Social Engineering & Security Primer
AKA “People are bastard covered bastards with bastard-filling.”

Hacking, Cracking, Phishing, Zombies - OMGWTFSRSLY?

Hacker: someone who breaks into computer networks for legitimate or illegitimate reasons. (This definition has changed over time and still means a few different things.)

Cracker: someone who reverse-engineers computer software for the purpose of embedding spyware/malware or working around commercial licenses (“Warez”).

Phishing: attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

WARNING!

The word “hacker” does not inherently imply illegal or unethical behavior. The negative connotation came years later, as “hacker” originated as a positive term for people who kick ass at computers and/or coding.

Hackers get very upset when this word is misused. Very. Upset.
Malicious Hacking Has Grown Up

Years ago, hacking was often done for just fun and bragging rights.

Today, hacking is a lucrative industry often backed by organized crime.

LOTS of $$$ to be made stealing identities, credit card info, etc.

Why Hackers Hack

To steal/sell identities, credit card numbers, corporate secrets, military secrets

Fun, Excitement and/or Notoriety

Political (“Hacktivism”)

Revenge

Blackhat SEO

White Hat vs Black Hat

White Hat: The Good Guys.

Grey Hat: The (Mostly) Good Guys.

Black Hat: The Bad Guys.

This is over-simplified, of course, but you get the gist.
Virus

Self-replicating program that infects a system without authorization.

They can install keyloggers, download, delete or alter files, render a system unusable or worse.

Travels from computer to computer.

(No, they cannot spread to humans. Yet.)

Worm

Similar to a virus, but can self-replicate without human interaction.

Takes advantage of network transport protocols - can send thousands of copies of itself.

Worm Example

A worm sends a copy of itself to everyone in your e-mail address book.

The worm then replicates and sends itself out to everyone listed in each recipient’s address book.

And so on, and so on.

Trojan Horse

Masquerades as useful software such as anti-virus, video codecs, browser plugins, etc.

Victims are tricked into opening Trojan Horse files because they appear to be receiving legitimate software or files from a legitimate source.
Macs are NOT Immune

Trojans frequently appear as fake video codec downloads, rogue anti-virus (“scareware”), and attachments in emails such as phony receipts.

Email Attachments

Spoofed emails that contain malware attachments frequently appear to come from Amazon.com, PayPal, eBay, iTunes, and banks.

They often use the scare tactic that the recipient’s account has been suspended or compromised.

Botnets (AKA “Zombie Armies”)

Infected computers become part of a controlled “army” of infected machines.

They can be used to send SPAM, viruses, or to initiate a DDoS (Distributed Denial of Service) attack on a website or network that can cause the website or network to stop responding altogether.

Phishing

Phishing attacks attempt to trick users into entering their login/credit card/SS#/etc. into a fake version of a legitimate site so the sensitive data can be saved and used later by the attacker.

Many phishing attacks originate from e-mails and can be VERY convincing.
What’s the Point?

Phishers capture login information even for non-financial sites because they know that MANY PEOPLE RE-USE THE SAME LOGINS FOR MULTIPLE WEBSITES.

*cough*Gawker*cough*

Platform Agnostic

Since Phishing scams take advantage of vulnerabilities in the human condition instead of vulnerabilities in technology, ALL users are at risk, whether they are on Mac, PC, Linux, etc.

Same password for email + a forgotten-password request = access to hijack any account.

SSL

Different browsers indicate that your connection is secure (encrypted) in different ways.

Becoming familiar with how each browser indicates a healthy SSL connection will help you avoid being fooled.

NOTE: Just because an SSL connection is legit, that doesn’t mean the site is. Be skeptical.

Phishing & Smartphones

Smartphone users are particularly vulnerable to phishing attacks because the browser takes up the whole screen, and doesn’t provide as much information about a page as a desktop browser.

This makes it easier to trick users into thinking the site is real.
Case Study: Stanley Mark Rifkin

In 1978, a computer tech stole $10.2 million from Security Pacific Bank using only social engineering.

Talked his way into the room where the daily wire transfer security code was posted and memorized it.

Called the bank, impersonating an authorized employee, and requested a transfer of $10.2 million to his Swiss bank account.

Because he was able to talk his way into learning the daily code, the transfer went through without a hitch. The woman who performed the transfer thanked him before hanging up.

“Social Engineering”?

The act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.

Trickery or deception for the purpose of information gathering, fraud, or computer system access.

In most cases the attacker never comes face-to-face with the victim.

Social Engineering attacks are commonly executed over the phone or through email.

419 Scams

Nigerian Bank Scams (also called 419 scams after the section of Nigerian law they violate) are a type of advance-fee scam.

See:
419eater.com
scambaiter.com
“Message number 419” by MC Frontalot

Things to Watch For

“Hi, I’m having a problem using the XYZ website. It’s not working in my browser. I’m using IE7, what browser are you using?” The attacker can then tailor the attack to vulnerabilities in that browser.

“I’m having a problem using the website. Let me send you a link to the page I’m having trouble with.” The link contains a malware/phishing payload.

“This is John Smith from XYZ Software Vendor. There was a critical security patch released that we need you to install or you are at risk of massive data loss.”

Good Habits

Shred ALL paper documents that contain intellectual property, financial or account information. Every time.

If someone you do not recognize claims to be a new superintendent or maintenance worker, call downstairs to confirm before letting them in.

If someone calls or walks in claiming to be a representative or worker from a company but you do not know them personally, call the company to confirm their identity and meeting.

PAY ATTENTION

An attacker targets users of a website myfantasyfootballleague.com by finding people who post on the forums.

The attacker sends them an email claiming a new feature or compromised account, directing them to myfantasyfootballeague.com, which they own. Note the missing third “l”.

Victim clicks and is phished, hijacked or tricked into downloading malware.
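The Email Attachments, Phishing and PAY ATTENTION slides above describe the same three tells: a brand in the sender's display name that the sending domain does not belong to, a link to a lookalike domain (the missing third “l”), and scare wording about a suspended or compromised account. The Python script below is an added example, not part of the original deck, and runs those three checks over constructed sample messages. The trusted-domain list, the two-edit lookalike threshold, the two-label "registrable domain" shortcut and the sample emails are all assumptions made for the example; a real deployment would use the organisation's own list of legitimate domains and the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of domains users legitimately deal with (hypothetical for the
# example: the first is the real site from the slide, the rest are brands the
# Email Attachments slide names).
TRUSTED_DOMAINS = {"myfantasyfootballleague.com", "paypal.com", "amazon.com"}

# Lookalike threshold: at most this many single-character edits away.
MAX_EDITS = 2

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, so www.paypal.com -> paypal.com.
    Good enough for .com-style names; a real tool would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_domain(host: str) -> str:
    """'trusted', 'lookalike' (within MAX_EDITS of a trusted domain) or 'unknown'."""
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if any(levenshtein(dom, t) <= MAX_EDITS for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


def triage(raw_email: str) -> dict:
    """Apply the three tells from the slides to one RFC 822 message."""
    msg = message_from_string(raw_email)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    findings = []

    # 1. Display name drops a trusted brand, but the sender domain is not that brand.
    compact_name = display_name.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in compact_name and classify_domain(sender_domain) != "trusted":
            findings.append(f"display name claims {brand} but sender domain is {sender_domain}")

    # 2. Any link whose host is a near-miss of a trusted domain (the missing third "l").
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if classify_domain(host) == "lookalike":
            findings.append(f"link host {host} is a lookalike of a trusted domain")

    # 3. The scare tactic the Email Attachments slide describes.
    if re.search(r"suspend|compromis", text, re.IGNORECASE):
        findings.append("urgency wording about a suspended/compromised account")

    return {"sender_domain": sender_domain, "findings": findings,
            "verdict": "suspicious" if findings else "no indicators"}


# Constructed sample messages (not real mail): one modelled on the PAY ATTENTION
# slide, one legitimate-looking shipping notice for comparison.
PHISH_EMAIL = """\
From: "My Fantasy Football League Support" <alerts@myfantasyfootballeague.com>
To: victim@example.com
Subject: Action required

Your account has been suspended pending verification. Log in here to restore it:
http://myfantasyfootballeague.com/login
"""

CLEAN_EMAIL = """\
From: "Amazon.com" <ship-confirm@amazon.com>
To: victim@example.com
Subject: Your order has shipped

Track your package: https://www.amazon.com/orders
"""

if __name__ == "__main__":
    for label, mail in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage(mail))
```

The edit-distance check generalizes the slide's single missing letter to any domain within two edits of a trusted one. Treat the output as a triage signal for routing a message to review rather than a verdict: a legitimate but unfamiliar domain can also sit close to a known one.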
Case Study: Video Rental Shop

Attacker Tom calls Jennifer at XYZ Video, claiming to be the manager of a different branch, asking if they have a copy of a video they can’t find.

Tom does this repeatedly over several weeks, building up a rapport with Jennifer and establishing the pretext.

Tom then calls saying he has a customer of Jennifer’s shop who forgot his membership and credit card but would like to rent from Tom’s store. Jennifer provides that information to Tom to be helpful.

Attackers Will Research Their Targets

After looking up the domain name records of a website, an attacker knows that someone named James Li is the technical contact. Tom calls James.

“Hi, this is Bob Dickins from LuckyRegister. We have detected fraudulent activity on your account and we need you to reset your password.”

Vacation messages in email and voicemail can alert an attacker that you are out of town, giving them information that may help them sound legitimate to other people in the company.

USB Keys

A very easy and often successful attack is to leave a poisoned USB key out where people can find it.

Who doesn’t want a free USB drive?

The poisoned USB key infects the computer or entire network once it’s plugged in.

Social Media

- Make sure your profiles are locked down so only friends can see your information.

- Turn OFF geotagging on images in your smartphone.

Location Services

Be careful using location services such as Foursquare, Facebook Places, etc. if your social media accounts are open to anyone.
Gawker Passwords (count: password)

2516: 123456
2188: password
1205: 12345678
696: qwerty
498: abc123
459: 12345
441: monkey
413: 111111
385: consumer
376: letmein
351: 1234
318: dragon
307: trustno1
303: baseball
302: gizmodo
300: whatever
297: superman
276: 1234567
266: sunshine
266: iloveyou
262: fuckyou
256: starwars
255: shadow
241: princess
234: cheese

ALL Passwords Are Crackable

Using an eight-core Xeon-powered system, Duo Security brute-forced 400,000 password hashes of the 1.3 million stolen from Gawker, cracking the first 200,000 in under an hour.

15 of the accounts for which it had cracked password encryption belonged to people working at NASA, nine were assigned to users employed by Congress, and six belonged to employees of the Department of Homeland Security.

2009 RockYou hack: “123456” was the most common password in the collection posted on the Web by hackers, followed by “12345”, “123456789”, “password” and “iloveyou”.

There is NO Excuse for Shitty Passwords Anymore

1Password and LastPass both allow you to:

- generate long, highly random passwords that are unique to each website you log into
- store the passwords in a database and auto-fill
- sync that database across your iPhone, iPad, other computers, etc.

Password Tips

Don't use only letters or only numbers.

Don't use names of spouses, children, girlfriends/boyfriends or pets.

Don't use phone numbers, Social Security numbers or birthdates.

Don't use the same word as your log-in, or any variation of it.

Don't use any word that can be found in the dictionary — even foreign words.

Don't use passwords with double letters or numbers.

Password Tips

Use the first letters of the words in a favorite line of poetry or a verse of song. "Hail, hail the lucky ones, I refer to those in love" becomes "H,hTL0,IR2t1L."

EVERY SINGLE WEBSITE you have an account with should use a different password. You have no idea how secure their websites are, so you should assume they are not secure at all.
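The Gawker list, the Duo Security cracking figures and the two Password Tips slides together amount to a policy: reject anything on a known-leaked list, anything that is all letters or all digits, anything built from the login name or a dictionary word, anything with doubled characters or a phone-number-like digit run, and never reuse a password across sites. The Python below is an added example rather than code from the deck. It implements those rules as a checker, adds a generator that draws from the OS CSPRNG the way the password managers on the slide do, and reports reuse across a constructed vault. Assumptions made for the example: a 12-character minimum (the slide says "long" without a number), a tiny constructed dictionary standing in for a real word list, "double letters or numbers" read as adjacent repeated characters, and a run of four or more digits as the proxy for phone numbers, SSNs and dates.

```python
import re
import secrets
import string

# The Gawker counts exactly as listed on the slide (count: password).
GAWKER_TOP = {
    "123456": 2516, "password": 2188, "12345678": 1205, "qwerty": 696,
    "abc123": 498, "12345": 459, "monkey": 441, "111111": 413,
    "consumer": 385, "letmein": 376, "1234": 351, "dragon": 318,
    "trustno1": 307, "baseball": 303, "gizmodo": 302, "whatever": 300,
    "superman": 297, "1234567": 276, "sunshine": 266, "iloveyou": 266,
    "fuckyou": 262, "starwars": 256, "shadow": 255, "princess": 241,
    "cheese": 234,
}

# Constructed stand-in for a real word list (a deployment loads a full
# dictionary, foreign words included, as the slide advises).
DICTIONARY = {"hail", "lucky", "ones", "love", "dragon", "monkey", "cheese",
              "shadow", "princess", "sunshine", "baseball", "superman"}

MIN_LENGTH = 12  # assumed threshold; the slide says "long" without a number
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def check_password(pw: str, login: str = "") -> list:
    """Return the slide rules that `pw` breaks; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if low in GAWKER_TOP:
        problems.append(f"on the Gawker top list ({GAWKER_TOP[low]} accounts used it)")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isalpha() or pw.isdigit():
        problems.append("only letters or only numbers")
    if login and login.lower() in low:
        problems.append("contains the login name")
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("dictionary word once digits and punctuation are stripped")
    if re.search(r"(.)\1", pw):
        problems.append("repeated adjacent character")
    if re.search(r"\d{4,}", pw):
        problems.append("4+ consecutive digits (phone number, SSN or date pattern)")
    return problems


def generate_password(length: int = 20, login: str = "") -> str:
    """Draw from the OS CSPRNG, as a password manager does, until the policy passes."""
    length = max(length, MIN_LENGTH)  # never loop forever on a too-short request
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, login):
            return candidate


def reused_passwords(vault: dict) -> dict:
    """Map each password shared by more than one site to the sites that share it."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for sample in ("123456", "trustno1", "H,hTL0,IR2t1L."):
        print(sample, "->", check_password(sample) or "passes")
    print("generated:", generate_password())
    # Constructed vault showing the reuse the "What's the Point?" slide warns about.
    print(reused_passwords({"gawker.com": "trustno1", "webmail": "trustno1",
                            "bank": "H,hTL0,IR2t1L."}))
```

The proxies are deliberately simple. A deployment would swap DICTIONARY for a full word list and GAWKER_TOP for a current breach corpus, and would make the generator the default path so users never have to craft a password by hand.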
Passwords are like underwear - they should never be shared with friends and should be changed often!

Alison L. Gianotto

snipe@snipe.net
http://www.snipe.net
http://www.un-hacker.com
