Jayesh Mowjee, Security Consultant, Microsoft Services. Session Code: SIA330

The Disclaimer!
In attending this session you agree that any software demonstrated comes with absolutely NO WARRANTY. Use entirely at your own risk. Microsoft Corporation and the other third-party vendors whose software is demonstrated as part of this session are not responsible for any subsequent loss or damage whatsoever.
This Session Covers
- The top 10 security nightmares
- Covert information gathering techniques
- How it's done: identity theft
- Tools the bad guys use
- Hiding your tracks
- Possible solutions
- The need-to-know principle
- Conclusions and Q&A

The Top 10 Security Nightmares
1. Physical
2. Human error
3. Malfunction
4. Malware
5. Spoofing
6. Scanning
7. Eavesdropping
8. Scavenging
9. Spamming
10. Out of band!

How Severe is the Threat? (most to least severe)
- Professional cyber criminals and terrorists
- Disgruntled employees
- Competitors
- Hacktivists
- Script kiddies (advertise their actions)

Problem: Unorganized Response
- What should I do?
- Who should I call?
- Should I shut the system down?
- Should I run the virus cleaner?
- Should I trust my anti-virus quarantine?
- Should I re-image the system?
Consequences of Poor Security: Brett Kingstone, Nexus Lighting!
"What took us $10 million and 10 years to develop, they were able to do for $1.4 million in six months" - Brett Kingstone
http://people.forbes.com/profile/brett-m-kingstone/57603
http://www.gss.co.uk/news/article/5613/Cyberthieves_mine_online_for_corporate_data_nuggets/?highlight=Finjan
Hacker 101 Target Selection & Information Gathering
Hacker 101: Target Selection
- Person: identity theft, revenge, invasion of privacy
- Company: trade secrets, hostile takeover, industrial espionage
- Government: military coup, political corruption, bribery, country destabilisation

So Who are You?
Information required:
- ID number
- Full name
- Birth date
- Address
- Possibly driver's license number
Sources: doctor, accountant, lawyer, school, place of work, hotels, health insurance carrier and many others

5 Pages of Heaven! (aka a CV)
- Once you get someone's CV, you know all about the person
- You can search for it... or you can get people to send it to you
- Recruitment is easy: post a job ad and wait for people to send their life story
- You can even specify which types of people... :)
  "Looking for nuclear scientist/engineer with experience in Uranium enrichment and military background. Earn top dollar, 401K plan, dental coverage, 25 days leave. Flexi time. Apply within..."
A Growing Problem
- Revealed: 8 million victims in the world's biggest cyber heist! Best Western Hotels (Aug 08). Russian gangs involved; details offered for sale on an underground website (www.cuxxxx0.ru)
- 10,000 criminal records go missing on a memory stick! (July 08)
- Fasthosts UK ISP: 50,000 websites hacked (Nov 07)
- ID theft costs the UK economy £1.6bn per year*
- UK Child Support Agency: 25 million records missing. MI5 ordered to recover the data
- Bank of India, etc.
*Sunday Times

You are Unique... Keep it that Way!
- Check your credit rating regularly
- Don't reveal too much personal information, especially on online forums and social networking groups
- Watch out for shoulder surfers
- Learn to ask questions: "Why do you need this information? How will it be used?"
- Be aware of your privacy rights
- Make use of new encryption technologies

Corporate ID Theft
- Employee error (Xxx Dept Work & Pensions: 25 million records LOST because of a mistake...)
- Fraudulent use of a business identity: "account takeover" fraud that hijacks a clean identity for illicit trading
- In certain countries the company register (e.g. Companies House) does not validate any data provided
- Spoof emails, "phishing" and "spear phishing"
- Corporate governance implications
Google Hacking
What search engines have already indexed for you:
- Various usernames and passwords (both hashed and in plain text)
- Internal documents
- Internal site statistics
- Intranet access
- Database access
- Open webcams
- VNC connections
- Mail server access
- And much more

Don't Get Google Hacked!
- Keep sensitive information off the Internet
- Be careful how you write your scripts and how they access your databases (error pages leak paths, versions and queries)
- Use robots.txt to tell Google which parts of your website it is OK to index and which parts are "off bounds". Caveat: robots.txt is advisory only; hostile crawlers ignore it and the file itself advertises the paths you consider sensitive, so it is not access control
- Ensure directory rights on your web server are in order and directory listing is disabled
- Monitor your site for common errors
- "Google hack" your own website before someone else does
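The "Google hack your own website" step, as an added example that is not part of the original session: it produces the site: queries you would run against your own domain, and audits a crawl listing (URL, HTTP status, page title) against your robots.txt, flagging backup files, config files, phpinfo pages, directory listings and paths that robots.txt "hides" but the server still serves with 200. The crawl data, the robots.txt and the domain example.com are constructed inputs; in real use, feed it a crawler's output or the search results for site:yourdomain.

```python
"""Self-audit for Google-hackable exposure. Added example; runs offline on constructed data."""
import re
from urllib.parse import urlparse

# Path patterns a search-engine attacker looks for (mirrors common filetype:/inurl: dorks).
SENSITIVE_PATTERNS = [
    (re.compile(r"\.(sql|bak|old|orig|swp|log|zip|tar\.gz)$", re.I), "backup, dump or log file"),
    (re.compile(r"(^|/)(\.env|\.git(/|$)|\.htpasswd|web\.config|wp-config\.php)", re.I),
     "configuration or credential file"),
    (re.compile(r"(^|/)phpinfo\.php$", re.I), "phpinfo() page (discloses paths, modules, environment)"),
    (re.compile(r"/(admin|phpmyadmin|manager|cpanel)(/|$)", re.I), "administrative interface"),
]

# Constructed crawl listing: what an anonymous crawler saw. Not real data.
CONSTRUCTED_CRAWL = [
    {"url": "https://www.example.com/", "status": 200, "title": "Example Corp"},
    {"url": "https://www.example.com/backup/site.sql", "status": 200, "title": ""},
    {"url": "https://www.example.com/uploads/", "status": 200, "title": "Index of /uploads"},
    {"url": "https://www.example.com/admin/", "status": 401, "title": "Unauthorized"},
    {"url": "https://www.example.com/internal/stats.html", "status": 200, "title": "Site statistics"},
    {"url": "https://www.example.com/phpinfo.php", "status": 200, "title": "phpinfo()"},
]

# Constructed robots.txt: note it tells everyone where /internal/ and /admin/ are.
CONSTRUCTED_ROBOTS = """User-agent: *
Disallow: /internal/
Disallow: /admin/
"""


def dork_queries(domain):
    """Search queries to run against your own domain (real Google operators)."""
    return [
        f"site:{domain} filetype:sql OR filetype:bak OR filetype:log",
        f'site:{domain} intitle:"index of"',
        f"site:{domain} inurl:admin OR inurl:phpmyadmin",
        f'site:{domain} intext:"password" filetype:txt OR filetype:xls',
    ]


def parse_disallow(robots_txt):
    """Return the Disallow path prefixes from a robots.txt body (all User-agent blocks)."""
    prefixes = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                prefixes.append(path)
    return prefixes


def audit(crawl, robots_txt):
    """Return findings for every URL an anonymous crawler can fetch (status 200)."""
    disallowed = parse_disallow(robots_txt)
    findings = []
    for entry in crawl:
        if entry["status"] != 200:
            continue  # 401/403/404: not reachable anonymously, so not indexable
        path = urlparse(entry["url"]).path
        for pattern, label in SENSITIVE_PATTERNS:
            if pattern.search(path):
                findings.append({"url": entry["url"], "issue": label})
        if entry["title"].lower().startswith("index of"):
            findings.append({"url": entry["url"], "issue": "directory listing enabled"})
        if any(path.startswith(p) for p in disallowed):
            findings.append({"url": entry["url"],
                             "issue": "disallowed in robots.txt but served with 200 (robots.txt is not access control)"})
    return findings


if __name__ == "__main__":
    for q in dork_queries("example.com"):
        print("run:", q)
    for f in audit(CONSTRUCTED_CRAWL, CONSTRUCTED_ROBOTS):
        print(f"{f['url']}: {f['issue']}")
```

Only /admin/ escapes a finding, and only because the server answers 401: access control, not the robots.txt entry, is what keeps it out of the index.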
Hiding Data - Steganography!
- Steganography: the art of storing information in such a way that the very existence of the information is hidden (cryptography hides the content; steganography hides that there is any content at all)
- To human eyes, data usually comes in known forms: images, e-mail, sounds and text. Most Internet data also carries gratuitous headers and slack space. These carriers are exploited by two related and controversial logical encodings: steganography (a hidden message) and marking (a hidden identifier or watermark)
- Covert text example: "The duck flies at midnight. Tame uncle Sam"
- Simple but effective when done well
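Least-significant-bit (LSB) image steganography, the classic form of what the slide describes, as an added example that is not part of the original session. The "image" is a constructed 8-bit grayscale gradient (a bytes object, one byte per pixel); the message is embedded into the LSB of successive pixels behind a 32-bit length header, so no pixel value changes by more than 1 and the picture looks identical. The third function is the caveat a practitioner wants: a naive steganalysis statistic (how often the LSB flips between neighbouring pixels) that shows why "done well" matters, since embedded data looks random and stands out against a smooth cover.

```python
"""LSB steganography over a constructed grayscale image. Added example, not from the slides."""

HEADER_BITS = 32  # message length in bytes, stored ahead of the payload

# Constructed cover: a smooth gradient, 4096 pixels, 8 bits each. Not a real photograph.
CONSTRUCTED_COVER = bytes((i // 8) % 256 for i in range(4096))


def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(cover: bytes) -> int:
    """Maximum message size in bytes the cover can carry."""
    return max(0, (len(cover) - HEADER_BITS) // 8)


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide message in the least significant bit of each pixel of cover."""
    if len(message) > capacity(cover):
        raise ValueError(f"cover holds {capacity(cover)} bytes, message is {len(message)}")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return bytes(stego)


def _collect(pixels: bytes, start: int, nbits: int) -> bytes:
    """Reassemble bytes from the LSBs of pixels[start:start + nbits]."""
    out = bytearray()
    for i in range(start, start + nbits, 8):
        value = 0
        for px in pixels[i:i + 8]:
            value = (value << 1) | (px & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the hidden message: read the length header, then that many bytes."""
    length = int.from_bytes(_collect(stego, 0, HEADER_BITS), "big")
    return _collect(stego, HEADER_BITS, 8 * length)


def lsb_transition_rate(pixels: bytes, n: int) -> float:
    """Fraction of adjacent pixel pairs among the first n pixels whose LSBs differ.

    A smooth natural region has a low rate; embedded text or ciphertext pushes it
    toward 0.5, which is how naive LSB stego gets detected.
    """
    lsbs = [p & 1 for p in pixels[:n]]
    changes = sum(a != b for a, b in zip(lsbs, lsbs[1:]))
    return changes / (len(lsbs) - 1)


if __name__ == "__main__":
    secret = b"The duck flies at midnight."
    stego = embed(CONSTRUCTED_COVER, secret)
    used = HEADER_BITS + 8 * len(secret)
    print("recovered:", extract(stego))
    print("max pixel change:", max(abs(a - b) for a, b in zip(CONSTRUCTED_COVER, stego)))
    print(f"LSB flip rate cover={lsb_transition_rate(CONSTRUCTED_COVER, used):.2f} "
          f"stego={lsb_transition_rate(stego, used):.2f}")
```

Doing it well means embedding less, spreading the bits pseudo-randomly across the image, and encrypting first so the payload has no structure; even then, comparing against the original cover, if the analyst has it, reveals the change immediately.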
Keeping up Appearances!
- Although I don't know the overall network security posture of the airport, this didn't look good
- Appearing secure is part of good security (though never a substitute for it)
- The military teach that the appearance of a hard target can deter attacks

Developments
- Biometric passports, DNA identity solutions
- Cloud data centre solutions
- Credit cards with biometrics
- Project Goldeneye / Goldfinger!
- Identity cards: cut the myriad of means to prove identity
- Proposed new criminal offence of "identity fraud"
- Civil liberties arguments: does this criminalize legitimate anonymity?
- National Criminal Intelligence Service

Conclusions!
- The top 10 security nightmares
- Covert information gathering techniques
- How it's done: identity theft
- Tools the bad guys use
- Hiding your tracks
- Possible solutions
- The need-to-know principle
- Conclusions and Q&A

Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources