1 Protecting the World from Cybercrime Neil Daswani August 27, 2008

2 Overview
– Data breaches
– Hacking / Web application vulnerabilities
– What can software developers do?
– Malware distribution
– What is Google doing?
– What can you do to protect yourself?

3 Is the sky falling?
– TJX (March 2007)
  – owns TJ Maxx, Marshalls, and other dept stores
  – over 45 million credit card (CC) #s dating back to 2002
  – attacks exploited WEP used at branches
– Department of Veterans Affairs (August 2006)
  – Unisys (sub-contractor) took equipment home / burglarized
  – Name, DOB, SSN, address, insurance for 26.5M veterans
  – Employee dismissed, supervisor resigned
– CardSystems (June 2005)
  – credit card payment processing company: out of business
  – 43 million CC #s stored unencrypted / compromised
  – 263,000 CC #s stolen from database via SQL Injection

4 Data Breaches
Over 230 million lost or stolen customer records since 2005. How did that happen?
[Chart: causes of breaches: Hacking, Stolen Equipment, Lost Equipment]
Source:

5 What do you mean “hacking?”
[Diagram: Attacker Provides This Input]

6 Normal Query
Web Browser (Username & Password) → Web Server → Database
SELECT passwd FROM USERS WHERE uname IS '$username'

7 Malicious Query
Web Browser (“Username & Password”) → Web Server → Database
SELECT passwd FROM USERS WHERE uname IS ''; DROP TABLE USERS; -- '
Eliminates all user accounts
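The two queries on slides 6 and 7 differ only in what `$username` contains. The following is an added example (not from the talk) that builds slide 7's query the unsafe way and beside it the parameterized form that a developer should write. The schema, the user row and the use of sqlite3 are constructed for the demo; `executescript()` stands in for a database driver that accepts stacked statements, because sqlite3's `execute()` refuses more than one statement per call.

```python
import sqlite3

# Constructed sample schema and row, standing in for the USERS table on the slides.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT, passwd TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice', 'ilovebob')")
    conn.commit()
    return conn

def table_exists(conn, name="USERS"):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None

def build_query_unsafe(username):
    # The slide's pattern: the attacker-controlled value is pasted into the SQL text.
    # With username = "'; DROP TABLE USERS; -- " this yields slide 7's query.
    return "SELECT passwd FROM USERS WHERE uname = '%s'" % username

def lookup_unsafe(conn, username):
    """Vulnerable lookup. executescript() simulates a driver that accepts stacked
    statements. Returns whether USERS still exists afterwards, so the side effect
    of the injected DROP TABLE is observable."""
    conn.executescript(build_query_unsafe(username))
    return table_exists(conn)

def lookup_safe(conn, username):
    """Hardened lookup: the value travels as a bound parameter, never as SQL text,
    so quotes and semicolons inside it are just characters in a string."""
    row = conn.execute(
        "SELECT passwd FROM USERS WHERE uname = ?", (username,)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    payload = "'; DROP TABLE USERS; -- "
    print(build_query_unsafe(payload))
    print("USERS survives unsafe lookup:", lookup_unsafe(make_db(), payload))
    conn = make_db()
    print("safe lookup result:", lookup_safe(conn, payload),
          "| USERS survives:", table_exists(conn))
```

With the bound parameter the lookup simply returns no row for the hostile username and the table is untouched; the fix is the query shape, not input filtering.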


9 Cross-Site Request Forgery (XSRF)
Attack scenario: Alice is using a (“good”) web application (assume user is logged in with a cookie). At the same time (i.e. same browser session), she is also visiting a “malicious” web application:

10 XSRF
Alice → good site: /login.html
Alice → good site: /auth uname=alice&pass=ilovebob
good site → Alice: Cookie: sessionid=40a4c04de
Alice → good site: /viewbalance (Cookie: sessionid=40a4c04de)
good site → Alice: “Your balance is $25,000”

11 XSRF
Alice → good site: /login.html
Alice → good site: /auth uname=alice&pass=ilovebob
good site → Alice: Cookie: sessionid=40a4c04de
Alice → malicious site: /evil.html
Alice's browser → good site: /paybill?addr=123 evil st, amt=$10000 (Cookie: sessionid=40a4c04de)
good site → Alice: “OK. Payment Sent!”
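The forged /paybill request on slide 11 succeeds because the browser attaches Alice's cookie to any request for the good site, whoever caused it. The usual defence is a secret per-session token that the good site embeds in its own forms and checks on every state-changing request; a page on another origin cannot read that token, so its forged request fails the check. The following server-side handler is an added example, not code from the talk; the session store, the token helper and the `handle_paybill` function are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}.
SESSIONS = {}

def login(uname, password):
    # Toy login for the demo (a real application verifies a password hash).
    # Each session gets an unguessable CSRF token alongside its id.
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"user": uname, "csrf": secrets.token_hex(16)}
    return sid

def render_paybill_form(sid):
    """The good site's own /paybill page embeds the session's token in the form."""
    return SESSIONS[sid]["csrf"]

def handle_paybill(cookies, form):
    """Handler for /paybill. Returns (status, message).
    cookies: dict of cookies the browser sent; form: dict of POST fields."""
    session = SESSIONS.get(cookies.get("sessionid"))
    if session is None:
        return 401, "not logged in"
    token = form.get("csrf", "")
    # Constant-time comparison on bytes; a missing or wrong token is rejected
    # even though a valid session cookie was attached.
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "request rejected: missing or invalid CSRF token"
    return 200, "OK. Payment Sent to %s for %s" % (form["addr"], form["amt"])

def forged_request(sid):
    """What evil.html can cause: the cookie rides along, the token does not."""
    return handle_paybill({"sessionid": sid},
                          {"addr": "123 evil st", "amt": "$10000"})

def legitimate_request(sid):
    """What the good site's own form submits: cookie plus the embedded token."""
    return handle_paybill({"sessionid": sid},
                          {"addr": "power company", "amt": "$120",
                           "csrf": render_paybill_form(sid)})

if __name__ == "__main__":
    sid = login("alice", "ilovebob")
    print("forged:", forged_request(sid))
    print("legitimate:", legitimate_request(sid))
```

The check has to run on every request that changes state, and the token must never be placed in a cookie, since the browser would then send it along with the forged request as well.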

12 What can the software community do?
Software Developers:
– Arm / educate yourself! (e.g.,
– Elect a security czar for each project
Managers:
– Instrument development process for security
– Organize for security (advisors, satellites, etc)
– Invest in training!

13 Secure Development Lifecycle Source: Software Security, Gary McGraw, ISBN 0-321-35670-6

14 Malware
– Logs keystrokes (including passwords)
– Joins a botnet
– Sends email spam from your machine
– Other countless bad things...

15 Malware Distribution
– Old style: email, peer-to-peer, etc
– New style: infect web pages & drive-by-downloads

16 Building Botnets with SQL Injection
– Attacker → Search Engine: query for vulnerable sites
– Attacker → Target Site(s): inject malicious Javascript/ActiveX
– User → Target Site(s): view page
– User gets infected: drive-by-download
– “What do you want to do today?” Log keystrokes, DoS, etc.
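From the site owner's side, the injection on slide 16 leaves a trace in the served HTML: a script include or an iframe pointing at a host the site never intended to load from, often sized to zero so visitors see nothing. The following is an added example (not code from the talk, and not how Google's own scanning works) of a small integrity check a site operator can run over their own pages: it collects every `<script src>` and `<iframe src>`, flags hosts outside an allowlist, and flags iframes that are hidden. The sample page, the hostnames and the allowlist are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IncludeCollector(HTMLParser):
    """Collects every <script src> and <iframe src> together with its attributes."""
    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("src"):
                self.includes.append((tag, a["src"], a))

def looks_hidden(attrs):
    """Zero-sized or display:none / visibility:hidden frames are not meant to be seen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)

def find_suspicious_includes(html, allowed_hosts):
    """Return (tag, src, reason) for includes that leave the allowlist or hide themselves.
    Relative URLs (no host) are the site's own and are not flagged."""
    parser = IncludeCollector()
    parser.feed(html)
    findings = []
    for tag, src, attrs in parser.includes:
        host = urlparse(src).hostname
        if host is not None and host.lower() not in allowed_hosts:
            findings.append((tag, src, "off-site include"))
        if tag == "iframe" and looks_hidden(attrs):
            findings.append((tag, src, "hidden iframe"))
    return findings

# Constructed sample: a forum page with two legitimate includes and two injected ones.
# "malware.example" is a placeholder host, not a real indicator.
SAMPLE_PAGE = """<html><body>
<h1>Forum</h1>
<script src="/static/board.js"></script>
<script src="https://cdn.example-shop.test/lib.js"></script>
<p>Welcome back.</p>
<script src="http://malware.example/x.js"></script>
<iframe src="http://malware.example/drop.html" width="0" height="0"></iframe>
</body></html>"""

ALLOWED_HOSTS = {"cdn.example-shop.test"}

def scan_sample():
    return find_suspicious_includes(SAMPLE_PAGE, ALLOWED_HOSTS)

if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Run against a crawl of the site's own pages, a non-empty result is a fast signal that templates or database-backed content have been tampered with; the allowlist should be the hosts the site's developers actually use, nothing broader.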

17 “This site may harm your computer”

18 Really! We're not kidding!

19 How does Google do that? Uses Google's search index and distributed systems

20 Social Engineering
BREAKING NEWS:
– Abortion outlawed in California
– How to save money on gas
– Millions of credit card numbers stolen from bank database, find out if you are affected
– Google launches free music downloads in China
– Jerry Yang relinquishes control over Yahoo
– McCain gives up fighting for presidency
– US Dollar hits 6-year high, further gains expected

21 Next-Generation Phishing + Malware

22 What can you do to protect yourself?
– Change default router password. Use WPA.
– Use a personal firewall. Always keep it ON.
– Use good anti-virus. (e.g.
– Install patches immediately. Use auto-update.
– Make backups or use a backup service.
– Use a browser with malware & phishing protection (e.g. Firefox 3).

23 What can you do to protect yourself?
– Don't install software you don't trust.
– Use bookmarks for financial sites (or Google).
– Check for SSL / HTTPS for important sites.
– Don't ignore security warnings.
– Use good passwords and reset questions.
– Use a credit card with a threshold limit.
– Consider virtual, one-time credit cards.
– If it sounds too good to be true, it probably is!

24 Summary
– What can software people do? Learn, organize, prevent, etc
– What is Google doing? Protecting you while you search & browse
– What can you do? Be vigilant!

25 Acknowledgements
– Amit Patel
– Arkajit Dey
– “Jedis” on Google's Security Team
