Cyber Security Awareness 101 - AFCEA, Emerald Coast Chapter

Unclassified
August 14, 2014
Unclassified
Cyber is derived from Ancient Greek (kyber), meaning “to steer”
– Think: to pilot through the information universe.
Cyber Security for AFCEA
2
Unclassified
The U.S. Government defines Cyber Security as “the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation” (NSPD 54/HSPD 23 and the Comprehensive National Cyber Security Initiative).

• Cyber Security is a set of principles and practices designed to safeguard your computing assets and online information against threats.
• It’s protecting your digital and online presence from being used without your permission. This includes everything from your own computer, tablet and phone to social networks and email. As our lives become more dependent on and invested in these digital products, it’s essential to keep them secure.
• So, what does it mean? Cyber Security begins with you – as an end-user, you are the first & last line of defense. Therefore, it’s important that you:
1. Create/maintain user-IDs, passwords/passphrases, PIN #’s & Security Q&As
2. Gain knowledge of security guidelines, policies & procedures; stay up to date with cyber news – “Knowledge is Power!”
3. Manage your accounts & passwords
4. Secure your computer
5. Protect the data you handle
6. Assess risky behavior online
Botnet
Zombie: Also known as a “bot.” A program that secretly takes over another Internet-attached computer, using that computer to launch attacks that are difficult to trace to the zombie’s creator.
What is a Computer Virus?
A malicious program that can “infect” other programs by modifying them; the modification includes a copy of the virus program, so an infected program can in turn infect other programs.
Virus Stages:
• Dormant phase: Idle.
• Propagation phase: Places an identical copy of itself into other programs or system areas on the disk.
• Triggering phase: Virus activated to perform its intended function; caused by a variety of system events.
• Execution phase: Malicious function is performed.
Types of Viruses:
• Parasitic: Attaches itself to executable files and replicates. When the infected program is executed, it looks for other executables to infect.
• Memory-resident: Lodges in main memory as part of a resident system program. Once in memory, it infects every program that executes.
• Boot sector: Infects the boot record (CryptoLocker Ransomware). Spreads when the system is booted from the disk containing the virus.
• Stealth: Designed to hide itself from detection by antivirus software. May use compression.
• Polymorphic: Mutates with every infection, making detection by the “signature” of the virus impossible. The mutation engine creates a random encryption key to encrypt the remainder of the virus. (The key is stored with the virus.)
• Malware is malicious software – a term used for a variety of hostile or intrusive software. Malware is used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
• Malware is designed to ‘blend in’ with normal web traffic (making it difficult to detect).
• It is usually not particularly advanced, but very effective.
• Malware includes computer viruses, ransomware, worms, trojans, rootkits, keyloggers, dialers, spyware, adware, malicious browser objects, rogue security software and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.
• Malware is different from defective software, which is legitimate software that contains harmful bugs that were not corrected before release. However, some malware is disguised as genuine software, and may come from an official company website in the form of a useful or attractive program which has the harmful malware embedded in it along with additional tracking software that gathers marketing statistics.
• Anti-virus SW, anti-malware and firewalls are relied upon by home users, small and large organizations and governments around the globe to safeguard against malware attacks; they help in identifying and preventing further spread of malware in the network.
Malware does not just affect Desktops & Laptops – cyber criminals also target Mobile Devices (Smart Phones).
Trapdoor: Entry point into a program that allows someone who is aware of the trapdoor to gain access. Also used by programmers to debug and test programs:
-- Avoids necessary setup and authentication.
-- Method to activate the program if something is wrong with the authentication procedure.
Logic Bomb: Code embedded in a legitimate program set to “explode” when certain conditions are met:
• Presence or absence of certain files.
• Particular day of the week.
• Particular user running the application.
Trojan Horse: A useful program that contains hidden code that, when invoked, performs some unwanted or harmful function. Can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly.
Worms: Use network connections to spread from system to system.
• Electronic mail facility: a worm mails a copy of itself to other systems.
• Remote execution capability: executes a copy of itself on another system.
• Remote log-in capability: logs on to a remote system as a user, then uses commands to copy itself from one system to the other.




• APT = Advanced Persistent Threat
• Reality: Not always that advanced
◦ Only as advanced as they need to be
◦ Unlikely to be detected by Anti-Virus (AV) or Intrusion Detection Systems (IDS)
• Generally assumed to be nation-state or state-sponsored intrusion sets
• Persistent targeting is the most significant characteristic
◦ Unlike opportunistic viruses, worms, and botnets, APT attempts to get and maintain access and retrieve data from a select list of targets, rather than all of the Internet





• Extensive reconnaissance
◦ Attend same conferences as target; browse websites to trojanize content; follow target through social media
• Spear phishing and targeted e-mails with Trojans
• Sources of information on personnel, processes, units, organizations
◦ Major SharePoint websites full of PDFs, Office documents, etc.
◦ Frequent social media posts
◦ Extensive personnel contact information
◦ Extensive insight available from FedBizOps
  - Key personnel
  - Design criteria
  - Information on sensitive facilities
• Malware
• Other techniques
◦ Twitter feeds
◦ Google chat
◦ MSN messenger
◦ * See Mandiant ‘APT1’ report
1. You are an attractive target to hackers. Don’t ever say “It won’t happen to me.”
2. Practice good password management. Use a strong mix of characters, and don’t use the same PW for multiple sites. Don’t share your PW with others, don’t write it down, and definitely don’t write it on a post-it note attached to your monitor.
3. Back up your data regularly, make sure your antivirus software is always up to date, and install patches ASAP.
4. Never leave your devices unattended. If you need to leave your computer, phone, or tablet for any length of time—no matter how short—lock it up so no one can use it while you’re gone. If you keep sensitive info on a flash (thumb/pony) drive or external hard drive, lock it up as well.
5. Always be careful when clicking on attachments or links in email. If unexpected or suspicious for any reason, don’t click on it. Double check the URL of the website the link takes you to: bad actors often take advantage of spelling mistakes to direct you to a harmful site. Can you spot a phony website? Try this Phishing Quiz: http://www.opendns.com/phishing-quiz/
6. Sensitive browsing, such as banking or shopping, should only be done on a device that belongs to you, on a network that you trust. Whether it’s a friend’s phone, a public computer, or a cafe’s free WiFi—your data could be copied or stolen.
7. Be conscientious of what you plug in to your computer. Malware can be spread through infected flash drives, external hard drives, and even smartphones.
8. Watch what you’re sharing on social networks. Criminals can befriend you and easily gain access to a shocking amount of information—where you go to school, where you work, when you’re on vacation, your birth date, address—that could help them gain access to more valuable data.
9. Offline, be wary of social engineering, where someone attempts to gain information from you through manipulation. If someone calls or emails you asking for sensitive information, it’s okay to say no. You can always call the company directly to verify credentials before giving out any information.
10. Monitor accounts for any suspicious activity. If you see something unfamiliar, it could be a sign that you’ve been compromised.
Password Security: Your computer password (PW) is your first, last, and best line of defense against damaging intrusions. Without a well-chosen PW or set of PWs, any other security measures protecting your data are essentially useless.
Never share your PWs! Avoid creating an insecure password by meeting these requirements:
• 10+ character minimum. The longer your PW, the more secure. Use a combination of upper and lowercase letters, including special characters such as ‘~!@#$%^?’.
• Don’t use obvious items of personal info (names, birthdates, SS#’s, phone #’s, street address, etc.). Avoid English words or combos, e.g., “NVCCgirl,” “cooldude,” “kittykat” or “ninjawarrior”.
• Use acronyms for unusual phrases that you invent, e.g., “~2myuIG-cw!” which stands for: “about 2 more years until I Graduate – can’t wait!”
• Change it often. Every 90 days is ideal – but at least twice annually. It usually takes a hacker quite some time to crack a long, complex PW. If you change your PW every 90 days, the chances of it being cracked are even slimmer.
• When it comes to physical PW security, never record it anywhere close to the computer (on post-its, pull-out trays in desks, inside drawers, under shelves, etc.). Have a lot of PWs? You may wish to use a secure Password Manager.* Most systems have one.
* (Check out the one on your Smart phone)
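As an added illustration of the requirements listed above (this is example code written for this page, not part of the original slides), the following Python checker applies each rule to a candidate password and reports which ones it breaks. The special-character set and the small word list are constructed stand-ins; a real checker would load a full dictionary.

```python
from typing import Iterable, List

# Special characters the slide lists, plus a few common ones (constructed extension).
SPECIAL_CHARS = set("~!@#$%^?.-_*&+=")

# Constructed mini word list standing in for a real English dictionary.
COMMON_WORDS = {"cool", "dude", "kitty", "girl", "ninja", "warrior",
                "password", "welcome", "summer"}


def check_password(pw: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return every rule the password violates; an empty list means it passes."""
    problems: List[str] = []

    # Rule: 10+ characters, mixed case, at least one special character.
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("no special character")

    low = pw.lower()

    # Rule: no obvious personal info (names, birth years, phone numbers, ...).
    for item in personal_info:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal info: {item}")

    # Rule: no English words or word combos such as "cooldude" or "NVCCgirl".
    if any(word in low for word in COMMON_WORDS if len(word) >= 4):
        problems.append("contains a dictionary word")

    return problems


if __name__ == "__main__":
    # The slide's own examples: the acronym passphrase passes, the word combos fail.
    for candidate in ["~2myuIG-cw!", "NVCCgirl", "cooldude", "kittykat"]:
        print(candidate, "->", check_password(candidate, ["jdoe", "1984"]) or "OK")
```

The personal-info list is whatever the checker knows about the user (login name, birth year); in practice it would be filled from the account profile.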
What is anti-virus software?
• Picture an alarm system on a house. Anti-virus (AV), like an alarm, protects your system against known threats, and alerts you when one of these threats enters your computer. However, just like an alarm, this doesn’t make you invulnerable to attacks. There are times when it may detect the threats too late or the threats may bypass it altogether. Overall though, it is a great way to help secure your computer with little work required from you.
How does anti-virus work?
• Most common - automatically scheduled scans. These scans look at each individual file on your computer and compare them against a known signature. If the file, or part of the file, matches a signature, the AV software (SW) alerts the user and will attempt to quarantine the file. Outside of scheduled scans, some AV SW also supports active scanning. With active scanning, files are compared against the same set of signatures every time the file is accessed. This allows the antivirus to check files in-between the scheduled scans.
Where do I get anti-virus?
• Good AV may seem expensive, but there are a lot of ways to get it for free. Many workplaces and educational institutions offer employees and students free AV SW for home use. Contact your work/school IT helpdesk. Many internet providers/cable companies offer AV as part of your subscription. Not available? Symantec Norton 360 or McAfee programs are among the most popular.
Free anti-virus for home use:
https://www.acert.1stiocmd.army.mil/Antivirus/Home_Use.htm
Evolving Threats:
• Viruses aren't the only type of hazard. Security attacks continue to surface in myriad other ways. Many of you now use broadband to remain online full time. Hackers love to target "always-on" users, and are continually developing new ways to infiltrate well-connected home computers. Turn your system off when not in use.
Security Updates Are Vital:
• Security SW is only as good as the intel available at the time of development. Virus writers, hackers and other “bad guys” are constantly coming up with new attack modes. Stay alert!
Evolving Protections:
• As threats evolve, so do anti-threat technologies. However, the latest technology and intel have to make their way from the development lab to your desktop. That's where program updates come into play.
Patching & Automatic Updates:
• The maker of your operating system (OS) (e.g., Microsoft or Mac) develops system updates on a regular basis. A patch can be an upgrade (adding increased features), a bug fix, a new hardware driver or an update to address issues such as security, basic functionality or stability problems. Along with your Anti-Virus SW, ensure you have an Internet Security program to retrieve the latest spam definitions and Web filter updates. Up-to-date spam definitions help thwart unsolicited advertising schemes, and Web filter updates help prevent your children from stumbling across websites with inappropriate content.
Do your part:
• Make it a habit to check your provider’s website for security advisories; take advantage of the Live or Automatic Updates. Configure SW to alert you when critical updates are available, and set it to run automatically on a predefined schedule. Check for updates to your OS and Security SW at least once a week to safely stay ahead of the curve.
What is a firewall?
Picture a series of doors on the outside of a house. Doors allow those who live inside to come and go as they please while preventing intruders from entering. A firewall is the “door” to your computer or network. The firewall looks at people (systems) trying to connect to your computer and decides whether to let them in or keep them out. Without the firewall, anyone could come into your computer without your permission.
Why do I need a firewall?
If your house had no doors, you’d have no privacy, and all your belongings would be at the risk of those who walk through your house. Without anything to block incoming connections from unauthorized computers, everyone could take your files and watch what you do on the computer.
How does a firewall work?
A firewall looks at all the connections coming and going from your computer, and decides whether to allow them through or to block them. How? By looking at a list of rules called an Access Control List (ACL). The ACL is like a list a bouncer would have at a club so he would know who to let in and who to keep out. If a computer trying to access yours is on the list, it’s allowed through. Otherwise, the computer is blocked before it even gets a peek at what is going on inside.
Where do I get a firewall?
Some computers already have a firewall installed when you buy them – but check. You may also see some “premium” options offered as part of security SW and AV packages.
Firewall: Ensure you never turn it off, no matter ‘who’ comes knocking.
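To make the “bouncer with a list” picture concrete, here is an added Python example (written for this page, not code from the slides or from any firewall product) of how an Access Control List is evaluated: rules are checked top to bottom, the first match decides, and anything not on the list is blocked by an implicit deny. The ACL, the addresses and the connection attempts are all constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    source: str          # CIDR block the connecting system must come from
    port: Optional[int]  # destination port on this machine; None matches any port


# Constructed sample ACL for a home PC. First matching rule wins; the last
# catch-all deny is the "not on the list, not getting in" behaviour.
HOME_ACL: List[Rule] = [
    Rule("allow", "192.168.1.0/24", 445),  # file sharing, but only from the home LAN
    Rule("allow", "0.0.0.0/0", 443),       # the HTTPS service is reachable from anywhere
    Rule("deny", "0.0.0.0/0", None),       # everything else is blocked
]


def evaluate(acl: List[Rule], src_ip: str, dst_port: int) -> Tuple[str, int]:
    """Return (action, index of the matching rule); ("deny", -1) if nothing matched."""
    addr = ip_address(src_ip)
    for idx, rule in enumerate(acl):
        in_block = addr in ip_network(rule.source, strict=False)
        port_ok = rule.port is None or rule.port == dst_port
        if in_block and port_ok:
            return rule.action, idx
    # Implicit deny: even an ACL with no explicit deny rule keeps strangers out.
    return "deny", -1


def filter_connections(acl: List[Rule], attempts):
    """Run a batch of (src_ip, dst_port) attempts through the ACL; return [(ip, port, action)]."""
    return [(ip, port, evaluate(acl, ip, port)[0]) for ip, port in attempts]


# Constructed inbound connection attempts, as a firewall log would record them.
SAMPLE_ATTEMPTS = [
    ("192.168.1.20", 445),  # neighbour PC on the LAN reaching the file share
    ("203.0.113.9", 445),   # Internet host probing the file share
    ("203.0.113.9", 443),   # Internet host reaching the HTTPS service
    ("198.51.100.7", 22),   # Internet host trying SSH, covered only by the catch-all
]

if __name__ == "__main__":
    for ip, port, action in filter_connections(HOME_ACL, SAMPLE_ATTEMPTS):
        print(f"{ip:>14}:{port:<4} -> {action}")
```

Rule order matters: if the catch-all deny were placed first, nothing would ever be allowed, which is why the check stops at the first match instead of scanning the whole list.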

• Even the most secure password or online safety measures can be compromised if you step away from your computer while logged in. Make sure that you always limit incidental (others’) access to your machine: log off or lock your computer when you leave your desk or the room, and lock your room or office.
• While all computers are valuable to those looking to commit digital crimes, never forget that your computer equipment is also a target for theft. If you can, lock your laptop and any other easily portable equipment to a desk or other hefty object using a security cable (available in most college Student Stores).
• Keeping your computer and information safe using encryption software, antivirus, antispyware and a firewall is vital. However, it’s far too easy for someone to simply walk away with your computer.
• Physical security is easy and inexpensive, considering the peace of mind that it brings.
A cheap way to avoid an expensive disaster
• How much is it to buy a backup drive? About $75.00. Backup software? Usually included or $30 or less. Not losing your data? Priceless.
How do I backup my computer?
• We store our digital lives online - photos, music, movies, much more. Backing up is making a copy of data and/or program files and keeping that copy in a safe, separate place. If you can’t retrieve or lose access to your data, you can recover it from a backup source copied elsewhere.
• 3 most common causes of data loss: Malware, hard drive failure & accidental deletion.
Backups typically take 1 of 2 forms:
1. Copying your data. If you copy pictures from your digital camera and burn those images to a CD for safekeeping, you’ve backed them up. Similarly, if you regularly take the contents of your “My Documents” folder tree and copy it to another machine or burn it to CD, you’ve backed up those files. They’re safely stored in another location in addition to the original.
2. Imaging your system. This makes a copy of everything: your data, SW programs, settings – even the operating system itself.
• Both types of backups share a common characteristic. Whatever you back up, do so by a) making a copy, and then b) placing that copy somewhere else. If your data is in only one place, there are no copies of that data, and you’re not backed up.
• Find an appropriate storage device capable of storing all of the data you need to back up - at least twice the size of the hard drive. An external hard drive is the best - or backup to the cloud. (A partition on the same computer is less safe - the system remains susceptible to viruses and hard drive failure. If your computer is stolen – so is your backup.)
* Check out Symantec’s Norton 360 and Carbonite

• Phishing is an online con game by tech-savvy con artists and identity thieves. They use malicious web sites, email and instant messages to trick people into divulging sensitive information, such as bank and credit card accounts.
• Phishers attempt to gain personal information by employing social engineering techniques. Emails are crafted to appear as if sent from a legitimate organization or known individual. These emails attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate (or to open an attachment that will launch malware). The user may be asked to provide personal data, such as account usernames and PWs, that can further expose them to future compromises. Fraudulent websites may also contain malicious code.
• ALWAYS check the website BEFORE CLICKING in any email you receive. Be wary of every attachment you receive – THINK: Do you REALLY need to view/open it? Is it vital?
• Beware of scams. Don't respond to email, instant messages, texts or calls asking for your PW. Never disclose your PW to anyone, even if solicited by what looks like a familiar organization. Malicious links can infect your computer or take you to web pages designed to steal your data. Only click on links from trusted sources. Never click on a mystery link unless you have a way to independently verify it’s safe. This includes tiny URLs – like the ones found in Twitter.
-- US CERT: http://www.us-cert.gov/report-phishing
-- NORTON: http://us.norton.com/security_response/phishing.jsp
Web Vigilance — Trust No One:
• Protect your personal privacy, remain forever vigilant and protective of your PW and other personal info. Hackers look for computers that are easy to crack and can be used for their own purposes. Strong PWs reduce the risk of getting hacked. Hackers will always choose a machine without a PW first, because it is far easier to get into.
• Do not allow a program to run on your computer unless you completely trust its source.
• Never give out your credit card #’s, social security #, or any personal info on an unfamiliar site or a site that isn’t secured by Secure Socket Layer (SSL) encryption. Look for the lock icon in your web browser.
Identity Theft is big business – don’t let them get into yours.
Email Concerns:
• Never open attachments sent by a stranger. Be wary of those sent by family & friends, too. Avoid opening any attachment if it’s simply “funny” or entertaining. Don’t forward them, either. Think: Is this info VITAL for you to view, or for others to read/have for their own benefit? If so, copy and paste the data into the body of the email – or give a good explanation re what the link or attachment is about. If not, save your own time and don’t waste theirs – don’t send! These kinds of attachments frequently double as a Trojan horse: a program that will distract you (or simply become invisible) while another computer user gains control of your computer.
• Create a separate web-based free email account to receive newsletters, junk mail and other unimportant email. Never respond to unsolicited email, because doing so may confirm your existence to a SPAM-mail provider.
WiFi HotSpots – Beware:
Free WiFi hotspots provide access to the internet in airports, coffee shops, supermarkets, hotels, book stores, etc. Here, you may be putting your personal information at risk. Hackers can set up a fake WiFi hotspot and just wait for an unsuspecting person to attach to it so they can gather data.
What You Can Do:
• Access only encrypted websites while on public hotspots. Look for ‘https’ at the beginning of a web address. Read tips on using public WiFi: http://www.onguardonline.gov/articles/0014-tips-using-public-wi-fi-networks
• Ensure Wi-Fi is disabled when not in use.
• Read Daniel Berg’s “9 Tips to Stay Safe on Public WiFi” for Laptops: http://blog.laptopmag.com/9-tips-to-stay-safe-on-public-wi-fi
See Session Hacking in Backup slides
1. Lost/Stolen Smart phone: Immediately contact your service provider (e.g., T-Mobile, AT&T, Sprint).
Keep your provider phone # in your wallet, in your car and in your home for ease of access.
2. Wiping Contents: Settings should be set to wipe or remove contents after 10 unsuccessful login
attempts; this ensures protection of data, should it fall into the wrong hands. Check if remote
wiping is available. Note: remote wiping will often NOT wipe the SDRAM chip on the smart phone.
3. Passwords: Use a strong PIN, password, or passphrase to protect the contents. Use Caps, small
case and special keys in all your PWs; and use data encryption if supported.
4. Disposal: Erase all personal information securely and remove the SIM card and Memory card (if there is one) before returning it to your service provider, giving it to another, or disposing of it.
5. Updates: Ensure both your operating system and applications are up to date to help protect
against known threats.
6. Email and the Web: Use SSL encryption (https://) for browsing and webmail when possible. These
services entail the same threats on a smartphone as they do on any computer, including phishing
attacks, malicious websites, infected attachments, and scams.
If you receive an email that sounds too good to be true or looks
suspicious, do not respond to it or click on any embedded links
it contains. Limit your browsing to well-known and trusted websites.
7. Wireless Networks: Your smartphone may connect automatically to wireless networks without your
knowledge. If connected to a public Wi-Fi hotspot, it's probably also being used by other people;
someone could eavesdrop on your connection. Keep optional network connections (e.g., WiFi and
Bluetooth) turned OFF except when specifically using them.
8. Applications (Apps): Install only needed Apps and ensure each is obtained from a vendor that has vetted it (like Samsung, Blackberry or Apple’s iPhone App Stores). Installing software (SW) risks creating vulnerabilities, including installing a malicious backdoor that hackers dress up as a legitimate App, which sends sensitive info (e.g., SS#, credit card info, UserIDs/PWs, etc.) while appearing to function normally. Don’t rush to install a new App. Wait until it has established a good reputation.
9. Documentation: Read the documentation and terms of service for each App before you install it. Apps often require you to grant permission to the vendor to collect, use, and sell personal info - about you, device usage, and your geographic location. Don’t give them access to your Contacts!
10. Posting Images to Facebook & Social Networks: Smart phones use geo-tagging, which tags photos with the time, date and GPS latitude and longitude. Change social-networking settings to PRIVATE so only people you invite into your network can see your photos, etc. Restrict privacy and info to friends. Turn off GPS settings on your smart phone's camera to prevent it from capturing location info. Remember, photos you email travel over the Web as well.
Summary: BE AWARE of potential risks. Take caution when searching the Internet, opening emails from unknown sources, on social networking sites like Facebook, Pinterest & Twitter, and clicking on links and opening attachments.
Links of Interest:
• Glossary of Key Information Security Terms
http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
• How to Fix a Malware Infected Computer
http://www.techsupportalert.com/content/how-fix-malware-infected-computer.htm
• How to Clean An Infected Computer
http://www.techsupportalert.com/content/how-clean-infected-computer.htm
• How to Know If Your Computer Is Infected
http://www.techsupportalert.com/content/how-know-if-your-computer-infected.htm
• Learn to Write Code – Computer Science - Free tutorials for Beginners!
http://code.org - and - http://code.org/learn
• US Department of Homeland Security – Stop. Think. Connect
http://www.dhs.gov/stopthinkconnect - and - http://stopthinkconnect.org/
Remember: ALWAYS practice safe computing!
Incident - Target: In Nov 2013, a group of Eastern European hackers entered Target’s network through a digital gateway, discovering that Target’s systems were astonishingly open, lacking the virtual walls and motion detectors found in secure networks. ~110 million customers were affected. ~40 million at US stores had credit and debit card data stolen; hackers also lifted personal information - including names, addresses, email addresses and phone #s - for ~70 million. Protecting Personally Identifiable Information (PII) is vital for yourself - and especially at work. Be vigilant and on guard about protecting your own personal information and protecting your work site user data.
Incident - Yahoo: Yahoo Mail was hacked – again – in January 2014. The number of accounts compromised is unknown. Attackers gained access through a third-party database outside of Yahoo control. Hacks happen, but if you've followed basic security practices and aren’t using the same login credentials for multiple sites and services, only your Yahoo account should be at risk. Change log-in credentials for any account that may share your Yahoo password, particularly if they use their Yahoo email as their login. Also, if you use a similar email address as the username, it’s not a big leap for hackers to think you may be both jdoe@yahoo.com and jdoe@gmail.com. Look out for spam as well. Use strong PWs, different for each account. Remember, cyber security begins with you.
SQL Injection: Databases using structured query language (SQL) rely on specially formatted
queries to locate and return requested data. Human or automated attackers can send requests
that exploit the database's internal codes to alter the query as it's processed. This year alone,
SQL injection was the culprit behind a number of notorious security breaches, such as hacker
group LulzSec's alleged theft of data from the Sony Pictures server. Once again, the solution to
this problem isn't in the user's hands. Well-designed software avoids the problem by weeding
out any queries that don't meet strict standards. Those who create and maintain database
apps are advised to "use whitelisting, not blacklisting," letting only specific data through instead
of keeping only specific data out. That way previously unseen SQL injections won't get through.
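The “whitelisting, not blacklisting” advice above is easier to see in code. The following Python example was written for this page (it is not code from the slides, from Sony, or from any named product) and uses the standard-library sqlite3 module with a constructed in-memory table. It places the flawed query-building pattern next to the hardened form: an allowlist for what a username may look like, a bound parameter for the value, and an allowlist for the one place (a column name) where a parameter cannot be used.

```python
import re
import sqlite3
from typing import List


def make_sample_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The flaw: the query text is assembled from raw input, so input becomes SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


# Allowlist: the only shape a username is permitted to have. Anything else is
# rejected outright, which also rejects previously unseen injection payloads.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened form: validate against the allowlist, then bind the value as a parameter."""
    if not USERNAME_RE.match(username):
        raise ValueError("username does not meet the allowed format")
    # A bound parameter travels separately from the statement text, so the
    # database never interprets it as part of the query.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# Identifiers such as column names cannot be bound as parameters, so the only
# safe option is an allowlist of the exact values the application supports.
SORTABLE_COLUMNS = {"id", "username", "email"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> List[str]:
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_sample_db()
    # A classic tautology in the input returns every row from the unsafe query,
    # while the hardened function refuses the input before any SQL runs.
    print(find_user_unsafe(db, "' OR '1'='1"))
    try:
        find_user_safe(db, "' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)
    print(list_users_sorted(db, "email"))
```

The two defenses are complementary: parameter binding keeps data from ever being parsed as SQL, and the allowlists keep the application's own query text from being assembled from anything it did not anticipate.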
Fake Tech-Support Calls: You might get an unsolicited phone call from a tech-support
representative claiming to be from Microsoft or another big-name IT corporation. But the caller
won't be who he claims to be. After warning you that "suspicious activity" has been detected
on your computer, he'll offer to help once you give him the personal information he requires to
get his job done. That job isn't fixing your computer. In fact, he's really just after your personal
information. If you receive a call like this, hang up, call the company the bogus technician
claimed to be from, and report the incident to a legitimate representative. If there really is a
problem, they'll be able to tell you; if not, you just thwarted a data thief.
• Fraudulent SSL Certificates: A Secure Sockets Layer (SSL) certificate reassures your browser that the site you've connected to is what it says it is. If you're looking at "HTTPS" instead of plain old "HTTP," you know there's security involved, such as when you log in to your bank account or pay your phone bill. The most trusted SSL certificates are issued by designated Certification Authorities worldwide. What happens if that trust between browser and website is exploited? Acquiring or creating fake SSL certificates is unlawful, but happens often enough that we need to be aware of it. On multiple occasions in 2011, the discovery of false certificates suggested an attempt to spy on Iranian citizens as they used Gmail and Google Docs. According to security firm F-Secure, foreign governments are using these techniques to monitor local dissidents.
• Banking Trojans: A Trojan is malicious software that disguises itself as an innocent program, counting on you to download or install it into your system so it can secretly accomplish its malicious tasks. The infamous ZeuS Trojan and its rival SpyEye take advantage of security holes in your Internet browser to "piggyback" on your session when you log in to your bank's website. These monsters are in the Ivy League of computer malware; they avoid fraud detection using caution, calculating inconspicuous amounts of money to transfer out of your account based on your balance and transaction history. Financial institutions continue to increase the layers of security involved in large transactions, such as requiring confirmation through "out-of-band" communications. Mobile device digital crooks have lost no time adapting to the changes. Banking Trojans are able to change the mobile number tied to your account and intercept that confirmation request. Be careful what and from where you download.
DNS Redirection: Internet service providers (ISPs) such as Time Warner Cable claim they're
trying to help with DNS redirection, but the reality seems to come down to money. Domain Name
System (DNS) redirection overrides your browser's normal behavior when you type a name that does not
exist. Instead of the resolver returning "no such domain" (NXDOMAIN) and your browser showing its
"server not found" page, the ISP's resolver answers with the address of a page of the ISP's choosing,
usually a page full of paid advertising and links. (A 404 "File Not Found" error is different: it comes
from a web server that exists but has no page at that path.) Innocent though that practice
may be, malware can do the same thing, redirecting your browser to a hostile page the
first time you misspell a domain. With ISPs, you can opt out of their DNS redirection (you'll find
links below all the ads); with malware, stay on your toes. Make sure you know what your browser's
default "server not found" page looks like, and take action if you see anything different.
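The check a practitioner would run to see whether their resolver substitutes answers for nonexistent names: ask for several random hostnames that cannot exist and compare the replies. An honest resolver says "no such domain" every time; a redirecting one returns the same address for all of them. This is an added example, not part of the AFCEA deck; the probe-name format, the `-nxtest` suffix and the verdict labels are my own choices, and the `resolve` argument is injected so the logic can be exercised offline with constructed answers.

```python
import secrets
import socket
from collections import Counter


def random_probe_name(tld="com"):
    """Constructed hostname that cannot legitimately exist: a random label
    such as 'a3f9...-nxtest.com'. Honest resolvers answer NXDOMAIN for it."""
    return f"{secrets.token_hex(8)}-nxtest.{tld}"


def resolve_via_os(name):
    """Real probe: ask the system resolver. None means 'no such name'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_nxdomain_redirection(resolve, probes=5):
    """Query several random, nonexistent names through `resolve`.

    Returns (verdict, detail):
      'honest'       - every probe came back as NXDOMAIN
      'redirecting'  - every probe resolved to the same address (the
                       redirect/ad page the resolver substitutes)
      'inconsistent' - some probes resolved; worth a closer look
    """
    answers = [resolve(random_probe_name()) for _ in range(probes)]
    hits = [a for a in answers if a is not None]
    if not hits:
        return "honest", None
    address, count = Counter(hits).most_common(1)[0]
    if count == len(answers):
        return "redirecting", address
    return "inconsistent", sorted(set(hits))


if __name__ == "__main__":
    # Live check against whatever resolver this machine is configured to use.
    print(detect_nxdomain_redirection(resolve_via_os))
```

Run it on a laptop at home and again on a coffee-shop network; a "redirecting" verdict with an address you do not recognize means the network's resolver is rewriting failures, whether for advertising or for something worse.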
Open DNS Resolvers: Another danger lies in the way some DNS servers are configured. An
"open resolver" answers recursive queries from anyone on the Internet, not just from the network it
was set up to serve. Open resolvers are exploited in distributed denial-of-service (DDoS) attacks, where
small spoofed queries draw large answers toward a victim, and they are also the natural target for an
attacker who wants to "poison" the resolver's cache with false answers, sending every user of that
resolver to an incorrect address until the bad entry is detected and flushed.
If your browser trips over a poisoned entry, the operators of the hostile server it lands on can
harvest whatever you send, especially if you're in the middle of an important
transaction. How can typical users solve this dilemma? The chilling answer: they can't. It's up to
Internet service providers and resolver operators to address the problem. (DNS spoofing, or DNS cache poisoning, is an
attack in which forged data is introduced into a Domain Name System (DNS) name
server's cache, causing the name server to return an incorrect IP address and diverting traffic
to another computer, often the attacker's.)
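To make the "poisoning" concrete, here is a stripped-down model of how a resolver decides whether to trust a reply, and why the operator-side fix matters. A resolver only has the query name, a 16-bit transaction ID and its own UDP source port to tell a genuine answer from a forged one. If the port is fixed, an attacker who can make the resolver look something up just sprays replies with every possible transaction ID; if the port is random as well, blind guessing almost never lands. This is an added example, not code from the AFCEA deck; `ToyResolver`, `blind_spoof`, the example bank name and the 203.0.113.66 address are constructed for illustration, and the race against the real answer is left out.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    qname: str
    txid: int    # 16-bit DNS transaction ID chosen by the resolver
    sport: int   # UDP source port the resolver sent the query from


@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int
    dport: int   # must equal the query's source port to be delivered
    answer: str


class ToyResolver:
    """Stripped-down caching resolver. A reply is accepted for the
    outstanding query only if name, transaction ID and port all match;
    the first accepted answer is cached, good or bad."""

    def __init__(self, rng, randomize_port=True):
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache = {}
        self.pending = None

    def send_query(self, qname):
        sport = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        self.pending = Query(qname, self.rng.randrange(65536), sport)
        return self.pending

    def accept(self, reply):
        q = self.pending
        if q is None or reply.qname != q.qname:
            return False
        if reply.txid != q.txid or reply.dport != q.sport:
            return False          # forged guess: silently dropped
        self.cache[q.qname] = reply.answer
        self.pending = None
        return True


def blind_spoof(resolver, qname, evil_ip="203.0.113.66", guesses=65536):
    """Attacker who can make the resolver look up `qname` but cannot see
    its query. Sprays forged replies with every transaction ID toward
    port 53 before the real answer arrives (the race is ignored here).
    Returns True if the forged answer was cached."""
    resolver.send_query(qname)
    for txid in range(guesses):
        if resolver.accept(Reply(qname, txid, 53, evil_ip)):
            return True
    return False


def poisoned(randomize_port, seed=2014):
    """Run one attack and report (success, what the cache now says)."""
    r = ToyResolver(random.Random(seed), randomize_port)
    hit = blind_spoof(r, "www.example-bank.test")
    return hit, r.cache.get("www.example-bank.test")


if __name__ == "__main__":
    print("fixed port:     ", poisoned(randomize_port=False))
    print("randomized port:", poisoned(randomize_port=True))
```

The fixed-port resolver is poisoned every time; the randomized one is not, which is exactly the mitigation resolver operators were pushed to deploy in 2008. Signed answers (DNSSEC) close the hole properly, since a forged reply then fails validation regardless of how it was guessed. Neither is something an end user can switch on from their browser, which is the point the slide makes.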
Disguised Filenames: Modern operating systems accommodate speakers of languages such
as Arabic and Hebrew with control codes that reverse the direction of text so those
languages display correctly, written right-to-left instead of left-to-right. Unfortunately, these
"RTL" and "LTR" commands are special, invisible Unicode characters (the most abused being U+202E,
RIGHT-TO-LEFT OVERRIDE) that can be included in any text, including filenames and extensions.
Exploiting this fact, a malware purveyor can disguise ".exe" files as files with other extensions:
a file actually named "report_[RLO]fdp.exe" is displayed as "report_exe.pdf". Your operating system
shows the "disguised" name, but it still treats the file as an executable; launching it will run the
program and infect your computer. Practice caution with any and all files from unknown sources.
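A small checker for this trick, added here as an example and not part of the deck: it finds Unicode bidirectional controls in a filename, works out the extension the operating system will actually dispatch on, and approximates what a naive file list would display. The sample filename is constructed; the list of "risky" extensions is my own choice.

```python
import unicodedata

# Unicode bidirectional-control code points. Any of these in a filename is
# a red flag; U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in the trick.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"                      # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"    # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"          # LRI, RLI, FSI, PDI
)
RISKY_EXTENSIONS = frozenset(
    {"exe", "scr", "com", "bat", "cmd", "pif", "msi", "js", "vbs", "lnk"})


def find_bidi_controls(name):
    """[(index, 'RIGHT-TO-LEFT OVERRIDE'), ...] for each control in name."""
    return [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def true_extension(name):
    """Extension the OS actually dispatches on: after the last '.', with
    the invisible controls removed (they are not part of the extension)."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def displayed_name(name):
    """Approximate what a naive file list shows: everything after an RLO is
    drawn reversed. Only the single-override case is modelled."""
    if "\u202e" not in name:
        return name
    head, tail = name.split("\u202e", 1)
    return head + tail[::-1]


def classify(name):
    """('suspicious', ext) when a bidi control hides a risky extension."""
    ext = true_extension(name)
    if find_bidi_controls(name):
        return ("suspicious" if ext in RISKY_EXTENSIONS else "bidi-control"), ext
    return "ok", ext


# Constructed sample: the attacker names the file "report_" + RLO + "fdp.exe".
SAMPLE = "report_\u202efdp.exe"

if __name__ == "__main__":
    print(displayed_name(SAMPLE), true_extension(SAMPLE), classify(SAMPLE))
```

Mail gateways and download scanners apply the same rule: any bidi control in a filename is worth flagging, and the real extension is whatever follows the last dot once the controls are stripped.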
Man-in-the-Middle Attacks: While you're still sipping your latte on that unsecured
network, even your encrypted messages may not be all that safe. A man-in-the-middle (MITM)
attack occurs when an attacker intercepts communications and proceeds to "relay"
messages back and forth between the lawful parties. While the messaging parties believe
their two-way conversation is private, and might even be using encryption, every
message is re-routed through the attacker, who can read and alter the content before sending it on to
the intended recipient. If the parties exchanged their encryption keys over the same channel without
verifying them, the key itself can be swapped out for one the attacker controls, so each party is
really encrypting to the attacker, and the original parties remain unaware of the eavesdropper the entire time.
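The key-swap described above, worked through on a toy Diffie-Hellman exchange. This is an added example, not code from the deck: the group parameters are deliberately tiny, the XOR "cipher" is for illustration only, and the names Alice, Bob and Mallory, the private values and the message are all constructed. It shows Mallory handing each side her own public value, deriving both session keys, reading and altering the traffic, and then how comparing key fingerprints over a channel she does not control would have exposed her.

```python
import hashlib

# Toy group parameters (constructed): far too small for real use, fine for
# showing the mechanics. Real protocols use 2048-bit groups or elliptic curves.
P = 2_147_483_647   # 2**31 - 1
G = 7


def dh_public(private):
    return pow(G, private, P)


def dh_shared(private, peer_public):
    return pow(peer_public, private, P)


def derive_key(shared_secret):
    return hashlib.sha256(str(shared_secret).encode()).digest()


def xor_crypt(key, data):
    """Toy stream cipher: XOR with a SHA-256 keystream. Same call encrypts
    and decrypts. Illustration only, not a real cipher."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def fingerprint(public):
    """Short hash of a public value, the kind of thing two people can read
    to each other over the phone to check for substitution."""
    return hashlib.sha256(str(public).encode()).hexdigest()[:16]


def exchange_with_mitm(alice_priv, bob_priv, mallory_priv, message, tamper=None):
    """Unauthenticated Diffie-Hellman with Mallory in the path.

    Mallory swaps each party's public value for her own, so Alice really
    shares a key with Mallory and Bob shares a different key with Mallory.
    Returns (what Mallory read, what Bob received, whether an out-of-band
    fingerprint comparison would have caught it)."""
    a_pub, b_pub, m_pub = (dh_public(k) for k in (alice_priv, bob_priv, mallory_priv))
    alice_sees, bob_sees = m_pub, m_pub          # substituted in transit

    k_alice = derive_key(dh_shared(alice_priv, alice_sees))
    k_bob = derive_key(dh_shared(bob_priv, bob_sees))
    k_m_alice = derive_key(dh_shared(mallory_priv, a_pub))   # equals k_alice
    k_m_bob = derive_key(dh_shared(mallory_priv, b_pub))     # equals k_bob

    ciphertext = xor_crypt(k_alice, message)     # Alice -> "Bob"
    mallory_reads = xor_crypt(k_m_alice, ciphertext)
    forwarded = tamper(mallory_reads) if tamper else mallory_reads
    bob_receives = xor_crypt(k_bob, xor_crypt(k_m_bob, forwarded))

    # Each side compares the fingerprint it saw with the fingerprint the
    # other party reads out over a channel Mallory does not control.
    detected = (fingerprint(alice_sees) != fingerprint(b_pub)
                or fingerprint(bob_sees) != fingerprint(a_pub))
    return mallory_reads, bob_receives, detected


if __name__ == "__main__":
    seen, delivered, caught = exchange_with_mitm(
        123456, 654321, 42, b"transfer 10 USD to acct 1001",
        tamper=lambda m: m.replace(b"10 USD", b"1000 USD"))
    print(seen, delivered, caught)
```

The fingerprint comparison is what TLS certificates, SSH host-key prompts and the "verify safety number" screens in messaging apps automate; the attack works only when that step is skipped or the warning is clicked through.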
• The "Stuxnet" worm (discovered June 2010) targeted centrifuges at the Iranian Natanz uranium-enrichment plant in a clandestine fashion. Stuxnet blocked the outflow of gas from the cascades of
centrifuges, causing pressure to build up and the equipment to become damaged. It even masked the attack
by replaying 21 seconds of recorded sensor values so that the engineers at the facility wouldn't realize
anything was wrong. Until recently, it was believed that Stuxnet simply targeted the centrifuges by causing
them to spin too fast and ultimately break. However, it took a more sophisticated, clandestine approach and
set them up to fail at a later date, thereby further evading detection. Stuxnet contains, among other things,
code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system
does not shut down due to detected abnormal behavior. Such complexity is very unusual for malware. The
worm consists of a layered attack against three different systems: the Windows operating system, the Siemens Step7/WinCC control software, and the Siemens S7 PLCs that software programs.
http://en.wikipedia.org/wiki/Stuxnet
• The "Shamoon" virus (Aug 2012) attacked Saudi Arabia's state oil company, ARAMCO, in probably the
most physically destructive attack the business sector has seen to date. The virus is sophisticated, and a similar
attack days later struck Qatar's natural gas firm, RasGas. The 30,000+ computers it infected at ARAMCO were
rendered useless and had to be replaced. Shamoon included a routine called a "wiper," coded to self-execute,
which replaced crucial system files with an image of a burning U.S. flag and overwrote all the real data on
the machine with garbage. While wipers are not new, the scale and speed with which this happened were
unprecedented. Like other malware, it steals information, taking data from the Users, 'Documents and Settings',
'System32/Drivers' and 'System32/Config' folders on Windows computers. One unusual characteristic,
however, is that it overwrites the master boot record (MBR) of infected machines, so they cannot even boot.
Shamoon uses a two-stage attack. First it infects a computer connected to the Internet and
turns it into a proxy to communicate with the malware's command-and-control server. Then it
branches out to other computers on the corporate network, steals information, executes its payload and
wipes the machines. Finally, it reports back to the external command-and-control server.
http://en.wikipedia.org/wiki/Shamoon
• Oligo - indicating "few," "little," or "scant"
-- An oligomorphic engine is generally used by a computer virus to generate a decryptor for itself. It does
this by randomly selecting each piece of the decryptor from several predefined alternatives. The pieces
used to build the decryptor are usually too common to be detected with signatures on their own. Most oligomorphic
viruses aren't able to generate more than a few hundred different decryptors, so detecting them with
simple signatures is still possible.
• Poly - many
-- Polymorphic code mutates while keeping the original algorithm intact, so the code changes itself each
time it runs, but what the code does will not change at all (e.g., 1+3 and 6-2 both produce the same
result, "4", using different code). Sometimes used by computer viruses, shellcode and computer
worms to hide their presence.
• Meta - abstraction from one concept to another; Morph - to transform
Metamorphosis - a conspicuous, relatively abrupt physical change in body structure through cell growth
and differentiation. Think caterpillar to butterfly.
-- Metamorphic code outputs a logically equivalent version of its own code under some interpretation.
It is used by viruses to avoid pattern recognition by AV software: when a metamorphic virus is about to infect
new files it rewrites itself, so the next generation never looks like the current generation.
The mutated code does exactly the same thing, but the child's binary representation will typically be
completely different from the parent's.
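A model of the oligomorphic engine described above, added here as an example and not taken from the deck or from any real virus. The "encrypted body" is a constructed harmless string, the stub is Python source rather than machine code, and the fragment lists are mine. It assembles a decryptor by picking one predefined alternative for each piece (the "1+3 versus 6-2" idea), enumerates every variant the engine can produce, and then compares two detection strategies: a literal byte signature on one fragment, and a behavioural check that runs each stub and looks at what it produces.

```python
import itertools
import random

KEY = 0x5A
# Constructed stand-in for an encrypted body: here just a harmless string.
PAYLOAD = b"hello from the decrypted body"
ENCRYPTED = bytes(b ^ KEY for b in PAYLOAD)

# Predefined, functionally equivalent fragments for each piece of the stub.
# The engine picks one of each at random; every combination decrypts the body.
KEY_FRAGMENTS = ["k = 0x5A", "k = 0x2D * 2", "k = 0x5B - 1", "k = 0xFF ^ 0xA5"]
JUNK_FRAGMENTS = ["", "pass", "_ = 0", "_ = k + 0"]
LOOP_FRAGMENTS = [
    "out = bytes(b ^ k for b in enc)",
    "out = bytearray()\nfor b in enc:\n    out.append(b ^ k)\nout = bytes(out)",
    "out = bytes(map(lambda b: b ^ k, enc))",
]


def build_stub(rng):
    """Assemble one decryptor variant the way the engine would: one random
    pick from each fragment list, in order."""
    picks = (rng.choice(KEY_FRAGMENTS), rng.choice(JUNK_FRAGMENTS), rng.choice(LOOP_FRAGMENTS))
    return "\n".join(f for f in picks if f)


def all_variants():
    """Every stub the engine can produce. Oligomorphic means this set is
    small and fixed, which is why it is still enumerable."""
    return ["\n".join(f for f in combo if f)
            for combo in itertools.product(KEY_FRAGMENTS, JUNK_FRAGMENTS, LOOP_FRAGMENTS)]


def run_stub(stub, enc):
    """Execute a stub in a bare namespace and return the decrypted body.
    This is the 'emulate it and see' approach AV engines use."""
    ns = {"__builtins__": {"bytes": bytes, "bytearray": bytearray, "map": map}, "enc": enc}
    exec(stub, ns)
    return ns["out"]


def byte_signature_hits(stubs, signature="k = 0x5A"):
    """Static detection: fraction of variants a literal string match catches."""
    return sum(signature in s for s in stubs) / len(stubs)


def behaviour_hits(stubs, enc=ENCRYPTED, expected=PAYLOAD):
    """Behavioural detection: fraction of variants whose output matches."""
    return sum(run_stub(s, enc) == expected for s in stubs) / len(stubs)


if __name__ == "__main__":
    variants = all_variants()
    print(len(variants), "distinct decryptors")
    print("byte signature catches:", byte_signature_hits(variants))
    print("behaviour check catches:", behaviour_hits(variants))
    print(run_stub(build_stub(random.Random(7)), ENCRYPTED))
```

With four key fragments, four junk fragments and three loop shapes the engine has 48 decryptors, so a signature on any one fragment catches a quarter of them while the behavioural check catches all of them. A polymorphic engine replaces the fixed lists with generated fragments and a metamorphic one rewrites the loop body itself, which is why static signatures stop scaling and emulation or heuristics take over.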