Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting the World from Cybercrime Neil Daswani August 27, 2008.

Published byLeslie Edwards Modified over 9 years ago

Similar presentations

Presentation on theme: "Protecting the World from Cybercrime Neil Daswani August 27, 2008."— Presentation transcript:

1 Protecting the World from Cybercrime Neil Daswani http://www.neildaswani.com August 27, 2008

2 Overview Data breaches Hacking / Web application vulnerabilities What can software developers do? Malware distribution What is Google doing? What can you do to protect yourself?

3 Is the sky falling? TJX (March 2007)‏ –owns TJ Maxx, Marshalls, and other dept stores –over 45 million credit card (CC) #s dating back to 2002 –attacks exploited WEP used at branches Department of Veteran Affairs (August 2006) Unisys (sub-contractor) took equipment home/burglarized Name, DOB, SSN, address, insurance for 26.5M veterans Employee dismissed, supervisor resigned CardSystems (June 2005) credit card payment processing company: out of business 43 million CC #s stored unencrypted / compromised 263,000 CC #s stolen from database via SQL Injection

4 Data Breaches Over 230 million lost or stolen customer records since 2005. How did that happen? Source: privacyrights.org Hacking Stolen Equipment Lost Equipment

5 What do you mean “hacking?” Attacker Provides This Input

6 Username & Password SELECT passwd FROM USERS WHERE uname IS ‘$username’ Normal Query Web Browser Web Server Database 010010 1010101 0100101

7 SELECT passwd FROM USERS WHERE uname IS ‘’; DROP TABLE USERS; -- ' Malicious Query Eliminates all user accounts “Username & Password” Web Browser Web Server Database

8 http://xkcd.com/327/

9 Cross-Site-Request-Forgery (XRSF)‏ Attack scenario: Alice is using a (“good”) web-application: www.bank.com (assume user is logged in w/ cookie)‏ At the same time (i.e. same browser session), she’s also visiting a “malicious” web- application: www.evil.com

10 XSRF /viewbalance Cookie: sessionid=40a4c04de “Your balance is $25,000” Alice bank.com /login.html /auth uname=alice&pass=ilovebob Cookie: sessionid=40a4c04de

11 evil.com XSRF Alice bank.com /login.html /auth uname=alice&pass=ilovebob Cookie: sessionid=40a4c04de /evil.html /paybill?addr=123 evil st, amt=$10000 Cookie: sessionid=40a4c04de “OK. Payment Sent!”

12 What can the software community do? Software Developers:  Arm / educate yourself! (e.g., www.learnsecurity.com)‏  Elect a security czar for each project Managers:  Instrument development process for security  Organize for security (advisors, satellites, etc)‏  Invest in training!

13 Secure Development Lifecycle Source: Software Security, Gary McGraw, ISBN 0-321-35670-6

14 Malware Logs keystrokes (including passwords)‏ Joins a botnet Sends email spam from your machine Other countless bad things...

15 Powered by InvisionPowerBoard (U) v1.3.1 Final©2003 IPS,Inc. http://www.invisionpower.com Malware Distribution Old style: email, peer-to-peer, etc New style: infect web pages & drive-by-downloads

16 Building Botnets with SQL Injection Query for vulnerable sites Attacker Target Site(s)‏ Query for vulnerable sites Search Engine Target Site(s)‏ User View Page Get Infected: Drive-by-download Inject malicious Javascript/ActiveX What do you want to do today? Log keystrokes, DoS, etc.

17 “This site may harm your computer”

18 Really! We're not kidding!

19 How does Google do that? Uses Google's search index and distributed systems

20 Social Engineering BREAKING NEWS:  Abortion outlawed in California  How to save money on gas  Millions of credit card numbers stolen from bank database, find out if you are affected  Google launches free music downloads in China  Jerry Yang relinquishes control over Yahoo  McCain gives up fighting for presidency  US Dollar hits 6-year high, further gains expected

21 Next-Generation Phishing + Malware

22 What can you do to protect yourself? Change default router password. Use WPA. Use a personal firewall. Always keep ON. Use good anti-virus. (e.g. pack.google.com)‏ Install patches immediately. Use auto-update. Make backups or use backup service. Use browser with malware & phishing protection (e.g. Firefox 3).

23 What can you do to protect yourself? Don't install software you don't trust. Use bookmarks for financial sites (or Google). Check for SSL / HTTPS for important sites. Don't ignore security warnings. Use good passwords and reset questions. Use a credit card with a threshold limit. Consider virtual, one-time credit cards. If it sounds too good to be true, it probably is!

24 Summary What can software people do?  Learn, organize, prevent, etc What is Google doing?  Protecting you while you search & browse What can you do?  Be vigilant!

25 Acknowledgements Amit Patel Arkajit Dey “Jedis” on Google's Security Team

Download ppt "Protecting the World from Cybercrime Neil Daswani August 27, 2008."

Similar presentations

PHISHING AND ANTI-PHISHING TECHNIQUES Sumanth, Sanath and Anil CpSc 620.

PHISHING AND ANTI-PHISHING TECHNIQUES Sumanth, Sanath and Anil CpSc 620.
A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” emails to counterfeit sites Users “give up” personal financial.

A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” s to counterfeit sites Users “give up” personal financial.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
SECURITY CHECK Protecting Your System and Yourself Source:

SECURITY CHECK Protecting Your System and Yourself Source:
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.

Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Internet Security Awareness Presenter: Royce Wilkerson.

Internet Security Awareness Presenter: Royce Wilkerson.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Malicious Attacks By: Albert, Alex, Andon, Ben, Robert.

Malicious Attacks By: Albert, Alex, Andon, Ben, Robert.
Hey check out this cool PHISHING presentation! Benjamin Ross Lyerly.

Hey check out this cool PHISHING presentation! Benjamin Ross Lyerly.
Phishing – Read Behind The Lines Veljko Pejović

Phishing – Read Behind The Lines Veljko Pejović
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
INFORMATION SECURITY AWARENESS PRESENTED BY KAMRON NELSON AND ROYCE WILKERSON.

INFORMATION SECURITY AWARENESS PRESENTED BY KAMRON NELSON AND ROYCE WILKERSON.
Teach a man (person) to Phish Recognizing email scams, spams and other personal security attacks July 17 th, 2013 High Tea at IT, Summer, 2013.

Teach a man (person) to Phish Recognizing scams, spams and other personal security attacks July 17 th, 2013 High Tea at IT, Summer, 2013.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
CERN - IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Update on the underground economy and making profit on the black market Wojciech Lapka.

CERN - IT Department CH-1211 Genève 23 Switzerland t Update on the underground economy and making profit on the black market Wojciech Lapka.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Similar presentations

Ads by Google