Accessing Public WiFi: Security Issues

A Few Miscellaneous Topics on Security
Sankar Roy
1
Acknowledgement
In preparing the presentation slides and the
demo, I received help from
• Professor Simon Ou
• Professor Gurdip Singh
• Professor Eugene Vasserman
2
Agenda
• Password cracking
• Information gathering (reconnaissance)
• Spoofed emails or phone calls
• Threats through emails
– phishing attack
– other attacks
• Risks of swiping a credit card in an untrusted place
• Security concerns associated with RFID tags
3
Password-based Security
• We use passwords everywhere
– email accounts, bank accounts, social networking
sites, personal computers, and so on…
• What makes a good password?
– long but should be easy for you to remember
– should be very difficult for the attacker to guess
4
Good or Bad Passwords?
7@Ack
i love soccer
07deserteagle
chuck#0123
5lakers5
oliveoil7
john1
eagle1900
beethoven5th
PTL!1g1M05
Pizza
qwerty123
dhx@yahoo.com
justin_bieber_sux!
h.o.u.s.e
{T@!4u2N9^}&
$trongPassword
WeRtheChamp10n
!ILh2dW&%D@etF1
zeppelinIV
5
Password Cracking
• How long is good enough?
– we can compute the password strength
– mix upper-case and lower-case letters with digits
– use special characters
• Dictionary attack
– the attacker first tries a list of frequently used passwords
– then, she may try all possible combinations (brute-force)
• Social engineering to aid in cracking
– information gathering can work if, as an example, a family
member or pet’s name is used as the password
– you may leak your secret while responding to a fake email
or phone call
6
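The two attacks on the slide can be put side by side in code: a dictionary attack tries a list of frequently used passwords first, and brute force then has to exhaust every string over the character classes the password actually uses. The following is an added example, not part of the original slides; the common-password list and the guess rate of 10^10 guesses per second are constructed assumptions, and the entropy figure assumes randomly chosen characters (a passphrase of dictionary words scores high here but a real cracker also tries word combinations).

```python
import math
import string

# Constructed stand-in for the "frequently used passwords" list a dictionary
# attack tries first; a real cracker loads a wordlist with millions of entries.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty123", "iloveyou", "letmein", "pizza", "john1",
}

# Character classes the slide names: lower case, upper case, digits, specials.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation + " ",
}


def classes_used(password: str) -> set:
    """Which character classes appear in the password."""
    return {name for name, chars in CHARSETS.items()
            if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Alphabet a brute-force attacker must assume, given the classes actually used."""
    return sum(len(CHARSETS[name]) for name in classes_used(password))


def entropy_bits(password: str) -> float:
    """Brute-force strength as log2(alphabet ** length); 0 for an empty password.
    Assumes every character was chosen at random from the alphabet."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def exhaust_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Time to try every string of this length over this alphabet at an assumed
    guess rate (1e10/s is an assumed figure for a GPU rig against a fast hash)."""
    size = alphabet_size(password)
    return size ** len(password) / guesses_per_second if size else 0.0


def assess(password: str) -> dict:
    """Dictionary check first (cheap for the attacker), then brute-force strength."""
    in_dictionary = password.lower() in COMMON_PASSWORDS
    bits = entropy_bits(password)
    if in_dictionary:
        verdict = "bad: on the common-password list, falls to a dictionary attack"
    elif bits < 40:
        verdict = "weak: under 40 bits of brute-force strength"
    elif bits < 70:
        verdict = "fair: 40 to 70 bits of brute-force strength"
    else:
        verdict = "strong: 70 or more bits of brute-force strength"
    return {
        "password": password,
        "classes": sorted(classes_used(password)),
        "bits": round(bits, 1),
        "exhaust_seconds": exhaust_time_seconds(password),
        "in_dictionary": in_dictionary,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # A few candidates from the "Good or Bad Passwords?" slide.
    for candidate in ("7@Ack", "qwerty123", "i love soccer", "{T@!4u2N9^}&"):
        print(assess(candidate))
```

Run it on the quiz slide's candidates: a short password that uses all four classes still has only about 33 bits and is exhausted in under a second at the assumed rate, while length matters far more than symbol variety; anything on the common list is lost regardless of its length.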
Password Cracking Tools
• Hydra, Medusa
– can crack network logon passwords (e.g. FTP,
HTTP, VNC, POP3)
• Ophcrack
– pre-computed rainbow tables can reduce cracking
time
• Top 10 Password Crackers:
– http://sectools.org/crackers.html
7
Information Gathering
The attacker can employ several techniques
1. Uses Internet search engines and social networks
– collect names, addresses, login names, email addresses, host
names, etc.
– automated tools available, e.g. theHarvester
2. Sends information requests via fake email or phone
– and waits for response from a potential victim
3. Does dumpster diving
4. Buys information from the black market
8
TheHarvester: An Automated Miner
• A tool for gathering e-mail accounts, user names and hostnames from
different public sources.
• It supports multiple sources:
– Google, Bing, LinkedIn, etc.
– Caution: the attacker can use all sources
• An example:
– Using this tool a spammer can collect your email address (e.g. from
your public webpage)
• Anti-Harvesting methods
– Address munging (e.g. instead of alice@abc.com publish “alice at abc dot com”)
– Using images to display part or all of an email address
9
Spoofed Email
• Email system does NOT provide “sender
authentication”
– in a spoofed email, the sender’s address is altered
– receiving an email proves nothing about the
actual sender
• Spoofed email sending software is available
– which is used in sending SPAM or phishing email
10
Let’s do a Hands-on Activity
• Note: there are some websites via which
anybody can send a spoofed email to anybody
• Let’s test one of them to understand how easy
it is for the attacker to send a fake message
• Caution: this activity is for testing purposes
only. It is a crime to send a phishing email.
11
Gmail’s Ways to Detect Email Spoofing
• Sender Policy Framework (SPF) is an email
validation system
– allows administrators of a domain D to specify
which hosts are allowed to send email from D
– the receiving server looks up D’s policy in DNS and
checks whether the sending host’s IP address is authorized
• DomainKeys Identified Mail (DKIM) is a way
to digitally sign emails
– lets the receiver verify that the email was actually sent by
the particular domain D claimed in the email.
12
How to Check the Authentication Information of a Message on Gmail
Acknowledgement: Gmail’s User Guide
13
Phone Caller ID Spoofing
• Makes a phone call appear to have come from
any number the caller wishes
• Most common spoofing method is through
the VoIP system
• Open source tools e.g. Asterisk, FreeSWITCH
can be used for spoofing
14
Email Threats
• Security risks include
– phishing scams
– links (in body) or attachments have malware
• Nowadays these risks are high
– bad guys can hire a SPAM sending botnet to
launch a large-scale attack
– millions of valid email addresses are available for
sale in the underground black market
15
Phishing Attack: An Example Email
Subject: E-mail Security Alert!
From: Kansas State University <notifications@ksu.edu>
Date: Tue, 18 Dec 2012 06:14:01 +0900 (JST)
Access to your e-mail account is about to expired.
Please Click here
<http://sevenes.com/zboard/ksu/>
to restore access to your e-mail account.
We apologise for any inconvenience and appreciate your understanding.
Regards, Kansas State University
Acknowledgement: K-State IT Security Threats Blog
16
Phishing Attack: Another Example
Acknowledgement: FraudWatchInternational.com
17
More on the Phishing Attack
• Fake email messages apparently coming from a
trusted person or institution (e.g. a bank)
– trick people into passing secret information such as
passwords, credit card numbers and bank account
numbers.
• A phishing email can have links to
– fake login pages impersonating financial institutions
– malware, virus, spyware, etc.
18
Countering Phishing Attack
• Remember that the institution (e.g. your bank or
KSU) will never ask for your secret through emails
• Be suspicious when you receive an email; know that
the email sender address can be spoofed
• Avoid clicking any link in such emails
– double-check whether the link’s URL looks fishy
– visit only https links; do not proceed if you get a warning
about a bogus certificate
• Do not respond to any such email; call them if unsure
• Always use the latest versions of web browsers
19
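The advice on this slide (compare where a link really goes with who the mail claims to be from, prefer https, distrust urgency) can be checked mechanically. The following is an added example, not from the slides or K-State ITS: it runs the phishing message shown a few slides earlier, reconstructed as a raw email, and a constructed benign message through the same checks. The lure-phrase list and the two-label domain simplification are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Raw message reconstructed from the phishing example on the slide (headers trimmed).
PHISHING_EMAIL = """\
Subject: E-mail Security Alert!
From: Kansas State University <notifications@ksu.edu>
Date: Tue, 18 Dec 2012 06:14:01 +0900 (JST)

Access to your e-mail account is about to expired.
Please Click here <http://sevenes.com/zboard/ksu/>
to restore access to your e-mail account.
"""

# Constructed benign message for comparison (hypothetical sender and link).
BENIGN_EMAIL = """\
Subject: Library hours over the break
From: K-State Libraries <library@ksu.edu>

Holiday hours are posted at https://www.lib.ksu.edu/hours for each branch.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Phrases that pressure the reader into acting before thinking (assumed list).
LURE_PHRASES = ("expire", "suspend", "restore access", "click here",
                "verify your account")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. mail.ksu.edu -> ksu.edu. A real
    checker consults the Public Suffix List (co.uk etc.); this is a simplification."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw_message: str) -> dict:
    """Apply the slide's advice: does each link go where the sender claims to
    be from, is it https, and does the text use a lure phrase?"""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = msg.get_payload()  # plain single-part body; multipart would need walking
    links = URL_RE.findall(body)
    findings = []
    for url in links:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if registrable_domain(host) != registrable_domain(sender_domain):
            findings.append(
                f"link host {host} does not belong to sender domain {sender_domain}")
        if parsed.scheme != "https":
            findings.append(f"link {url} is not https")
    lowered = body.lower()
    findings.extend(f"lure phrase: '{p}'" for p in LURE_PHRASES if p in lowered)
    return {
        "sender_domain": sender_domain,
        "links": links,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyze(raw)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

The From address is taken at face value here, which is exactly what the spoofing slides warn about; in practice this link check complements, rather than replaces, the SPF and DKIM results the receiving server records.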
How to Recognize a Fraudulent Email?
• Train yourself by studying several resources
which are available on the KSU ITS website
• Some resource examples are
– Anti-Phishing Working Group
www.antiphishing.org
(http://www.antiphishing.org/resources/Educate-YourCustomers/)
– Looks Too Good To Be True
www.lookstoogoodtobetrue.com
20
Examples of Phishing Scams
• Advance fee scam
• Job offer scam
• Nigerian scam
• Beneficiary of a will scam
• Over-paying (Craigslist) scam
• Charitable donation scam
• Facebook friend scam
Acknowledgement: K-State ITS
21
Spear Phishing
• A more targeted method of phishing
– only known members of the targeted institution
receive the email
• Email addresses are acquired by
– joining a mailing list
– buying a list from a hacker
– guessing email addresses based on the general
format e.g. abc123@k-state.edu
22
Threats via Email Attachment
• Email attachment may contain malware
– worms, viruses, Trojan horses, etc.
– which can seriously damage your computer
• Do not open any suspicious attachment
– it can trigger/execute the malware
– just delete such emails
• Install anti-virus software on your computer
– ensure that it scans all attachments automatically
before you open them
– the anti-virus product “Trend Micro Security” is available to K-Staters
23
Risks of Swiping a Credit Card in an Untrusted Place
• An ATM skimmer can steal the data on the card
– later the bad guys collect the data from the skimmer device
– difficult to detect: it blends in with the cash machine in form and color
• A skimmer typically has two components
– a device that fits over the card acceptance slot and steals the data stored
on the card’s magnetic stripe
– a pinhole camera built into a false panel that thieves can fit above or
beside the PIN pad.
• Risk Mitigation
– try to avoid using ATMs in unknown non-standard places
– frequently check your credit card transactions and report fraud, if any
24
Basics of RFID Technology
• The tracking system has three components:
– a scanning antenna
– an RFID tag programmed with information
– a transceiver to interpret the data
• An RFID tag can be read
– from a distant place (up to 300 feet)
– no need to be in the line of sight (unlike a barcode)
• RFID tags have NO batteries
– so a tag remains usable for a long time
25
RFID Tags: Security and Privacy Concerns
• A thief with a scanner can activate the RFID tag
and read its contents
– example: if someone walks by your bag of books with a
"sniffer”, that person can get a complete list of books.
• Concern with RFID devices in a company badge
– example: an RF field may make the RFID chip in the
badge spill the badge secret, allowing the thief access.
26
Summary
• We discussed a few common security issues.
• We presented the standard countermeasures to
mitigate the risks
• This was the last class of CIS 490
• Thanks a lot for your time and cooperation
27