Cyber Security for AFCEA (presentation transcript)
Unclassified, August 14, 2014

Cyber is derived from Ancient Greek (kyber), meaning “to steer”. Think: to pilot through the information universe.
The U.S. Government defines Cyber Security as “the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation” (NSPD 54/HSPD 23 and the Comprehensive National Cyber Security Initiative).
Cyber Security is a set of principles and practices designed to safeguard your computing assets and online information against threats. It’s protecting your digital and online presence from being used without your permission. This includes everything from your own computer, tablet and phone to social networks and email. As our lives become more dependent on and invested in these digital products, it’s essential to keep them secure.
So, what does it mean? Cyber Security begins with you: as an end-user, you are the first and last line of defense. Therefore, it’s important that you:
1. Create and maintain user IDs, passwords/passphrases, PINs and security questions and answers.
2. Gain knowledge of security guidelines, policies and procedures; stay up to date with cyber news. “Knowledge is Power!”
3. Manage your accounts and passwords.
4. Secure your computer.
5. Protect the data you handle.
6. Assess risky behavior online.
Botnet
Zombie: Also known as a “bot.” A program that secretly takes over another Internet-attached computer, using that computer to launch attacks that are difficult to trace to the zombie’s creator.
What is a Computer Virus?
A malicious program that can “infect” other programs by modifying them; the modification includes a copy of the virus program, so an infected program can in turn infect other programs.
Virus stages:
◦ Dormant phase: Idle.
◦ Propagation phase: Places an identical copy of itself into other programs or system areas on the disk.
◦ Triggering phase: The virus is activated to perform its intended function; caused by a variety of system events.
◦ Execution phase: The malicious function is performed.
Types of viruses:
◦ Parasitic: Attaches itself to executable files and replicates. When the infected program is executed, it looks for other executables to infect.
◦ Memory-resident: Lodges in main memory as part of a resident system program. Once in memory, it infects every program that executes.
◦ Boot sector: Infects the boot record (CryptoLocker Ransomware). Spreads when the system is booted from the disk containing the virus.
◦ Stealth: Designed to hide itself from detection by antivirus software. May use compression.
◦ Polymorphic: Mutates with every infection, making detection by the “signature” of the virus impossible. A mutation engine creates a random encryption key to encrypt the remainder of the virus (the key is stored with the virus).
Malware is malicious software, a term used for a variety of hostile or intrusive software. Malware is used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Malware is designed to ‘blend in’ with normal web traffic (making it difficult to detect). It is usually not particularly advanced, but very effective. Malware includes computer viruses, ransomware, worms, trojans, rootkits, keyloggers, dialers, spyware, adware, malicious browser objects, rogue security software and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses. Malware is different from defective software, which is legitimate software that contains harmful bugs not corrected before release. However, some malware is disguised as genuine software, and may come from an official company website in the form of a useful or attractive program that has the harmful malware embedded in it, along with additional tracking software that gathers marketing statistics. Anti-virus software, anti-malware and firewalls are relied upon by home users, small and large organizations and governments around the globe to safeguard against malware attacks; they help identify malware and prevent its further spread in the network. Malware does not just affect desktops and laptops: cyber criminals also target mobile devices (smart phones).
Trapdoor: An entry point into a program that allows someone who is aware of the trapdoor to gain access. Also used by programmers to debug and test programs: it avoids the necessary setup and authentication, and gives a method to activate the program if something is wrong with the authentication procedure.
Logic Bomb: Code embedded in a legitimate program, set to “explode” when certain conditions are met: the presence or absence of certain files, a particular day of the week, or a particular user running the application.
Trojan Horse: A useful program that contains hidden code which, when invoked, performs some unwanted or harmful function. Can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly.
Worms: Use network connections to spread from system to system:
◦ Electronic mail facility: a worm mails a copy of itself to other systems.
◦ Remote execution capability: executes a copy of itself on another system.
◦ Remote log-in capability: logs on to a remote system as a user, then uses commands to copy itself from one system to the other.
APT = Advanced Persistent Threat
Reality: Not always that advanced
◦ Only as advanced as they need to be
◦ Unlikely to be detected by Anti-Virus (AV) or Intrusion Detection Systems (IDS)
Generally assumed to be nation-state or state-sponsored intrusion sets.
Persistent targeting is the most significant characteristic
◦ Unlike opportunistic viruses, worms, and botnets, an APT attempts to get and maintain access to, and retrieve data from, a select list of targets rather than all of the Internet.
Extensive reconnaissance
◦ Attend the same conferences as the target; browse websites to trojanize content; follow the target through social media
Spear phishing and targeted emails with Trojans
Sources of information on personnel, processes, units, organizations
◦ Major SharePoint websites full of PDFs, Office documents, etc.
◦ Frequent social media posts
◦ Extensive personnel contact information
◦ Extensive insight available from FedBizOps: key personnel, design criteria, information on sensitive facilities
Malware
Other techniques
◦ Twitter feeds
◦ Google chat
◦ MSN messenger
* See the Mandiant ‘APT1’ report
1. You are an attractive target to hackers. Don’t ever say “It won’t happen to me.”
2. Practice good password management. Use a strong mix of characters, and don’t use the same PW for multiple sites. Don’t share your PW with others, don’t write it down, and definitely don’t write it on a post-it note attached to your monitor.
3. Back up your data regularly, make sure your anti-virus software is always up to date, and install patches ASAP.
4. Never leave your devices unattended. If you need to leave your computer, phone, or tablet for any length of time, no matter how short, lock it up so no one can use it while you’re gone. If you keep sensitive info on a flash (thumb/pony) drive or external hard drive, lock it up as well.
5. Always be careful when clicking on attachments or links in email. If unexpected or suspicious for any reason, don’t click on it. Double check the URL of the website the link takes you to: bad actors often take advantage of spelling mistakes to direct you to a harmful site. Can you spot a phony website? Try this Phishing Quiz:
6. Sensitive browsing, such as banking or shopping, should only be done on a device that belongs to you, on a network that you trust. Whether it’s a friend’s phone, a public computer, or a cafe’s free WiFi, your data could be copied or stolen.
7. Be conscientious of what you plug in to your computer. Malware can be spread through infected flash drives, external hard drives, and even smartphones.
8. Watch what you’re sharing on social networks. Criminals can befriend you and easily gain access to a shocking amount of information (where you go to school, where you work, when you’re on vacation, your birth date, address) that could help them gain access to more valuable data.
9. Offline, be wary of social engineering, where someone attempts to gain information from you through manipulation. If someone calls or emails you asking for sensitive information, it’s okay to say no. You can always call the company directly to verify credentials before giving out any information.
10. Monitor accounts for any suspicious activity. If you see something unfamiliar, it could be a sign that you’ve been compromised.
Password Security: Your computer password (PW) is your first, last, and best line of defense against damaging intrusions. Without a well-chosen PW or set of PWs, any other security measures protecting your data are essentially useless. Never share your PWs!
Avoid creating an insecure password by meeting these requirements:
◦ 10+ character minimum. The longer your PW, the more secure.
◦ Use a combination of upper and lowercase letters, including special characters.
◦ Don’t use obvious items of personal info (names, birthdates, SS#’s, phone #’s, street address, etc.).
◦ Avoid English words or combos, e.g., “NVCCgirl,” “cooldude,” “kittykat” or “ninjawarrior”.
◦ Use acronyms for unusual phrases that you invent, e.g., “~2myuIG-cw!”, which stands for “about 2 more years until I Graduate – can’t wait!”
◦ Change it often. Every 90 days is ideal, but at least twice annually. It usually takes a hacker quite some time to crack a long, complex PW; if you change your PW every 90 days, the chances of it being cracked are even slimmer.
◦ When it comes to physical PW security, never record it anywhere close to the computer (on post-its, pull-out trays in desks, inside drawers, under shelves, etc.).
Have a lot of PWs? You may wish to use a secure Password Manager.* Most systems have one. (* Check out the one on your smart phone.)
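As an added example (not part of the presentation), here is a small Python checker that applies the password rules listed on this slide. COMMON_WORDS is a constructed stand-in for a real dictionary, and the personal details to screen are supplied by the caller.

```python
"""Password-policy check that applies the rules listed on the slide.

Added example, not from the presentation. COMMON_WORDS is a constructed
stand-in for a real dictionary; callers supply the personal details to screen.
"""
import string

# Constructed stand-in for a dictionary; only words of 4+ letters are checked.
COMMON_WORDS = {"girl", "cool", "dude", "kitty", "ninja", "warrior",
                "password", "welcome", "summer", "love"}
SPECIALS = set(string.punctuation)


def check_password(pw, personal_info=()):
    """Return the list of rule violations; an empty list means the password passes.

    Slide rules: 10+ characters; upper and lower case plus a special
    character; no personal info; no English words or combinations of them.
    """
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")

    lowered = pw.lower()
    # Personal info (names, birthdates, phone numbers, ...) supplied by the caller.
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal info '{item}'")

    # Dictionary words: "kittykat", "cooldude" and "NVCCgirl" all contain one.
    hits = sorted(w for w in COMMON_WORDS if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def passes(pw, personal_info=()):
    """Convenience wrapper: True when the password meets every slide rule."""
    return not check_password(pw, personal_info)
```

The slide's own acronym passphrase passes, while its bad examples each fail at least one rule.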
What is anti-virus software? Picture an alarm system on a house. Anti-virus (AV), like an alarm, protects your system against known threats, and alerts you when one of these threats enters your computer. However, just like an alarm, this doesn’t make you invulnerable to attacks. There are times when it may detect the threats too late, or the threats may bypass it altogether. Overall though, it is a great way to help secure your computer with little work required from you.
How does anti-virus work? Most common: automatically scheduled scans. These scans look at each individual file on your computer and compare it against known signatures. If the file, or part of the file, matches a signature, the AV software (SW) alerts the user and will attempt to quarantine the file. Outside of scheduled scans, some AV SW also supports active scanning. With active scanning, files are compared against the same set of signatures every time the file is accessed. This allows the antivirus to check files in between the scheduled scans.
Where do I get anti-virus? Good AV may seem expensive, but there are a lot of ways to get it for free. Many workplaces and educational institutions offer employees and students free AV SW for home use; contact your work/school IT helpdesk. Many internet providers/cable companies offer AV as part of your subscription. Not available? Symantec Norton 360 or McAfee programs are among the most popular. Free anti-virus for home use: https://www.acert.1stiocmd.army.mil/Antivirus/Home_Use.htm
Evolving Threats: Viruses aren't the only type of hazard. Security attacks continue to surface in myriad other ways. Many of you now use broadband to remain online full time. Hackers love to target "always-on" users, and are continually developing new ways to infiltrate well-connected home computers. Turn your system off when not in use.
Security Updates Are Vital: Security SW is only as good as the intel available at the time of development. Virus writers, hackers and other “bad guys” are constantly coming up with new attack modes. Stay alert!
Evolving Protections: As threats evolve, so do anti-threat technologies. However, the latest technology and intel have to make their way from the development lab to your desktop. That's where program updates come into play.
Patching & Automatic Updates: The maker of your operating system (OS) (e.g., Microsoft or Mac) develops system updates on a regular basis. A patch can be an upgrade (adding features), a bug fix, a new hardware driver, or an update to address issues such as security, basic functionality or stability problems. Along with your Anti-Virus SW, ensure you have an Internet Security program to retrieve the latest spam definitions and Web filter updates. Up-to-date spam definitions help thwart unsolicited advertising schemes, and Web filter updates help prevent your children from stumbling across websites with inappropriate content.
Do your part: Make it a habit to check your provider’s website for security advisories; take advantage of Live or Automatic Updates. Configure SW to alert you when critical updates are available, and set it to run automatically on a predefined schedule. Check for updates to your OS and Security SW at least once a week to safely stay ahead of the curve.
What is a firewall? Picture a series of doors on the outside of a house. Doors allow those who live inside to come and go as they please while preventing intruders from entering. A firewall is the “door” to your computer or network. The firewall looks at people (systems) trying to connect to your computer and decides whether to let them in or keep them out. Without the firewall, anyone could come into your computer without your permission.
Why do I need a firewall? If your house had no doors, you’d have no privacy, and all your belongings would be at the mercy of those who walk through your house. Without anything to block incoming connections from unauthorized computers, anyone could take your files and watch what you do on the computer.
How does a firewall work? A firewall looks at all the connections coming to and going from your computer, and decides whether to allow them through or to block them. How? By looking at a list of rules called an Access Control List (ACL). The ACL is like the list a bouncer would have at a club so he knows who to let in and who to keep out. If a computer trying to access yours is on the list, it’s allowed through. Otherwise, the computer is blocked before it even gets a peek at what is going on inside.
Where do I get a firewall? Some computers already have a firewall installed when you buy them, but check. You may also see some “premium” options offered as part of security SW and AV packages.
Firewall: Ensure you never turn it off, no matter ‘who’ comes knocking.
Even the most secure password or online safety measures can be compromised if you step away from your computer while logged in. Make sure that you always limit incidental (others’) access to your machine: log off or lock your computer when you leave your desk or the room, and lock your room or office. While all computers are valuable to those looking to commit digital crimes, never forget that your computer equipment is also a target for theft. If you can, lock your laptop and any other easily portable equipment to a desk or other hefty object using a security cable (available in most college student stores). Keeping your computer and information safe using encryption software, antivirus, antispyware and a firewall is vital. However, it’s far too easy for someone to simply walk away with your computer. Physical security is easy and inexpensive, considering the peace of mind that it brings.
A cheap way to avoid an expensive disaster. How much is it to buy a backup drive? About $. Backup software? Usually included, or $30 or less. Not losing your data? Priceless.
How do I back up my computer? We store our digital lives online: photos, music, movies and much more. Backing up is making a copy of data and/or program files and keeping that copy in a safe, separate place. If you can’t retrieve or lose access to your data, you can recover it from a backup source copied elsewhere. The 3 most common causes of data loss: malware, hard drive failure and accidental deletion.
Backups typically take 1 of 2 forms:
1. Copying your data. If you copy pictures from your digital camera and burn those images to a CD for safe-keeping, you’ve backed them up. Similarly, if you regularly take the contents of your “My Documents” folder tree and copy it to another machine or burn it to CD, you’ve backed up those files. They’re safely stored in another location in addition to the original.
2. Imaging your system. This makes a copy of everything: your data, SW programs, settings, even the operating system itself.
Both types of backups share a common characteristic. Whatever you back up, do so by a) making a copy, and then b) placing that copy somewhere else. If your data is in only one place, there are no copies of that data, and you’re not backed up. Find an appropriate storage device capable of storing all of the data you need to back up, at least twice the size of the hard drive. An external hard drive is best, or back up to the cloud. (A partition on the same computer is less safe: the system remains susceptible to viruses and hard drive failure, and if your computer is stolen, so is your backup.)
* Check out Symantec’s Norton 360 and Carbonite.
Phishing is an online con game by tech-savvy con artists and identity thieves. They use malicious web sites, emails and instant messages to trick people into divulging sensitive information, such as bank and credit card accounts. Phishers attempt to gain personal information by employing social engineering techniques. Emails are crafted to appear as if sent from a legitimate organization or known individual. These emails attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate (or to open an attachment that will launch malware). The user may be asked to provide personal data, such as account usernames and PWs, that can further expose them to future compromises. Fraudulent websites may also contain malicious code.
ALWAYS check the website BEFORE CLICKING in any email you receive. Be wary of every attachment you receive. THINK: Do you REALLY need to view/open it? Is it vital?
Beware of scams. Don't respond to email, instant messages, texts or calls asking for your PW. Never disclose your PW to anyone, even if solicited by what looks like a familiar organization. Malicious links can infect your computer or take you to web pages designed to steal your data. Only click on links from trusted sources. Never click on a mystery link unless you have a way to independently verify it’s safe. This includes tiny URLs, like the ones found in Twitter.
-- US CERT:
-- NORTON:
Web Vigilance: Trust No One. Protect your personal privacy; remain forever vigilant and protective of your PW and other personal info. Hackers look for computers that are easy to crack and can be used for their own purposes. Strong PWs reduce the risk of getting hacked. Hackers will always choose a machine without a PW first, because it is far easier to get into. Do not allow a program to run on your computer unless you completely trust its source. Never give out your credit card numbers, social security number, or any personal info on an unfamiliar site or a site that isn’t secured by Secure Socket Layer (SSL) encryption. Look for the lock icon in your web browser. Identity theft is big business; don’t let them get into yours.
Email Concerns: Never open attachments sent by a stranger. Be wary of those sent by family and friends, too. Avoid opening any attachment if it’s simply “funny” or entertaining. Don’t forward them, either. Think: Is this info VITAL for you to view, or for others to read/have for their own benefit? If so, copy and paste the data into the body of the email, or give a good explanation of what the link or attachment is about. If not, save your own time and don’t waste theirs: don’t send! These kinds of attachments frequently double as a Trojan horse: a program that will distract you (or simply become invisible) while another computer user gains control of your computer. Create a separate web-based free email account to receive newsletters, junk mail and other unimportant email. Never respond to unsolicited email, because doing so may confirm your existence to a SPAM-mail provider.
Coffee, Tea, Stolen ID?
WiFi Hotspots – Beware: Free WiFi hotspots provide access to the internet in airports, coffee shops, supermarkets, hotels, book stores, etc. Here, you may be putting your personal information at risk. Hackers can set up a fake WiFi hotspot and just wait for an unsuspecting person to attach to it so they can gather data.
What You Can Do: Access only encrypted websites while on public hotspots; look for ‘https’ at the beginning of a web address. Ensure Wi-Fi is disabled when not in use.
Read tips on using public WiFi:
Read Daniel Berg’s “9 Tips to Stay Safe on Public WiFi” for laptops:
See Session Hacking in the backup slides.
1. Lost/Stolen Smart phone: Immediately contact your service provider (e.g., T-Mobile, AT&T, Sprint). Keep your provider’s phone number in your wallet, in your car and in your home for ease of access.
2. Wiping Contents: Settings should be set to wipe or remove contents after 10 unsuccessful login attempts; this ensures protection of data should it fall into the wrong hands. Check if remote wiping is available. Note: remote wiping will often NOT wipe the SDRAM chip on the smart phone.
3. Passwords: Use a strong PIN, password, or passphrase to protect the contents. Use caps, small case and special keys in all your PWs, and use data encryption if supported.
4. Disposal: Erase all personal information securely and remove the SIM card and memory card (if there is one) before returning it to your service provider, giving it to another, or disposing of it.
5. Updates: Ensure both your operating system and applications are up to date to help protect against known threats.
6. Email and the Web: Use SSL encryption (https://) for browsing and webmail when possible. These services entail the same threats on a smartphone as they do on any computer, including phishing attacks, malicious websites, infected attachments, and scams. If you receive an email that sounds too good to be true or looks suspicious, do not respond to it or click on any embedded links it contains. Limit your browsing to well-known and trusted websites.
7. Wireless Networks: Your smartphone may connect automatically to wireless networks without your knowledge. If connected to a public Wi-Fi hotspot, it's probably also being used by other people; someone could eavesdrop on your connection. Keep optional network connections (e.g., WiFi and Bluetooth) turned OFF except when specifically using them.
8. Applications (Apps): Install only needed Apps and ensure they are obtained from a vendor that has vetted them (like the Samsung, Blackberry or Apple iPhone App Stores). You risk creating potential vulnerabilities by installing software (SW): a malicious backdoor used by hackers can appear to be a legitimate App, sending out sensitive info (e.g., SS#, credit card info, UserIDs/PWs, etc.) while appearing to function normally. Don’t rush to install a new App. Wait until it has established a good reputation.
9. Documentation: Read the documentation and terms of service for each App before you install it. Apps often require you to grant permission to the vendor to collect, use, and sell personal info about you, your device usage, and your geographic location. Don’t give them access to your Contacts!
10. Posting Images to Facebook & Social Networks: Smart phones use geo-tagging, which tags photos with the time, date and GPS latitude and longitude. Change social-networking settings to PRIVATE so only people you invite into your network can see your photos, etc. Restrict privacy and info to friends. Turn off GPS settings on your smart phone's camera to prevent it from capturing location info. Remember, photos you email travel over the Web as well.
Summary: BE AWARE of potential risks. Take caution when searching the Internet, opening emails from unknown sources, using social networking sites like Facebook, Pinterest and Twitter, and clicking on links and opening attachments.
Links of Interest:
◦ Glossary of Key Information Security Terms
◦ How to Fix a Malware Infected Computer
◦ How to Clean an Infected Computer
◦ How to Know If Your Computer Is Infected
◦ Learn to Write Code – Computer Science: Free tutorials for Beginners!
◦ US Department of Homeland Security – Stop. Think. Connect
Remember: ALWAYS practice safe computing!
Incident - Target: In Nov 2013, a group of Eastern European hackers entered Target’s network through a digital gateway, discovering that Target’s systems were astonishingly open, lacking the virtual walls and motion detectors found in secure networks. ~110 million customers were affected: ~40 million at US stores had credit and debit card data stolen, and hackers also lifted personal information (including names, addresses, email addresses and phone numbers) for ~70 million. Protecting Personally Identifiable Information (PII) is vital for yourself, and especially at work. Be vigilant and on guard about protecting your own personal information and your work site’s user data.
Incident - Yahoo: Yahoo Mail was hacked – again – in January. The number of accounts compromised is unknown. Attackers gained access through a third-party database outside of Yahoo’s control. Hacks happen, but if you've followed basic security practices and aren’t using the same login credentials for multiple sites and services, only your Yahoo account should be at risk. Change log-in credentials for any account that may share your Yahoo password, particularly if you use your Yahoo email as the login. Also, if you use a similar email address as the username elsewhere, it’s not a big leap for hackers to connect the two. Look out for spam as well. Use strong PWs, different for each account. Remember, cyber security begins with you.
SQL Injection: Databases using Structured Query Language (SQL) rely on specially formatted queries to locate and return requested data. Human or automated attackers can send requests that exploit the database's internal codes to alter the query as it's processed. This year alone, SQL injection was the culprit behind a number of notorious security breaches, such as hacker group LulzSec's alleged theft of data from the Sony Pictures server. Once again, the solution to this problem isn't in the user's hands. Well-designed software avoids the problem by weeding out any queries that don't meet strict standards. Those who create and maintain database apps are advised to "use whitelisting, not blacklisting": letting only specific data through instead of keeping only specific data out. That way, previously unseen SQL injections won't get through.
Fake Tech-Support Calls: You might get an unsolicited phone call from a tech-support representative claiming to be from Microsoft or another big-name IT corporation. But the caller won't be who he claims to be. After warning you that "suspicious activity" has been detected on your computer, he'll offer to help once you give him the personal information he requires to get his job done. That job isn't fixing your computer; in fact, he's really just after your personal information. If you receive a call like this, hang up, call the company the bogus technician claimed to be from, and report the incident to a legitimate representative. If there really is a problem, they'll be able to tell you; if not, you just thwarted a data thief.
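Added example (not from the presentation) showing the slide's advice in Python's sqlite3: a lookup that splices user input into the SQL text, beside one that binds the input as a parameter and uses an allow-list for the one thing parameters cannot cover, a caller-chosen column name. The table, rows and hostile input are constructed.

```python
"""Bound parameters plus an allow-list, as the slide recommends.

Added example, not from the presentation. Uses Python's sqlite3 with an
in-memory database; the table and its rows are constructed sample data.
"""
import sqlite3

# Constructed sample data.
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory users table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: `name` becomes part of the SQL text, so quote
    characters inside it change the query the database actually runs."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# Identifiers such as column names cannot be bound as parameters, so they are
# checked against an explicit allow-list (what the slide calls whitelisting)
# rather than a list of forbidden strings.
SORT_COLUMNS = {"name", "email"}


def lookup_safe(conn, name, sort_by="name"):
    """Hardened form: the value is a bound parameter (sent as data, never
    parsed as SQL) and the sort column must be on the allow-list."""
    if sort_by not in SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT name, email FROM users WHERE name = ? ORDER BY {sort_by}"
    return conn.execute(sql, (name,)).fetchall()
```

With a quote-bearing input, the unsafe lookup returns every row while the safe one matches nothing, because the driver treats the whole string as a literal name.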
Fraudulent SSL Certificates: A Secure Sockets Layer (SSL) certificate reassures your browser that the site you've connected to is what it says it is. If you're looking at "HTTPS" instead of plain old "HTTP," you know there's security involved, such as when you log in to your bank account or pay your phone bill. The most trusted SSL certificates are issued by designated Certification Authorities worldwide. What happens if that trust between browser and website is exploited? Acquiring or creating fake SSL certificates is unlawful, but happens often enough that we need to be aware of it. On multiple occasions in 2011, the discovery of false certificates suggested an attempt to spy on Iranian citizens as they used Gmail and Google Docs. According to security firm F-Secure, foreign governments are using these techniques to monitor local dissidents.
Banking Trojans: A Trojan is malicious software that disguises itself as an innocent program, counting on you to download or install it into your system so it can secretly accomplish its malicious tasks. The infamous ZeuS Trojan and its rival SpyEye take advantage of security holes in your Internet browser to "piggyback" on your session when you log in to your bank's website. These monsters are in the Ivy League of computer malware; they avoid fraud detection using caution, calculating inconspicuous amounts of money to transfer out of your account based on your balance and transaction history. Financial institutions continue to increase the layers of security involved in large transactions, such as requiring confirmation through "out-of-band" communications. Digital crooks have lost no time adapting to the changes on mobile devices: banking Trojans are able to change the mobile number tied to your account and intercept that confirmation request. Be careful what you download, and from where.
DNS Redirection: Internet service providers (ISPs) such as Time Warner Cable claim they're trying to help with DNS redirection, but the reality seems to come down to money. Domain Name System (DNS) redirection overrides your browser's normal behavior when you can't reach a webpage. Instead of displaying the normal 404 "File Not Found" error, the ISP sends you to a page of the ISP's choosing, usually a page full of paid advertising and links. Innocent though that practice may be, computer viruses can do the same thing, redirecting your browser to a hostile page the first time you misspell a domain. With ISPs, you can opt out of their DNS redirection (you'll find links below all the ads); with viruses, stay on your toes. Make sure you know what your browser's default 404 page looks like, and take action if you see anything different.
Open DNS Resolvers: Another danger lies in the way some DNS servers are configured. An "open resolver" can offer information it isn't authorized to provide. Not only are open resolvers exploited in distributed denial-of-service (DDoS) attacks, but an attacker can "poison" the DNS cache, providing false information and incorrect resolutions that must be detected to be corrected. If your browser trips over a case of cache poisoning, the agents in charge of a hostile server can glean detailed information about your system, especially if you're in the middle of an important transaction. How can typical users solve this dilemma? The chilling answer: they can't. It's up to Internet service providers to address the problem. (DNS spoofing, or DNS cache poisoning, is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) name server’s cache database, causing the name server to return an incorrect IP address and diverting traffic to another computer, often the attacker's.)
Disguised Filenames: Modern operating systems accommodate speakers of languages such as Arabic and Hebrew by featuring codes which can reverse the direction of type to display such languages correctly: written right-to-left instead of left-to-right. Unfortunately, these "RTL" and "LTR" commands are special Unicode characters that can be included in any text, including filenames and extensions. Exploiting this fact, a malware purveyor can disguise ".exe" files as files with other extensions. Your operating system will display the "disguised" name, though it still treats the file as an executable; launching it will run the program and infect your computer. Practice caution with any and all files from unknown sources. Man-in-the-Middle Attacks: While you're still sipping your latte on that unsecured network, even your encrypted messages may not be all that safe. A Man-in-the-Middle (MTM) attack occurs when an attacker intercepts communications and proceeds to "relay" messages back and forth between the lawful parties. While the messaging parties believe their two-way conversation is private, and might even use a private encryption key, every message is re-routed through the attacker, who can alter the content before sending it on to the intended recipient. The encryption key itself can be swapped out for one the attacker controls, and the original parties remain unaware of the eavesdropper the entire time.
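The disguised-filename trick above is easy to check for mechanically, because the bidirectional control characters are ordinary code points that a mail gateway or download scanner can look for. This added example (written for this page, not from the presentation) reports any bidi controls in a filename, shows roughly how a right-to-left override makes the name appear, and recovers the extension the operating system will actually act on. The sample filename and the list of "executable" extensions are constructed assumptions for the demo.

```python
# Unicode bidirectional control characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200E": "LRM", "\u200F": "RLM",
}

# Assumed list of extensions the OS will execute; extend for your platform.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1"}

def find_bidi_controls(name: str):
    """Return (position, mnemonic) for every bidi control in the name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]

def true_extension(name: str) -> str:
    """Extension the OS uses: everything after the last '.' once controls are removed."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""

def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: text after a right-to-left override
    (U+202E) is rendered reversed until a pop-directional-formatting (U+202C)
    or the end of the string. Other controls are invisible."""
    out, i = "", 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            j = name.find("\u202C", i + 1)
            if j == -1:
                j = len(name)
            out += name[i + 1:j][::-1]
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out += ch
            i += 1
    return out

def assess(name: str) -> dict:
    """Flag a filename whose displayed extension differs from the one the OS uses."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real_ext = true_extension(name)
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    return {
        "displayed": shown,
        "displayed_extension": shown_ext,
        "true_extension": real_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTENSIONS
                      and real_ext != shown_ext,
    }

# Constructed sample: the bytes say "invoice<RLO>fdp.exe"; the screen shows "invoiceexe.pdf".
SAMPLE = "invoice\u202Efdp.exe"

if __name__ == "__main__":
    for fname in (SAMPLE, "report.pdf"):
        print(repr(fname), assess(fname))
```

Scanning attachments and downloads for these code points, and rejecting or quarantining names where the visible extension and the real one disagree, removes the trick entirely rather than relying on users to notice an oddly spelled name.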
The "Stuxnet" worm (discovered June 2010) targeted centrifuges at the Iranian Natanz uranium-enrichment plant in a clandestine fashion. Stuxnet blocked the outflow of gas from the cascades of centrifuges, causing pressure to build up and the equipment to become damaged. It even masked the attack by looping 21 seconds of the system's sensor values so that the engineers at the facility wouldn't realize anything was wrong. Until recently, it was believed that Stuxnet simply targeted the centrifuges by causing them to spin too fast and ultimately break. However, it took a more sophisticated, clandestine approach and set them up to fail at a later date, thereby further evading detection. Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to detected abnormal behavior. Such complexity is very unusual for malware. The worm consists of a layered attack against three different systems – the Windows OS and Siemens systems. The "Shamoon" virus (Aug 2012) attacked Saudi Arabia's state oil company, ARAMCO - probably the most physically destructive attack the business sector has seen to date. The virus is sophisticated, and a similar attack days later struck Qatar's natural gas firm, Rasgas. The 30,000+ computers it infected at ARAMCO were rendered useless and had to be replaced. Shamoon included a routine called a "wiper," coded to self-execute, which replaced crucial system files with an image of a burning U.S. flag. It also overwrote all the real data on the machine with garbage data. While not new, the scale and speed with which it happened were unprecedented. Like other malware, it steals information, taking data from the Users, 'Documents and Settings', 'System32/Drivers' and 'System32/Config' folders on Windows computers. One unusual characteristic, however, is that it can overwrite the master boot record (MBR) on infected machines, effectively rendering them useless. Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware's command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it reports this to the external command-and-control server.
Oligo - indicating "few," "little," or "scant" -- An oligomorphic engine is generally used by a computer virus to generate a decryptor for itself. It does this by randomly selecting each piece of the decryptor from several predefined alternatives. The pieces used to build the decryptor are usually too common to be detected with signatures. Most oligomorphic viruses aren't able to generate more than a few hundred different decryptors, so detecting them with simple signatures is still possible. Poly - many -- Polymorphic code mutates while keeping the original algorithm intact, so the code changes itself each time it runs, but the function of the code does not change at all (e.g., 1+3 and 6-2 both achieve the same result ("4") while using different code). Sometimes used by computer viruses, shellcodes and computer worms to hide their presence. Meta - abstraction from one concept to another; Morph - to transform (an image) by computer. Metamorphosis - a conspicuous, relatively abrupt physical change in body structure through cell growth and differentiation. Think caterpillar to butterfly. -- Metamorphic code outputs a logically equivalent version of its own code under some interpretation. Used by viruses to avoid pattern recognition by AV software. Metamorphic code is used by some viruses when they are about to infect new files, so the next generation never looks like the current generation. The mutated code does exactly the same thing, but the child's binary representation is typically completely different from the parent's.
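The slide's claim that the encrypted body defeats a signature while the handful of decryptor stubs do not can be shown with a toy model. This added example (written for this page, not from the presentation or any real sample) builds an "oligomorphic" generator that picks one of two predefined decoder stubs and a random key, then compares three detection strategies over twenty generations: a signature on the plaintext body, a signature on the stub, and emulating the decoder and hashing what it produces. The payload string, stub markers and transforms are constructed stand-ins for machine code.

```python
import hashlib
import random

# Constructed stand-in for a virus body; a real one would be machine code.
PAYLOAD = b"replicate(); drop_payload(); sleep_until(trigger_date)"
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()

def xor_transform(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def add_transform(data: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in data)

def sub_transform(data: bytes, key: int) -> bytes:
    return bytes((b - key) & 0xFF for b in data)

# The "few predefined alternatives" of an oligomorphic engine:
# marker bytes standing in for a decryptor stub, with (encoder, decoder) pairs.
STUBS = {
    b"STUB-XOR:": (xor_transform, xor_transform),
    b"STUB-ADD:": (sub_transform, add_transform),
}

def make_generation(rng: random.Random) -> bytes:
    """One 'infection': random stub choice + random 1-byte key + encoded body."""
    stub = rng.choice(sorted(STUBS))
    key = rng.randrange(1, 256)             # key 0 would leave the body in clear
    encoder, _ = STUBS[stub]
    return stub + bytes([key]) + encoder(PAYLOAD, key)

def signature_match(sample: bytes, signature: bytes) -> bool:
    """Plain byte-pattern scan, the simplest AV signature."""
    return signature in sample

def emulate_and_hash(sample: bytes):
    """Run the decoder the sample carries and hash the recovered body.
    Returns None if no known stub is present."""
    for stub, (_, decoder) in STUBS.items():
        if sample.startswith(stub):
            key = sample[len(stub)]
            return hashlib.sha256(decoder(sample[len(stub) + 1:], key)).hexdigest()
    return None

def detect(sample: bytes) -> dict:
    return {
        "body_signature": signature_match(sample, PAYLOAD),
        "decryptor_signature": any(signature_match(sample, s) for s in STUBS),
        "emulated_body": emulate_and_hash(sample) == PAYLOAD_SHA256,
    }

def run_demo(n: int = 20, seed: int = 1) -> dict:
    """Count how many of n generations each strategy catches."""
    rng = random.Random(seed)
    results = [detect(make_generation(rng)) for _ in range(n)]
    return {k: sum(r[k] for r in results) for k in results[0]}

if __name__ == "__main__":
    print(run_demo())
```

A body signature catches none of the generations because every byte is changed by the key, while two stub signatures catch all of them, which is exactly why oligomorphic viruses remain detectable. Emulation also catches them all and would keep working if the stubs themselves were rewritten, which is the direction AV engines had to take once metamorphic code made the stub set unbounded.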