Module F

1
1
2
Securing Home Computersvulnerabilities,
threats, and controlsHarris County Library
Presentation

• Dr. Wayne Summers
• TSYS School of Computer Science
• Columbus State University
• wsummers_at_ColumbusState.edu
• http//csc.ColumbusState.edu/summers

3
OUTLINE

• THE PROBLEM
• Definitions
• Vulnerabilities
• Threats
• Controls
• Conclusions
• QA

4
WHY IS INFORMATION SECURITY IMPORTANT?
5
SQL Slammer (Fall 2002)
5

• It only took 10 minutes for the SQL Slammer worm
  to race across the globe and wreak havoc on the
  Internet two weeks ago, making it the
  fastest-spreading computer infection ever seen.
• The worm, which nearly cut off Web access in
  South Korea and shut down some U.S. bank teller
  machines, doubled the number of computers it
  infected every 8.5 seconds in the first minute of
  its appearance.
• It is estimated that 90 of all systems that fell
  victim to the SQL Slammer worm were infected
  within the first 10 minutes.

6
DHS Fears a Modified Stuxnet Could Attack U.S.
Infrastructure (Wired - July 26, 2011)

• computer worm discovered in June 2010
• initially spreads via Microsoft Windows
• targets Siemens industrial software and
  equipment
• first discovered malware that spies on and
  subverts industrial systems
• first to include a programmable logic controller
  (PLC) rootkit

7
FLAME
7

• A frightening computer virus called Flame is on
  the loose in Iran and other parts of the Middle
  East, infecting PCs and stealing sensitive data.
  Now, the United Nations' International
  Telecommunications Union warns that other nations
  face the risk of attack.
• http//www.pcworld.com/article/256508/the_flame_vi
  rus_your_faqs_answered.html PCWorld    May 30,
  2012

8
FLAME
8

• backdoor Trojan with worm-like features
• point of entry is unknown spear-phishing or
  infected websites are possibilities
• spread through USB sticks / local networks
• can sniff out information from input boxes,
  including passwords hidden by asterisks
• record audio from a connected microphone
• take screenshots of applications, such as IM
  programs
• collects information about nearby discoverable
  Bluetooth devices
• Uploads info to command and control servers

9
Latest News
9

• 2013 will see more Stuxnet and Flame-like
  malware attacks, says AVG-CTO Computing.co.uk-2/
  6/13
• Adobe releases emergency Flash security update
  to address malware attacks on OS X 9To5Mac.com
  2/6/13
• Facebook reveals attack by computer virus US
  News 2/13/13
• Apple Computers Hit by Sophisticated
  Cyberattack NY Times, Bits Blog 2/19/13
• After Facebook and Twitter announced that they
  were breached by sophisticated hackers in recent
  weeks, Apple said it had been attacked

10
What are the risks?

• MALWARE erasing your entire system,
• HACKER breaking into your system and altering
  files,
• HACKER using your computer to attack others,
• HACKER stealing your credit card information
  and making unauthorized purchases.

11
Goals
11

• confidentiality - limiting who can access assets
  of a computer system.
• integrity - limiting who can modify assets of a
  computer system.
• availability - allowing authorized users access
  to assets.

12
Privacy (Confidentiality)

• Limiting who can access your information.

13
Identity Theft

• Using anothers identity for ones benefit
  (usually financial gain)
• social security number (32)
• credit card account numbers
• date of birth
• drivers license
• passport
• mothers maiden name
• addresses

14
Definitions
14

• vulnerability - weakness in the security system
  that might be exploited to cause a loss or harm
  (usually caused by programming errors in
  software.)
• threats - circumstances that have the potential
  to cause loss or harm. (Threats typically exploit
  vulnerabilities.)
• control - protective measure that reduces a
  vulnerability or minimize the threat.

15
Definitions

• Virus - computer program that attaches to other
  programs and replicating itself repeatedly,
  typically without user knowledge or permission.
• Worm - parasitic computer programs that
  replicates
• Trojan Horse - claims to be one thing while in
  fact doing something different behind the scenes.
• Zombie - PC that has been infected with a virus
  or Trojan horse that puts it under the remote
  control of an online hijacker.
• Time bomb - malicious action triggered at a
  specific date or time
• Spam - unsolicited or undesired bulk email
• Phishing - using social engineering techniques to
  fraudulently acquire other peoples personal
  information
• Keyloggers - malicious programs that record the
  key strokes a user types.

16
Vulnerabilities reported
16
Year 1995 1996 1997 1998 1999 2000
Vulnerabilities 171 345 311 262 417 1090

• The number of attacks is now so large and their
  sophistication so great, that many organizations
  are having trouble determining which new threats
  and vulnerabilities pose the greatest risk and
  how resources should be allocated to ensure that
  the most probable and damaging attacks are dealt
  with first. Exacerbating the problem is that most
  organizations do not have an Internet-wide view
  of the attacks. http//www.sans.org/top-cyber-sec
  urity-risks/

Year 2000-2009 2010-2012 1999-2012
Vulnerabilities gt40,000 gt17,000 gt50,000
17
Vulnerabilities
17

• How many of you patch your software when
  requested?
• How many of you access the Internet from home?
• Wireless networks have become pervasive.
• How many of you have wireless networks at home?
• How many of you use wireless networks when you
  are on the road?
• How many of you have web-enabled cell phones?
• How many of you have networked PMPs?

12/15/2020
Columbus State University
18
Vulnerabilities
18

• Todays complex Internet networks cannot be made
  watertight. A system administrator has to get
  everything right all the time a hacker only has
  to find one small hole. A sysadmin has to be
  lucky all of the time a hacker only has to get
  lucky once. It is easier to destroy than to
  create.
• Robert Graham, lead architect of Internet
  Security Systems

19
Types of Threats
19

• interception - some unauthorized party has gained
  access to an asset.
• modification - some unauthorized party tampers
  with an asset.
• fabrication - some unauthorized party might
  fabricate counterfeit objects for a computer
  system.
• interruption - asset of system becomes lost or
  unavailable or unusable.

20
Malware and other Threats
20

• Malware 403 million new variants of malware were
  created in 2011, a 41 increase of 2010 Symantec
  - http//www.symantec.com/security_response/
• 1987-1995 boot program infectors
• 1995-1999 Macro viruses (Concept)
• 1999-2003 self/mass-mailing worms (Melissa-Klez)
• 2001-??? Megaworms blended attacks (Code Red,
  Nimda, SQL Slammer, Slapper)
• 2005-??? Organized Crime
• 2010-??? Nation States

21
Social Engineering
21

• we have met the enemy and they are us - POGO
• Social Engineering getting people to do things
  that they wouldnt ordinarily do for a stranger
  The Art of Deception, Kevin Mitnick

22
PayPal Phishing Site Arrives as Attachment
23
IRS Phish
23
12/15/2020
Columbus State University
24
24

• E-mail from "Microsoft security_at_microsoft.com
• Virus? Use this patch immediately !
• Dear friend , use this Internet Explorer patch
  now!
• There are dangerous virus in the Internet now!
• More than 500.000 already infected!
• 
  
• Vigilantes Go on the Offensive to Bait Net Crooks
• http//www.npr.org/templates/story/story.php?story
  Id4716843
• Scambaiter - http//www.419eater.com/

25

• Privacy is the future. Get used to it.
• (Marc Rotenberg, Director, Electronic Privacy
  Information Centre - EPIC) (Fortune, 2001).

26
Who is Wayne Summers?

• Google.com
• http//csc.columbusstate.edu/summers/ (resume)
• Linked.com, Jigsaw, ZoomInfo, EduCause
• Math geneology
• Naymz.com, classmates.com
• Blogger.com
• peoplefinders.com
• Age, Cities, parents, spouse, and childrens
  names ages

27
peoplefinders.com

• Comprehensive Background Report
• Name SUMMERS, WAYNE
• Everything you need to know, all in one report.
• Aliases Maiden Names
• Birth Date
• Address History
• Phone Numbers
• Marriages Divorces
• Relatives neighbors
• Property ownership
• and much more...
•    39.95
• Click below to find out how to get this product
  for FREE.

28
Who is Wayne Summers?

• Whitepages.com
• Home address
• Map of neighborhood
• Neighbors home values (zillow.com)
• http//www.123people.com
• Photos
• Phone s
• Email address
• Blogs

29
Other personal data websites

• Addresses.com
• AnyWho.com
• Google
• InfoSpace
• Intelius
• MySpace
• PeopleFinders.com

• PublicRecordsNow.com
• USA People-Search
• US Search
• WhoWhere.com
• Yahoo!
• ZabaSearch
• ZoomInfo
• SPOKEO.com (Social Network Aggregator)

30
Future ID Theft Privacy Issues

• Minority Report Mall Scene (36 sec)
• Minority Report Scene Gap Store (16 sec)
• April 9, 2008 (Computerworld) RFID keeps tabs on
  Vegas bartenders -- and soon could track you too
• The Smart Card Alliance isn't too keen on
  proposed enhanced driver licenses that the
  Department of Homeland Security is working on
  with several states bordering Canada and Mexico.
  The long range-reading RFID technology suggested
  by DHS raises privacy, security, and operational
  functionality issues, says the alliance.

31
Xanboo Online home watch
32
32

• You have zero privacy anyway. Get over it.
• (Scott McNealy, CEO, Sun Microsystems, 1999)

12/15/2020
Columbus State University
33
Controls
33

• Reduce and contain the risk of security breaches
• Security is not a product, its a process
  Bruce Schneier Using any security product
  without understanding what it does, and does not,
  protect against is a recipe for disaster.
• Security is NOT JUST installing a firewall.
• 80-90 of any/all security issues are INTERNAL (
  not the outside world )
• There always is someone out there that can get in
  ... if they wanted to ...

34
Computer Protection (Defense in Depth)
34

• Protect yourself
• Install firewalls, antivirus, anti-spyware
• Properly configure all devices
• Monitor logs
• Removed unneeded cookies
• Disable or secure file shares
• Use browser protection and search engines with
  URL safety rating
• Know what you are doing
• Do not enter personal information on a website
  over a non-encrypted connection
• Do not run programs of unknown origin
• Read EULAs
• THINK before you click

Property has its duties as well as its
rights. Thomas Drummond (1797-1840)
12/15/2020
35
Computer Protection (Defense in Depth)
35

• Keep patches up to date
• AV and security software
• Operating System
• Application software
• Browsers
• BACKUP- BACKUP- BACKUP

12/15/2020
36
USE STRONG PASSWORDS
36

• Online passwords are so insecure that one per
  cent can be cracked within 10 guesses, according
  to the largest ever sample analysis.
  http//www.cam.ac.uk/research/news/online-insecuri
  ty/
• POLICY
• Minimum length of six-ten characters
• at least three of the following lowercase alpha,
  uppercase alpha, digit, and special character.
• Alpha, number and special characters must be
  mixed up.
• Do not use "dictionary" words.

37
Home Network
37

• how many of you
• protect your wireless device with a password?
• encrypt the data in your wireless device?
• employ any type of security with your wireless
  device?
• employ security with your wireless network?

12/15/2020
Columbus State University
38
Safe Guards
38

• E-mail
• should be considered like a postcard
• Dont transmit personal data unless it is
  encrypted
• Social networks (Facebook, Myspace) are open to
  others
• Dont post personal data that could be used for
  identification
• Dont post anything you would be ashamed of

12/15/2020
Columbus State University
39
What Else Can You Do?

• Do not give your personal information out over
  the phone or Internet.
• Take all outgoing mail to a U.S. Postal Service
  mail box.
• Use a P.O. Box for all incoming mail.
• Buy a document/credit card/CD crosscut shredder.

40
Credit Security

• Use one credit card exclusively for Internet
  purchases.
• Monitor activity on all credit cards closely.
• Checking your credit history at least twice a
  year.
• Your can buy identity theft recovery insurance.

41
10 Tips to Prevent Identity Theft
41

• avoid spoofed websites where phishing is the
  gateway
• If you arent familiar with the eTailer dont
  even bother clicking the links
• make sure the address you end up at is in fact
  the actual domain of the eTailer
• always look for HttpS is the address bar
  signifying its a secure page
• Beware of emails coming for eBay scammers
• look at the eBayers history
• pay close attention to your credit-card
  statements
• Dont use a debit-card online
• Avoid paying by check
• Do business with those you know like and trust
• http//www.bloggernews.net/123204

12/15/2020
Columbus State University
42
42

• The most potent tool in any security arsenal
  isnt a powerful firewall or a sophisticated
  intrusion detection system. When it comes to
  security, knowledge is the most effective tool
• Douglas Schweizer The State of Network
  Security, Processor.com, August 22, 2003.

Knowledge is power Nam et ipsa scientia
potestas est Francis Bacon (1561-1626)
43
Resources
43

• http//www.sans.org
• http//www.cert.org
• http//www.cerias.purdue.edu/
• http//www.linuxsecurity.com/
• http//www.linux-sec.net/
• http//www.microsoft.com/security/
• Cuckoos Egg Clifford Stoll
• Takedown Tsutomu Shimomura
• The Art of Deception Kevin Mitnick
• 19 Deadly Sins of Software Security Howard,
  Leblanc, Viega
• http//www.us-cert.gov/reading_room/

44
Conclusions
44

• Security is, I would say, our top priority
  because for all the exciting things you will be
  able to do with computers.. organizing your
  lives, staying in touch with people, being
  creative.. if we don't solve these security
  problems, then people will hold back. Businesses
  will be afraid to put their critical information
  on it because it will be exposed. Bill Gates

12/15/2020
Columbus State University
45
COMPUTER SECURITY AWARENESS WEEK(http//infosec.c
olumbusstate.edu/)October / November 2013
45
ACCENTUATE THE POSITIVE
46
Questions?

• Dr. Wayne Summers
• CSU Center for Information Assurance Education
• TSYS School of Computer Science
• Columbus State University
• wsummers_at_ColumbusState.edu
• http//csc.columbusstate.edu/summers/workshop.html

12/15/2020
Columbus State University