Protecting the World from Cybercrime Neil Daswani http://www.neildaswani.com August 27, 2008
Overview
Data breaches
Hacking / Web application vulnerabilities
What can software developers do?
Malware distribution
What is Google doing?
What can you do to protect yourself?
Is the sky falling?
TJX (March 2007): owns TJ Maxx, Marshalls, and other department stores; over 45 million credit card (CC) numbers dating back to 2002; the attacks exploited WEP used at branches.
Department of Veterans Affairs (August 2006): Unisys (sub-contractor) took equipment home, which was burglarized; name, DOB, SSN, address, and insurance data for 26.5M veterans; employee dismissed, supervisor resigned.
CardSystems (June 2005): credit card payment processing company, now out of business; 43 million CC numbers stored unencrypted and compromised; 263,000 CC numbers stolen from the database via SQL injection.
Data Breaches: Over 230 million lost or stolen customer records since 2005. How did that happen? (Source: privacyrights.org; chart categories: Hacking, Stolen Equipment, Lost Equipment.)
What do you mean “hacking”? The attacker provides the input.
Normal query: the web browser sends a username & password to the web server, which queries the database:
SELECT passwd FROM USERS WHERE uname IS '$username'
Malicious query: the attacker enters '; DROP TABLE USERS; -- in the username field, so the server runs:
SELECT passwd FROM USERS WHERE uname IS ''; DROP TABLE USERS; -- '
This eliminates all user accounts.
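As an added example (not from the presentation), the slide's injection reproduced in Python against an in-memory SQLite database: the string-concatenated query executes the attacker's DROP TABLE, while the parameterized query treats the same input as a plain string. The USERS table and its one row are constructed; executescript() stands in for a driver that accepts stacked statements (sqlite3's execute() refuses them), and = is used where the slide writes IS.

```python
import sqlite3

# The exact username the slide shows the attacker typing.
MALICIOUS = "'; DROP TABLE USERS; --"


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed USERS table and one sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice', 'ilovebob')")  # constructed sample row
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> None:
    """Build the query by concatenation, the pattern on the slide.
    executescript() mimics a driver that runs stacked statements, so the
    injected DROP TABLE really executes."""
    sql = "SELECT passwd FROM USERS WHERE uname = '" + username + "'"
    conn.executescript(sql)


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Parameterized query: the value travels separately from the SQL text,
    so quotes and semicolons in it can never change the statement."""
    cur = conn.execute("SELECT passwd FROM USERS WHERE uname = ?", (username,))
    row = cur.fetchone()
    return row[0] if row else None


def users_table_exists(conn: sqlite3.Connection) -> bool:
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'USERS'")
    return cur.fetchone() is not None


def demo() -> dict:
    """Run both lookups with the malicious input on fresh databases and report the effect."""
    safe_db, vuln_db = setup_db(), setup_db()
    safe_result = lookup_safe(safe_db, MALICIOUS)   # no user has that name -> None
    lookup_vulnerable(vuln_db, MALICIOUS)           # SELECT runs, then DROP TABLE USERS
    return {
        "safe_returned": safe_result,
        "safe_table_intact": users_table_exists(safe_db),
        "vulnerable_table_intact": users_table_exists(vuln_db),
    }


if __name__ == "__main__":
    print(demo())
```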
Cross-Site Request Forgery (XSRF) attack scenario: Alice is using a (“good”) web application, www.bank.com (assume she is logged in with a cookie). At the same time (i.e. in the same browser session), she is also visiting a “malicious” web application: www.evil.com.
XSRF: Alice logs in to bank.com (/login.html, then /auth with uname=alice&pass=ilovebob) and is issued Cookie: sessionid=40a4c04de. A later request to /viewbalance carrying Cookie: sessionid=40a4c04de is answered with “Your balance is $25,000”.
What can the software community do?
Software developers: Arm / educate yourself! (e.g., www.learnsecurity.com) Elect a security czar for each project.
Managers: Instrument the development process for security. Organize for security (advisors, satellites, etc.). Invest in training!
Secure Development Lifecycle Source: Software Security, Gary McGraw, ISBN 0-321-35670-6
Malware: logs keystrokes (including passwords), joins a botnet, sends email spam from your machine, and countless other bad things...
How does Google do that? Uses Google's search index and distributed systems
Social Engineering BREAKING NEWS: Abortion outlawed in California How to save money on gas Millions of credit card numbers stolen from bank database, find out if you are affected Google launches free music downloads in China Jerry Yang relinquishes control over Yahoo McCain gives up fighting for presidency US Dollar hits 6-year high, further gains expected
What can you do to protect yourself? Change default router password. Use WPA. Use a personal firewall. Always keep ON. Use good anti-virus. (e.g. pack.google.com) Install patches immediately. Use auto-update. Make backups or use backup service. Use browser with malware & phishing protection (e.g. Firefox 3).
What can you do to protect yourself? Don't install software you don't trust. Use bookmarks for financial sites (or Google). Check for SSL / HTTPS for important sites. Don't ignore security warnings. Use good passwords and reset questions. Use a credit card with a threshold limit. Consider virtual, one-time credit cards. If it sounds too good to be true, it probably is!
Summary What can software people do? Learn, organize, prevent, etc What is Google doing? Protecting you while you search & browse What can you do? Be vigilant!
Acknowledgements Amit Patel Arkajit Dey “Jedis” on Google's Security Team