be Used Once
• Should Not Be Shared
• Make A Mess When Left Lying Around
• Easy To Steal
– NativeIntelligence.com
Passwords
What Have We Learned From Breaches?
1. Passwords Are Reused
2. Passwords Are Weak
Passwords
What Makes a Good Password?
1. Uniqueness
2. Complexity
3. Length
4. Strength
5. Memorableness
Passwords
World’s Best Password Policy!
• Be at least 32 characters in length.
• Contain all of the following 4 character types:
– Uppercase letters (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
– Lowercase letters (abcdefghijklmnopqrstuvwxyz)
– Symbols (,./’~<?;:”[]{}\|!@#$%^&*()_=-+)
– Numbers (0123456789)
• Not be similar to or contain any portion of your name or login name
• Not contain English words that are longer than 4 letters
• Not begin or end with a number
• Not be the same as any of the previous 78 passwords in the password history
• Be changed at least once every 12 days
• NOT use a sequence of keys on the keyboard, such as QWERTY or 12345
• NOT use information about yourself, family members, friends or pets. This includes (in whole or in part) names, birthdates, nicknames, addresses, phone numbers
• NOT use words associated with your occupation or hobbies
• NOT use words associated with popular culture, such as song titles, names of sports teams, etc.
• NOT be reused for multiple accounts
Passwords
O9q[#*FjJ9kds7HJ&^4&!@&$#s(6@G
Passwords
Simple Things Make a Strong Password
• Some Letters – UPPER and lower case
• Maybe some numbers
• Maybe something else (*%$@!-+=)
1. DO Make it as l o n g as you can
2. Do not reuse it on multiple sites
Passwords
Assume Your Password Will Be Stolen
Passwords
What Makes a Bad Password
• Default Passwords
• Dictionary and Common Words
• Predictable Patterns
• Passwords From Password Lists
• Obvious Personal Details
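The list above reads directly as a set of rejection rules. The Python below is an added example written for this page, not code from the original talk: it checks a candidate password against default passwords, dictionary words, keyboard sequences, repeated characters, the word-plus-digits pattern and the user's own personal details. The default, dictionary and keyboard lists are small constructed stand-ins (a real check would load a breached-password list and a full dictionary), and the 12-character floor is an assumed minimum.

```python
import re

# Constructed sample lists for the example. A real check would load a large
# breached-password list and a full dictionary instead of these few entries.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "letmein", "welcome", "changeme"}
DICTIONARY_WORDS = {"library", "books", "summer", "dragon", "monkey", "football"}
KEYBOARD_SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 12  # assumed floor; longer is better

# Common "leet" substitutions, undone before the word checks so that
# P@ssw0rd is recognised as the default password it really is.
LEET = str.maketrans("@$013!", "asolei")


def has_keyboard_run(text, run_length=4):
    """True if any run_length characters in a row walk along a keyboard row
    (forwards or backwards), e.g. 'qwer' or '4321'."""
    runs = KEYBOARD_SEQUENCES + [s[::-1] for s in KEYBOARD_SEQUENCES]
    for i in range(len(text) - run_length + 1):
        piece = text[i:i + run_length]
        if any(piece in run for run in runs):
            return True
    return False


def weak_reasons(password, personal_details=()):
    """Return the list of reasons a password is bad; an empty list means it passed.
    personal_details: names, birth years, pet names etc. the user must not use."""
    reasons = []
    lower = password.lower()
    norm = lower.translate(LEET)  # de-leeted form for the word-based checks
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if lower in DEFAULT_PASSWORDS or norm in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if any(word in lower or word in norm for word in DICTIONARY_WORDS):
        reasons.append("contains a dictionary word")
    if has_keyboard_run(lower):
        reasons.append("keyboard sequence")
    if re.search(r"(.)\1{2,}", lower):
        reasons.append("repeated character")
    if re.fullmatch(r"[a-z]+\d{1,4}", lower):
        reasons.append("predictable pattern (word followed by digits)")
    for detail in personal_details:
        d = detail.lower()
        if len(d) >= 3 and (d in lower or d in norm):
            reasons.append(f"contains personal detail: {detail}")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "qwerty123", "Blake1979!", "Purple-Llama-Eats-Granite-Cloud-77"]:
        print(candidate, "->", weak_reasons(candidate, personal_details=("Blake", "1979")) or "OK")
```

The checks run on the lowercased password for patterns and on the de-leeted form for word matches, so substituting @ for a or 0 for o does not get a dictionary word past the filter.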
Passwords
Should You Change Your Passwords Every X # of Months?
• Email?
• Bank Account?
• Network?
• Server?
• Router?
• Facebook & Twitter?
• Library Web Site?
• LISNews?
Passwords
What Can Sysadmins Do?
• Don’t allow brute-forcing (rate-limit and lock out repeated failed logins)
• Hash and salt passwords (a slow, salted hash such as bcrypt, scrypt or PBKDF2, not reversible encryption)
• Allow long passwords
• Allow large character sets
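As an added example (not the talk's own code), here is what "salt and hash" and "don't allow brute-forcing" look like inside a login routine: a fresh random salt per password, a slow PBKDF2-HMAC-SHA256 hash whose iteration count is stored with it, a constant-time comparison, a dummy hash for unknown usernames so response time does not reveal which accounts exist, and a per-account lockout after repeated failures. The 600,000-iteration work factor, the 5-attempt / 15-minute lockout defaults and the LoginGuard class are assumptions for illustration; the sample user and password are constructed.

```python
import hashlib
import hmac
import os
import time

# PBKDF2-HMAC-SHA256 work factor (assumed). Raise it as hardware gets faster;
# the count is stored with each hash so old entries keep verifying.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)  # a fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Verified against when the username does not exist, so unknown and known
# usernames take the same time to reject (no account enumeration by timing).
_DUMMY_HASH = hash_password(os.urandom(16).hex())


class LoginGuard:
    """Per-account lockout: after max_attempts failures the account is locked
    for lockout_seconds. The clock is injectable so the behaviour is testable."""

    def __init__(self, users, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.users = users              # username -> stored hash string
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}              # username -> (failure count, locked_until)

    def login(self, username, password):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"             # refuse without even checking the password
        stored = self.users.get(username, _DUMMY_HASH)
        if verify_password(password, stored) and username in self.users:
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count >= self.max_attempts:
            self.failures[username] = (0, now + self.lockout_seconds)
        else:
            self.failures[username] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    users = {"alice": hash_password("Purple-Llama-Eats-Granite-Cloud-77")}  # constructed account
    guard = LoginGuard(users, max_attempts=3, lockout_seconds=60)
    for attempt in ["wrong", "wrong", "wrong", "Purple-Llama-Eats-Granite-Cloud-77"]:
        print(attempt, "->", guard.login("alice", attempt))
```

Lockout state is kept in memory here; on a real server it belongs in shared storage so that a cluster of web front ends enforces one count per account, and it should be paired with a per-source-IP limit so an attacker cannot lock out legitimate users at will.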
Passwords
Nobody – nobody – is immune from getting hacked
Passwords
Have your accounts been compromised?
https://www.pwnedlist.com/
Passwords – Next – Staying Safe Online
Staying Safe Online
Patches
Trust
Passwords
Staying Safe Online
How Do You Know If You Are Infected?
• Fans Spinning Wildly
• Programs start unexpectedly
• Your firewall yells at you
• Odd emails FROM you
• Freezes
• Your browser behaves funny
• Sudden slowness
• Change in behavior
• Odd sounds or beeps
• Random Popups
• Unwelcome images
• Disappearing files
• Random error messages
You Don’t
Staying Safe Online
Your antivirus software is a seat belt – not a force field.
– Alfred Huger
Staying Safe Online
Desktops & Laptops
• Keep everything patched / updated
• Don’t Trust anything–Links / Downloads / Emails
• Backup your stuff!
Staying Safe Online
Only 1% of all cyber attacks are from previously unknown threats
– Microsoft Report
If I took your laptop/iPad right now....
What would I have access to?
Staying Safe Online
Laptops
• Prey / LoJack
• Passwords
• Sign Out & Do NOT Save Form Data
Staying Safe Online
Carry A Safe, Not A Suitcase
Staying Safe Online
• Don’t trust anything
• Don’t leave yourself logged in
• 2 Factor Authentication
• Passwords
Staying Safe Online
Email Blended Threats
• “Comprehensive Management Skills Training for New Managers” (Chinese-language seminar spam subject)
• Fwd: Scan from a Hewlett-Packard ScanJet 38061
• Airline Itineraries
• Temporarily suspended your account
• Your intuit.com order.
• Better Business Bureau complaints (BBB)
• UPS / FedEX Delivery Notifications
Staying Safe Online
Staying Safe Online
Staying Safe Online
Browsers
• Use Two
• Keep Everything Updated
Staying Safe Online
Browsers
• Know Your Settings
– Phishing & Malware Detection - Turned ON
– Software Security & Auto / Silent Patching - Turned ON
• A Few Recommended Plugins:
– Something to Limit JavaScript
– Something to Force HTTPS
– Something to Block Ads
Staying Safe Online
Collusion
Staying Safe Online
Wi-Fi
• Passworded & Encrypted
• MAC & DHCP
• Firmware Updates
• Off
Never Trust Public Wi-Fi
Staying Safe Online
Social Media
• Understand and adjust your privacy settings
• Use HTTPS
• Be skeptical of everything
– especially ANYONE asking you for money
Staying Safe Online
Social Media Common Threats
• YOU HAVE TO SEE THIS
• Free iPhone 5!
• SOMEONE IS LYING ABOUT YOU
• Celebrity / Current Event
• Twitter @s Hidden behind URL Shorteners
Staying Safe Online
Social Media
Facebook: <4% of all posts were spam Twitter: 1.5% of all Tweets were spam
Evil hits less than 0.5% of Facebook users
Staying Safe Online
Four Million People
Staying Safe Online
600,000 times a day, someone tries to log into a stolen account (out of 1.2 billion logins)
Staying Safe Online
Mobile Devices
Staying Safe Online
Mobile Devices - Threats
• Trojans, Viruses & Malware
• Lost and/or Stolen
• Opaque Apps - Data Access
• Open Wi-Fi Networks and Public Hotspots
Staying Safe Online
Carry A Safe, Not A Suitcase
Staying Safe Online – Next - Libraries
Security In Libraries
IT Security For Libraries
But We’re Just A Library
IT Security For Libraries
You Should Worry
IT Security For Libraries
We Are All Targets
IT Security For Libraries
83% of victims were targets of opportunity
92% of attacks were easy
85% of hacks were found by a 3rd party
Verizon Data Breach Investigations Report – Fall 2011
IT Security For Libraries
• Only 16% of the companies managed to detect the breach on their own
• They had an average of 173.5 days within the victim's environment before detection occurred
Trustwave 2012 Global Security Report
IT Security For Libraries
It’s Easy Being Bad
IT Security For Libraries
The attacker only needs to succeed once...
securosis.com/blog/
IT Security For Libraries
Staying safe takes more than just a firewall...
IT Security For Libraries
Your firewall is a seat belt – not a force field.
IT Security For Libraries
What are the biggest mistakes you can make in
your library?
• Ignoring it and thinking you're safe
• Not Preparing
• Not Training
IT Security For Libraries
Ignoring it and thinking you're safe
83% of victims are targets of opportunity
92% of attacks are easy
96% of hacks were avoidable
Do something.... Do Anything!
IT Security For Libraries
What Does A Library Need To Protect?
• OPAC / ILS
• Staff Computers
• Network Thingys
• Databases
• Printers / Copiers / Thingys
• Website
• Servers
• Laptops
IT Security For Libraries
• Backups
• Printers
• Cell Phones
• Wi-Fi Routers
• Routers
• iPads
Your Employees Homes / Phones / etc...?
Public Access Computers
IT Security For Libraries
Public Access Computers
• Staying Safe On This Computer:
– Make Sure You Log Out
– Don’t Access Sensitive Sites
– Beware of the "remember me" option
– Don't send personal or financial information via email
– Don't send personal or financial information over unsecure websites
IT Security For Libraries
Your security software is a seat belt – not a force field.
IT Security For Libraries
Preparation - Practical Policies
• Patching and updates of the OS and applications on a regular basis
• Regular automated checks of public PCs & network
• Check the internets for usernames/passwords for your library (e.g. pastebin)
• Dedicated staff? Someone needs to stay current
• Lost USB Drives?
• Is your domain name going to expire?
IT Security For Libraries
Preparation - Practical Resources
• SANS 20 Critical Security Controls
http://www.sans.org/critical-security-controls/
– Inventory
– Secure Hardware & Network
– Audits
– Wireless
– Malware
– Training
• Securing Library Technology: A How-To-Do-It Manual
– Earp & Wright
IT Security For Libraries
Not Training
IT Security For Libraries
Training
• Train The Security Mindset
• Train The Hacker’s Mindset
IT Security For Libraries
Member Name: Carver, Blake
Member ID Number: 123456
Online User ID: 00123456
Online Password: carver
Termination Date: 05/01/2012
Training
• Phishing
• Privacy
• Passwords
• Email Attachments
• Virus Alerts
• How to practice safe social networking
• Keeping things updated
IT Security For Libraries
Training
What About Patrons?
• Your patrons don't care much for security
• Their habits are inviting malware
• Look for ways to make things safer in ways that don't interfere with people's everyday tasks as much as possible.
• Principle of Least Privilege
IT Security For Libraries
Library Security Mantra
Security
Privacy
Confidentiality
Integrity
Availability
Access
(based on Net Sec 101 Ayre and Lawthers 2001)
IT Security For Libraries
Server Security
Server Side Security
Server Security
• Keep things updated
• Passwords
• Limit logins
• Logs
• Watch for file changes (IDS)
• Firewall
• Kill unneeded processes
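For "watch for file changes (IDS)", the following is an added Python example, not code from the original talk, of the baseline-and-compare approach host intrusion detection tools use: hash every regular file under a web root into a manifest, keep the manifest somewhere the web server cannot write, and later diff a fresh manifest against it. Symlinks and special files are skipped so a planted link cannot make the scanner read outside the root. The demo() scenario, its file names, the planted "shell.php" placeholder and the temporary directories are constructed for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path, forward slashes) to its
    SHA-256, size and permission bits. Symlinks and special files are skipped."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare_manifests(baseline, current):
    """Report what changed since the baseline. A new .php file in an upload
    directory or a changed index page is exactly what a compromise looks like."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario in a temp directory: take a baseline, then simulate
    a defaced index page, a dropped file in uploads/ and a deleted log, and
    return the comparison report."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>Library Catalog</h1>\n")
    with open(os.path.join(root, "logs", "access.log"), "w") as f:
        f.write("GET / 200\n")
    # Baseline is stored outside the web root so an attacker cannot rewrite it.
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="ids-"), "baseline.json")
    save_manifest(build_manifest(root), manifest_path)

    with open(os.path.join(root, "index.html"), "a") as f:
        f.write("<script src='http://evil.example/x.js'></script>\n")  # constructed defacement
    with open(os.path.join(root, "uploads", "shell.php"), "w") as f:
        f.write("<?php /* constructed placeholder for a dropped file */ ?>\n")
    os.remove(os.path.join(root, "logs", "access.log"))

    return compare_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_manifest from cron and mail the non-empty reports; re-baseline only right after a deliberate deployment, otherwise every change an attacker makes gets silently blessed.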
Server Side Security
Any Good Web Site Can Go Bad At Any Time
Server Side Security
Why?
Server Side Security
How Good Sites Go Bad
• SQL Injection
• Local & Remote File Inclusion
• Cross Site Scripting (XSS)
• Directory Traversal
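An added example (not code from the original talk) showing two of the bugs in the list above in Python, each beside its fix: a patron lookup built by string formatting versus one with a bound parameter (SQL injection), and a file read that trusts the requested path versus one that resolves it and checks that it stays under the document root (directory traversal / local file inclusion). The patron table, the "config.ini" file and its contents are constructed for the demo.

```python
import os
import sqlite3
import tempfile


def make_db():
    """Constructed in-memory patron table standing in for an ILS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patrons (id INTEGER PRIMARY KEY, card TEXT, name TEXT)")
    conn.executemany("INSERT INTO patrons (card, name) VALUES (?, ?)",
                     [("1001", "Ada"), ("1002", "Grace")])
    return conn


def lookup_vulnerable(conn, card):
    # The user's input is pasted into the SQL text, so it can rewrite the query.
    sql = f"SELECT name FROM patrons WHERE card = '{card}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, card):
    # A bound parameter is always data, never SQL, whatever it contains.
    return [row[0] for row in conn.execute("SELECT name FROM patrons WHERE card = ?", (card,))]


def read_vulnerable(doc_root, requested):
    # os.path.join follows ".." and even discards doc_root when the requested
    # path is absolute, so this serves anything the web server user can read.
    with open(os.path.join(doc_root, requested), "rb") as f:
        return f.read()


def read_safe(doc_root, requested):
    root = os.path.realpath(doc_root)
    target = os.path.realpath(os.path.join(root, requested))  # resolves .. and symlinks
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{requested!r} resolves outside the document root")
    with open(target, "rb") as f:
        return f.read()


def sqli_demo():
    """Returns (rows from the vulnerable lookup, rows from the safe lookup)
    for the classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return lookup_vulnerable(conn, payload), lookup_safe(conn, payload)


def traversal_demo():
    """Returns (bytes leaked by the vulnerable reader, whether the safe reader
    refused the same path, the safe reader's result for a legitimate file)."""
    base = tempfile.mkdtemp(prefix="site-")
    doc_root = os.path.join(base, "public")
    os.makedirs(doc_root)
    with open(os.path.join(doc_root, "about.html"), "w") as f:
        f.write("public page")
    with open(os.path.join(base, "config.ini"), "w") as f:  # deliberately outside the root
        f.write("db_password=hunter2")                        # constructed secret
    payload = "../config.ini"
    leaked = read_vulnerable(doc_root, payload)
    try:
        read_safe(doc_root, payload)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, read_safe(doc_root, "about.html")


if __name__ == "__main__":
    print("SQL injection (vulnerable, safe):", sqli_demo())
    print("Traversal (leaked, blocked, legit):", traversal_demo())
```

The same realpath-then-commonpath check blocks absolute paths ("/etc/passwd") and symlinks that point out of the root, because both are resolved before the prefix comparison; escaping quotes for the SQL case is not a fix, the bound parameter is.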
Server Side Security
# ModSecurity rules that block form posts and query strings carrying common comment-spam keywords (regex match is the default operator)
SecRule REQUEST_BODY|ARGS "mortgage|autoloan|prequalify|refinance|tramadol|ultram" "deny,log,auditlog,status:403,msg:'General Link Spammers Must Die',id:'6010'"
SecRule REQUEST_BODY|ARGS "free-codec|rolex|tolltech|anime|batteries" "deny,log,auditlog,status:403,msg:'Misc Spammers Must Die',id:'61206'"
Server Side Security
ConfigServer Security & Firewall
http://www.configserver.com/cp/csf.html
• A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.
• This suite of scripts provides:
– Straight-forward SPI iptables firewall script
– Daemon process that checks for login authentication failures for:
– Courier imap, Dovecot, uw-imap, Kerio
– openSSH
– cPanel, WHM, Webmail (cPanel servers only)
– Pure-ftpd, vsftpd, Proftpd
– Password protected web pages (htpasswd)
– Mod_security failures (v1 and v2)
– Suhosin failures
Trustwave - Monthly Web Honeypot Status Report February 2012
Staying Current
• Schneier on Security: http://www.schneier.com/blog/
• Naked Security – Sophos: http://nakedsecurity.sophos.com/
• Security FAQs: http://www.security-faqs.com/
• SANS Reading Room: http://www.sans.org/reading_room/
• Security Now Podcast: http://grc.com/securitynow.htm
Conclusions
Done!
• Use Good Passwords
• Be Paranoid
• Keep Everything Updated
Conclusions
IT Security For Libraries
Blake Carver – [email protected] – http://lisnews.org/security
10 Tips
1. Use a Password Manager
2. Turn on GMail two-step verification
3. Switch to Google Chrome and install KB SSL Enforcer
4. Use a VPN everywhere
5. Full Disk Encryption
6. Routine Backups
7. Kill Java
8. Upgrade to Adobe Reader X
9. Common sense on social networks
10. Don’t forget the basics
Common Security Myths
1. You have nothing important to steal
2. Using Mac/Linux makes you safe
3. Patches and updates make things worse and break them
4. You can look at a site and know it's safe and not serving bad stuff
5. Avoiding IE makes me safe
6. If an email comes from a familiar face it's ok
7. If I'm compromised I will know it
8. P2P and torrents are safe
9. I have a firewall
10. I'm too smart to get infected... Yes, you and me both!
Staying Safe Online
Top Security Excuses
1. It's okay, it's behind the firewall.
2. Won't antivirus catch that?
3. No, we don't have confidential data on our system, just these Social Security numbers of our employees.
4. But nobody would do that [exploit of a vulnerability].
5. I can't remember all these passwords.
6. My application won't work with a firewall in the way.
7. They won't be able to see that; it's hidden.
8. It's safe because you have to log in first.
9. No, we don't have credit cards on our system, just on this one PC here.
10. We didn't HAVE any security issues until YOU came to work here.
– by Wendy Nather
Six ways to be a model cyber citizen
1. Be cyber security aware, use security best practices and report cyber crime
2. Use an antivirus product as it helps not only to protect you but prevents your
computer from hosting malware that affect others
3. Be a good cyber parent, educate your child on the dangers, ethics and safety
measures to be used online
4. Stay away from using pirated products
5. Encourage your government to invest in raising the national standard of cyber
security in curriculum, law and customer protection
6. Be responsible for your online habits, tweets, as what you do online affects your
reputation, family, colleagues, religion, nation and company
5 big security mistakes
1. Assuming that patching is good enough
2. Failing to understand what apps are running
3. Overlooking the anomalies
4. Neglecting to ride herd on password policy
5. Failing to educate users about the latest threats