Personal Data Security in a Digital World

Editor's Notes

• #2: 0:20Talking about risks inherent in loss or exposure of personal data, and some of the threats and attacks in particular that are related to the rising ubiquity of smartphones and wireless networking
• #3: 0:33Key pointsRisks of Data Insecurity & impacts of Identity TheftFailure of single-factor, or password-based authenticationWhat is strong authentication, or Multi-Factor AuthenticationSome new attacks targeted toward the Mobile world
• #4: 3:30Let’s set the baseline for our talk. There’s a lot of chatter about id theft these days. Define terms.The FTC says: Identity theft occurs when someone uses your personally identifying information (or PII), like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.Pretty general description4 main Types of ID Theft Financial (using another's identity to obtain lines of credit, buy stolen goods) Medical (using another's identity to obtain medical care or drugs) – can be worse than financial fraud. Imagine if someone uses your id to get medical treatment, and now your history says that you’re an AB- diabetic with an array of drug allergies. Next time you end up in the emergency room things could go very badly for you Criminal (posing as another person when apprehended for a crime) = prostitution, dealing drug, obvious severe consequences Identity cloning (using another's information to assume his or her identity in daily life, “Don Draper” ) It’s important to note that ID Theft doesn’t just happen when someone snags your wallet at the coffee shop. Big business. Lot of money to be made, and criminal organizations are very aware of that factTop 3 areas of growth for organized crime: Drugs, human trafficking, identity theft.Why? Relatively easy, low riskGain access to large volumes of personal information through data breachEither resell the records to other id thieves to exploit like petroleum suppliers selling crude oil to be refined into diesel, or make use themselves. Data entry warehouseBuy up drives, laptops, backup tapes, pay break-ins, grind through to harvest data into dbNow cracking and spoofing wifi networks to harvest data,New theoretical attacks published exploiting smartphone vulnerabilities, cellular network spoofing, and trojan horse phone apps
• #5: 4:44 From my context, we deal with these situations every day. We have protected over a million people who have had their personal information exposed in corporate data breaches. Chances are many of you have received notifications from your credit card company or your healthcare provider or university that you data had been lost or stolen.We deal with many cases of ID theft, and we help people discover when it’s happening and help them resolve it, so we get a lot of interesting case studies.Derrick – nursing student and Iraq veteran, EMT in the military, paramedic afterwards, dedicated to helping other people. Unknowingly had his identity stolen while serving overseas, and thief generated a long list of crimes from unpaid speeding tickets and revoked drivers license to felony check fraud.As a result, Derrick twice during routine traffic stops was arrested, once as the driver and once as a passenger. We were able to clear up the contamination of his identity, and all charges were dismissed, but the state still held him responsible for the court and attorney fees, fines, tow fees, bond and the cost to have a new license issued. Fortunately as a customer of ours he was covered by the ID theft insurance policy we provide and didn’t have to go out of pocket for all those expenses, but these can very significant hardships to a person without protection, or the ability to do the investigative work necessary to prove their innocenceCustomer used an iPhone app (pastie.org) to transfer documents from his desktop to his iPhone. One of docs was password list, something thought would be useful have on his phoneWhat didn’t realize app created web site where all transferred docs were publicly available. Thieves who knew where to look able take over almost all accounts, including iTunes, Amazon, American Express, PayPal, and First Tennessee Bank.When tried to take over Debix account, with two-factor mobile authentication, was immediately alerted to the takeover attempt and able to deny it in real time. Then called Debix investigation team who were able to help recover his accounts and update his credentialsCustomer Christopher ordered a ChildScan for his teenage daughter Caitlin through our AllClear ID consumer service. Thought he was just being proactive, didn’t expect to discover that this daughter’s identity had been used to open 42 accounts over 13 years.Common scenario, coyotes bring illegal immigrants, set them up with children’s ssns, don’t get used for yearsIn this case, 3 mortgages, several car loans, credit cards, and multiple accounts in collections.Our investigations team was able to get all the fraudulent accounts closed and the credit damage removed from her identity, just in time for her college applications.Months or even years, Until it was cleared up, job, apt, car
• #6: 0:30There are a lot of scary stories and statistics out there about id theft, but at heart I’m an engineer, so the thing I find most interesting is analyzing how things work, and sometimes how they fail to work.At the end of the day identity theft cases have one thing in common: A failure to differentiate real people from thieves. Ultimately, banks and corporations are doing a poor job at determining that you are who you say you are. That is what allows identity theft to continue.
• #7: 10:53How data is most commonly protectedHost of known attacks against passwordsBrutus, outside inLog and analyze source domainsLock after x attemptsOnce networks have been penetrated, and contents of db or key files harvested, you certainly hope that passwords have not been stored in the clearExpect them to be hashedJohn-the-ripper used to detect weak linux passwordsRecent network breakins have highlighted one thing, people are going to pick bad passwordsGawker – Lifehacker, Gizmodo, KotakuPassword reuse
• #8: 2:25Palin – Where did you meet your husband? Wasilla High SchoolStreet you grew up on? Houston, NASA, manonthemoon
• #9: 4:34Multi-factor – something you have and something you knowATM card + PINBroken when you don’t need card presentBiometricspromising, but not yet prevalentReplay attack, you can change a compromised password, but you can’t change your fingerprintsSecure tokenJob, World of Warcraft, PayPal, bank, credit card, etcDebix uses Cellphone as thing you have. When you sign up, register your phone number, define a PIN, and record “voicekey”
• #10: 1:20In the past, the most common avenues of data breaches have been theft of physical hardware (computers with spreadsheets and databases, backup tapes)or network penetration, exposing database contentsIn the last few years, a new avenue has opened up, one that rests in the hands of the end consumer, and which is used to broadcast personal information across wireless and mobile networks at an unprecedented rate. http://www.pewinternet.org/Reports/2011/Smartphones.aspx
• #11: 3:30How secure is your data? Where is your data going?Several studies over the last year showed surprising results on the amount of personal data that your phone is leaking without your knowledgeNot just “rogue” appsCarrierIQ was not pleased with Eckharts report and threatened legal action unless he retracted his data and issued a public apology, but has since withdrawn their cease and desist and issued an apology to him
• #12: 3:30Ever since iOS 4, iPhones and iPads continuously monitor and store your location with timestamp in a unencrypted text fileCharlie Miller discovered it was possible to create Trojan Horse iphone apps that could innocuously pass the apple app review, then download and execute additional, unverified and potentially malicious code. When he notified Apple about the existence of the bug, Apple promptly terminated Miller’s developer license.
• #13: In addition to smartphones themselves, wireless networks are found everywhere todayCoffee shop, airport, campus, even getting an oil changeConvenience, great feature to offer, but comes with its own set of risksLet’s look at how they are securedWEP – Wireless Equivalent PrivacyProcess is to capture enough network packets to allow a cracking tool to extract and reassemble the network keyWPA – Wifi Protected Access
• #14: IMSI – International Mobile Subscriber IdentityDisabling encryption – could generate a warning, but carriers have turned these warnings off an all handsets, to prevent “confusing” customers
• #15: Circle over a target, someone’s house, starbucks, university campusComplete mobile wireless & cellular surveillance packageNothing new invented hereAll payload components were off-the-shelfWiFi cracking has been around a long timeGSM cell tower spoofing attack published at DefCon 2010Not restricted to corporate espionage or government surveillanceIndivuduals with modest budgets can launch very sophisticated attacks targetted at intercepting and harvesting personal information