Fraudulent Methods for Attacking Bank Networks and Prevention 2014

8/24/2014
1
Aladdin Dandis
Copyright@2014 Al-Taysir for Information Systems Security Consulting LLC
 Module 1: Introduction
 Module 2: Banking Fraud
 Module 3: Hacking Methodologies and Approach
 Module 4: Scamming
 Module 5: Social Engineering
 Module 6: Malware
 Module 7: Cyber Crimes
 Module 8: Cyber Crime Law
 Module 9: Encryption
 Module 10: Prevention Tips and Measures
 Extra Module: OWASP Top 10

8/24/2014
2
Module 1
 Before we can start securing banking
environment, we need to have a fundamental
understanding of the standard concepts of
security.
 What you are trying to protect
 Why does it needs to be protected
 What you’re protecting it from

8/24/2014
3
 Confidentiality
 Integrity
 Availability
 Confidentiality is the characteristic of a resource
ensuring access is restricted to only permitted users,
applications, or computer systems.
 Confidentiality deals with keeping information,
networks, and systems secure from unauthorized
access.
 There are several technologies that support
confidentiality in an enterprise security
implementation.
 Strong encryption
 Strong authentication
 Stringent access controls

8/24/2014
4
 Integrity is defined as the consistency, accuracy,
and validity of data or information.
 One of the goals of a successful information
security program is to ensure that data is
protected against any unauthorized or accidental
changes.
 Availability describes a resource being accessible
to a user, application, or computer system when
required.
 In other words, availability means that when a user
needs to get to information, he or she has the ability
to do so.
 Typically, threats to availability come in two
types: accidental and deliberate.

8/24/2014
5
 Risk management is the process of identifying, assessing,
and prioritizing threats and risks.
 A risk is generally defined as the probability that an event
will occur.
 A threat, which is defined as an action or occurrence that
could result in the breach, outage, or corruption of a
system by exploiting known or unknown vulnerabilities.
 The goal of any risk management plan is to remove risks
when possible and to minimize the consequences of risks
that cannot be eliminated.
 Risk assessments are used to identify the risks that might
impact your particular environment.
 After you have prioritized your risks, you are
ready to choose from among the four generally
accepted responses to these risks. They include:
 Avoidance
 Acceptance
 Mitigation
 Transfer

8/24/2014
6
 The principle of least privilege is a security
discipline that requires that a particular user,
system, or application be given no more privilege
than necessary to perform its function or job.
 An attack surface consists of the set of methods
and avenues an attacker can use to enter a
system and potentially cause damage.
 The larger the attack surface of a particular
environment, the greater the risk of a successful
attack.

8/24/2014
7
 Social engineering is a method used to gain
access to data, systems, or networks, primarily
through misrepresentation.
 This technique typically relies on the trusting
nature of the person being attacked.
 Security costs money.
 You should also strive to make the security measures
as seamless as possible to authorized users who are
accessing the confidential information or resource.
 If security becomes a heavy burden, users will often
look for methods to circumvent the measures you
have established.
 Training goes a long way in protecting your
confidential information and resources because it
shows users what warning signs to watch for.

8/24/2014
8
 Physical security is the first line of defense.
 There are a number of factors to consider when
designing, implementing, or reviewing physical
security measures taken to protect assets,
systems, networks, and information.
 These include understanding site security and
computer security; securing removable devices
and drives; access control; mobile device
security; disabling the Log On Locally capability;
and identifying and removing keyloggers.
 Access control is the process of restricting access
to a resource to only permitted users,
applications, or computer systems.

8/24/2014
9
 A bank is one of the most vulnerable businesses
around and the security for a bank is much different
than any other type of security.
 Protecting a bank should be the highest priority and
there are many areas that you need to consider.
 A security company can fulfill all of the needs you
may have for a bank and this does require a special
amount of security for the very best option.
 Security for banks is something that cannot be
neglected and the right security can keep this bank
safe for anyone that enters through the doors.
 Armed guards are integral for the safety of your bank and
your patrons.
 Video surveillance is another important area and you do
not want to choose the cheapest security on the market.
 The placement of security cameras is a major
consideration that you need to take.
 A professional will ensure that a camera is placed
wherever money transactions occur and there may be
some other areas where special attention may be needed.
 Some banks may also need to monitor the employees if an
inside theft is detected and this is another area where you
can hire security.

8/24/2014
10
 Defense in depth means
using multiple layers of
security to defend your
assets.
 That way, even if an
attacker breaches one
layer of your defense, you
have additional layers to
keep that person out of
the critical areas of your
environment.
 There are several other goals to keep in mind when
designing a physical security plan:
 Authentication: Site security must address the need to
identify and authenticate the people who are permitted
access to an area.
 Access control: Once a person’s identity has been proven
and authenticated, site security must determine what
areas that person has access to.
 Auditing: Site security must also provide the ability to
audit activities within the facility. This can be done by
reviewing camera footage, badge reader logs, visitor
registration logs, or other mechanisms.

8/24/2014
11
 For the purposes of this lesson, we will break the
physical premises into three logical areas:
 External perimeter
 Internal perimeter
 Secure areas
 The external security perimeter is the first line of
defense surrounding your office.
 Common security measures you may encounter with
respect to an organization’s external perimeter
include the following:
 Security cameras
 Parking lot lights
 Perimeter fence
 Gate with guard
 Gate with access badge reader
 Guard patrols

8/24/2014
12
 The internal security perimeter starts with the building
walls and exterior doors and includes any internal security
measures, with the exception of secure areas within the
building.
 Some of the features you may use to secure an internal
perimeter include the following:
 Locks (on exterior doors, internal doors, office doors, desks,
filing cabinets, etc.)
 Security cameras
 Badge readers (on doors and elevators)
 Guard desks and patrols
 Smoke detectors
 Turnstiles and mantraps
 Areas that not only to restrict external attackers, but
also to limit internal employee access.
 Secure area security technologies include the
following:
 Badge readers and Keypads
 Biometric technologies (e.g., fingerprint scanners, retinal
scanners, voice recognition systems, etc.)
 Security doors
 X-ray scanners and Metal detectors
 Cameras
 Intrusion detection systems (light beam, infrared,
microwave, and/or ultrasonic)

8/24/2014
13
 Computer security consists of the processes,
procedures, policies, and technologies used to
protect computer systems.
 Servers
 Desktop Computers
 Mobile Computers
 Mobile devices are one of the largest challenges
facing many security professionals today.
 Mobile devices such as laptops, PDAs, and
smartphones are used to process information, send
and receive mail, store enormous amounts of data,
surf the Internet, and interact remotely with internal
networks and systems.
 Docking stations
 Laptop security cables
 Laptop safes
 Theft recovery software
 Laptop alarms:

8/24/2014
14
 A removable device or drive is a storage device
that is designed to be taken out of a computer
without turning the computer off.
 Include memory cards, flash drives, floppy disks,
CDs, and DVDs
 Removable devices typically connect to a
computer through a drive, through external
communications ports like USB or Firewire, or, in
the case of memory cards, through built-in or
USB-based readers.
 There are three basic types of security issues
associated with removable storage:
 Loss
 Theft
 Espionage

8/24/2014
15
 A keylogger is a physical or logical device used to
capture keystrokes.
 An attacker will either place a device between
the keyboard and the computer or install a
software program to record each keystroke
taken, and then he or she can use software to
replay the data and capture critical information
like user IDs and passwords, credit card numbers,
Social Security numbers, or even confidential
emails or other data.
 CIA, short for confidentiality, integrity, and
availability, represents the core goals of an
information security program.
 Confidentiality deals with keeping information,
networks, and systems secure from unauthorized
access.
 One of the goals of a successful information
security program is to ensure integrity, or that
information is protected against any
unauthorized or accidental changes.

8/24/2014
16
 Availability is defined as the characteristic of a
resource being accessible to a user, application, or
computer system when required.
 Threat and risk management is the process of
identifying, assessing, and prioritizing threats and
risks.
 A risk is generally defined as the probability that an
event will occur.
 Once you have prioritized your risks, there are four
generally accepted responses to these risks:
avoidance, acceptance, mitigation, and transfer.
 The principle of least privilege is a security discipline
that requires that a user, system, or application be
given no more privilege than necessary to perform
its function or job.
 An attack surface consists of the set of methods and
avenues an attacker can use to enter a system and
potentially cause damage. The larger the attack
surface of an environment, the greater the risk of a
successful attack.
 The key to thwarting a social engineering attack is
employee awareness. If your employees know what
to look out for, an attacker will find little success.

8/24/2014
17
 Physical security uses a defense in depth or
layered security approach that controls who can
physically access an organization’s resources.
 Physical premises can be divided into three
logical areas: the external perimeter, the internal
perimeter, and secure areas.
 Computer security consists of the processes,
procedures, policies, and technologies used to
protect computer systems.
 Mobile devices and mobile storage devices are
among the biggest challenges facing many
security professionals today because of their size
and portability.
 A keylogger is a physical or logical device used to
capture keystrokes.

8/24/2014
18
Module 2
 Fraud encompasses a wide range of irregularities and
illegal acts characterized by intentional deception or
misrepresentation.
 The IIA’s IPPF defines fraud as:
 “… any illegal act characterized by deceit, concealment, or
violation of trust. These acts are not dependent upon the threat
of violence or physical force. Frauds are perpetrated by parties
and organizations to obtain money, property, or services; to
avoid payment or loss of services; or to secure personal or
business advantage.”
 This broad definition of fraud accommodates the fraud
risks, exposures, and threats encountered within IT
departments as well as frauds enabled by the use of
technology.

8/24/2014
19
 An IT fraud risk assessment usually includes the
following key steps:
 Identifying relevant IT fraud risk factors.
 Identifying potential IT fraud schemes and prioritizing
them based on likelihood and impact.
 Mapping existing controls to potential fraud schemes and
identifying gaps.
 Testing operating effectiveness of fraud prevention and
detection controls.
 Assessing the likelihood and business impact of a control
failure and/or a fraud incident.

8/24/2014
20

8/24/2014
21

8/24/2014
22
 Access to Systems or Data for Personal Gain
 The most valuable information desired by individuals perpetrating a
fraud in the IT area resides in the form of digital assets maintained by
the organization.
 Most organizations collect, create, use, store, disclose, and discard
information that has market value to others outside the organization.
 This data can be in the form of employee or customer personal
information, such as government issued identification numbers,
social identification numbers, bank account numbers, credit card
numbers, checking account numbers, bank routing numbers, and
other personal information.
 Whether the perpetrator is an individual with authorized access to
the data or a hacker, this information can be sold to others or used
for personal gain for crimes such as identity theft, unauthorized
purchases on stolen credit cards, counterfeiting of credit cards, or
stealing or diverting money from a bank account.
 Insiders have legitimate access to their organizations’
information, systems, and networks, pose a significant risk
to employers.
 Employees experiencing financial problems may be
tempted to use the systems they access at work every day
to commit fraud.
 Employees motivated by financial problems, greed,
revenge, the desire to obtain a business advantage, or the
wish to impress a new employer, may choose to steal
confidential data, proprietary information, or intellectual
property from their employers.
 Technical employees can use their technical abilities to
sabotage their employers’ systems or networks in revenge
for negative work-related events.

8/24/2014
23
 A database analyst for a major check authorization
and credit card processing company exceeded his
authorized computer access.
 The employee used his computer access to steal the
consumer information of 8.4 million individuals.
 The stolen information included names and
addresses, bank account information, and credit and
debit card information. He sold the data to
telemarketers over a five-year period.
 A U.S. district judge sentenced him to 57 months’
imprisonment and US $3.2 million in restitution for
conspiracy and computer fraud
 Changes to System Programs or Data for Personal
Gain
 If the organization has control breakdowns or
weaknesses in the systems development life cycle,
opportunities exist for fraud.
 The following table “Fraud in Systems Development”
help demonstrate how fraud may occur in each of the
system development phases.

8/24/2014
24
 Completing periodic enterprise wide IT fraud risk assessments.
 Instituting periodic security and fraud awareness training for all
employees.
 Enforcing segregation of duties.
 Restricting access to systems and data on a business need to know.
 Implementing strict password and identity management policies and
practices.
 Logging, monitoring, and auditing employees’ network actions.
 Using extra caution with system administrators and privileged users.
 Using layers of defense against network intrusions.
 Developing an effective incident response plan and assembling an
incident response team.
 Deactivating computer access upon an employee's termination of
employment.
 Collecting and saving forensic data for use in investigations.
 Allowing for secure back-up and recovery processes.
 Implementing good vulnerability management programs.

8/24/2014
25
 As a customer you may be seen as a potential
target for fraudulent activities. However by
arming yourself with information and tools you
can protect yourself from becoming a victim of
the four biggest fraud threats you face
 Electronic fraud
 Identity theft
 Credit/Debit card fraud
 Cheque fraud.
 Credit card and debit card fraud is a crime whereby your
credit or debit card can be reproduced in order to use the
credit balance to obtain a financial advantage.
 The creation and/or alteration of a credit/debit card
occurs when the information contained on the magnetic
strip is reproduced.
 This type of crime is known as ‘skimming’.
 Credit or debit card fraud can also occur when your card is
lost or stolen and used by a third party to purchase goods
with those cards or to remove cash from the cards.
 Credit or debit cards can also be intercepted in transit
while being sent to you. Your cards can also be
compromised by a dishonest merchant who undertakes
unauthorized duplicate transactions on your card.

8/24/2014
26
 Protect your credit / debit card:
 Memorize your personal identification number (PIN). Don't use
the same PIN for all your cards, and don't choose your birth
date or other easily identifiable numbers that might be on
something else in your wallet.
 Check statements and call your credit card issuer immediately if
you see anything suspicious on your bill. You could help the
company uncover fraud—and save yourself from paying
unauthorized charges.
 Do not let your credit card out of your sight at anytime – for
example, at a restaurant – go with the card.
 Card fraud is not applicable in Australia only – be just as vigilant
when travelling overseas, credit card skimming is an
international crime.
 Always sign your card in ink as soon as you receive it.
 Keep track of when new and reissued cards should arrive, and
call the credit card issuer if they don't come on time.
 Make sure your mailbox is secure, and that only you and the
postal carrier have access to it.
 Tear up all credit card receipts and pre-approved credit card
offers into small pieces before you throw them away. Keep your
billing statements in a safe place.
 When you use your credit card online, make sure you are using
a secure website. Look for a small key or lock symbol at the
bottom right of your browser window.
 Never give your card number to strangers or telemarketers who
call you on the phone. Don't give your card number unless you
initiated the call.

8/24/2014
27
 The use of a cheque to get financial advantage by:
 Altering the cheque (payee/amount) without authority
 Theft of legitimate cheques and then altering them
 Duplication or counterfeiting of cheques
 Using false invoices to get legitimate cheques
 Depositing a cheque into a third party account without
authority
 Depositing a cheque for payment knowing that insufficient
funds are in the account to cover the deposited cheque.
 How to protect yourself from cheque fraud
 Reconcile your accounts promptly and regularly
 Never sign blank cheques, and only sign cheques after all details have been
completed.
 Limit the number of signatures to your account to ensure control.
 Ensure that your signature is not with documents that can be accessed by
the general public.
 Keep all cheques secure when not in use to deter theft.
 Don’t leave any gaps in the completion of the payee name, amount in words
and in figures.
 If cheques are lost or stolen contact ANZ immediately and ask them to stop
payment on the cheque.
 Ensure that any invoices are valid before payment.
 Consider using electronic means of payment (if possible) for high value
payments.
 Ensure that your mailbox is secure to protect your inward cheques.

8/24/2014
28
 Includes Email scams and fake websites
 A number of customers from financial institutions have been
targeted with hoax emails. These emails appear to be genuine
bank emails.
 Some emails inform the customer that their security details
and passwords need to be updated by logging into an authentic
looking, but fake website. The purpose of these websites is to
obtain your log on details to access your bank accounts.
 Others communicate security messages and advise you to
install software from the email that checks and removes
viruses. By downloading the software you are in fact tricked
into downloading a virus.
 The Bank will not send you an email asking for your Account
Details, Financial Details, or login details for Phone Banking,
Mobile Banking or Internet Banking.
 Where personal details are obtained to get some sort of
financial or other benefit, leaving you the owner of that
identity often in large debt with a negative credit history
and in some cases with legal implications.
 Your information can be obtained in many ways:
 Theft, including theft of mail from your mailbox at home
 By going through your garbage bins
 Telephone, Fax and Mail scams
 Internet.
 The following can be used to assume your identity:
 Date of birth
 Utilities bills (phone, gas, water and rates notices)
 Address.

8/24/2014
29
Module 3
57
Copyright@2014 Al-Taysir for Information Systems Security Consulting LLC 58

8/24/2014
30

8/24/2014
31

8/24/2014
32

8/24/2014
33

8/24/2014
34

8/24/2014
35

8/24/2014
36

8/24/2014
37

8/24/2014
38
Module 4

8/24/2014
39
 Scams are attempts to intentionally mislead a
person, usually with the goal of financial or other
gain.
 Many customers have fallen prey to various
different scams.
 It's important for you to understand how to
recognize scams and avoid them.
 Scams come in all shapes and sizes, it’s good to
understand what the latest and most common scams
affecting Australian consumers are. So here’s some
descriptions of scams and how they work to try and take
your money.
 Job scams
 Mystery shopper scams
 Dating and Bogus friend scams
 Online purchasing scams
 Direct debit scams
 Lottery scams
 Genealogy scams
 Calling scams

8/24/2014
40
 Be wary of various job scams advertised via the Internet.
Bogus overseas companies have been targeting consumers
to act as ‘money transfer agents’ in the sale of goods and
services via methods such as fake job advertisements,
unsolicited emails and online chat rooms.
 ‘Employees’ are asked to use their own bank accounts to
transfer money overseas made from ‘sales’. In fact, they
will be transferring stolen money. In most cases,
employees are instructed to send these funds to Eastern
European countries. Employees are promised a percentage
of the transfer as their commission.
 The fake job advertisement websites look very
professional and convincing.
 Some job advertisements contain malicious software
that allow the job advertiser to access the person’s
computer and collect their personal details,
including bank account details.
 Exercise extreme caution if you receive an email
from any person or company asking for your
personal and banking details.
 Finally, if it sounds too good to be true it probably is.

8/24/2014
41
 You might apply for a job as a mystery shopper
and are sent some money to purchase a few
small goods. Then you are asked to mystery shop
the services of money transfer companies like
Western Union and send money overseas.
 This money is from Internet Banking Fraud,
counterfeit Traveler’s cheques or business
cheques.
 Dating and Bogus Friend scams aim to appeal to
your romantic or compassionate nature. It may
start as a friend request on Facebook from
someone you don’t know or via Internet dating
sites.
 Scammers will attempt to build your trust over
what could be a number of months, revealing
personal information to you, sending you gifts or
promising to visit you.

8/24/2014
42
 Once they’ve gained your trust, they’ll ask you for
money either directly or subtly by telling you of an ill
relative that needs the funds for medical treatment
or how they’re enduring financial hardship and need
some funds. You could lose your money doing this.
 In other cases they may ask you for your
banking/credit card details because they need to get
some money out of the country or want to share
some with you. This may be money laundering.
 There are a range of online purchasing scams for
buyers and sellers alike. Some include:
 Classified ads scams
 Overpayment scams

8/24/2014
43
 Sellers are posing with genuine classified ads for all
sorts of things including pets, rental properties, cars
and bikes with real pictures and details offering
goods at low prices to get your interest.
 Once you’ve responded the seller usually claims to
be travelling or moved overseas and that an agent
will give you the goods once they get your payment.
 A professional looking email receipt for payment is
then sent to you.
 After you’ve paid them you won’t get your goods
and you won’t be able to contact the seller
anymore.
 For rental properties they also claim to be away
overseas and cannot be there to do inspections.
 They may ask you for a deposit to secure it and
even documents proving your identity and bank
details which are then used for identity theft.

8/24/2014
44
 Other scams include overpayment for goods
you’re selling, paying you for example $9000
instead of $900.
 The buyer tells you’ve they’ve made a mistake
entering the information and asks you to send
the difference to them overseas via Western
Union.
 This is another way scammers are laundering
money.
 Direct debit fraud happens when you receive a
couple or even just one small credit to your
account – as small as 1 cent.
 The credit is made with a six digit code, which
once confirmed by the bank allows direct debits
to come from that account.
 Scammers use your compromised Internet
Banking to get this code and go about direct
debiting your account of funds.

8/24/2014
45
 This is when you get a phone call, email or letter
letting you know you’ve won an online lottery or
a lottery draw overseas.
 But before you can get your prize money you are
asked to send them money to claim your prize.
 There is no prize money and the money you send
is lost.
 These happen when you are contacted by
someone letting you know that you are the last
living relative of a wealthy person who has
passed away.
 For you to inherit their fortune you need to pay
some legal fees.
 Again there isn’t any inheritance and the money
you send goes to the scammers.

8/24/2014
46
 Cold calling scams
 Software upgrade calls
 Refund bank charges
 You may be contacted by phone with someone
offering investment opportunities.
 They may have professional looking websites
showing their success.
 Often your first smaller investment receives a good
dividend like 50% over a few months. You will be
given this money making you feel confident that the
investment is legitimate.
 Then you may be asked to invest again and having
built your trust this is usually a larger amount. But
this time you don’t receive any returns and your
money is gone.

8/24/2014
47
 Becoming more common are calls offering free
software upgrades like anti-virus.
 To be eligible for the upgrade they claim you
have to provide your credit card details.
 Once you provide this the fraudsters used the
details to do transactions with your money.
 Customers have fallen prey to another calling scam where
a caller claiming to be from the Office of Fair Trading lets
you know that you’re eligible for a refund of bank charges.
 To be able to start the refund process you’re asked to send
a small amount of money via a money transfer service like
Western Union.
 The fraudsters are also providing a contact number that
seems to look like an Australian phone number. However
they’re using VoIP (Voice over Internet protocol) from an
overseas location to take enquiries and appear as though
they are legitimate.
 There is no bank charges refund and the money you sent is
lost.

8/24/2014
48
 There are steps you can take to protect yourself and make
sure you don’t fall prey to attempts to take your money.
 In this section we give you helpful hints and tips to protect
yourself online.
 Passwords
 Hoax emails
 Protecting your identity
 Protecting your computer
 Using Internet Banking
 Shopping online
 Account aggregation
 Check for malicious software
 Keep passwords, PINs and any other security information
secret including covering your card PIN when using ATMs,
or Internet Banking in a public place. Bank will never ask
you to provide your PIN to a staff member.
 Protect all your other personal information, including
destroying your bank statements securely, collecting your
mail promptly and not providing your details to anyone
you do not trust.
 Keep your computer safe by having up to date security
software, checking you are only using trusted sites for
purchasing items and not opening emails you’re not sure
about.

8/24/2014
49
 Keep your computer browser (e.g. Internet Explorer,
Firefox), and product software (Microsoft
Office/Adobe flash, etc) up to date. Software
providers frequently develop updates and patches to
address new and developing security threats.
 Report anything you are suspicious of immediately,
especially if you think your card has been stolen, a
suspicious transaction is on your bank statement, or
your mail has been accessed by someone.
 When using the Internet, including Internet Banking,
always try to use hard-to-guess passwords.
 Passwords will only keep outsiders out if they are difficult
to guess! Don't share your password, and don't use the
same password in more than one place. If someone should
happen to guess one of your passwords, you don't want
them to be able to use it in a number of places.
 Remember the five golden rules of passwords.
 Do not choose a password that is easily identified with you
(for example, your date of birth, telephone number or
your name or any part of it).

8/24/2014
50
 A password should have a minimum of eight characters, be
as meaningless as possible and use uppercase letters,
lowercase letters and numbers eg xk28LP97.
 Change passwords regularly, at least every 30 days.
 Do not give out your password to anyone! Be wary of
unsolicited calls or emails requesting personal information
or card numbers. Neither Bank nor the police would ask
you to disclose PIN’s or password information.
 Do not write your password down even if it is disguised.
 Delete the email
 If you receive a hoax email, delete the email immediately. Do
not click on any links and do not open any attachments in a
hoax email. Bank will not send you an email or SMS asking you
to verify or provide your account details, financial details, or
login details for Phone Banking, Mobile Banking or Internet
Banking. email and SMS policy is set out below.
 Report the incident
 All hoax email incidents should be reported.
 Scan your computer for viruses
 Many hoax emails contain viruses or Trojan Horses (key logger),
which are downloaded to your computer when you open any
attachments or select any included links. If you have clicked on
any items within the email, run a complete virus check of your
computer. Perform virus scans on your computer regularly.

8/24/2014
51
 Reset your Internet Banking password
 After scanning your computer and ensuring it is free of
viruses or Trojans, reset your Internet Banking password
by calling Internet Banking Helpdesk.
 Email and SMS policy
 Bank will not send you an email or SMS asking you to
verify or provide Account Details, Financial Details, or login
details for Phone Banking, Internet Banking or Mobile
Banking.
 We send emails, and these often contain hyperlinks.
However, if we send you an email with a hyperlink, the link
will take you to a page on our website, where you can find
out more before logging in, applying or downloading.
 Identity theft is where your personal details are obtained
to get some sort of financial or other benefit.
 You can help protect your identity by following these tips:
 Report any loss or theft of documents such as driver license,
credit card or passport immediately.
 Obtain a copy of your personal credit file from a credit bureau
at least every six months to check on the status of your file.
 Keep tax records and other financial documents in a secure
place.
 Cancel all unused or dormant accounts that you may have.
 Secure your mailbox with a padlock where possible.
 Respond only to contact numbers and addresses that exist on
Bank.com.

8/24/2014
52
 Ensure your computer and information protected from
viruses?
 Ensure your virus protection software is always up-to-date.
 A computer virus is a program that attaches itself to another
program, but changes the action of that program so that the
virus is able to spread. Viruses range from harmless pranks that
merely show an annoying message, to programs that can
destroy or disable a computer altogether.
 Anti-virus software is designed to better protect you and your
computer against known viruses, worms and Trojan Horses. A
Trojan Horse is a malicious program disguised as something
harmless, such as a game or a screen saver, but in fact contains
hidden code that allows an intruder to take control of your
machine without your knowledge.
 Being protected includes three things:
 Having protection on your computer.
 Checking for new Internet security protection
software updates daily.
 Scanning all the files on your computer periodically
including incoming and outgoing emails.

8/24/2014
53
 Try using a firewall as a gatekeeper between your
computer and the Internet.
 A firewall is a piece of software or hardware that filters all
Internet traffic between your computer and the outside
world. It works to either block or permit Internet traffic to
and from your computer.
 You can use the Firewall to better protect your home or
business computer and any personal information it holds
from offensive websites, spam and unauthenticated logins
from potential hackers.
 A Firewall is seen to be essential for those that use their
computers online, especially through the use of a cable
modem.
 Is your computer security up-to-date? You should check
your computer security on a regular basis and download
the latest security upgrades.
 Security is essential in protecting your information on the
Internet. To do this, check your software vendors' web
sites on a regular basis for new security upgrades, or use
the automated patching features that some companies
offer. The programs and operating system on your
computer may have valuable features that make your life
easier, but can also leave you vulnerable to hackers and
viruses. You should evaluate your computer security on a
regular basis.

8/24/2014
54
 Be cautious! Do not open email attachments from unknown
sources.
 Email is one of the prime movers for malicious viruses. Regardless of
how enticing the 'subject' or attachment may look, be cautious. Any
unexpected email, especially those with attachments (from someone
you may or may not know), could contain a virus and may have been
sent without that person's knowledge from an infected computer.
Should you receive an email of this kind and you are doubtful of its
legitimacy, delete it.
 Make sure your family members and/or your employees know
what to do if a computer becomes infected.
 It's important that everyone who uses a computer is aware of proper
security practices. People should know how to update virus
protection software, how to download security upgrades from
software vendors and how to create a proper password.
 Ensure you log on to Internet Banking the correct
way.
 Access Internet Banking by entering the correct
website address into the address bar.
 Bank will not send you an email asking for your
account details, financial details, or login details for
Phone Banking, Mobile Banking or Internet Banking.
For assistance with Internet Banking, contact the
Internet Banking Help Desk

8/24/2014
55
 Look for the security features such as the website
address and the 'padlock' symbol at the bottom of
your web browser.
 There are three ways that you can generally verify that you
are logging in to a secure web page, check that:
▪ One, the website address changes from http:// to https://.
▪ Two the url address bar displays “The Bank” in your browser and
this content is shaded green (this may be truncated due to space
restrictions).
▪ Three, a 'padlock' symbol appears on your web browser. The
'padlock' symbol indicates that the page you are on has additional
security. You can double-click the padlock symbol to view the
certificate's details.
 You can verify the authenticity of the 'padlock'.
 Double click on the 'padlock' symbol and ensure that
the certificate:
▪ is issued to www.Bank.com
▪ is issued by VeriSign
▪ has a valid start and expiry date.
 If you receive a warning message (for example name
mismatch, invalid date, untrusted certifying authority
or failed to retrieve revocation list), terminate the
Internet session immediately and contact the Internet
Banking Help Desk

8/24/2014
56
 Do not leave your computer connected (online) when not
in use.
 When leaving your computer unattended, you should either
shut it down or physically disconnect from the Internet
connection. This lessens the chance that someone will be able
to access your computer.
 When viewing or using your personal information on the
Internet, be aware of your environment.
 Care should always be taken in unknown areas to prevent any
other persons viewing your personal information, including
when typing in your passwords or details of account numbers
on the Internet. Be cautious when accessing public computers
or any computers you do not control.
 Using Internet Banking in public places
 Be wary of your surroundings and ensure no one is observing you
when entering in your Customer Registration Number (CRN) or
password.
 Ensure that there is a padlock symbol in the bottom right corner of
your browser.
 Never click the 'save my password/details' option sometimes offered.
 Never change security details such as your password in a public place
(ie libraries, Internet cafes).
 Do not leave your computer unattended or idle for long periods of
time.
 Always log out from your Internet banking session when you have
finished and close the browser.
 Try to use computers that have anti-virus software installed.

8/24/2014
57
 Shopping online can be a convenient and easy way
to shop, but there are also pitfalls to be aware of. To
help you we’ve put together some tips for online
shopping:
 Check whether the online store you’re buying from
is reputable. To do this you can ask for more
information before you use them or check out what
other shoppers say on review sites.
 Never email your financial details. Email isn’t a
secure way of transmitting financial information like
your bank details or credit card numbers.
 If you are making payments through an online
stores’ website, look for signs that the website
protects your data. You should look for a lock
icon on the browser's status bar or a URL for a
website that begins "https:" (the "s" stands for
"secure") on the web page where you enter your
credit card or other personal information.
 Make sure the computer you use for online
shopping has the latest anti-virus software and
firewall protection.

8/24/2014
58
 Keep paper copies of all online receipts, this will
make it easier to check your account.
 Pay with your credit card and you will be
protected by the Bank Fraud Money Back
Guarantee. This means that if you suffer a loss as
a result of a fraudulent transaction on your card,
it will credit your account with the amount of the
loss provided you didn’t contribute to the loss;
and you have notified Bank promptly of the
fraud.
 Unless the account services are provided or
referred to you by Bank, it does not authorize,
promote or endorse the use of account services
offered by parties other than Bank to access your
accounts (including account aggregation services,
such as may be provided by other financial
institutions).

8/24/2014
59
 SSL flaws
 Cryptographic modules flaws
 Cryptographic algorithms flaws
 Cryptographic key leakage
 Time – dependent attacks
 If it looks too good to be true—it probably is.
 ALWAYS get independent advice if an offer involves
significant money, time or commitment.
 Remember there are no get-rich-quick schemes: the only
people who make money are the scammers.
 NEVER send money or give credit card or online account
details to anyone do not know and trust.
 Check your bank account and credit card statements
regularly. If you see a transaction you cannot explain on
your account
 Keep your credit and ATM cards safe.
 Do not share your personal identity number with anyone.
 Do not keep any written copy of your PIN with the card.

8/24/2014
60
Module 5
 Social Engineering (SE) is a blend of science,
psychology and art. While it is amazing
and complex, it is also very simple.
 Definition
 “Any act that influences a person to take an action that
may or may not be in their best interest.”
 We have defined it in very broad and general terms
because we feel that social engineering is not always
negative, but encompasses how we communicate
with our parents, therapists, children, spouses and
others.

8/24/2014
61
 “Social engineering is the act of someone
professing they are someone they are not, in
order to gain access to information or assets they
would not normally have access to.”
 Also referred to as a “con-artist”
 Hackers
 Penetration Testers
 Spies or Espionage
 Identity Thieves
 Disgruntled Employees
 Information Brokers
 Scam Artists
 Executive Recruiters
 Sales People
 Governments
 Everyday People

8/24/2014
62
 There is no patch for human stupidity!!!
 People are the largest vulnerability in any
network!!!
 People are the weakest link in security
 Trust is assumed by many
 Easy to perform
 Non-technical attack
 Little skill is required

8/24/2014
63
 Pretexting - the “story” behind the attack
 A well thought out pretext can bypass almost any
security control
 Attacks traits and human nature
 Planning
 Attackers may plan for days, weeks or months
 Gather information over time
 Reduces chances of being caught
 Gives the attacker a better look at the internal
operation of the target
 Active or passive reconnaissance

8/24/2014
64
 Sympathy
 Examples:
▪ “I'm so sad because….; please make my day better”
▪ Mother passed away this week
▪ First week on the job
 Guilt
 Examples:
▪ “If you don’t do this for me…I can’t do that”
▪ People do not like to feel guilty
 Scarcity
 Examples:
▪ “Get ‘em while there hot!”
▪ Something is in demand, but supplies are low

8/24/2014
65
 Intimidation
 Examples:
▪ “If you don’t give me this information…”
▪ Government official
▪ Big boss
 Consistency
 Examples:
▪ “Business as usual..”
▪ The situation is not out of the norm
 Authority
 Examples:
▪ “I want this information because I have a right to it”
▪ Fire Marshall, OSHA, and other positions of authority
▪ VP, CEO, Executive level employee

8/24/2014
66
 Reciprocation
 Example:
▪ “Do this for me and I will do this for you”
 Confusion
▪ Setting off fire alarms
 Phone-based
 Email-based
 Onsite

8/24/2014
67
 Phone-based
 Very popular attack vector
 May use compromised PBX’s (Private Branch
Exchange)
 Caller-ID can be spoofed to appear local
 Skype, Asterisk and other PBX services make these
attacks easier
 Increased success with each attack
 Low risk of being caught

8/24/2014
68
 Email-based
 Clever worded emails appear legitimate
 “From:” email addresses may not be from who it
appears
 Hard to trace, attacker may be using compromised
email servers
 May redirect victims to legitimate looking websites
 Always verify legitimacy of suspicious emails

8/24/2014
69

8/24/2014
70
 Onsite
 Physical attacks against the organization
 Dumpster diving is an early warning sign
 Piggybacking attempts
 Shoulder surfing
 Custodial staff
 Industry specific attacks
 Onsite
 “Bait” CDs and USB devices
 Dressing the part
▪ “Goodwill” Attacks
▪ Service Provider Uniforms
▪ Props – cell phones, computer case, network devices
▪ Organizations dress code
 Employee Identification

8/24/2014
71
 2003 – Attacks on America Online (AOL)
 2006 – ADP Scam
 2007 – IRS Test
 2007 – HP Scam
 2008 – Brinks Scam

8/24/2014
72

8/24/2014
73
 Implement policies and procedures to help
thwart attacks
 Password policies – Storage, expiration, sharing
 Visitor policy – identify, authorize, escort
 Clean desk policy – lock cabinets/drawers
 ID Verification
 Employee ID
 Drivers Licenses

8/24/2014
74
 Verify work orders with IT and managers
 Implement a sign-in system
 Make copies of IDs
 Develop a retention plan for logs
 Ensure temporary badges are returned
 Secure trash and shred sensitive data
 Make this system easy to use
 Cross-cut vs. strip shredders
 Implement Closed-Circuit TV systems (CCTV)
 Implement access control devices
 Critical access points
 Employee entrances
 Ingress and egress
 Background checks
 Verify background history

8/24/2014
75
 Train employees to never disclose passwords
 Evaluate employee awareness regularly
 Third party testing
 Conduct awareness training
 Cover procedures in the Incident Response Plan
 Employees are “Security Ambassadors”
 Be aware of the risks
 Evaluate your security posture
 Keep employees informed and trained
 Assume nothing, this is a very real attack

8/24/2014
76
Module 6

8/24/2014
77
 Computers compromised by the GOZ botnet may
also be infected with CryptoLocker, a form of
“ransomware.”
 Victim files are encrypted and held “hostage” until the
victim makes payment
 More than 121,000 victims in the United States and
234,000 victims worldwide
 There were approximately $30 million in ransom
payments between September and December 2013

8/24/2014
78

8/24/2014
79
 Blackshades Remote Access Tool (RAT)—allows
criminals to steal passwords and banking
credentials; hack into social media accounts;
access documents, photos, and other computer
files; record all keystrokes; activate webcams;
hold a computer for ransom; and use the
computer in distributed denial of service (DDoS)
attacks.

8/24/2014
80
 Several different types of Blackshades malware
products were available for purchase by other
cyber criminals through a website
 Popular Blackshades RAT could be bought for as
little as $40!
 In addition to its low price, Blackshades RAT was
very attractive because it could be customized by
the criminals who bought it, depending on their
particular requirements.
 Developer of Blackshades:
 Michael Hogue
 Alex Yucel
 Yucel ran his organization like a business
 Hiring and firing employees
 Paying salaries
 Updating the malicious software in response to customers’
requests.
 He employed several administrators to facilitate the
operation of the organization, including a director of
marketing, a website developer, a customer service
manager, and a team of customer service representatives.

8/24/2014
81
 Russian national Aleksandr Andreevich Panin pled
guilty in an Atlanta federal courtroom to a
conspiracy charge associated with his role as the
primary developer and distributor of SpyEye
malware
 Created specifically to facilitate online theft from financial
institutions, many of them in the U.S.
 Infected more than 1.4 million computers—many located
in the U.S.
 Obtaining victims’ financial and personally identifiable
information stored on those computers
 Using it to transfer money out of victims’ bank accounts
and into accounts controlled by criminals.
 From 2009 to 2011, Panin conspired with others,
including co-defendant Hamza Bendelladj to
advertise and develop various versions of SpyEye in
online criminal forums.
 One ad described the malware as a “bank Trojan
with form grabbing possibility,” -designed to steal
bank information from a web browser while a user
was conducting online banking.
 Another ad said that the malware included a “cc
grabber,” which scans stolen victim data for credit
card information

8/24/2014
82
 SpyEye was sold to more than 150 “clients” who paid
anywhere from $1,000 to $8,500 for various versions
of it.
 Once in their hands, these cyber criminals used the
malware for their own nefarious purposes:
 Infecting victim computers
 Creating botnets (armies of hijacked computers) that
collected large amounts of financial and personal
information and sent it back to servers under the control
of the criminals.
 They were then able to hack into bank accounts, withdraw
stolen funds, create bogus credit cards, etc.
Module 7

8/24/2014
83

8/24/2014
84
 Utilized a computer virus that involved the online sale of fraudulent computer
security programs that defrauded Internet users of more than $2 million.
 Sahurovs contacted an online newspaper claiming to work for an online
advertising agency that represented a hotel chain that was seeking to place
advertisements on the paper's website. Sahurovs utilized fraudulent references
and bank accounts to deceive the newspaper into believing he represented a
legitimate advertising agency.
 Sahurovs provided electronic files containing the fictitious hotel advertisements
to the newspaper, which began running the advertisements on its website. He
then replaced the hotel advertisements with a file containing a malicious
computer code, or malware, which infected the computers of people who visited
the website and required them to purchase antivirus software for $49.95 to
regain control of their computers. If the users did not purchase the software, their
computers immediately became inundated with pop-ups containing fraudulent
"security alerts," and all information, data and files stored on the computers
became inaccessible.
 Sahurovs allegedly conducted the same fraudulent advertising and infection
scheme against numerous online businesses.
167

8/24/2014
85
 is wanted for his alleged participation in an Eastern
European cyber crime ring, operating out of New
York, which is known for recruiting money mules to
open bank accounts, cashing out money received
through unauthorized money transfers, and then
transferring the money overseas.
 An arrest warrant was issued for Semenov in the
Southern District of New York on September 29,
2010, after he was charged with conspiracy to
commit bank fraud; conspiracy to possess false
identification documents; and false use of passport.
169
 Involved in an international cybercrime scheme that caused internet
users in more than 60 countries to purchase more than one million
bogus software products, resulting in consumer loss of more than
$100 million.
 Used fake advertisements placed on legitimate companies’
websites, they deceived internet users into believing that their
computers were infected with “malware” or had other critical errors
in order to encourage them to purchase “scareware” software
products that had limited or no ability to remedy the purported
defects.
 They allegedly deceived victims, through browser hijacking, multiple
fraudulent scans and false error messages, into purchasing full paid
versions of software products offered by their company, Innovative
Marketing, Inc. The proceeds of these credit card sales were
allegedly deposited into bank accounts controlled by the defendant
and others around the world, and were then transferred to bank
accounts located in Europe. When customers complained that their
purchases were actually fraudulent software, call center
representatives were allegedly instructed to lie or provide refunds
in order to prevent fraud reports to law enforcement or credit
companies.
170

8/24/2014
86
 Contact
 Via ICQ, Messenger or similar or via email (generic addresses).
 Try & Buy
 Most offer tests or free demos. They also use online sites for
checking algorithms to guarantee the authenticity of the card
details.
 Minimum orders and bulk discounts
 Minimum orders are established (5 or 10 units in the case of
credit card or bank details). There are discounts for bulk buying.
 Specialized online stores
 Once contact has been made, many use online sites set up as
stores for distributing their products (which can’t be accessed
without a username and password).
172

8/24/2014
87
 Methods of payment
 Western Union, Liberty Reserve, WebMoney or similar.
 Customer services and support
 They offer service guarantees. If the product does not work (if the numbers, login credentials
are not valid, etc.), they will be changed for others that are operative.
 Promotion
 These services are mainly advertised through underground forums, although some of the
boldest use social media and have accounts on Facebook and Twitter, etc.
173

8/24/2014
88
 Programmers
 Who develop the exploits and malware used to commit cyber-crimes.
 Distributors
 Who trade and sell stolen data and act as vouchers for the goods
provided by other specialists.
 Tech experts
 Who maintain the criminal enterprise’s IT infrastructure, including
servers, encryption technologies, databases, and the like.
 Hackers
 Who search for and exploit applications, systems and network
vulnerabilities.
 Fraudsters
 Who create and deploy various social engineering schemes, such as
phishing and spam.
175
 Hosted systems providers
 Who offer safe hosting of illicit content servers and sites.
 Cashiers
 Who control drop accounts and provide names and accounts to other
criminals for a fee.
 Money mules
 Who complete wire transfers between bank accounts. The money mules
may use student and work visas to travel to the U.S. to open bank accounts.
 Tellers
 Who are charged with transferring and laundering illicitly gained proceeds
through digital currency services and different world currencies.
 Organization Leaders
 Often “people persons” without technical skills. The leaders assemble the
team and choose the targets.
176

8/24/2014
89
Module 8
178

8/24/2014
90
‫المعلومات‬ ‫نظام‬:‫المعلومات‬ ‫أو‬ ‫البيانات‬ ‫إلنشاء‬ ‫المعدة‬ ‫واألدوات‬ ‫البرامج‬ ‫مجموعة‬
‫إداراتها‬ ‫أو‬ ‫تخزينها‬ ‫أو‬ ‫معالجتها‬ ‫أو‬ ‫تسلمها‬ ‫أو‬ ‫إرسالها‬ ‫أو‬ ،‫إلكترونيا‬.
‫البيانات‬:‫داللة‬ ‫لها‬ ‫ليس‬ ‫التي‬ ‫والصور‬ ‫واألصوات‬ ‫واألشكال‬ ‫والرموز‬ ‫والحروف‬ ‫األرقام‬
‫بذاتها‬.
‫المعلومات‬:‫داللة‬ ‫لها‬ ‫وأصبح‬ ‫معالجتها‬ ‫تمت‬ ‫التي‬ ‫البيانات‬.
‫المعلوماتية‬ ‫الشبكة‬:‫البيانات‬ ‫على‬ ‫للحصول‬ ‫معلومات‬ ‫نظام‬ ‫من‬ ‫أكثر‬ ‫بين‬ ‫ارتباط‬
‫وتبادلها‬ ‫والمعلومات‬.
‫االلكتروني‬ ‫الموقع‬:‫خالل‬ ‫من‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫على‬ ‫المعلومات‬ ‫إتاحة‬ ‫مكان‬
‫محدد‬ ‫عنوان‬.
‫التصريح‬:‫للدخول‬ ‫للجمهور‬ ‫أو‬ ‫أكثر‬ ‫أو‬ ‫شخص‬ ‫إلى‬ ‫العالقة‬ ‫صاحب‬ ‫من‬ ‫الممنوح‬ ‫اإلذن‬
‫نظام‬ ‫استخدام‬ ‫أو‬ ‫إلى‬
‫أو‬ ‫إلغاء‬ ‫أو‬ ‫االطالع‬ ‫بقصد‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫أو‬ ‫الكتروني‬ ‫موقع‬ ‫أو‬ ‫المعلومات‬
‫أو‬ ‫اليها‬ ‫الوصول‬ ‫حجب‬ ‫أو‬ ‫معلومات‬ ‫أو‬ ‫بيانات‬ ‫نشر‬ ‫إعادة‬ ‫أو‬ ‫تغيير‬ ‫أو‬ ‫اضافة‬ ‫أو‬ ‫حذف‬
‫محتوياته‬ ‫تعديل‬ ‫أو‬ ‫إلغائه‬ ‫أو‬ ‫الكتروني‬ ‫موقع‬ ‫تغيير‬ ‫أو‬ ‫األجهزة‬ ‫عمل‬ ‫ايقاف‬.
‫البرامج‬:‫للتنفيذ‬ ‫قابلة‬ ‫مهمة‬ ‫النجاز‬ ‫المعدة‬ ‫الفنية‬ ‫والتعليمات‬ ‫االوامر‬ ‫من‬ ‫مجموعة‬
‫المعلومات‬ ‫أنظمة‬ ‫باستخدام‬.
179
‫المادة‬3-
‫أ‬-‫بأي‬ ‫معلومات‬ ‫نظام‬ ‫أو‬ ٍ‫الكتروني‬ ٍ‫موقع‬ ‫الى‬ ً‫ا‬‫قصد‬ ‫دخل‬ ‫من‬ ‫كل‬
‫يعاقب‬ ، ‫التصريح‬ ‫يجاوز‬ ‫أو‬ ‫يخالف‬ ‫بما‬ ‫أو‬ ‫تصريح‬ ‫دون‬ ‫وسيلة‬
‫أو‬ ‫أشهر‬ ‫ثالثة‬ ‫على‬ ‫تزيد‬ ‫وال‬ ‫أسبوع‬ ‫عن‬ ‫تقل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫بغرامة‬(100)‫على‬ ‫تزيد‬ ‫وال‬ ‫دينار‬ ‫مائة‬(200)‫مائتي‬
‫العقوبتين‬ ‫هاتين‬ ‫بكلتا‬ ‫أو‬ ‫دينار‬.
‫ب‬-‫الفقرة‬ ‫في‬ ‫عليه‬ ‫المنصوص‬ ‫الدخول‬ ‫كان‬ ‫إذا‬(‫أ‬)‫المادة‬ ‫هذه‬ ‫من‬
‫حجب‬ ‫أو‬ ‫إتالف‬ ‫أو‬ ‫إفشاء‬ ‫أو‬ ‫تدمير‬ ‫أو‬ ‫إضافة‬ ‫أو‬ ‫حذف‬ ‫أو‬ ‫إلغاء‬ ‫بهدف‬
‫أو‬ ‫توقيف‬ ‫أو‬ ‫معلومات‬ ‫أو‬ ‫بيانات‬ ‫نسخ‬ ‫أو‬ ‫نقل‬ ‫أو‬ ‫تغيير‬ ‫أو‬ ‫تعديل‬ ‫أو‬
‫أو‬ ‫إلغائه‬ ‫أو‬ ‫الكتروني‬ ‫موقع‬ ‫تغيير‬ ‫أو‬ ‫معلومات‬ ‫نظام‬ ‫عمل‬ ‫تعطيل‬
‫انتحال‬ ‫أو‬ ‫صفتـــه‬ ‫انتحال‬ ‫أو‬ ‫إشغاله‬ ‫أو‬ ‫محتوياته‬ ‫تعديل‬ ‫أو‬ ‫إتالفه‬
‫ثالثة‬ ‫عن‬ ‫تقل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬ ‫الفاعل‬ ‫فيعاقب‬ ‫مالكه‬ ‫شخصية‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫بغرامة‬ ‫أو‬ ‫سنة‬ ‫على‬ ‫تزيد‬ ‫وال‬ ‫أشهر‬(200)‫دينار‬ ‫مائتي‬
‫على‬ ‫تزيد‬ ‫وال‬(1000)‫العقوبتين‬ ‫هاتين‬ ‫بكلتا‬ ‫أو‬ ‫دينار‬ ‫ألف‬.
180

8/24/2014
91
‫المادة‬4-
▪‫الشبكة‬ ‫طريق‬ ‫عن‬ ً‫ا‬‫برنامج‬ ً‫ا‬‫قصد‬ ‫استخدم‬ ‫أو‬ ‫نشر‬ ‫أو‬ ‫ادخل‬ ‫من‬ ‫كل‬
‫أو‬ ‫إضافة‬ ‫أو‬ ‫حذف‬ ‫أو‬ ‫إلغاء‬ ‫بهدف‬ ،‫معلومات‬ ‫نظام‬ ‫باستخدام‬ ‫أو‬ ‫المعلوماتية‬
‫التقاط‬ ‫أو‬ ‫نسخ‬ ‫أو‬ ‫نقل‬ ‫أو‬ ‫تغيير‬ ‫أو‬ ‫تعديل‬ ‫أو‬ ‫حجب‬ ‫أو‬ ‫إتالف‬ ‫أو‬ ‫إفشاء‬ ‫أو‬ ‫تدمير‬
‫تشويش‬ ‫أو‬ ‫إعاقة‬ ‫أو‬ ‫معلومات‬ ‫أو‬ ‫بيانات‬ ‫على‬ ‫االطالع‬ ‫من‬ ‫االخرين‬ ‫تمكين‬ ‫أو‬
‫موقع‬ ‫تغيير‬ ‫أو‬ ‫إليه‬ ‫الوصول‬ ‫أو‬ ‫معلومات‬ ‫نظام‬ ‫عمل‬ ‫تعطيل‬ ‫أو‬ ‫إيقاف‬ ‫أو‬
‫أو‬ ‫صفته‬ ‫انتحال‬ ‫أو‬ ‫إشغاله‬ ‫أو‬ ‫محتوياته‬ ‫تعديل‬ ‫أو‬ ‫إتالفه‬ ‫أو‬ ‫إلغائه‬ ‫أو‬ ‫الكتروني‬
‫يعاقب‬ ‫التصريح‬ ‫يخالف‬ ‫أو‬ ‫يجاوز‬ ‫بما‬ ‫أو‬ ‫تصريح‬ ‫دون‬ ‫مالكه‬ ‫شخصية‬ ‫انتحال‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫بغرامة‬ ‫أو‬ ‫سنة‬ ‫على‬ ‫تزيد‬ ‫وال‬ ‫أشهر‬ ‫ثالثة‬ ‫عن‬ ‫تقل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬
(200)‫على‬ ‫تزيد‬ ‫وال‬ ‫دينار‬ ‫مائتي‬(1000)‫العقوبتين‬ ‫هاتين‬ ‫بكلتا‬ ‫أو‬ ‫دينار‬ ‫ألف‬
.
‫المادة‬5-
▪‫عن‬ ‫مرسل‬ ‫هو‬ ‫ما‬ ‫على‬ ‫بالتنصت‬ ‫أو‬ ‫باعتراض‬ ‫أو‬ ‫بالتقاط‬ ً‫ا‬‫قصد‬ ‫قام‬ ‫من‬ ‫كل‬
‫تقل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬ ‫يعاقب‬ ‫معلومات‬ ‫نظام‬ ‫أي‬ ‫أو‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫طريق‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫بغرامة‬ ‫أو‬ ‫سنة‬ ‫على‬ ‫تزيد‬ ‫وال‬ ‫شهر‬ ‫عن‬(200)‫وال‬ ‫دينار‬ ‫مائتي‬
‫على‬ ‫تزيد‬(1000)‫العقوبتين‬ ‫هاتين‬ ‫بكلتا‬ ‫أو‬ ‫دينار‬ ‫ألف‬.
181
‫أ‬-‫نظام‬ ‫أي‬ ‫أو‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫طريق‬ ‫عن‬ ‫تصريح‬ ‫دون‬ ‫قصدا‬ ‫حصل‬ ‫من‬ ‫كل‬
‫أو‬ ‫بالبيانات‬ ‫أو‬ ‫االئتمان‬ ‫ببطاقات‬ ‫تتعلق‬ ‫معلومات‬ ‫أو‬ ‫بيانات‬ ‫على‬ ‫معلومات‬
‫االلكترونية‬ ‫المصرفية‬ ‫أو‬ ‫المالية‬ ‫المعامالت‬ ‫تنفيذ‬ ‫في‬ ‫تستخدم‬ ‫التي‬ ‫المعلومات‬
‫ال‬ ‫بغرامة‬ ‫أو‬ ‫سنتين‬ ‫على‬ ‫تزيد‬ ‫وال‬ ‫اشهر‬ ‫ثالثة‬ ‫عن‬ ‫تقل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬ ‫يعاقب‬
‫عن‬ ‫تقل‬(500)‫على‬ ‫تزيد‬ ‫وال‬ ‫دينار‬ ‫خمسمائة‬(2000)‫بكلتا‬ ‫أو‬ ‫دينار‬ ‫ألفي‬
‫العقوبتين‬ ‫هاتين‬.
‫ب‬-ً‫ا‬‫قصد‬ ‫معلومات‬ ‫نظام‬ ‫أي‬ ‫أو‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫طريق‬ ‫عن‬ ‫استخدم‬ ‫من‬ ‫كل‬
‫أو‬ ‫بالبيانات‬ ‫أو‬ ‫االئتمان‬ ‫ببطاقات‬ ‫تتعلق‬ ‫معلومات‬ ‫أو‬ ‫بيانات‬ ‫مشروع‬ ‫سبب‬ ‫دون‬
‫االلكترونية‬ ‫المصرفية‬ ‫أو‬ ‫المالية‬ ‫المعامالت‬ ‫تنفيذ‬ ‫في‬ ‫تستخدم‬ ‫التي‬ ‫المعلومات‬
‫تخص‬ ‫خدمات‬ ‫أو‬ ‫أموال‬ ‫أو‬ ‫معلومات‬ ‫أو‬ ‫بيانـات‬ ‫على‬ ‫لغيـــره‬ ‫أو‬ ‫لنفسه‬ ‫للحصول‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫وبغرامة‬ ‫سنـــة‬ ‫عن‬ ‫تقـل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬ ‫يعاقب‬ ‫االخرين‬(1000)
‫على‬ ‫تزيد‬ ‫وال‬ ‫دينار‬ ‫ألف‬(5000)‫دينار‬ ‫آالف‬ ‫خمسة‬.
‫من‬ ‫المواد‬ ‫في‬ ‫عليها‬ ‫المنصوص‬ ‫الجرائم‬ ‫على‬ ‫العقوبة‬ ‫تضاعف‬(3)‫الى‬(6)‫من‬
‫أو‬ ‫عمله‬ ‫أو‬ ‫وظيفته‬ ‫تأديته‬ ‫أثناء‬ ‫منها‬ ‫أي‬ ‫بارتكاب‬ ‫قام‬ ‫من‬ ‫كل‬ ‫بحق‬ ‫القانون‬ ‫هذا‬
‫منهما‬ ٍ‫ي‬‫أ‬ ‫باستغالل‬.
182

8/24/2014
92
‫أ‬-ً‫ا‬‫قصد‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫أو‬ ‫معلومات‬ ‫نظام‬ ‫طريق‬ ‫عن‬ ‫نشر‬ ‫أو‬ ‫أرسل‬ ‫من‬ ‫كل‬
‫أو‬ ‫فيها‬ ‫يشارك‬ ‫إباحية‬ ً‫ال‬‫أعما‬ ‫يتضمن‬ ‫مرئي‬ ‫أو‬ ‫مقروء‬ ‫أو‬ ‫مسموع‬ ‫هو‬ ‫ما‬ ‫كل‬
‫يعاقب‬ ‫العمر‬ ‫من‬ ‫عشرة‬ ‫الثامنة‬ ‫يكمل‬ ‫لم‬ ‫لمن‬ ‫الجنسي‬ ‫باالستغالل‬ ‫تتعلق‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫وبغرامة‬ ‫اشهر‬ ‫ثالثة‬ ‫عن‬ ‫تقل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬(300)‫دينار‬ ‫ثالثمائة‬
‫على‬ ‫تزيد‬ ‫وال‬(5000)‫دينار‬ ‫أالف‬ ‫خمسة‬.
‫ب‬-‫في‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫أو‬ ‫معلومات‬ ‫نظام‬ ‫باستخدام‬ ً‫ا‬‫قصد‬ ‫قام‬ ‫من‬ ‫كل‬
‫أعمال‬ ‫أو‬ ‫أنشطة‬ ‫ترويج‬ ‫أو‬ ‫نشر‬ ‫أو‬ ‫طباعة‬ ‫أو‬ ‫عرض‬ ‫أو‬ ‫معالجة‬ ‫أو‬ ‫حفظ‬ ‫أو‬ ‫إعداد‬
‫هو‬ ‫من‬ ‫أو‬ ‫العمر‬ ‫من‬ ‫عشرة‬ ‫الثامنة‬ ‫يكمل‬ ‫لم‬ ‫من‬ ‫على‬ ‫التأثير‬ ‫لغايات‬ ‫إباحية‬
‫يعاقب‬ ،‫جريمة‬ ‫ارتكاب‬ ‫على‬ ‫تحريضه‬ ‫أو‬ ‫توجيهه‬ ‫أو‬ ،‫عقليا‬ ‫او‬ ‫نفسيا‬ ‫معوق‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫وبغرامة‬ ‫سنتين‬ ‫عن‬ ‫تقل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬(1000)‫تزيد‬ ‫وال‬ ‫دينار‬ ‫ألف‬
‫على‬(5000)‫دينار‬ ‫االف‬ ‫خمسة‬.
‫ج‬-‫لغايات‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫أو‬ ‫معلومات‬ ‫نظام‬ ‫باستخدام‬ ً‫ا‬‫قصد‬ ‫قام‬ ‫من‬ ‫كل‬
‫او‬ ‫نفسيا‬ ‫معوق‬ ‫هو‬ ‫من‬ ‫أو‬ ‫العمر‬ ‫من‬ ‫عشرة‬ ‫الثامنة‬ ‫يكمل‬ ‫لم‬ ‫من‬ ‫استغالل‬
‫المؤقتة‬ ‫الشاقة‬ ‫باألشغال‬ ‫يعاقب‬ ، ‫اإلباحية‬ ‫األعمال‬ ‫أو‬ ‫الدعارة‬ ‫في‬ ،‫عقليا‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫وبغرامة‬(5000)‫على‬ ‫تزيد‬ ‫وال‬ ‫دينار‬ ‫أالف‬ ‫خمسة‬(15000)‫خمسة‬
‫دينار‬ ‫ألف‬ ‫عشر‬.
183
‫للدعارة‬ ‫للترويج‬ ‫معلومات‬ ‫نظام‬ ‫أي‬ ‫أو‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫باستخدام‬ ً‫ا‬‫قصد‬ ‫قام‬ ‫من‬ ‫كل‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫وبغرامة‬ ‫اشهر‬ ‫ستة‬ ‫عن‬ ‫تقل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬ ‫يعاقب‬(300)‫وال‬ ‫دينار‬ ‫ثالثمائة‬
‫على‬ ‫تزيد‬(5000)‫دينار‬ ‫االف‬ ‫خمسة‬.
ً‫ا‬‫الكتروني‬ ً‫ا‬‫موقع‬ ‫انشأ‬ ‫أو‬ ‫المعلوماتية‬ ‫الشبكة‬ ‫أو‬ ‫المعلومات‬ ‫نظام‬ ‫استخدم‬ ‫من‬ ‫كل‬
‫إرهابية‬ ‫بأعمال‬ ‫تقوم‬ ‫جمعية‬ ‫أو‬ ‫تنظيم‬ ‫أو‬ ‫لجماعة‬ ‫دعم‬ ‫أو‬ ‫إرهابية‬ ‫بأعمال‬ ‫القيام‬ ‫لتسهيل‬
‫المؤقتة‬ ‫الشاقة‬ ‫باألشغال‬ ‫يعاقب‬ ‫تمويلها‬ ‫أو‬ ،‫أفكارها‬ ‫إلتباع‬ ‫الترويج‬ ‫أو‬.
‫أ‬-‫أو‬ ‫الكتروني‬ ‫موقع‬ ‫إلى‬ ‫التصريح‬ ‫يجاوز‬ ‫أو‬ ‫يخالف‬ ‫بما‬ ‫أو‬ ‫تصريح‬ ‫دون‬ ً‫ا‬‫قصد‬ ‫دخل‬ ‫من‬ ‫كل‬
‫متاحة‬ ‫غير‬ ‫معلومات‬ ‫أو‬ ‫بيانات‬ ‫على‬ ‫االطالع‬ ‫بهدف‬ ‫كانت‬ ‫وسيلة‬ ‫باي‬ ‫معلومات‬ ‫نظام‬
‫أو‬ ‫العامـــة‬ ‫السالمة‬ ‫أو‬ ‫للمملكة‬ ‫الخارجية‬ ‫العالقات‬ ‫أو‬ ‫الوطني‬ ‫األمن‬ ‫تمس‬ ‫للجمهور‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫وبغرامة‬ ‫أشهر‬ ‫أربعة‬ ‫عن‬ ‫تقل‬ ‫ال‬ ‫مدة‬ ‫بالحبس‬ ‫يعاقب‬ ‫الوطني‬ ‫االقتصــاد‬
(500)‫على‬ ‫تزيد‬ ‫وال‬ ‫دينار‬ ‫خمسمائة‬(5000)‫دينار‬ ‫أالف‬ ‫خمسة‬.
‫ب‬-‫الفقرة‬ ‫في‬ ‫إليه‬ ‫المشار‬ ‫الدخول‬ ‫كان‬ ‫إذا‬(‫أ‬)‫البيانات‬ ‫تلك‬ ‫إلغاء‬ ‫بقصد‬ ، ‫المادة‬ ‫هذه‬ ‫من‬
‫فيعاقب‬ ، ‫نسخها‬ ‫أو‬ ‫نقلها‬ ‫أو‬ ‫تغييرها‬ ‫أو‬ ‫تعديلها‬ ‫أو‬ ‫تدميرها‬ ‫أو‬ ‫إتالفها‬ ‫أو‬ ‫المعلومات‬ ‫أو‬
‫عن‬ ‫تقل‬ ‫ال‬ ‫وبغرامة‬ ‫المؤقتة‬ ‫الشاقة‬ ‫باألشغال‬ ‫الفاعل‬(1000)‫على‬ ‫تزيد‬ ‫وال‬ ‫دينار‬ ‫ألف‬
(5000)‫دينار‬ ‫آالف‬ ‫خمسة‬.
184

8/24/2014
93
‫أ‬-‫حقوق‬ ‫ومراعاة‬ ‫النافذة‬ ‫التشريعات‬ ‫في‬ ‫المقررة‬ ‫واألحكام‬ ‫الشروط‬ ‫مراعاة‬ ‫مع‬
‫من‬ ‫إذن‬ ‫على‬ ‫الحصول‬ ‫بعد‬ ،‫العدلية‬ ‫الضابطة‬ ‫لموظفي‬ ‫يجوز‬ ،‫الشخصية‬ ‫عليه‬ ‫المشتكى‬
‫الدالئل‬ ‫تشير‬ ‫مكان‬ ‫أي‬ ‫إلى‬ ‫الدخول‬ ،‫المختصة‬ ‫الحكمة‬ ‫من‬ ‫أو‬ ‫المختص‬ ‫العام‬ ‫المدعي‬
‫يجوز‬ ‫كما‬ ، ‫القانون‬ ‫هذا‬ ‫في‬ ‫عليها‬ ‫المنصوص‬ ‫الجرائم‬ ‫من‬ ‫أي‬ ‫الرتكاب‬ ‫استخدامه‬ ‫الى‬
‫في‬ ‫الدالئل‬ ‫تشير‬ ‫التي‬ ‫والوسائل‬ ‫واألنظمة‬ ‫والبرامج‬ ‫واألدوات‬ ‫األجهزة‬ ‫تفتيش‬ ‫لهم‬
‫قام‬ ‫الذي‬ ‫الموظف‬ ‫على‬ ‫األحوال‬ ‫جميع‬ ‫وفي‬ ،‫الجرائم‬ ‫تلك‬ ‫من‬ ‫أي‬ ‫الرتكاب‬ ‫استخدامها‬
‫المختص‬ ‫العام‬ ‫المدعي‬ ‫إلى‬ ‫ويقدمه‬ ‫بذلك‬ ‫محضرا‬ ‫ينظم‬ ‫أن‬ ‫بالتفتيش‬.
‫ب‬-‫الفقرة‬ ‫مراعاة‬ ‫مع‬(‫أ‬)‫و‬ ،‫الحسنة‬ ‫النية‬ ‫ذوي‬ ‫االخرين‬ ‫حقوق‬ ‫ومراعاة‬ ‫المادة‬ ‫هذه‬ ‫من‬
‫جريمة‬ ‫بأي‬ ‫يشتركوا‬ ‫لم‬ ‫ممن‬ ‫االتصاالت‬ ‫قانون‬ ‫أحكام‬ ‫وفق‬ ‫لهم‬ ‫المرخص‬ ‫باستثناء‬
‫واألدوات‬ ‫األجهزة‬ ‫ضبط‬ ‫العدلية‬ ‫الضابطة‬ ‫لموظفي‬ ‫يجوز‬ ،‫القانون‬ ‫هذا‬ ‫في‬ ‫عليها‬ ‫منصوص‬
‫أو‬ ‫عليها‬ ‫المنصوص‬ ‫الجرائم‬ ‫من‬ ‫أي‬ ‫الرتكاب‬ ‫المستخدمة‬ ‫والوسائل‬ ‫واألنظمة‬ ‫والبرامج‬
‫والبيانات‬ ‫المعلومات‬ ‫على‬ ‫والتحفظ‬ ‫منها‬ ‫المتحصلة‬ ‫واألموال‬ ‫القانون‬ ‫هذا‬ ‫يشملها‬
‫منها‬ ‫أي‬ ‫بارتكاب‬ ‫المتعلقة‬.
‫ج‬-‫تعطيل‬ ‫أو‬ ‫وتوقيف‬ ‫والوسائل‬ ‫األدوات‬ ‫و‬ ‫األجهزة‬ ‫بمصادرة‬ ‫الحكم‬ ‫المختصة‬ ‫للمحكمة‬
‫الجرائم‬ ‫من‬ ‫أي‬ ‫ارتكاب‬ ‫في‬ ‫مستخدم‬ ‫الكتروني‬ ‫موقع‬ ‫أو‬ ‫معلومات‬ ‫نظام‬ ‫أي‬ ‫عمل‬
‫الجرائم‬ ‫تلك‬ ‫من‬ ‫المتحصلة‬ ‫األموال‬ ‫ومصادرة‬ ‫القانون‬ ‫هذا‬ ‫يشملها‬ ‫أو‬ ‫عليها‬ ‫المنصوص‬
‫الجريمة‬ ‫مرتكب‬ ‫نفقة‬ ‫على‬ ‫المخالفة‬ ‫بإزالة‬ ‫والحكم‬.
185
‫الجرائم‬ ‫من‬ ‫أي‬ ‫ارتكاب‬ ‫على‬ ‫التحريض‬ ‫أو‬ ‫التدخل‬ ‫أو‬ ‫باالشتراك‬ ً‫ا‬‫قصد‬ ‫قام‬ ‫من‬ ‫كل‬ ‫يعاقب‬
‫لمرتكبيها‬ ‫فيه‬ ‫المحددة‬ ‫بالعقوبة‬ ‫القانون‬ ‫هذا‬ ‫في‬ ‫عليها‬ ‫المنصوص‬.
‫الشبكة‬ ‫باستخدام‬ ‫نافذ‬ ‫تشريع‬ ‫أي‬ ‫بموجب‬ ‫عليها‬ ‫معاقب‬ ‫جريمة‬ ‫أي‬ ‫ارتكب‬ ‫من‬ ‫كل‬
‫يعاقب‬ ،‫ارتكابها‬ ‫على‬ ‫حرض‬ ‫أو‬ ‫تدخل‬ ‫أو‬ ‫أشترك‬ ‫أو‬ ‫معلومات‬ ‫نظام‬ ‫أي‬ ‫أو‬ ‫المعلوماتية‬
‫التشريع‬ ‫ذلك‬ ‫في‬ ‫عليها‬ ‫المنصوص‬ ‫بالعقوبة‬.
‫الجرائم‬ ‫من‬ ٍ‫ي‬‫ا‬ ‫تكرار‬ ‫حال‬ ‫في‬ ‫القانون‬ ‫هذا‬ ‫في‬ ‫عليها‬ ‫المنصوص‬ ‫العقوبة‬ ‫تضاعف‬
‫فيه‬ ‫عليها‬ ‫المنصوص‬.
‫القضاء‬ ‫أمام‬ ‫عليه‬ ‫المشتكى‬ ‫على‬ ‫الشخصي‬ ‫والحق‬ ‫العام‬ ‫الحق‬ ‫دعوى‬ ‫إقامة‬ ‫يجوز‬
‫أنظمة‬ ‫باستخدام‬ ‫القانون‬ ‫هذا‬ ‫في‬ ‫عليها‬ ‫المنصوص‬ ‫الجرائم‬ ‫من‬ ‫أي‬ ‫ارتكبت‬ ‫إذا‬ ‫األردني‬
‫أو‬ ‫فيها‬ ‫المقيمين‬ ‫بأحد‬ ‫أو‬ ‫مصالحها‬ ‫من‬ ٍ‫ي‬‫بأ‬ ً‫ا‬‫اضرار‬ ‫الحقت‬ ‫أو‬ ‫المملكة‬ ‫داخل‬ ‫معلومات‬
‫فيها‬ ‫المقيمين‬ ‫األشخاص‬ ‫أحد‬ ‫من‬ ‫ارتكبت‬ ‫او‬ ، ‫جزئيا‬ ‫أو‬ ‫كليا‬ ، ‫فيها‬ ‫الجريمة‬ ‫آثار‬ ‫ترتبت‬.
‫القانون‬ ‫هذا‬ ‫أحكام‬ ‫بتنفيذ‬ ‫مكلفون‬ ‫والوزراء‬ ‫الوزراء‬ ‫رئيس‬.
186

8/24/2014
94
Module 9
 Confidentiality
 Render the information unintelligible except by authorized entities
 Integrity
 Data has not been altered in an unauthorized manner since it was
created, transmitted or stored
 Authentication
 Verify the identity of the user or system that created information
 Authorization
 Upon proving identity, the individual is then provided with the key or
password that will allow access to some resource
 Non-repudiation
 Method by which the sender of data is provided with proof of
delivery and the recipient is assured of the sender's identity
188

8/24/2014
95
 Cryptography
 Science of hiding the meaning of communication
 Cryptographic Algorithm
 Procedures that turn readable data into an unreadable format
 Today this takes place through complex mathematical formulas
 Cryptology
 Study of cryptography and cryptanalysis
 Cryptographers work in the field of cryptology
 Key Clustering
 When two keys generate the same ciphertext from the same
plaintext
189
 Cipher
 Something that transforms characters or bits into an
unreadable format
 Usually used as another name for an algorithm
 Cryptanalysis
 Science of studying and breaking encryption mechanisms
 Understanding categories and methods of attacks
 Violating authentication scheme
 Breaking cryptographic protocols
▪ White and black hat
190

8/24/2014
96
 Cryptosystem
 Encompasses all of the necessary components for encryption
and decryption
▪ Software
▪ Protocols
▪ Algorithms
▪ Keys
▪ PGP is just one example of a cryptosystem
 Plaintext
 Readable format
 Decrypted data
 Encryption Decryption
 Unreadable format
 Encrypted data
191
 Work Factor
 The time, effort, and resources necessary to break a
cryptosystem
 Effort and time needed to overcome a protective
measure
 Goal of encryption is to make the work factor too high
for a compromise to be attempted or accomplished
 Symmetric Cryptography
 Two Instances of the Same Key
▪ One key used for encryption and decryption processes
▪ Sender and receiver use the same key
192

8/24/2014
97
 The Code Book
 Substitution cipher
 Transposition cipher
 Monoalphabetic substitution
 Scytale cipher
 Caesar cipher
 Mary Queen of Scots
 Benedict Arnold
 Enigma and Turing
 Windtalkers
 Lucifer
 Cryptanalysis. Trying to figure out the message without the key.
 Algorithm. Set of mathematical rules that dictate enciphering and
deciphering. Not part of the encryption process, widely known.
 Key. The key is the secret part of the process. An algorithm contains a
keyspace, which is a range of values that can be used to construct a
key. Key is random values within the keyspace range. The larger the key
space, the more values can be used, and some think the safer the key,
although Schneier disagrees.
 Keyspace: Possible values to construct keys
 Plaintext. The original data.
 Ciphertext. Message after key is used following the algorithm to the
message, transforming it so eavesdroppers cannot figure it out.

8/24/2014
98
 Encipher: Transform data into unreadable format
 Decipher: Transform data into readable format
 Work factor: Definition of the amount of time,
effort and resources necessary to break a crypto
system.
 Strength of encryption comes from: Algorithm,
secrecy of key, length of key, initialization vectors,
and how they all work together.
 Improper protection of the key can seriously
weaken crypto. (2600 discussion)
 Goals of Crypto systems: confidentiality,
authenticity, integrity, nonrepudiation
 Crypto system: The hardware and software that
implement the crypto transformations

8/24/2014
99
 Substitution cipher
 Transposition cipher
 Running and concealment cipher
 Stream and Block Ciphers
 A little bit different: Steganography
 NSA
 Clipper Chip
 FBI and Wiretapping

8/24/2014
100
 Symmetric: Faster than asymmetric, hard to
break with large key, hard to distribute keys, too
many keys required, cannot authenticate or
provide non-repudiation.
 Includes: DES, Triple DES, Blowfish, IDEA, RC4,
RC5, RC6, AES
 Asymmetric cryptography: Better at key
distribution, better scalability for large systems,
can provide authentication and non-repudiation,
slow, math intensive
 Includes: RSA, ECC, Diffie Hellman, El Gamal,
DSA, Knapsack, PGP

8/24/2014
101
 Called Public Key Cryptography
 Use asymmetric algorithm for protecting
symmetric encryption keys
 Use asymmetric for protecting key distribution
 Use secret key for bulk encryption requirements
 Just don’t let the secret key travel unless it was
asymmetrically encrypted!
 Uses best advantages of each approach
 Comprehensive approach to establishing a level
of security
 PKI as an amalgam of approaches
 Infrastructure
 Provides authentication, confidentiality,
nonrepudiation, integrity
 Specific protocols are not PKI, but an overarching
architecture

8/24/2014
102
 Public Key Certificate
 Registration Authority
 Structure of Certificates
 Trusted Organization
 Can be internal or external to the organization
 Entrust, Verisign
 Certification Revocation Lists
 Can be provided by browser
 Has message been altered?
 Hash, hash function
 One way hash
 Message digest
 Create a fingerprint of a message
 Message can be altered either intentionally or
unintentionally

8/24/2014
103
 Hash value encrypted with the sender’s private
key
 Act of signing means encrypting message’s hash
value with private key
 Ensures that message was not altered and also
came from Bob
 Ensures integrity, authentication, and non-
repudiation
 DSS
 Asymmetric
 RSA
 ECC
 Diffie Hellman
 El Gamal
 Digital Signature
 Symmetric
 DES, 3DES
 Blowfish
 IDEA
 RC4
 SAFER

8/24/2014
104
 MD2
 MD4
 MD5
 SHA
 HAVAL
 What does a good cryptographic hash function
have?
 What is a one time pad?
 Perfect encryption
 Random
 Integrated into some applications
 High security
 But, have to distribute pad (like German High
Command with submarines and Enigma codes)

8/24/2014
105
 Principles
 Key length
 Storage
 Random
 More used, shorter its lifetime
 Escrow
 Destroy at end of lifetime
 Software less expensive
 Hardware more expensive
 Software slower throughput
 Hardware faster throughput
 Software more easily modified
 High end solutions will be hardware

8/24/2014
106
 MIME
 S/MIME
 PEM
 MSP
 Phil Zimmerman
 Free
 Download
 Implement
 Use on email
 Print message encoded and decoded
 Web of Trust

8/24/2014
107
 HTTP
 S-HTTP
 HTTPS
 SSL
 SET
 SSH
 IPSec
 Ciphertext Only Attack
 Know Plaintext Attack
 Chosen Plaintext Attack
 Man In the Middle Attack
 Dictionary Attack
 Side Channel

8/24/2014
108
Module 10
 1. Never reply to emails, phone calls, or text
messages that request your personal information
 Bank will never contact you by phone or email to ask for
your account numbers, PIN numbers, or any other
confidential information.
 Bank only asks you for confidential information to verify
your identity when you initiate contact with us.
 To contact us online, type bank.com on your Internet
browser.
 Do not click on links or cut and paste links that are sent in
emails. To contact us by phone, dial one of the toll-free or
local numbers listed online or in your account statement

8/24/2014
109
 2. Make a list of the contents of your wallet
 Make a list of every ATM or debit card, credit card, driver’s
license number and other forms of ID you carry in your
wallet or purse.
 Keep the list in a safe place at home and update it
regularly.
 You will need this list if your wallet or purse is ever lost or
stolen.
 Never carry your SSN in your wallet or purse. Also, never
carry in your wallet any paper onto which you’ve jotted
down PINs, passwords, or login information.
 3. Sign up for Security Alerts
 When you sign up for a free service from any security
specific website, you’ll receive automatic text
messages or email alerts whenever is given
instructions for changes to your account, including:
▪ Address, email or phone number changes
▪ PIN number change
▪ Request for an additional or replacement ATM/check card or
credit card

8/24/2014
110
 4. Go paperless
 Sign up for free Online Statements and Internet Bill
Pay
 5. Monitor your paper statement, bills, and
online accounts
 Check the transactions listed on your bank
statements, credit card bills, utility bills, and online
accounts regularly for unauthorized transactions.
 If you spot something suspicious, report it
immediately

8/24/2014
111
 6. Only do business with companies you know
and trust
 When making online transactions, be sure the website
uses secure encryption.
 7. Protect your PC with up-to-date anti-virus
software

8/24/2014
112
 8. Be cautious when sharing a computer
 If you use a shared computer – such as a library or lab
computer – or share a computer with roommates, log
out and clear cookies after every computer session.
 9. Password protect your electronics
 Enable the password feature on your cellphone, laptop, Kindle,
iPad, or any electronic devices that contain personal
information about you – including, phone numbers, banking
information – anything you don’t want in the hands of
strangers. If your password-protected device is lost or stolen,
your personal information is not immediately accessible to
others.
 Additionally, most devices have “remote wipe” capability that
allows you to erase addresses, phone numbers, emails, photos
and other sensitive content on a lost or stolen phone. Wiping a
lost or stolen phone restores the device it to its factory settings.
Refer to the manufacturer’s website to learn specifics for your
device.

8/24/2014
113
 10. Watch your Postal mail
 Missing bills or statements may indicate someone is
tampering with your mail or your identity.
 To prevent mail fraud:
▪ Consider going paperless for your banking needs.
▪ If you will be away from home for 3 - 30 days, sign up for
“Hold Mail Service.” The Post Office has a forwarding service
if you will be gone more than 30 days.
▪ Call Postal Service or submit a “Mail Hold” request online.

8/24/2014
114
Extra Module
 Attackers can potentially use many different
paths through your application to do harm to
your business or organization. Each of these
paths represents a risk that may, or may not, be
serious enough to warrant attention.

8/24/2014
115
 Injection flaws, such as SQL, OS, and LDAP
injection occur when untrusted data is sent to an
interpreter as part of a command or query. The
attacker’s hostile data can trick the interpreter
into executing unintended commands or
accessing data without proper authorization.

8/24/2014
116
 Application functions related to authentication
and session management are often not
implemented correctly, allowing attackers to
compromise passwords, keys, or session tokens,
or to exploit other implementation flaws to
assume other users’ identities.
 XSS flaws occur whenever an application takes
untrusted data and sends it to a web browser
without proper validation or escaping. XSS allows
attackers to execute scripts in the victim’s
browser which can hijack user sessions, deface
web sites, or redirect the user to malicious sites.

8/24/2014
117
 A direct object reference occurs when a
developer exposes a reference to an internal
implementation object, such as a file, directory,
or database key. Without an access control check
or other protection, attackers can manipulate
these references to access unauthorized data.
 Good security requires having a secure
configuration defined and deployed for the
application, frameworks, application server, web
server, database server, and platform. Secure
settings should be defined, implemented, and
maintained, as defaults are often insecure.
Additionally, software should be kept up to date.

8/24/2014
118
 Many web applications do not properly protect
sensitive data, such as credit cards, tax IDs, and
authentication credentials. Attackers may steal or
modify such weakly protected data to conduct
credit card fraud, identity theft, or other crimes.
Sensitive data deserves extra protection such as
encryption at rest or in transit, as well as special
precautions when exchanged with the browser.
 Most web applications verify function level
access rights before making that functionality
visible in the UI. However, applications need to
perform the same access control checks on the
server when each function is accessed. If
requests are not verified, attackers will be able to
forge requests in order to access functionality
without proper authorization.

8/24/2014
119
 A CSRF attack forces a logged-on victim’s browser
to send a forged HTTP request, including the
victim’s session cookie and any other
automatically included authentication
information, to a vulnerable web application.
This allows the attacker to force the victim’s
browser to generate requests the vulnerable
application thinks are legitimate requests from
the victim.
 Components, such as libraries, frameworks, and
other software modules, almost always run with
full privileges. If a vulnerable component is
exploited, such an attack can facilitate serious
data loss or server takeover. Applications using
components with known vulnerabilities may
undermine application defenses and enable a
range of possible attacks and impacts.

8/24/2014
120
 Web applications frequently redirect and forward
users to other pages and websites, and use
untrusted data to determine the destination
pages. Without proper validation, attackers can
redirect victims to phishing or malware sites, or
use forwards to access unauthorized pages.
Thank You

Fraudulent Methods for Attacking Bank Networks and Prevention 2014

More Related Content

What's hot (20)

Similar to Fraudulent Methods for Attacking Bank Networks and Prevention 2014 (20)

More from Aladdin Dandis (12)

Recently uploaded (20)

Fraudulent Methods for Attacking Bank Networks and Prevention 2014