SlideShare une entreprise Scribd logo

Security Primer

Alison Gianotto
Alison Gianotto

Security

Technologie
1  sur  36
Télécharger pour lire hors ligne
Social Engineering & Security Primer AKA “People are bastard covered bastards with bastard-filling.”
Hacking, Cracking, Phishing, Zombies - OMGWTFSRSLY? Hacker: someone who breaks into computer networks for legitimate or illegitimate reasons. (This definition has changed over time and still means a few different things.) Cracker: someone who reverse-engineers computer software for the purpose of embedding spyware/malware or working around commercial licenses (“Warez”). Phishing: attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
WARNING! The word “hacker” does not inherently imply illegal or unethical behavior. The negative connotation came years later, as “hacker” originated as a positive term for people who kick ass at computers and/or coding. Hackers get very upset when this word is misused. Very. Upset.
Malicious Hacking Has Grown Up Years ago, hacking was often done for just fun and bragging rights. Today, hacking is a lucrative industry often backed by organized crime. LOTS of $$$ to be made stealing identities, credit card info, etc.
Why Hackers Hack To steal/sell identities, credit card numbers, corporate secrets, military secrets Fun, Excitement and/or Notoriety Political (“Hacktivism”) Revenge Blackhat SEO
White Hat vs Black Hat White Hat: The Good Guys. Grey Hat: The (Mostly) Good Guys Black Hat: The Bad Guys This is over-simplified, of course, but you get the gist,
Virus Self-replicating program that infects a system without authorization. They can install keyloggers, download, delete or alter files, render a system unusable or worse. Travels from computer to computer. (No, they cannot spread to humans. Yet.)
Worm Similar to a virus, but can self- replicate without human interaction. Takes advantage of network transport protocols - can send thousands of copies of itself.
Worm Example A worm sends a copy of itself to everyone in your e-mail address book. The worm then replicates and sends itself out to everyone listed in each of the recipient’s address book. And so on, and so on.
Trojan Horse Masquerades as useful software such as anti-virus, video codecs, browser plugins, etc. Victims are tricked into opening Trojan Horse files because they appear to be receiving legitimate software or files from a legitimate source.
Macs are NOT Immune Trojans frequently appear as fake video codec downloads, rogue anti-virus (“scareware”), and attachments in emails such as phony receipts.
Email Attachments Spoofed emails that contain malware attachments frequently appear to come from Amazon.Com, PayPal, E-Bay, iTunes, and Banks. They often use the scare tactic that the recipient’s account has been suspended or compromised.
Botnets (AKA “Zombie Armies”) Infected computers become part of a controlled “army” of infected machines. They can be used to send SPAM, viruses, or to initiate a DDoS (Distributed Denial of Service) attack on a website or network that can cause the website or network to stop responding altogether.
Phishing Phishing attacks attempt to trick users into entering their login/credit card/SS#/etc into a fake version of a legitimate site so the sensitive data can be saved and used later by the attacker. Many phishing attacks originate from e-mails and can be VERY convincing.
What’s the Point? Phishers capture login information even for non- financial sites because they know that MANY PEOPLE RE-USE THE SAME LOGINS FOR MULTIPLE WEBSITES. *cough*Gawker*cough*
Platform Agnostic Since Phishing scams take advantage of vulnerabilities in the human condition instead of vulnerabilities in technology, ALL users are at risk, whether they are on Mac, PC, Linux, etc. same password for email + forgotten password request= access to hijack any account
SSL Different browsers indicate that your connection is secure (encrypted) in different ways. Becoming familiar with how each browser indicates a healthy SSL connection will help you avoid being fooled. NOTE: Just because an SSL connection is legit, that doesn’t mean the site is. Be skeptical.
Phishing & Smartphones Smartphone users are particularly vulnerable to phishing attacks because the browser takes up the whole screen, and doesn’t provide as much information about a page as a desktop browser. This makes it easier to trick users into thinking the site is real.
Case Study: Stanley Mark Rifkin In 1978, a computer tech stole $10.2 million dollars from Security Pacific Bank using only social engineering. Talked his way into room where daily wire transfer security code was posted and memorized it. Called the bank, impersonating an authorized employee and requested a transfer of $10.2 million to his swiss bank account. Because he was able to talk his way into learning the daily code, the transfer went through without a hitch. The woman who performed the transfer thanked him before hanging up.
“Social Engineering”? The act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. Trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim. Social Engineering attacks are commonly executed over the phone or through email.
419 Scams Nigerian Bank Scams (also called 419 scams after the section of Nigerian law it violates) are a type of advance-fee scam. See: 419eater.com scambaiter.com “Message number 419” by MC Frontalot
Things to Watch For “Hi, I’m having a problem using the XYZ website. It’s not working in my browser. I’m using IE7, what browser are you using?” Attacker can then target the attack based on vulnerabilities in the browser. “I’m having a problem using the website. Let me send you a link to the page I’m having trouble with.” Link contains malware/ phishing payload. “This is John Smith from XYZ Software Vendor. There was a critical security patch released that we need you to install or you are at risk of massive data loss.”
Good Habits Shred ALL paper documents that contain intellectual property, financial or account information. Every time. If someone you do not recognize claims to be a new superintendent or maintenance worker, call downstairs to confirm before letting them in. If someone calls or walks in claiming to be a representative or worker from a company but you do not know them personally, call the company to confirm their identity and meeting.
PAY ATTENTION An attacker targets users of a website myfantasyfootballleague.com by finding people who post on the forums. The attacker sends them an email claiming a new feature or compromised account, directing them to myfantasyfootballeague.com, which they own. Note the missing third “l”. Victim clicks and is phished, hijacked or tricked into downloading malware.
Case Study: Video Rental Shop Attacker Tom calls Jennifer at XYZ Video, claiming to be the manager of a different branch, asking if they have a copy of a video they can’t find. Tom does this repeatedly over several weeks, building up a rapport with Jennifer and establishing the pretext. Tom then calls saying he has a customer of Jennifer’s shop that forgot his membership and credit card but would like to rent from Tom’s store. Jennifer provides that information to Tom to be helpful.
Attackers Will Research Their Targets After looking up the domain name records of a website, an attacker knows that someone named James Li is the technical contact. Tom calls James. “Hi, this is Bob Dickins from LuckyRegister. We have detected fraudulent activity on your account and we need you to reset your password.” Vacation messages in email and voicemail can alert an attacker that you are out of town, giving them information that may help them sound legitimate to other people in the company
USB Keys A very easy and often successful attack is to leave a poisoned USB key out where people can find it. Who doesn’t want a free USB drive? The poisoned USB key infects the computer or entire network once it’s plugged in.
Social Media - Make sure your profiles are locked down so only friends can see your information - Turn OFF geotagging on images in your Smartphone.
Location Services Be careful using location services such as Foursquare, Facebook Places, etc if your social media accounts are open to anyone.
Gawker Passwords 307: trustno1 303: baseball 302: gizmodo 2516: 123456 300: whatever 2188: password 297: superman 1205: 12345678 276: 1234567 696: qwerty 266: sunshine 498: abc123 266: iloveyou 459: 12345 262: fuckyou 441: monkey 256: starwars 413: 111111 255: shadow 385: consumer 241: princess 376: letmein 234: cheese 351: 1234 318: dragon
ALL Passwords Are Crackable Using an eight-core Xeon-powered system, Duo Security brute- forced 400,000 password hashes of the 1.3 million stolen from Gawker, cracking the first 200,000 in under an hour. 15 of the accounts for which it had cracked password encryption belonged to people working at NASA, nine were assigned to users employed by Congress, and six belonged to employees of the Department of Homeland Security. 2009 RockYou hack: “123456" was the most common password in the collection posted on the Web by hackers, followed by "12345," "123456789," "password" and "iloveyou"
There is NO Excuse for Shitty Passwords Anymore 1Password and LastPass both allow you to: generate long, highly random passwords that are unique to each website you log into store the passwords in a database and auto-fill sync that database across your iphone, ipad, other computers, etc.
Password Tips Don't use only letters or only numbers. Don't use names of spouses, children, girlfriends/boyfriends or pets Don't use phone numbers, Social Security numbers or birthdates. Don't use the same word as your log-in, or any variation of it. Don't use any word that can be found in the dictionary — even foreign words. Don't use passwords with double letters or numbers.
Password Tips Use the first letters of the words in a favorite line of poetry or a verse of song. "Hail, hail the lucky ones, I refer to those in love" becomes "H,hTL0,IR2t1L." EVERY SINGLE WEBSITE you have an account with should use a different password. You have no idea how secure their websites are, so you should assume they are not secure at all.
Passwords are like underwear - they should never be shared with friends and should be changed often!
Alison L. Gianotto snipe@snipe.net http://www.snipe.net http://www.un-hacker.com

Recommandé

Five habits that might be a cyber security risk
Five habits that might be a cyber security riskFive habits that might be a cyber security risk
Five habits that might be a cyber security riskK. A. M Lutfullah
 
Phishing
PhishingPhishing
PhishingDeepak Kumar (D3)
 
Ia 124 1621324160 ia_124_lecture_02
Ia 124 1621324160 ia_124_lecture_02Ia 124 1621324160 ia_124_lecture_02
Ia 124 1621324160 ia_124_lecture_02ITNet
 
My presentation
My presentationMy presentation
My presentationDevashri Balinge
 
Phishing demo
Phishing demoPhishing demo
Phishing demoJennifer Leone Thompson
 
secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger Abhishek Hirapara
 
An overview study on cyber crimes in internet
An overview study on cyber crimes in internetAn overview study on cyber crimes in internet
An overview study on cyber crimes in internetAlexander Decker
 
Name parul
Name parulName parul
Name parulParul231
 

Recommandé

Five habits that might be a cyber security risk
Five habits that might be a cyber security riskFive habits that might be a cyber security risk
Five habits that might be a cyber security riskK. A. M Lutfullah
 
Phishing
PhishingPhishing
PhishingDeepak Kumar (D3)
 
Ia 124 1621324160 ia_124_lecture_02
Ia 124 1621324160 ia_124_lecture_02Ia 124 1621324160 ia_124_lecture_02
Ia 124 1621324160 ia_124_lecture_02ITNet
 
My presentation
My presentationMy presentation
My presentationDevashri Balinge
 
Phishing demo
Phishing demoPhishing demo
Phishing demoJennifer Leone Thompson
 
secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger Abhishek Hirapara
 
An overview study on cyber crimes in internet
An overview study on cyber crimes in internetAn overview study on cyber crimes in internet
An overview study on cyber crimes in internetAlexander Decker
 
Name parul
Name parulName parul
Name parulParul231
 
Cyber crime
Cyber crimeCyber crime
Cyber crimeDurban Chamber of Commerce and Industry
 
Cyber crime
Cyber crime Cyber crime
Cyber crime srishtig993
 
Users guide
Users guideUsers guide
Users guideDarren Thomas
 
Anti phishing
Anti phishingAnti phishing
Anti phishingShethwala Ridhvesh
 
Emp tech las-week-2
Emp tech las-week-2Emp tech las-week-2
Emp tech las-week-2Joemer Mabagos
 
Cyber security tips in Banking in Nepal
Cyber security tips in Banking in NepalCyber security tips in Banking in Nepal
Cyber security tips in Banking in NepalResham Acharya
 
Hacking Presentation v2 By Raffi
Hacking Presentation v2 By Raffi Hacking Presentation v2 By Raffi
Hacking Presentation v2 By Raffi Shawon Raffi
 
A presentation on Phishing
A presentation on PhishingA presentation on Phishing
A presentation on PhishingCreative Technology
 
Phishing exposed
Phishing exposedPhishing exposed
Phishing exposedtamfin
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingSachin Saini
 
UW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing AwarenessUW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing AwarenessNicholas Davis
 
Strategies to handle Phishing attacks
Strategies to handle Phishing attacksStrategies to handle Phishing attacks
Strategies to handle Phishing attacksSreejith.D. Menon
 
Anatomy of a Spear Phishing Attack
Anatomy of a Spear Phishing AttackAnatomy of a Spear Phishing Attack
Anatomy of a Spear Phishing AttackMark Mair
 
What is Phishing? Phishing Attack Explained | Edureka
What is Phishing? Phishing Attack Explained | EdurekaWhat is Phishing? Phishing Attack Explained | Edureka
What is Phishing? Phishing Attack Explained | EdurekaEdureka!
 
Seminar
SeminarSeminar
SeminarKavis Pandey
 
Cybersecurity Awareness Infographics
Cybersecurity Awareness InfographicsCybersecurity Awareness Infographics
Cybersecurity Awareness InfographicsNetLockSmith
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringVinay Bhargav
 
Phishing
PhishingPhishing
PhishingJayaseelan Vejayon
 
Cybersecurity Awareness
Cybersecurity AwarenessCybersecurity Awareness
Cybersecurity AwarenessJoshuaWisniewski3
 
Information security
Information securityInformation security
Information securityAlfred Thompson
 
Security Bootcamp for Startups and Small Businesses
Security Bootcamp for Startups and Small Businesses Security Bootcamp for Startups and Small Businesses
Security Bootcamp for Startups and Small Businesses Alison Gianotto
 
Walking Dead
Walking DeadWalking Dead
Walking DeadLuluk Westwood
 

Contenu connexe

Tendances

Cyber security tips in Banking in Nepal
Cyber security tips in Banking in NepalCyber security tips in Banking in Nepal
Cyber security tips in Banking in NepalResham Acharya
 
Hacking Presentation v2 By Raffi
Hacking Presentation v2 By Raffi Hacking Presentation v2 By Raffi
Hacking Presentation v2 By Raffi Shawon Raffi
 
Phishing exposed
Phishing exposedPhishing exposed
Phishing exposedtamfin
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingSachin Saini
 
UW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing AwarenessUW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing AwarenessNicholas Davis
 
Strategies to handle Phishing attacks
Strategies to handle Phishing attacksStrategies to handle Phishing attacks
Strategies to handle Phishing attacksSreejith.D. Menon
 
Anatomy of a Spear Phishing Attack
Anatomy of a Spear Phishing AttackAnatomy of a Spear Phishing Attack
Anatomy of a Spear Phishing AttackMark Mair
 
What is Phishing? Phishing Attack Explained | Edureka
What is Phishing? Phishing Attack Explained | EdurekaWhat is Phishing? Phishing Attack Explained | Edureka
What is Phishing? Phishing Attack Explained | EdurekaEdureka!
 
Cybersecurity Awareness Infographics
Cybersecurity Awareness InfographicsCybersecurity Awareness Infographics
Cybersecurity Awareness InfographicsNetLockSmith
 

Tendances (20)

Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Cyber crime
Cyber crime Cyber crime
Cyber crime
 
Users guide
Users guideUsers guide
Users guide
 
Anti phishing
Anti phishingAnti phishing
Anti phishing
 
Emp tech las-week-2
Emp tech las-week-2Emp tech las-week-2
Emp tech las-week-2
 
Cyber security tips in Banking in Nepal
Cyber security tips in Banking in NepalCyber security tips in Banking in Nepal
Cyber security tips in Banking in Nepal
 
Hacking Presentation v2 By Raffi
Hacking Presentation v2 By Raffi Hacking Presentation v2 By Raffi
Hacking Presentation v2 By Raffi
 
A presentation on Phishing
A presentation on PhishingA presentation on Phishing
A presentation on Phishing
 
Phishing exposed
Phishing exposedPhishing exposed
Phishing exposed
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS Working
 
UW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing AwarenessUW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing Awareness
 
Strategies to handle Phishing attacks
Strategies to handle Phishing attacksStrategies to handle Phishing attacks
Strategies to handle Phishing attacks
 
Anatomy of a Spear Phishing Attack
Anatomy of a Spear Phishing AttackAnatomy of a Spear Phishing Attack
Anatomy of a Spear Phishing Attack
 
What is Phishing? Phishing Attack Explained | Edureka
What is Phishing? Phishing Attack Explained | EdurekaWhat is Phishing? Phishing Attack Explained | Edureka
What is Phishing? Phishing Attack Explained | Edureka
 
Seminar
SeminarSeminar
Seminar
 
Cybersecurity Awareness Infographics
Cybersecurity Awareness InfographicsCybersecurity Awareness Infographics
Cybersecurity Awareness Infographics
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Phishing
PhishingPhishing
Phishing
 
Cybersecurity Awareness
Cybersecurity AwarenessCybersecurity Awareness
Cybersecurity Awareness
 
Information security
Information securityInformation security
Information security
 

En vedette

Security Bootcamp for Startups and Small Businesses
Security Bootcamp for Startups and Small Businesses Security Bootcamp for Startups and Small Businesses
Security Bootcamp for Startups and Small Businesses Alison Gianotto
 
Managing in the Public Sector - The Rules are Changing: John Oxley
Managing in the Public Sector - The Rules are Changing: John OxleyManaging in the Public Sector - The Rules are Changing: John Oxley
Managing in the Public Sector - The Rules are Changing: John Oxleyukactive
 
KW Careers: Driving Your Business Through Technology
KW Careers: Driving Your Business Through TechnologyKW Careers: Driving Your Business Through Technology
KW Careers: Driving Your Business Through TechnologyKeller Williams Careers
 
Oh Dear God Not Again! Gobi Capital @ Georgian College
Oh Dear God Not Again! Gobi Capital @ Georgian CollegeOh Dear God Not Again! Gobi Capital @ Georgian College
Oh Dear God Not Again! Gobi Capital @ Georgian CollegeGobi
 

En vedette (7)

Security Bootcamp for Startups and Small Businesses
Security Bootcamp for Startups and Small Businesses Security Bootcamp for Startups and Small Businesses
Security Bootcamp for Startups and Small Businesses
 
Walking Dead
Walking DeadWalking Dead
Walking Dead
 
Nenuco
NenucoNenuco
Nenuco
 
Managing in the Public Sector - The Rules are Changing: John Oxley
Managing in the Public Sector - The Rules are Changing: John OxleyManaging in the Public Sector - The Rules are Changing: John Oxley
Managing in the Public Sector - The Rules are Changing: John Oxley
 
KW Careers: Driving Your Business Through Technology
KW Careers: Driving Your Business Through TechnologyKW Careers: Driving Your Business Through Technology
KW Careers: Driving Your Business Through Technology
 
Oh Dear God Not Again! Gobi Capital @ Georgian College
Oh Dear God Not Again! Gobi Capital @ Georgian CollegeOh Dear God Not Again! Gobi Capital @ Georgian College
Oh Dear God Not Again! Gobi Capital @ Georgian College
 
Home for sale at aliana july 21 2011
Home for sale at aliana july 21 2011Home for sale at aliana july 21 2011
Home for sale at aliana july 21 2011
 

Similaire à Security Primer

ccs12-18022310494mghmgmyy3 (1).pdf
ccs12-18022310494mghmgmyy3 (1).pdfccs12-18022310494mghmgmyy3 (1).pdf
ccs12-18022310494mghmgmyy3 (1).pdfKALPITKALPIT1
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and SecurityMd Nishad
 
Cyber Crime and Social Media Security
Cyber Crime and Social Media SecurityCyber Crime and Social Media Security
Cyber Crime and Social Media SecurityHem Pokhrel
 
Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about securityAlison Gianotto
 
Cyber Crime & Security.pdf
Cyber Crime & Security.pdfCyber Crime & Security.pdf
Cyber Crime & Security.pdfMohanPandey31
 
HACKING AND PHISHING
HACKING AND PHISHINGHACKING AND PHISHING
HACKING AND PHISHINGsanthuana sg
 
Cyber crime in pakistan by zubair
Cyber crime in pakistan by zubairCyber crime in pakistan by zubair
Cyber crime in pakistan by zubairMuhammad Zubair
 
CYBER CRIME AWARENESS (Thematic Presentation)
CYBER CRIME AWARENESS (Thematic Presentation)CYBER CRIME AWARENESS (Thematic Presentation)
CYBER CRIME AWARENESS (Thematic Presentation)AFROZULLA KHAN Z
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security AwarenessInnocent Korie
 
Computer hacking
Computer hackingComputer hacking
Computer hackingArjun Tomar
 
Internet Security
Internet SecurityInternet Security
Internet SecurityAvnish Jain
 
Presentation on cyber security
Presentation on cyber securityPresentation on cyber security
Presentation on cyber security9784
 
Cyber security and privacy
Cyber security and privacyCyber security and privacy
Cyber security and privacyJIJO CLEETUS
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber securityKeshab Nath
 
Name parul
Name parulName parul
Name parulParul231
 
A Guide to Internet Security For Businesses- Business.com
A Guide to Internet Security For Businesses- Business.comA Guide to Internet Security For Businesses- Business.com
A Guide to Internet Security For Businesses- Business.comBusiness.com
 

Similaire à Security Primer (20)

ccs12-18022310494mghmgmyy3 (1).pdf
ccs12-18022310494mghmgmyy3 (1).pdfccs12-18022310494mghmgmyy3 (1).pdf
ccs12-18022310494mghmgmyy3 (1).pdf
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
 
Cyber Crime and Social Media Security
Cyber Crime and Social Media SecurityCyber Crime and Social Media Security
Cyber Crime and Social Media Security
 
Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about security
 
Cyber Crime & Security.pdf
Cyber Crime & Security.pdfCyber Crime & Security.pdf
Cyber Crime & Security.pdf
 
HACKING AND PHISHING
HACKING AND PHISHINGHACKING AND PHISHING
HACKING AND PHISHING
 
Cyber crime in pakistan by zubair
Cyber crime in pakistan by zubairCyber crime in pakistan by zubair
Cyber crime in pakistan by zubair
 
CYBER CRIME AWARENESS (Thematic Presentation)
CYBER CRIME AWARENESS (Thematic Presentation)CYBER CRIME AWARENESS (Thematic Presentation)
CYBER CRIME AWARENESS (Thematic Presentation)
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
 
Computer hacking
Computer hackingComputer hacking
Computer hacking
 
Β. Hucking
Β. Hucking Β. Hucking
Β. Hucking
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Presentation on cyber security
Presentation on cyber securityPresentation on cyber security
Presentation on cyber security
 
HACKING
HACKINGHACKING
HACKING
 
Cyber security and privacy
Cyber security and privacyCyber security and privacy
Cyber security and privacy
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber security
 
Name parul
Name parulName parul
Name parul
 
Cyber Crime Types & Tips
Cyber Crime Types & TipsCyber Crime Types & Tips
Cyber Crime Types & Tips
 
A Guide to Internet Security For Businesses- Business.com
A Guide to Internet Security For Businesses- Business.comA Guide to Internet Security For Businesses- Business.com
A Guide to Internet Security For Businesses- Business.com
 
Cyber Attacks
Cyber AttacksCyber Attacks
Cyber Attacks
 

Plus de Alison Gianotto

Laravel 5.2 Gates, AuthServiceProvider and Policies
Laravel 5.2 Gates, AuthServiceProvider and PoliciesLaravel 5.2 Gates, AuthServiceProvider and Policies
Laravel 5.2 Gates, AuthServiceProvider and PoliciesAlison Gianotto
 
LonestarPHP 2014 Security Keynote
LonestarPHP 2014 Security KeynoteLonestarPHP 2014 Security Keynote
LonestarPHP 2014 Security KeynoteAlison Gianotto
 
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto
 
Failing well: Managing Risk in High Performance Applications
Failing well: Managing Risk in High Performance ApplicationsFailing well: Managing Risk in High Performance Applications
Failing well: Managing Risk in High Performance ApplicationsAlison Gianotto
 
Facebook Timeline for Pages
Facebook Timeline for PagesFacebook Timeline for Pages
Facebook Timeline for PagesAlison Gianotto
 
Twitter 101: 140 characters. Don't be a douche.
Twitter 101: 140 characters. Don't be a douche.Twitter 101: 140 characters. Don't be a douche.
Twitter 101: 140 characters. Don't be a douche.Alison Gianotto
 

Plus de Alison Gianotto (8)

Laravel 5.2 Gates, AuthServiceProvider and Policies
Laravel 5.2 Gates, AuthServiceProvider and PoliciesLaravel 5.2 Gates, AuthServiceProvider and Policies
Laravel 5.2 Gates, AuthServiceProvider and Policies
 
dotScale 2014
dotScale 2014dotScale 2014
dotScale 2014
 
LonestarPHP 2014 Security Keynote
LonestarPHP 2014 Security KeynoteLonestarPHP 2014 Security Keynote
LonestarPHP 2014 Security Keynote
 
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk Fundamentals
 
Failing well: Managing Risk in High Performance Applications
Failing well: Managing Risk in High Performance ApplicationsFailing well: Managing Risk in High Performance Applications
Failing well: Managing Risk in High Performance Applications
 
DNS 101 for Non-Techs
DNS 101 for Non-TechsDNS 101 for Non-Techs
DNS 101 for Non-Techs
 
Facebook Timeline for Pages
Facebook Timeline for PagesFacebook Timeline for Pages
Facebook Timeline for Pages
 
Twitter 101: 140 characters. Don't be a douche.
Twitter 101: 140 characters. Don't be a douche.Twitter 101: 140 characters. Don't be a douche.
Twitter 101: 140 characters. Don't be a douche.
 

Dernier

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Dernier (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Security Primer

  • 1. Social Engineering & Security Primer AKA “People are bastard covered bastards with bastard-filling.”
  • 2. Hacking, Cracking, Phishing, Zombies - OMGWTFSRSLY? Hacker: someone who breaks into computer networks for legitimate or illegitimate reasons. (This definition has changed over time and still means a few different things.) Cracker: someone who reverse-engineers computer software for the purpose of embedding spyware/malware or working around commercial licenses (“Warez”). Phishing: attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
  • 3. WARNING! The word “hacker” does not inherently imply illegal or unethical behavior. The negative connotation came years later, as “hacker” originated as a positive term for people who kick ass at computers and/or coding. Hackers get very upset when this word is misused. Very. Upset.
  • 4. Malicious Hacking Has Grown Up Years ago, hacking was often done for just fun and bragging rights. Today, hacking is a lucrative industry often backed by organized crime. LOTS of $$$ to be made stealing identities, credit card info, etc.
  • 5. Why Hackers Hack To steal/sell identities, credit card numbers, corporate secrets, military secrets Fun, Excitement and/or Notoriety Political (“Hacktivism”) Revenge Blackhat SEO
  • 6. White Hat vs Black Hat White Hat: The Good Guys. Grey Hat: The (Mostly) Good Guys Black Hat: The Bad Guys This is over-simplified, of course, but you get the gist,
  • 7. Virus Self-replicating program that infects a system without authorization. They can install keyloggers, download, delete or alter files, render a system unusable or worse. Travels from computer to computer. (No, they cannot spread to humans. Yet.)
  • 8. Worm Similar to a virus, but can self- replicate without human interaction. Takes advantage of network transport protocols - can send thousands of copies of itself.
  • 9. Worm Example A worm sends a copy of itself to everyone in your e-mail address book. The worm then replicates and sends itself out to everyone listed in each of the recipient’s address book. And so on, and so on.
  • 10. Trojan Horse Masquerades as useful software such as anti-virus, video codecs, browser plugins, etc. Victims are tricked into opening Trojan Horse files because they appear to be receiving legitimate software or files from a legitimate source.
  • 11. Macs are NOT Immune Trojans frequently appear as fake video codec downloads, rogue anti-virus (“scareware”), and attachments in emails such as phony receipts.
  • 12. Email Attachments Spoofed emails that contain malware attachments frequently appear to come from Amazon.Com, PayPal, E-Bay, iTunes, and Banks. They often use the scare tactic that the recipient’s account has been suspended or compromised.
  • 13. Botnets (AKA “Zombie Armies”) Infected computers become part of a controlled “army” of infected machines. They can be used to send SPAM, viruses, or to initiate a DDoS (Distributed Denial of Service) attack on a website or network that can cause the website or network to stop responding altogether.
  • 14. Phishing Phishing attacks attempt to trick users into entering their login/credit card/SS#/etc into a fake version of a legitimate site so the sensitive data can be saved and used later by the attacker. Many phishing attacks originate from e-mails and can be VERY convincing.
  • 15. What’s the Point? Phishers capture login information even for non- financial sites because they know that MANY PEOPLE RE-USE THE SAME LOGINS FOR MULTIPLE WEBSITES. *cough*Gawker*cough*
  • 16. Platform Agnostic Since Phishing scams take advantage of vulnerabilities in the human condition instead of vulnerabilities in technology, ALL users are at risk, whether they are on Mac, PC, Linux, etc. same password for email + forgotten password request= access to hijack any account
  • 17. SSL Different browsers indicate that your connection is secure (encrypted) in different ways. Becoming familiar with how each browser indicates a healthy SSL connection will help you avoid being fooled. NOTE: Just because an SSL connection is legit, that doesn’t mean the site is. Be skeptical.
  • 18. Phishing & Smartphones Smartphone users are particularly vulnerable to phishing attacks because the browser takes up the whole screen, and doesn’t provide as much information about a page as a desktop browser. This makes it easier to trick users into thinking the site is real.
  • 19. Case Study: Stanley Mark Rifkin In 1978, a computer tech stole $10.2 million dollars from Security Pacific Bank using only social engineering. Talked his way into room where daily wire transfer security code was posted and memorized it. Called the bank, impersonating an authorized employee and requested a transfer of $10.2 million to his swiss bank account. Because he was able to talk his way into learning the daily code, the transfer went through without a hitch. The woman who performed the transfer thanked him before hanging up.
  • 20. “Social Engineering”? The act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. Trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim. Social Engineering attacks are commonly executed over the phone or through email.
  • 21. 419 Scams Nigerian Bank Scams (also called 419 scams after the section of Nigerian law it violates) are a type of advance-fee scam. See: 419eater.com scambaiter.com “Message number 419” by MC Frontalot
  • 22. Things to Watch For “Hi, I’m having a problem using the XYZ website. It’s not working in my browser. I’m using IE7, what browser are you using?” Attacker can then target the attack based on vulnerabilities in the browser. “I’m having a problem using the website. Let me send you a link to the page I’m having trouble with.” Link contains malware/ phishing payload. “This is John Smith from XYZ Software Vendor. There was a critical security patch released that we need you to install or you are at risk of massive data loss.”
  • 23. Good Habits Shred ALL paper documents that contain intellectual property, financial or account information. Every time. If someone you do not recognize claims to be a new superintendent or maintenance worker, call downstairs to confirm before letting them in. If someone calls or walks in claiming to be a representative or worker from a company but you do not know them personally, call the company to confirm their identity and meeting.
  • 24. PAY ATTENTION An attacker targets users of a website myfantasyfootballleague.com by finding people who post on the forums. The attacker sends them an email claiming a new feature or compromised account, directing them to myfantasyfootballeague.com, which they own. Note the missing third “l”. Victim clicks and is phished, hijacked or tricked into downloading malware.
  • 25. Case Study: Video Rental Shop Attacker Tom calls Jennifer at XYZ Video, claiming to be the manager of a different branch, asking if they have a copy of a video they can’t find. Tom does this repeatedly over several weeks, building up a rapport with Jennifer and establishing the pretext. Tom then calls saying he has a customer of Jennifer’s shop that forgot his membership and credit card but would like to rent from Tom’s store. Jennifer provides that information to Tom to be helpful.
  • 26. Attackers Will Research Their Targets After looking up the domain name records of a website, an attacker knows that someone named James Li is the technical contact. Tom calls James. “Hi, this is Bob Dickins from LuckyRegister. We have detected fraudulent activity on your account and we need you to reset your password.” Vacation messages in email and voicemail can alert an attacker that you are out of town, giving them information that may help them sound legitimate to other people in the company
  • 27. USB Keys A very easy and often successful attack is to leave a poisoned USB key out where people can find it. Who doesn’t want a free USB drive? The poisoned USB key infects the computer or entire network once it’s plugged in.
  • 28. Social Media - Make sure your profiles are locked down so only friends can see your information - Turn OFF geotagging on images in your Smartphone.
  • 29. Location Services Be careful using location services such as Foursquare, Facebook Places, etc if your social media accounts are open to anyone.
  • 30. Gawker Passwords 307: trustno1 303: baseball 302: gizmodo 2516: 123456 300: whatever 2188: password 297: superman 1205: 12345678 276: 1234567 696: qwerty 266: sunshine 498: abc123 266: iloveyou 459: 12345 262: fuckyou 441: monkey 256: starwars 413: 111111 255: shadow 385: consumer 241: princess 376: letmein 234: cheese 351: 1234 318: dragon
  • 31. ALL Passwords Are Crackable Using an eight-core Xeon-powered system, Duo Security brute- forced 400,000 password hashes of the 1.3 million stolen from Gawker, cracking the first 200,000 in under an hour. 15 of the accounts for which it had cracked password encryption belonged to people working at NASA, nine were assigned to users employed by Congress, and six belonged to employees of the Department of Homeland Security. 2009 RockYou hack: “123456" was the most common password in the collection posted on the Web by hackers, followed by "12345," "123456789," "password" and "iloveyou"
  • 32. There is NO Excuse for Shitty Passwords Anymore 1Password and LastPass both allow you to: generate long, highly random passwords that are unique to each website you log into store the passwords in a database and auto-fill sync that database across your iphone, ipad, other computers, etc.
  • 33. Password Tips Don't use only letters or only numbers. Don't use names of spouses, children, girlfriends/boyfriends or pets Don't use phone numbers, Social Security numbers or birthdates. Don't use the same word as your log-in, or any variation of it. Don't use any word that can be found in the dictionary — even foreign words. Don't use passwords with double letters or numbers.
  • 34. Password Tips Use the first letters of the words in a favorite line of poetry or a verse of song. "Hail, hail the lucky ones, I refer to those in love" becomes "H,hTL0,IR2t1L." EVERY SINGLE WEBSITE you have an account with should use a different password. You have no idea how secure their websites are, so you should assume they are not secure at all.
  • 35. Passwords are like underwear - they should never be shared with friends and should be changed often!