Hackers in the Library (presentation transcript)
Slide 1: Hackers in the Library

Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike.

October is Cybersecurity Awareness Month. For academic libraries this is a growing event, but there is no reason why it shouldn't include all institutions, including all types of libraries. Because "information" is central to library activities, information technology, and therefore cybersecurity, should be of growing concern and interest.

I began working with libraries in 2002 and during that time I have heard some shocking myths repeated regarding security. My goal with this presentation is to dispel one such myth: that libraries are not likely targets for cyberattacks.

To achieve that goal I don't intend to lecture about solid information security fundamentals, risk management, or threat analysis. Instead, I'm going to tell some stories about actual incidents that have occurred in libraries. Mainly these are things I have personally experienced, occasionally punctuated by reports of similar events in the media.

My intention is to entertain you, get you interested in these issues, and make you think about the things that make "a library a library" and how those things affect the probability and severity of cyberattacks against us.

Another myth, which I will only deal with indirectly, is that "security is the opposite of access." I was once told, "Firewalls are used to deny access. A library is supposed to provide access. Therefore I don't think this library should have firewalls, on the principle of the matter." After you hear real story after real story, I think you will be inclined to believe that "Security is what we do to GUARANTEE access... not to prevent it. Security ensures that no one will stop us from providing our communities with access to our information."
Slide 2: Library Website Shutdown by Hacker

Cyberattacks against libraries are not new, and they are not limited or simple. This slide shows a report of a library website being hacked.
Slide 3: ILS Server Hacked

Library ILS systems also get attacked (the commentary in this particular report is questionable in my opinion and serves to divert blame rather than constructively contribute to stronger security and access).

The report's explanation isn't exactly true: Unix isn't any more or less "hacker friendly" than any other OS (not at this level of discussion). Beware: this opinion is expressed in the L.I.S. literature (but contradicted in the I.T. literature). Don't play the blame game... come up with a defense-in-depth strategy instead.
Slide 4: Library Phonelines Hacked

Even library phone lines have been hacked. Sometimes hacks are a prank (as in the case of the x-rated story line hack). Sometimes hacks are for money (and I believe this is the current reality). I will talk more about motivation near the end of this talk.
Slide 5: Even the Library of Congress was Hacked

Even the Library of Congress was hacked (albeit a long time ago).
Slide 6: And More...

Library hacking isn't limited to any one geographical region. We see here a hack against a French library. Neither is this an issue of the past or just an issue of the future. We see here attacks that are old and newer.
Slide 7: Many Library Hacks: Old & New

And finally we see that all kinds of things get hacked: individual librarians' blogs, library websites, ILS systems. This was with us in the past and continues to be a problem for us in all areas.
Slide 8: This talk covers 3 Kinds of Library Cybersecurity Case Study
1 Libraries as unique targets
2 Libraries as attractive targets
3 Trends in cybercrime

Instead, I intend to share with you the stories of real incidents that took place in real libraries. These examples will show the various motivations attackers have and the methods they use. You will see that libraries are not only a valid target for cyberattacks, but a nice big inviting target. And hopefully you'll find these stories entertaining and intriguing as well.

I intend to focus on three areas:
1) Cases where hackers wouldn't target a non-library to get what they want
2) Cases where libraries are not unique but are more attractive targets
3) Cases that highlight how trends in cybercrime may make libraries more attractive in the future
4) Anything that I find fun or interesting as well (lots of these!)
Slide 9: Libraries fit into the 2nd Most Hacked Organization Type

According to Shezaf (2008) [Ofer Shezaf's OWASP 2008 presentation on trends in application security, based on analysis of vulnerability databases], Education is the 2nd most attacked type of organization. Libraries would fall into that category. We could argue that libraries might be a small part of that category; however, Shezaf's explanation of why education is attacked fits libraries extremely well.

Educational organizations are attacked because they have many of the characteristics of government (weak IT systems and staff) plus the need to be extremely open. Libraries often resist security, arguing that it is antithetical to the mission of libraries. Educational institutions, especially post-secondary and research organizations, make the same arguments.

Importantly, we must acknowledge that security is not something we do to deny access; it is something we do to guarantee access. Security interferes with access when the need for access is inadequately understood, documented and communicated.

[Chart labels: Libraries; Shezaf (2008)]
Slide 10: Libraries can be Unique Targets
Public Access Computers + Lots of Users
Private Records for Large Populations
Lots of Bandwidth
Access to Valuable Licensed Information

Libraries represent a unique type of target to hackers. No one thing about libraries is unique, but in combination they are somewhat unique.

First, libraries offer public access computers (PACs). Cybercafes, hotels and others do this too, but libraries offer LOTS of public access computers and typically have a mandate to impose as few restrictions as possible. Library PACs are typically free to use.

Libraries have LOTS of users. If hackers need a target rich with users (for social engineering attacks, identity theft, etc.) then libraries fit the bill. A large corporation also has LOTS of users, but libraries have more than one user per computer, so the number of users that can be reached with a single compromised computer is very high.

Libraries hold the private records for a LOT of people. Large corporations and government also have private records, but libraries typically have weak I.T. systems. In particular, ILS systems are extremely poor at protecting the privacy of users.

Libraries have LOTS of bandwidth. Libraries have to host servers and have to provide bandwidth for all those PAC stations. Lots of companies have bandwidth, but libraries have bandwidth on networks where the emphasis is on access and openness.

The most unique thing about libraries is that they provide restricted access to valuable licensed information ("databases"). There is a whole underworld of professors and doctors who hack libraries just to get free access to databases.
Slide 11: PAC Desktop Wallpaper Defacement

Here is an example of a hack that exploits the fact that libraries have LOTS of users.

In one large library, a small number of PAC stations in a particular area were found to have their wallpapers set to a political message (i.e. "support the last stand of the Lubicon"). The PAC stations were configured so that the desktop wallpaper could not be changed, but someone found a way around that. Importantly, the wallpaper on these PAC stations was normally set to something that provided instructions on how to use the PACs.

While this was a relatively easy thing to fix, it went undetected for an unknown period of time (probably months). It is not known what impact this had on users of the PAC stations. The PAC stations were in a moderately trafficked area (a walkway), so that might explain why those specific machines were targeted and not others. The odd thing is that this logo dates back to an event from 1988 but was discovered around . It is unclear why someone would choose this. An alternate explanation is that the defacement might have been an accident, but it was on multiple PACs so this is less likely.

There is an obvious balance at play here. This type of defacement was trivial and the chance of being caught low. Would someone deface our website if they could do that just as easily? Would the disruption be as minor?

Slide caption: A politically motivated defacement of PAC station desktop wallpaper. The regular wallpaper was used to provide instructions for use of the PAC and was "locked down".
Slide 12: Helpful HOWTO on Library Hacking

I found this site while preparing for this talk and it highlights the risk to our PACs.

We talk about our systems in terms of openness and free access. But we do put constraints on their use for a variety of important reasons (including protecting users from those who would deny them access or harm them in ways they cannot predict). As soon as we put limits on our systems, there are people who will want to bypass them. Here we see a person or group of users who list the problems with library/school/public computers and promise a 3-step process to bypass any restrictions.

We have to be honest about our restrictions and their importance and set standards for handling violations. The kinds of things people do to bypass our systems might damage them and thus waste our valuable resources. Don't lock down your systems more than you have to, and realize that users will try to bypass what you do lock down.
Slide 13: Ezproxy Password "Fans"

Here is a very unique library issue. We license an enormous amount of information and make access available to our communities at reduced cost. In Alberta this is more true than in most other communities, due to our Lois Hole funding for database licensing and our other (very effective) consortial licensing activities.

This makes us a target. While we talk about access with words like "open" and "free", there is another perspective: we provide restricted access to valuable licensed resources, resources that other communities do not have access to and value as highly as we do (or value more!).

There is a community (with a website called "passfans", short for "password fans" or "password sharing fans" if you will) that works together to share passwords to library systems. This community distributes instructions on how to hack into library systems (in particular EZproxy, but also VPNs/firewalls) and how to share access. In the past year this community has grown substantially more sophisticated.

I was able to dig into documents and webpages that are not restricted to members of that community, using a combination of search engine caches and the Wayback Machine. The users are primarily academics and other professionals in areas that don't have access to the databases we license, but where access to that information makes a big difference to their professional activities. They encourage others to hack into proxy servers and networks... doctors and professors from around the world are our special library hackers.
Slide 14: Academics and Doctors Dedicated to Hacking Library Proxy Servers

This screenshot comes from a different password sharing site. Actually it's a discussion forum for medical professionals, but many threads focus on sharing passwords and they frequently link back to the passfans site. You can see here that they are announcing that they have compromised a university site. I have blurred the name, but it is a large university in our community here in Alberta.

In another posting not shown here, they go on to talk about how they are wasting their time gathering individual passwords for users at the university and that they should start to focus on compromising the university's network so that they can set up a VPN that everyone can share.

A VPN is a Virtual Private Network connection. When you are at home and use a VPN connection to connect to your institution's network, your computer temporarily joins that network... it's almost the same as using a computer at work. You've got an IP address from work and you've got access to all the same things as if you were at work. If they create a VPN connection, their access is not logged the same way as if they were using EZproxy, and it would be harder to detect the compromised accounts.

These guys are evolving fast. Think about the money involved... we pay MILLIONS for these databases... they need that access... how much would they be willing to do to get access? LOTS... MILLIONS of dollars' worth in aggregate.
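The detection side of this, as an added example that is not part of the original talk: a script that reads an EZproxy access log and flags accounts used from an implausible number of off-campus addresses inside a short window, which is what a password posted to a sharing forum looks like from the proxy's point of view. It assumes the EZproxy default LogFormat ("%h %l %u %t \"%r\" %s %b", Apache common log style with the authenticated user in the third field) and an institutional address range listed in CAMPUS_NETS; the log lines, user names and addresses are constructed sample data.

```python
"""Added example (not from the original talk): spot shared or stolen EZproxy
credentials from the proxy's own access log.

Assumptions: the log uses the EZproxy default LogFormat
"%h %l %u %t \"%r\" %s %b" (Apache common log style with the authenticated
user in %u), and the institution's own address space is listed in CAMPUS_NETS.
All addresses, users and lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed institutional range (a documentation prefix stands in for it).
CAMPUS_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample log: one on-campus user, one account whose password
# has been posted to a sharing forum, one legitimate remote user.
SAMPLE_LOG = """\
192.0.2.10 - jdoe [12/Oct/2008:09:01:12 -0600] "GET /login HTTP/1.1" 200 512
192.0.2.10 - jdoe [12/Oct/2008:09:02:40 -0600] "GET /db/search HTTP/1.1" 200 8192
198.51.100.7 - shared01 [12/Oct/2008:09:00:05 -0600] "GET /login HTTP/1.1" 200 512
203.0.113.9 - shared01 [12/Oct/2008:09:03:17 -0600] "GET /login HTTP/1.1" 200 512
198.51.100.88 - shared01 [12/Oct/2008:09:05:51 -0600] "GET /db/fulltext HTTP/1.1" 200 65536
203.0.113.200 - shared01 [12/Oct/2008:09:08:02 -0600] "GET /login HTTP/1.1" 200 512
198.51.100.7 - shared01 [12/Oct/2008:09:09:30 -0600] "GET /db/fulltext HTTP/1.1" 200 65536
203.0.113.15 - shared01 [12/Oct/2008:09:11:44 -0600] "GET /login HTTP/1.1" 200 512
192.0.2.55 - asmith [12/Oct/2008:11:20:00 -0600] "GET /login HTTP/1.1" 200 512
203.0.113.77 - asmith [12/Oct/2008:21:45:00 -0600] "GET /login HTTP/1.1" 200 512
"""


def parse_log(text):
    """Yield (timestamp, user, client address) for each well-formed,
    authenticated line; unauthenticated ("-") and malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") == "-":
            continue
        yield (datetime.strptime(m.group("time"), TIME_FMT),
               m.group("user"),
               ip_address(m.group("host")))


def is_campus(addr):
    return any(addr in net for net in CAMPUS_NETS)


def find_shared_accounts(text, window=timedelta(hours=1), threshold=3):
    """Return {user: set of off-campus addresses} for every user seen from
    more than `threshold` distinct off-campus addresses inside any `window`.

    On-campus hits are ignored: many people share a PAC or a NAT address
    there, so they say nothing about whether a password has leaked."""
    offcampus = defaultdict(list)
    for ts, user, addr in parse_log(text):
        if not is_campus(addr):
            offcampus[user].append((ts, addr))
    flagged = {}
    for user, events in offcampus.items():
        events.sort()
        worst = set()
        for i, (start, _) in enumerate(events):
            # distinct addresses in the window that opens at this event
            seen = {addr for ts, addr in events[i:] if ts - start <= window}
            if len(seen) > len(worst):
                worst = seen
        if len(worst) > threshold:
            flagged[user] = worst
    return flagged


if __name__ == "__main__":
    for user, addrs in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: {len(addrs)} distinct off-campus addresses in one hour")
        for a in sorted(addrs):
            print("   ", a)
```

Tune `window` and `threshold` to your population: travelling faculty legitimately appear from two or three networks in a day, but five unrelated networks inside an hour is a shared password. The check stops working once the sharers move to a VPN, as the forum thread above proposes, because everything then arrives from one institutional address; at that point the VPN concentrator's own logs are the place to look.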
Slide 15: Forums show why libraries are being targeted

Here you can see the motivations and a little about the identities of these "hackers". These are probably not the people you thought would be hacking your library systems.

There are a few good books on library security but few address computer/network/information security. One book that does (citation please) gives the profile of a hacker as a young male looking to learn or explore systems or looking for bragging rights... someone with little regard for privacy. It's a good book that gives that quote, but that information is wrong (it may never have been true; it sounds like the profiles that the FBI was working from in the mid 1990s, which were based on information from the mid 1980s and that caused them much embarrassment).

The real profile is harder to come by. There are lots of types of people that will hack you... no one type. Some are young, some old, some in-between. Some are professionals with money, some are poor students or homeless people (with computer access and an education). Some are not that bright, and some are women and some are men.

Instead of profiling the hacker, profile the target. What is valuable about your systems? How are they accessed? How are they protected? That will tell you more about how they might be compromised, how often they will be targeted, and how badly you will be hurt when they are compromised, than any information about the attackers. It's not like you're going to come face-to-face with the hackers that often (if ever). But you do encounter your systems every day... that is your strength.
Slide 16: Typosquatting Virtual Reference
Typosquatters have websites with popular misspellings for names
In 2006 several cybersquatters displayed content from and links back to askaquestion.ab.ca
Is that a GOOD thing or a BAD thing?

Shortly after TAL launched the new "AAQ 2.0" interface, they saw a sharp increase in the number of questions coming into the system. We were seriously worried about the ability of the Alberta library community to keep up with the volume if it continued to grow, and so we started to analyse where the questions were coming from. In particular we were interested in the source of "guest" questions: questions that came from non-Albertans.

One of the things we looked at was the HTTP "referrer" for each question (the header is spelled "Referer" in HTTP): the URL of the webpage that contained the link to the AAQ website that led a user to come and ask a question. Most of what we found was not interesting, but we did find a strange type of security problem. We found that many questions were coming in from "typosquatter" sites.

Typosquatters are the people who register domains (website addresses) that are common misspellings of popular websites. For example, the website for the Calgary Public Library is "calgarypubliclibrary.com" (singular). But there is a typosquatter with a website of "calgarypubliclibraries.com" (plural). That site contains nothing except advertisements. The typosquatter gets paid when those ads are displayed or clicked. The typosquatters try to customize their site to have menus with keywords that are similar to what would be on the real website (in this case related to the words "calgary" and "library").

Users were getting lost trying to find the library and inadvertently finding their library's reference service. The security issue is that the typosquatter gets paid for confusing people and leading them (sometimes) back where they meant to go. Libraries have a mission to organize information: the typosquatter introduces chaos and makes money in the middle of chaos and order (infoscum).
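One way to run the referrer analysis described above, as an added example that is not part of the original talk: it parses Apache "combined" log lines, takes the host out of the Referer field, and flags any host within a small edit distance of one of the library's own domains. The two library domains named in the talk are used as targets; the log lines and the other hosts are constructed, and the edit-distance ratio of 0.15 is an assumed threshold.

```python
"""Added example (not from the original talk): find typosquatter domains in
the HTTP referrers of incoming requests.

Assumptions: Apache "combined" log lines (the referrer is the second-last
quoted field), the library's own domains are listed in LIBRARY_DOMAINS, and a
referrer counts as a look-alike when its host is within a small edit distance
of one of ours. All log lines, and every host other than the two domains the
talk names, are constructed sample data.
"""
import re
from collections import Counter
from urllib.parse import urlparse

LIBRARY_DOMAINS = ["calgarypubliclibrary.com", "askaquestion.ab.ca"]
REFERRER_RE = re.compile(r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$')

SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2006:10:15:02 -0700] "GET /ask HTTP/1.1" 200 2048 "http://www.calgarypubliclibraries.com/links.html" "Mozilla/4.0"
203.0.113.6 - - [03/Mar/2006:10:16:45 -0700] "GET /ask HTTP/1.1" 200 2048 "http://askaquetion.ab.ca/" "Mozilla/4.0"
203.0.113.7 - - [03/Mar/2006:10:17:10 -0700] "GET /ask HTTP/1.1" 200 2048 "http://www.calgarypubliclibrary.com/reference" "Mozilla/4.0"
203.0.113.8 - - [03/Mar/2006:10:18:30 -0700] "GET /ask HTTP/1.1" 200 2048 "http://www.google.ca/search?q=library" "Mozilla/4.0"
203.0.113.9 - - [03/Mar/2006:10:19:00 -0700] "GET /ask HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [03/Mar/2006:10:25:02 -0700] "GET /ask HTTP/1.1" 200 2048 "http://calgarypubliclibraries.com/links.html" "Mozilla/4.0"
"""


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1. Transposed letters are the
    commonest typo, which plain Levenshtein would count as two edits."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def referrer_host(url):
    """Host part of a referrer URL with a leading "www." dropped; "" for "-"."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def lookalike_of(host, targets=LIBRARY_DOMAINS, max_ratio=0.15):
    """Return the library domain this host imitates, or None.

    Our own domains and their subdomains are never look-alikes; anything else
    whose edit distance is at most max_ratio of the longer name is."""
    if any(host == t or host.endswith("." + t) for t in targets):
        return None
    for t in targets:
        if osa_distance(host, t) / max(len(host), len(t)) <= max_ratio:
            return t
    return None


def typosquat_referrers(log_text):
    """Map each look-alike referrer host to (domain it imitates, hit count)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REFERRER_RE.search(line)
        if not m:
            continue
        host = referrer_host(m.group("referrer"))
        if not host:
            continue
        target = lookalike_of(host)
        if target:
            hits[(host, target)] += 1
    return {host: (target, n) for (host, target), n in hits.items()}


if __name__ == "__main__":
    for host, (target, n) in typosquat_referrers(SAMPLE_LOG).items():
        print(f"{n:3d} hits from {host} (imitates {target})")
```

Raw distance alone produces false positives on short names, so the ratio is taken over the longer name, and your own subdomains are excluded before the comparison. The list of hits doubles as the list of misspellings worth registering defensively.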
Slide 17: Student Sent a Prank Overdue Notice

First overdue notice:

According to our records, the following library material is overdue. Please renew or return as fines may be accruing. Currently you owe $ If you do not pay by 10/10/2008, your University degree will be immediately revoked.
If you wish to renew, you may do so using this link to My Account at
Contact the circulation desk at the above library if you have any questions.
Thank you.
1 call number: Z 699 A1 A61 v ID: $30.00
Annual review of information science and technology. [Washington, etc.] American Society for Information Science [etc.]
due: 8/31/2008, 23:59
2 call number: Z 699 A1 A61 v ID: $21.00
....

Recently I was involved in a brief security issue relating to a library fines notice. A student came to a circulation desk with a printout of an email he received. It appeared to be from our ILS and appeared to be an overdue fines notice. The student was quite upset because it claimed he owed hundreds of dollars for books he had never taken out. The notice further threatened to revoke his degree if he did not pay immediately and return the overdue books.

The note looked very much like a genuine notice. It had the correct formatting, the correct subject line, and the same "From:" address as our notices. The only thing that was out of place was the threat of punishment.

The circulation staff did the right thing and looked up his records in the ILS. He did not have those books out and did not owe fines. But due to the genuine look of the notice and the severity of the threat, the student persisted and wanted an explanation. The circ staff forwarded this to the IT team that manages the ILS and they noticed that it was NOT a proper notice from our system. So it went to management and to me (security analyst). We immediately realized that someone must have forged this (*anyone* can send an email that appears to be from someone else... there is no authentication in email).

By the time we got to this the culprit had already confessed. It was a prank. The prankster apologized but wanted to know why we allow people to forge these important emails (we don't "allow" it... it's out of our control, which they obviously knew). I recommend that all ILS vendors support S/MIME digital signatures: these digitally sign the email so users can verify 100% who the sender was.
Slide 18: Library Patron Records Exposed

When I start to think about ILS security I either get angry, anxious, or depressed. ILS systems have virtually no security and the ILS databases contain a treasure trove of personal information. In the context of Alberta libraries I am in a unique position: I have seen into almost ALL Alberta libraries' ILS databases (at the raw database level). This was not as a hacker, of course, but as a legitimate part of consulting work I have done for libraries.

Most libraries approach "ILS privacy" through discussion of issues such as protecting patron records in the physical presence of the circulation desk (don't let people see the screen, verify people's identity before you tell them what's on the screen, etc.). The threats are far more complex. This slide shows a few entries from a "data loss database": a database of publicly disclosed incidents where data was exposed through hacking, lost backups, not shredding paper, etc. Libraries get hit, and the information disclosed goes far beyond what we need to keep to run the circulation desk.

Here is a brief run-down of the weak IT practices in the ILS:
1) The critical data is not encrypted (SSNs, credit cards, passwords).
2) The connection between the circ application and the circ server is not encrypted. Neither is the connection from the circ server to the database.
3) Too much information is kept in the database (more than is needed).
4) All users have access to all information (access should be based on transactional need).
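The four weak practices as code, as an added example that is not part of the original talk: a constructed patron record in the form many ILS databases keep it, beside functions that strip it to what circulation needs, hash the password instead of storing it, filter what each role can read, and build a TLS client context for the circ-application-to-server link. The record, role names and permitted fields are assumptions for illustration, not any vendor's schema.

```python
"""Added example (not from the original talk): the four weak ILS practices
listed above, with the weak form beside the corrected one.

Assumptions: a patron record as a plain dict (constructed sample data, not any
vendor's schema), illustrative roles and permitted fields in FIELD_ACCESS, and
a circ client that talks to the server over TLS sockets (client_tls_context
builds the client side; it opens no connection here).
"""
import hashlib
import hmac
import os
import ssl

# Practices 1 and 3: everything kept, sensitive values stored in the clear.
WEAK_PATRON = {
    "barcode": "21234000123456",
    "name": "Pat Example",
    "password": "summer2008",           # plaintext password
    "ssn": "123-45-6789",               # never needed to run a circulation desk
    "credit_card": "4111111111111111",  # likewise
    "address": "1 Library Lane",
    "loans": ["Z 699 A1 A61 v.42"],
}

# Practice 4, corrected: each role sees only the fields its transactions need.
FIELD_ACCESS = {
    "circ_desk": {"barcode", "name", "loans"},
    "billing": {"barcode", "name", "address"},
    "sysadmin": {"barcode"},  # may reset a password; need not read patron data
}

# Fields a circulation system actually needs (assumption for this example).
NEEDED_FIELDS = {"barcode", "name", "address", "loans"}


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the record keeps this string, not the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def minimize(weak_record):
    """Practices 1 and 3, corrected: drop what circulation never needs and
    replace the plaintext password with a hash. Data you do not hold cannot
    leak from a lost backup or a dumped database."""
    record = {k: v for k, v in weak_record.items() if k in NEEDED_FIELDS}
    record["password_hash"] = hash_password(weak_record["password"])
    return record


def view(record, role):
    """Practice 4, corrected: filter a record down to the role's permitted fields."""
    allowed = FIELD_ACCESS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def client_tls_context():
    """Practice 2, corrected: a client context for the circ-app-to-server link
    that verifies the server certificate and refuses anything below TLS 1.2.
    Use it as ctx.wrap_socket(sock, server_hostname=host)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    rec = minimize(WEAK_PATRON)
    print("stored record:", rec)
    print("circ desk sees:", view(rec, "circ_desk"))
    print("login ok:", verify_password("summer2008", rec["password_hash"]))
```

Hashing covers passwords, which never need to be read back. SSNs and card numbers are different: if a field must be read later it needs encryption with the key held outside the database, but the first question under practice 3 is whether the library needs the field at all, and for a circulation desk the answer is usually no.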
Slide 19: Libraries are Attractive Targets
Lots of Bandwidth + Lots of Users
Open Networks
Weak I.T. Practices
Slide 20: Turkish Defacers Attack Museum Greeting Cards

I was asked to analyze an incident involving a museum/archive's website. This archive/museum had recently started to digitize a particular collection and wanted to promote the digital materials. To do this they decided to offer an "electronic greeting card" website. The idea was that users could use the website to send an email message to another user that contained an image from the digital collection.

The staff in charge were given no budget (of course), so they looked around quickly and found a free program that would do what they needed. They installed it, customized it with the images from the collection and "went live" with it.

A week or so later I got called because the site was "defaced" as shown in the slide. This incident demonstrates what I mean when I talk about "weak IT practices". This isn't an insult but a reality of our world. In this case it means that the staff didn't perform due diligence when selecting the software (because no budget means NO TIME to spend on it either). They should have asked a few basic questions (not unlike what you'd do to select a reference source): What is the reputation of this software? Is it maintained and updated regularly? Have there been security problems with it? How were those handled? In this case a quick look at the website for the greeting card program showed that the software had not been updated in years and the support forum for the software was filled with current messages titled things like "I installed it and got hacked! Help!" (lots of those).

The site was completely discontinued (due to that no-budget thing). In the end it cost the install time, the cleanup and investigation, and the museum got nothing in return and a bit of embarrassment on top of it (because people may have seen the defaced site).
Slide 21: WordPress Spam Link Injection

Another defacement I worked on was MUCH more serious. This incident cost weeks of time for multiple people. Like the last incident it highlights weak IT practices. In this case the software had a good reputation and was regularly maintained, but the website maintainers did not install patches on a regular basis (again, no time budgeted for regular maintenance, and/or priority going to new projects rather than regular maintenance). Personally, I would rather avoid an incident than clean one up... it is just plain cheaper.

In this case the library had many WordPress blogs. There was a known vulnerability in WordPress and it had been fixed, but in this library the fix had not been installed.

An attacker was defacing a large number of sites with this hack. They were "injecting" links into vulnerable blogs. The links, however, were not visible to normal viewers, so library staff didn't SEE evidence of the hack. They only suspected a problem when, during a routine clean-up, they found some weird PHP files on the server. The files looked suspicious, and they immediately recognized them as a secret backdoor that would let the attacker do anything he wanted on the server (run any program he wanted). Further investigation found widespread backdoors in other web applications on that server. The injected links were only visible to Google when it indexed the site... the hackers were stealing our reputation to boost their own (if someone with a good Google rank links to someone else, that person's rank goes up). It helps typosquatters make money.

Another weak IT practice was that this web server was running lots of software and there was just one user account on the system... hacking one application gave full access to all applications and to ALL databases... some databases not related to the blogs contained information from the ILS... the hackers potentially had access. Logfile analysis revealed that it was unlikely that anything was disclosed.
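Two checks that would have found this earlier, as an added example that is not part of the original talk: a hidden-link finder that reports anchors a browser never displays (the injected spam links), and a scan for source patterns typical of PHP backdoors (the "weird PHP files"). Both run here over a constructed blog page and constructed PHP snippets; the pattern list is illustrative, not exhaustive.

```python
"""Added example (not from the original talk): two checks for the WordPress
incident above, run over constructed sample data.

find_hidden_links() finds anchors a browser would never show (display:none,
visibility:hidden, off-screen positioning, zero font size), which is how
injected spam links stay invisible to staff but visible to a search engine.
scan_php() flags source patterns typical of PHP backdoors. Both the page and
the PHP snippets are constructed samples; the pattern list is illustrative,
not exhaustive.
"""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px|font-size\s*:\s*0(?![.\d])",
    re.I,
)


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags inside (or carrying) a hiding style."""

    def __init__(self):
        super().__init__()
        self.stack = []          # open tags
        self.hidden_from = None  # stack depth at which a hidden ancestor began
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.stack.append(tag)
        if self.hidden_from is None and HIDDEN_STYLE.search(a.get("style") or ""):
            self.hidden_from = len(self.stack)
        if tag == "a" and a.get("href") and self.hidden_from is not None:
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        # Pop to the matching open tag; tolerates unclosed void tags like <br>.
        while self.stack:
            if self.stack.pop() == tag:
                break
        if self.hidden_from is not None and len(self.stack) < self.hidden_from:
            self.hidden_from = None


def find_hidden_links(html):
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.links


BACKDOOR_PATTERNS = [
    (r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
     "eval of a decoded payload"),
    (r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
     "shell command taken from request input"),
    (r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(",
     "request parameter called as a function"),
    (r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]",
     "preg_replace with the /e (code execution) modifier"),
]


def scan_php(files):
    """Map path -> list of reasons for every file matching a backdoor pattern.
    `files` is {path: source text}."""
    findings = {}
    for path, source in files.items():
        reasons = [why for pat, why in BACKDOOR_PATTERNS if re.search(pat, source)]
        if reasons:
            findings[path] = reasons
    return findings


# Constructed samples.
SAMPLE_PAGE = """<html><body>
<h1>Library blog</h1>
<p>Welcome. <a href="/about">About us</a> | <a href="/hours">Hours</a></p>
<div style="display:none">
  <a href="http://example.net/cheap-pills">cheap pills</a>
  <a href="http://example.org/casino">online casino</a>
</div>
<div style="position:absolute; left:-9999px"><a href="http://example.com/loans">payday loans</a></div>
<p><a href="/contact" style="font-size:0.9em">Contact</a></p>
</body></html>"""

SAMPLE_PHP = {
    "wp-content/uploads/.cache.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
    "wp-content/themes/x/footer.php": "<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>",
    "wp-includes/functions.php": "<?php function wp_get_date() { return date('Y-m-d'); } ?>",
}


if __name__ == "__main__":
    print("hidden links:", find_hidden_links(SAMPLE_PAGE))
    for path, reasons in scan_php(SAMPLE_PHP).items():
        print(path, "->", ", ".join(reasons))
```

Run the hidden-link check from outside, fetching your own pages with a search engine's User-Agent, because the injection may only be served to crawlers. For the backdoor scan, comparing file hashes against a clean copy of the same WordPress release catches more than pattern matching, since attackers obfuscate; the patterns are quick triage, not a substitute for that diff.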
Slide 22: Library GIS Station Hacked

Here is an incident found on a mailing list. It is a fairly common problem that occurs when you don't keep your systems patched regularly. A library's geographical information system computer got hacked. The hackers used it to share MP3 files (probably via a peer-to-peer filesharing network). Keep your systems up-to-date.

In the next slide I'll talk about a really interesting (scary, funny) incident I dealt with where a database server got hacked because it wasn't patched and someone used it to share files.
Slide 23: Hacked to Serve Illicit French Movies?

One Monday morning I got an email from our upstream Internet provider telling us that one of our servers was being blocked for excessive bandwidth usage. I was shocked because the server was used only for software development and wasn't currently in use. There was a copy of MS SQL on the server that was not patched and was easily exploitable... the hackers had full control over our server.

When I investigated I found that the hard disk was nearly full, and when I searched I found over 20 GB of movie files in a directory. Further investigation showed that these were being shared using a P2P (peer-to-peer) filesharing network (hence the high bandwidth usage).

Interestingly, all of the movie files had titles that were in the French language. Now, perhaps it is just my mind here, but for this incident, everything in French just sounded dirty to me. I naturally assumed the worst and began to wonder exactly what kind of movies someone would need to upload to a hacked server. I was really beginning to think that once I examined one of these files I was probably going to have to involve the police.

I held my breath, double-clicked, and was SHOCKED by what I saw, more than I expected. [next slide!]

Slide caption: An unpatched server was compromised and used to distribute 20 GB of videos with French language titles. The problem was discovered when the server was blocked for excessive bandwidth usage.
Slide 24: French Puppet Videos!

The videos turned out not to be pornographic as we had assumed, but quite innocent: French language puppet videos.

Despite the "innocence" of this incident, it still took us 7 hours to clean up the server. Factor in the damage caused by the server being blocked for over 24 hours due to the high bandwidth usage. In many ways we were lucky that the incident was not much worse. They "0wn3d" our server with this attack and could have run anything on it. Fortunately, the server was a development server with no "real" data on it.

Given that many libraries have a mission of preservation, we could have helped the hackers find a legitimate host for these videos (assuming copyright clearance, etc.).

We must also consider the possibility that this was not innocent at all but espionage. Steganography is the science of hiding data inside other data files. Secret information could be stored inside a video file. Anyone finding the video would not suspect that there is another file hidden inside the video. Various research indicates that between 1% and 10% of JPEG images on the Internet contain steganographic hidden messages.

Slide caption: The server was distributing 20 GB of French puppet videos. The cleanup time was 7 hours. If they had just asked we would probably have found someone to host the videos for them!
Slide 25: Trends in Cybercrime Will Affect Libraries
Every factor already mentioned + Hackers' desire to make money
Slide 26: Hackers are motivated by Money
Defacement
Propaganda
Bragging Rights
Reputation Hijacking
Ad Revenue
Stealing Sensitive Info
Ransom
Direct Financial Gain
Information Leaks
Enable other Attacks

Shezaf (2008) [OWASP 3.0] argues that motivation for incidents breaks down to about 50% money and 50% political. His pie chart doesn't quite reflect that, but if you think about what "defacement" and "stealing sensitive info" mean, you can see how it breaks down. I personally see much more impact from attacks motivated by money, and I see that growing rapidly.

However, libraries have a special exposure to politically motivated attacks. We often preserve or display special collections. Sometimes those collections are controversial. Think about who steals your books and why. Sometimes they want to keep it, sometimes they want to sell it, but many times they just want to deny other people access to the content. The same motivation applies to our online information.

LOCKSS (Lots of Copies Keep Stuff Safe) faces these problems head on. When you preserve a collection with LOCKSS, historical revisionists will find it hard to secretly delete or modify a collection or item.

Prior to the Olympics in Beijing, there was controversy over China's human rights record. There was also a backlash from ex-pat Chinese who created a denial of service against CNN, whom they felt was spreading lies about China. At one university I know, their museum had a Chinese display at this time. They were seriously worried about someone defacing the physical materials. What if it had been an online collection or display? Would the library/museum/university have been cyberattacked?

[Chart: Types of Cyberattacks by Volume, Shezaf (2008)]
Slide 27: Library Phonelines Hacked

Let's talk about money as a motivation again. Here we see that slide from before about a library that suffered a large bill in a telephone hack (if you're using VoIP, Voice over IP, get used to seeing this kind of thing).

This sounds like a lot, but $15,000 isn't much when it comes to cybercrime. At OWASP 3.0 one presenter showed a cheque that was issued to someone who makes money off of click fraud (making sites full of ads and fraudulently getting people or programs to click on the ads to make money). The cheque was for one month's pay and it was for half a million dollars. Granted... this was one of the big guys... so what is a small guy? $10,000 per month? [OK... nobody quit their day job... you're supposed to be on the good guys' side].

At these levels the bad guys are HIGHLY motivated to do anything that will make money. I argue that libraries are a more attractive target than most other environments. I argue this because we have lots of users (some attacks rely on large numbers of people, hoping one or two will get duped). We have lots of computers (some attacks need lots of computers to launch "distributed" coordinated attacks). We have lots of bandwidth (always needed). And we have weaker IT practices than other institutions (we can change that in time).

Even if we are only a slightly more attractive target, that means we will see more damage than others. As the stewards of mostly public funds, with limited budgets and unlimited demands, we MUST protect ourselves if we intend to fulfill our institutional missions.
28 Phishing & Spear-phishing

From:
To: <undisclosed recipients>
Subject: (TRANSFER CONTACT)

My Dear,

It`s me Mrs. Anita Johnson Ross, please I have been waiting for you to contact me regarding your willed fund of ($3,500,000.00) (Three million five hundred thousand dollars) but i did not hear from you since the last time. Well I finally went and deposited the fund in a bank, as I will be going in for an operation any moment from now. I hope you are aware that I have been diagnosed for cancer about 2 years ago, that was immediately after the death of my husband before I was touched by God to donate from what I have inherited from my late husband to you for the good work of God than allow my relatives to use my husband hard earned funds ungodly.

What you have to do now is to contact the Bank as soon as possible to know when they will Transfer the money to you to start the good work of the lord as initially arranged, and to help the motherless less privilege also for the assistance of the widows according to (JAMES 1:27). For your information, I have paid all the Charges, Insurance premium and Clearance Certificate showing that it is not a Drug Money or meant to sponsor Terrorism in your Country. The only money you have to send to the Bank is the account opening fee due to my method of deposit. Again, don't be deceived by anybody to pay any other money except account opening charges.

Please kindly contact the bank on Tel: /Fax: OR via with your full names contact telephone/fax number and your full address and tell them that I have deposited the sum of ($3,500,000.00) in the Unit account of the bank and you are the present beneficiary to the sum. I will inform the bank immediately that I have WILL-IN that amount to you for a specific work. Let me repeat again, try to contact the Bank as soon as you receive this mail to avoid any further delay and remember to pay them their account set up fee for their immediate action. I will also appreciate your utmost confidentiality in this matter until the task is accomplished as I don't want anything that will jeopardize my last wish. Also I will be contacting you by as I don't want my relation or anybody to know because they are always around me.

Yours Faithfully,
Mrs. Anita Johnson Ross

This slide shows a typical phishing email. It looks like a “Nigeria” scam. The bad guy wants you to contact them and accept a transfer of money. In fact they will ask you for as much personal information as they can get (bank accounts, ID numbers, phone numbers, birth dates, etc.). They will then use that information to drain your accounts, steal money from you, take out a mortgage in your name, or do whatever they can.

Spear-phishing is the same thing, except they target you specifically because they already know something about you. If you call the phone number in the email, you will find that it is real. If you ask for Mrs. Ross there will be someone there answering to that name who knows about the email.

I was once working in a library, fixing a PAC station in a public area, when I overheard a young person nearby talking on his phone. He had his email open on the PAC station in front of him. He asked for a “Mr. Smith” and said it was regarding a “transfer of funds.” He was put on hold and then spoke to Mr. Smith. He said it was regarding the email he received about the “transfer of funds” and said he wasn't expecting such a transfer but wanted to know what he needed to do. After a longer pause, the young person began to list a series of numbers... clearly account and phone numbers... I rushed over and put my hand in front of the screen to get his attention and said, “You know that's fraudulent, right?” After a few seconds of explanation he told Mr. Smith, “I'll have to call you back.” The young person said to me, “Well, it's a lot of money but not... not a LOT of money, you know?” (it was about 8 million UK pounds). The student was wealthy and a world traveller and regularly got large transfers from his family... he nearly got speared!
29 DNS Poisoning
- The cyberbrowse owner gets paid $$$ when people view or click on ads.
- We found that Big Public Library's DNS servers were being poisoned to misdirect browsers to the cyberbrowse website

Here is another example of a hack that relies on the fact that libraries have lots of computers and lots of users.

I was consulting for a large library organization. We had a website that was used by many other libraries and had somewhere near 50,000 visits each day. One afternoon I got a phone call: “Big Public Library says that something is wrong with our website. Every time someone visits our homepage, they get some other site called XXX.”

I checked the website and found no problems. I checked our server logs and found no problems. I checked a whole lot of things and everything was fine. “I can't find a problem. Is this a CURRENT issue?” “I'll find out.” A few minutes later I got a call: “It's OK now.” I asked, “What was the problem?” They didn't know, but it was gone now. Has anyone else reported this? Is it just this one library that has the problem? It was just this one library.

Now I'm really worried. The problem just went away. Sometimes little problems happen and your website can be down. This kind of problem never occurs. A voice in my head said, “DNS cache poisoning,” but I laughed at the voice... that's an archaic problem that was solved years ago.

Long story short, someone was “poisoning” the DNS servers of Big Public Library and changing them so that whenever users went to sites that got a lot of traffic, they would see banner ads instead. The attacker made money every time the ads were shown. He would only run the attack for short periods so people would overlook it. Given the number of users at the library, he made MONEY.
30 How DNS Works

[Diagram: Your PC, Your DNS Server (with its DNS Cache) and Hotmail's DNS Server. Steps: (1) Your PC asks Your DNS Server “What is the IP for...”; (2) Your DNS Server asks Hotmail's DNS Server “What is the IP for...”; (3) Hotmail's DNS Server replies “The IP is...”; (4) Your DNS Server stores “Remember hotmail.com is...” in its DNS Cache; (5) Your DNS Server replies “The IP for hotmail.com is...”; (6) Your PC gets the webpage from 126.96.36.199.]

When you want to visit a website you use its “name” (e.g. ). But computers don't use names... they use numbers (IP addresses, e.g. ). DNS (Domain Name System) is a system that converts names to addresses. Just like the phone book... you have a name but you want to know the address. DNS helps you convert one to the other.

Normal DNS works like this. You put “www.hotmail.com” into your browser. Your computer doesn't know what address is associated with the name hotmail.com, so it asks a DNS server to look up that name. If the DNS server doesn't already know, it will find an “authoritative” DNS server that knows the answer. Your DNS server will cache a copy of the answer just in case you need to look it up again in the future. Then the DNS server tells your computer the address, and your browser can connect to the website.

That's the way it is supposed to work.
31 How DNS Poisoning Works

[Diagram: Your PC, Your DNS Server (with its DNS Cache), Hotmail's DNS Server and a Hostile DNS Server. Steps: (1) the Hostile DNS Server sends Your DNS Server an unsolicited “The IP for... is... !!!”; (2) the bogus entry lands in the DNS Cache; (3) Your PC asks “What is the IP for...”; (4) Your DNS Server answers from its cache “The IP for hotmail.com is...”; (5) Your PC gets the webpage from cyberbrowse.com.]

DNS Cache Poisoning occurs when someone sneaks bad information into the cache of a DNS server. Imagine that you had a phone book at your reference desk. Imagine that someone comes up and asks to use it, but they've got a magic eraser and they change one of the entries so that anyone looking for “Crystal Autoglass” gets the address for “Bob's Autoglass” instead. Everyone else who comes to look up that name will get the wrong address from now on. If there are a LOT of people coming to look up the address for Crystal Autoglass, then Bob's Autoglass could benefit by making such a change.

In a DNS Cache Poisoning attack, a bad guy has control over a hostile DNS server. He waits for your DNS server to look up some name (any name). He gives back the answer, but he also gives back an extra, unrelated answer... he says, “hotmail.com is this IP address”... you never asked to look up hotmail, but he gave the answer anyway... and now your DNS server caches that fake information.

The next time you need to look up hotmail.com, your DNS server thinks it already has the answer, so it doesn't ask the AUTHORITATIVE hotmail.com DNS server... it just uses the poisoned information.

Now your browser goes to the wrong IP address and gets a site that it thinks is hotmail.com but IS NOT. The bad guy could do anything with that fake site... he might just display ads and make a quick buck. He might display a site that looks just like hotmail.com and steal your password. Better hope it isn't your BANK's website that he's faking!
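The exchange on these two DNS slides as an added example, not code from the presentation: a toy resolver whose cache swallows the hostile server's unsolicited hotmail.com record, beside the same resolver with a (simplified) bailiwick check, which is the rule that closed this hole years before the library incident. hotmail.com and cyberbrowse.com are the talk's names; every IP address is a constructed documentation address, and forward() stands in for the real recursion to an authoritative server.

```python
"""DNS cache poisoning via an unsolicited "additional" record, with and without
a bailiwick check. Added example, not from the presentation: hotmail.com and
cyberbrowse.com are the talk's names, every IP address is a constructed
documentation address, and the bailiwick rule is simplified."""
from typing import Dict, List, Tuple

Reply = Tuple[Tuple[str, str], List[Tuple[str, str]]]  # (answer, additional records)

AUTHORITATIVE: Dict[str, str] = {"hotmail.com": "192.0.2.10"}  # stand-in for the real data
HOSTILE_AD_IP = "198.51.100.7"                                 # constructed ad-site address


def forward(name: str) -> Reply:
    """Stand-in for 'find the authoritative server for this name and ask it'.
    The attacker's server answers for its own zone, then tacks on a forged
    hotmail.com record that nobody asked for."""
    if name.endswith("cyberbrowse.com"):
        return (name, "198.51.100.1"), [("hotmail.com", HOSTILE_AD_IP)]
    return (name, AUTHORITATIVE.get(name, "0.0.0.0")), []


class Resolver:
    """Your DNS server and its cache. With bailiwick_check=True, extra records
    are cached only if they belong under the name that was actually queried."""

    def __init__(self, bailiwick_check: bool) -> None:
        self.cache: Dict[str, str] = {}
        self.bailiwick_check = bailiwick_check

    def lookup(self, name: str) -> str:
        if name in self.cache:            # cached answer: the authoritative server is never asked
            return self.cache[name]
        (ans_name, ans_ip), additional = forward(name)
        self.cache[ans_name] = ans_ip
        for extra_name, extra_ip in additional:
            related = extra_name == name or extra_name.endswith("." + name)
            if self.bailiwick_check and not related:
                continue                  # drop the unrelated "hotmail.com is ..." record
            self.cache[extra_name] = extra_ip
        return self.cache[name]


def run_scenario(bailiwick_check: bool) -> str:
    """One patron visits anything under cyberbrowse.com; the next asks for hotmail.com.
    Returns the address the second patron's browser would connect to."""
    resolver = Resolver(bailiwick_check)
    resolver.lookup("ads.cyberbrowse.com")
    return resolver.lookup("hotmail.com")


def looks_poisoned(name: str, resolver_answer: str) -> bool:
    """Defender's check: does the resolver's answer match the authoritative one?"""
    return resolver_answer != AUTHORITATIVE[name]


if __name__ == "__main__":
    print("vulnerable resolver sends hotmail.com users to", run_scenario(False))
    print("bailiwick-checked resolver sends them to", run_scenario(True))
```

The looks_poisoned() check is the test the story on slide 29 needed: compare what the library's resolver hands out for a busy site with what the authoritative server says, and do it repeatedly, since the attacker only poisoned for short periods.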
32 Cyberbrowse attack was widespread
- In 2003, others suffered from the cyberbrowse DNS Poisoning
- Many mistook the attack for a problem with their own computers

The cyberbrowse attacks were exactly like this and were very widespread. You can still find forum posts from 2003 that describe people who were affected but didn't know what was going on. I knew someone in charge of DNS at Shaw at the time, and after I told them what to look for they found that they had been a victim and were able to close the problem up.

Cyberbrowse, from what I could tell, was targeting victims by hand and changing targets and victims often. They would pick a victim with a lot of users (a library is perfect, and an ISP is good too), then pick a website popular with that group, then poison the victim's DNS server so that anyone trying to visit the popular website would see the cyberbrowse ads.

I think this old (2003) example shows how popular libraries can be as targets. They have lots of users and lots of computers. Enough to make us more attractive as a target than other types of organizations... enough to make it profitable for the bad guy to spend his time targeting us as opposed to his other choices.

This means we are MORE likely to be targeted than other types of organizations for some types of attacks. The myth that “nobody would want to hack a library” needs to be lost and forgotten. We need to address the issues that make us a target so that we can guarantee that we will be able to continue to provide access to our users.

I spoke with Shaw Bigpipe and confirmed that they were under attack for months but didn't know it was an attack.
33 The Crimeware Supply Chain
How SPAM Makes Money
- Viruses create botnets (networks of thousands of slave computers)
- Botnet owners pay to have viruses distributed
- Spammers pay botnet owners to send spam
- But spamming requires accounts, which are protected by CAPTCHAs
- Botnet owners pay CAPTCHA breakers
How Credit Card Thieves Work
- Viruses steal credit card and identity info
- Card information is sold to others
- Carders use stolen cards to purchase items
- R ers ensure shipped items can be obtained
- Items may be sold
Stealing from your Bank Account
- Bank accounts are broken into
- “Money Mules” accept payments to their own accounts and then pay the thieves

Criminals want to make money, and a great deal of the things we see day-to-day as annoyances are actually extremely profitable criminal enterprises. Why do you get so much SPAM? Because it's easy? Yes, but not really. The volume of SPAM is so high because it is so profitable. Cybercrime isn't simple one-off hacks; it is a sophisticated, organized criminal industry with complete supply-chain management, ongoing development, and budgets bigger than we have.

For example, affiliate marketing is currently popular for recruiting specialists to perform the different parts of the criminal undertaking needed to make money. Some people steal credit cards, some people buy stuff with the cards, other people handle the physical delivery and disposal of goods, and others launder the money. These are called carders, r ers, and money mules.

I wish I had better slides for this, but I've got a few screenshots that show examples of sites that recruit various parts of the “supply chain”.
34 Breaking CAPTCHAs Pays
- This pays about $2/1000 CAPTCHAs broken, according to a presentation at OWASP 3.0
- From Dancho Danchev's Blog:
35 Affiliate Marketing Pays for Viruses

This slide shows one site that recruits people to “distribute” a fake anti-virus program. The program is actually a virus or (in the best case) a harmless program that pretends to find viruses on your computer and then charges you to remove them. Every time someone pays for the fake program, the distributor gets 45% of the sale price.

There are dozens and dozens and dozens of sites like this. Many of the “distributors” actually distribute other viruses along with the fake anti-virus. Each program that they trick you into downloading comes with some kind of kick-back. Some of the viruses steal your information, and they get paid for it.

It gives criminals a strong incentive to find ways to trick you into downloading viruses, because the more people that are targeted, the more chance that someone might get infected, and the more pay they will collect.

This is also why we see SOOOO many copies of the same virus or similar viruses. Different affiliates are in competition to distribute the same viruses to us... so we get slammed by the same SPAM from lots of different criminals.
36 Cybercrime has grown to include complete supply chain management
- From F-Secure Blog:

This screenshot shows the website of someone who works for UPS, or who knows some people who do. They can “r ” fraudulently purchased goods. But they need carders to buy the goods and have them shipped. Once shipped, the “r s” working at UPS will intercept them so that they can be disposed of (sold, cashed in, etc.).

This helps bypass the problem that a credit card can often only be used to purchase items shipped to the billing address. The r er steps in, and the fraudulently purchased goods never get delivered to the address associated with the credit card... the bad guy gets them instead.
38 No virus news is NOT good news
Problems
- Old anti-virus programs cannot detect the latest types of viruses
- Viruses released today cannot be detected until tomorrow
- Viruses come in clusters: you might only detect one when you are infected with 5
- No anti-virus program can detect all viruses
“Solutions”
- Update your anti-virus software, not just the definitions
- Perform a full anti-virus scan every few days
- Completely reformat any computer on which a virus is detected
- Scan with several different online scanners (F-Secure, Trend at home, Stinger)
39 Questions Asked 2008-10-23

Question: What are the top 3 things we can do today to secure our networks?

Answers:
1) Keep your anti-virus up-to-date (both definitions and software) and do nightly or weekly scans (see next slide).
2) Use “separation of concerns” in your network: separate (physically or virtually) those things that do not need to access each other. Use a different password for every web application instead of a shared one. Make sure that servers that don't need to connect cannot connect.
3) Automated monitoring (I failed to give this as an example, but it is my biggest ally). This means a lot of things, from testing whether servers and services are up to monitoring and charting bandwidth, CPU, and RAM usage. Anomalies are a very strong way to determine if you have a security issue.