2014.10_Cybersecurity - Indico

Computer security, Internet privacy:
What should we worry about?
Sebastian Lopienski
CERN Deputy Computer Security Officer
Polish Teachers Programme, October 2014
Disclaimer
What follows are my opinions
and not necessarily those of CERN.
Sebastian Lopienski
2
A cloud hack
Digital life of a “Wired” journalist destroyed in one hour:
(http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking)
– Amazon, Apple, Google, Twitter accounts compromised
– all Apple devices wiped out remotely
A cloud hack
How??
– call Amazon and add a new credit card
• needed: name, billing address, e-mail address
– call again, say you lost password, and add a new e-mail
• needed: name, billing address, current credit card
– reset password - get the new one to this new e-mail address
– login and see all registered credit cards (last 4 digits)
– call Apple, say you lost password, and get a temp one
• needed: name, billing address, last 4 digits of a credit card
– reset Google password - new one sent to Apple e-mail
• (Apple e-mail was registered as an alternate e-mail)
– reset Twitter password - new one sent to Google e-mail
• (Google e-mail was linked to the Twitter account)
A cloud hack
Multiple security flaws and issues:
• Interconnected accounts
– Which one of your accounts is the weakest link?
• Our full dependence on digital
– digital information, devices, cloud services etc.
• Very weak identity check procedures
– … and often not even followed correctly
– some procedures have changed as an outcome of this case
– enable 2-step authentication (Google, LinkedIn, Apple, …)
– “security” questions with answers often trivial to find
(remember Sarah Palin’s Yahoo account hack in 2008?)
From http://www.bizarrocomics.com
E-mail account before e-bank account?
From http://elie.im/blog/security/45-of-the-users-found-their-email-accounts-more-valuable-than-their-bank-accounts
Passwords lost, or easy to guess…
• Top 10 words used in passwords
– password
– welcome
– qwerty
– monkey
– jesus
– love
– money
– freedom
– ninja
– writer
From http://www.zdnet.com/the-top-10-passwords-fromthe-yahoo-hack-is-yours-one-of-them-7000000815/
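A defender’s use of a list like the one above is to reject passwords built on those words before they reach a leak. The following is an added example, not code from the talk: it checks a candidate password against the ten words quoted on the slide, after case folding, undoing common digit/symbol substitutions and stripping non-letters. The substitution table, the 12-character minimum and the sample passwords are assumptions of this example.

```python
# Added example: reject passwords built on the slide's top-10 words.
import re
from typing import Optional

# The ten words quoted on the slide (ZDNet, Yahoo leak).
TOP10_WORDS = (
    "password", "welcome", "qwerty", "monkey", "jesus",
    "love", "money", "freedom", "ninja", "writer",
)

# Assumed leet-style substitutions that cracking wordlists also undo.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
})

MIN_LENGTH = 12  # assumed policy value


def normalise(password: str) -> str:
    """Reduce a password to its alphabetic core for dictionary matching."""
    core = password.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def weak_reason(password: str) -> Optional[str]:
    """Return why the password is weak, or None if it passes these checks."""
    lowered = password.lower()
    if lowered in TOP10_WORDS:
        return f"exactly a top-10 word: {lowered!r}"
    core = normalise(password)
    for word in TOP10_WORDS:
        if word in core:
            return f"built on top-10 word {word!r}"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for candidate in ("password", "P@ssw0rd1", "Monkey!2014",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {weak_reason(candidate) or 'ok'}")
```

The point of the normalisation step is that “P@ssw0rd1” is not meaningfully stronger than “password”: attackers’ wordlists apply the same substitutions, so a checker that only compares the literal string misses most of the weak variants.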
Outline
• Where we are?
• Who are they?
• What is ahead?
Vulnerabilities
Trying to sell a Yahoo XSS for 700$
Selling a Command Execution vulnerability in MS Office for $20k
Vulnerability market shift
• Finding vulnerabilities – difficult, time consuming
• Selling to vendors, or publishing (mid 2000s)
– limited money – thousands to tens of thousands of dollars,
e.g. Mozilla up to $3000, Google up to $3133.7
– vulnerabilities eventually patched (good!)
• Selling to underground (late 2000s)
– busy and active “black market”
– more profitable – tens to hundreds of thousands of USD
– sometimes buyers are governments or their contractors
– used in 0-day exploits (no patch)
Botnets
(networks of infected machines)
From http://www.f-secure.com/weblog/archives/00002430.html
Outline
• Where we are?
• Who are they?
• What is ahead?
Who are they?
• criminals – motivation: profit
• hacktivists – motivation: ideology, revenge
• governments – motivation: control, politics
Criminals
Usual stuff:
• Identity theft
• Credit-card fraud
• Malware targeting e-banking, e.g. Zeus, Gozi etc.
• Scareware, e.g. fake AV, fake police warnings
• Ransomware: taking your data hostage (soon: accounts?)
• Mobile malware, e.g. sending premium rate SMSes
• Denial of Service (DoS)
• Spam
• etc.
2-in-1: Scare and demand ransom
From symantec.com
From http://www.zdnet.com/sopa-reincarnates-to-hold-your-computer-hostage-7000005684
Cyber criminals
Thai police have arrested Algerian national Hamza Bendelladj –
wanted by the FBI for allegedly operating the Zeus botnet
(e-banking malware)
From http://www.bangkokpost.com
Gangsters…
A hacker nicknamed “vorVzakone”,
allegedly related to Gozi malware
From krebsonsecurity.com
… employing “mules”
“Become a foreign agent in the US” advertisement
From krebsonsecurity.com
Hacktivists
Attacking to protest, to pass the message etc.
Anonymous, LulzSec, …
… many groups, varying agendas,
from ideologists to criminals
Do you know this guy?
Aaron Swartz
A software developer,
an open-access activist
– 2001 (aged just 14!): helped develop RSS
– 2002: worked with Tim Berners-Lee on the semantic web
– 2008: released 20% of the Public Access to Court Electronic
Records (PACER) database of United States federal court records
– 2011: arrested for retrieving scientific articles from JSTOR;
he believed in open access to the results of publicly-funded research
and risked a sentence of 35 years in prison / a $1m fine
– 2012: campaigned against SOPA
– 2013: committed suicide
(because of the ongoing criminal investigation?)
Google – a freedom activist?
https://www.google.com/takeaction/
…but governments?
Spying on (some) citizens
• Israel demands e-mail passwords at borders
• German police infect criminals’
PCs with Trojans/backdoors
– buying surveillance code
and services for 2M EURO (!)
– or developing in-house
– unfortunately, full of security holes
Network encryption? Infect computers or go after services
From http://www.f-secure.com/weblog/archives/00002423.html
• Syrian activists’ PCs infected with Trojans/backdoors
• Tibetan rights activists often targeted
PRISM mass online surveillance program
Privacy vs. control
“If you are doing nothing wrong,
then you shouldn’t worry if we watch you.”
“If I am doing nothing wrong,
then you shouldn’t be watching me!”
Cryptography/encryption (HTTPS) is still a good defense
Agencies & contractors turning offensive
From F-Secure
Agencies & contractors turning offensive
From http://www.f-secure.com/weblog/archives/00002372.html
• Northrop Grumman looks for "Cyber Software Engineer"
for “an Offensive Cyberspace Operation mission"
Stuxnet
(the worm that targeted Iranian uranium-enriching centrifuges, discovered 2010)
Estimated development effort: 10 man-years
Result: sabotage – 30,000 Iranian computers infected, some HW
damage, nuclear program set back by ~2 years
Cui bono?
(New York Times, June 2012: a joint US-Israel operation
“Olympic Games” started by Bush and accelerated by Obama)
Outline
• Where we are?
• Who are they?
• What is ahead?
Does Stuxnet make us all more vulnerable?
http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12
Thank you