Security Awareness: Security Tips for Protecting Ourselves Online

1. Security Awareness:Security Tips for Protecting Ourselves Online Wednesday, February 10th, 2010Brian Allen ballen@wustl.eduNetwork Security Analyst,Washington University in St. Louishttp://nso.wustl.edu/presentations/

2. Let’s Talk About… • Zeus (And Other Bots That Steal Money) • Home Wireless Router Security: • Facebook/Social Network Security: • Password Security: • AV Products: • Laptop Security: • Browsing with Firefox Addons: • Online Banking:

3. Three Notable Zeus Attacks in the Past Year • Bullitt County, Kentucky: July 2009 -$415,000 • http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html • http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html • Western Beaver School District, PA Jan 2009 -$219,000 • http://www.courier-journal.com/blogs/bullitt/2009/07/bullitt-not-alone-in-online-thefts.html • Duanesburg Central School District, NY: Jan 2010 -$3Million • http://www.duanesburg.org/news/0910/cybercrime.htm

4. How Zeus Works • Hackers send phishing emails with a link to download the zeusbot to the victim’s computer • The zeusbot has a keylogger which captures the victim’s bank credentials • The criminal logs in to bank's website using that information, and transfers money to the "Customer Service Specialist" AKA Money Mule • The Mule then receives instructions on how to wire the money internationally, keeping a generation commission (money stolen from someone else's bank account!) for themselves

5. Zeus Facts • 3.6 Million bots in the US as of Sep 2009 • http://www.networkworld.com/news/2009/072209-botnets.html • For Computers with up-to-date AV, 55% still were infected by Zeus • http://www.trusteer.com/files/Zeus_and_Antivirus.pdf • Sold on the Underground Economy and Used by Criminal Organizations

6. What Can Zeus Do? • The majority of the time a keylogger is activated • Replace the web form on a search page to ask for additional information: • card numbers, pin numbers, SSNs, answers to security questions, etc. • Real-time screenshots can be taken from infected machines • It can “phone home” and update itself

7. ZEUS Website/Phish Examples

21. #1 Way To Prevent Infection • Do Not Click On Suspicious Links and Attachments In Emails • If there are questions about a particular email, ask first.

22. Tokens Are Not Perfect • Zeus can create a direct connection between the infected computer and the attacker’s, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection. • Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives. By connecting through the victim's PC or Internet connection, the bad guys can avoid raising any suspicions.

23. Requiring Two People is not Perfect • - The attackers somehow got the Zeus Trojan on the county treasurer's PC, and used it to steal the username and password the treasurer needed to access e-mail and the county's bank account. • - The attackers then logged into the county's bank account by tunneling through the treasurer's Internet connection. • - Once logged in, the criminals changed the judge's password, as well as e-mail address tied to the judge's account, so that any future notifications about one-time passphrases would be sent to an e-mail address the attackers controlled. • - They then created several fictitious employees of the county (these were the 25 real-life, co-conspirators hired by the attackers to receive the stolen funds), and created a batch of wire transfers to those individuals to be approved. • - The crooks then logged into the county's bank account using the judge's credentials and a computer outside of the state of Kentucky. When the bank's security system failed to recognize the profile of the PC, the bank sent an e-mail with the challenge passphrase to an e-mail address the attackers controlled. • - The attackers then retrieved the passphrase from the e-mail, and logged in again with the judge's new credentials and the one-time passphrase. Once logged in, the crooks were able to approve the batch of wire transfers.

24. Note the NY Attack Started on a Fri • On Friday, Dec. 18, an unauthorized electronic transfer of $1,862,400 was made from a Duanesburg Central School District NBT Bank account to an overseas bank.

25. . Letter Sent Out After NY Attack http://www.duanesburg.org/news/0910/communityltr010510.pd • January 5, 2010 • Dear Parents and Community Members, • The Duanesburg Central School District announced today that it is working closely with the Federal Bureau of Investigation and New York State Police to investigate unauthorized electronic transfers of school district funds from its NBT Bank account. The district first learned of the fraudulent activity on Tuesday, Dec. 22, when contacted by an NBT bank representative, questioning the validity of a request for an electronic transfer of funds to multiple overseas accounts that day. Upon confirming with the district that the transfer was not authorized, the bank immediately cancelled the pending transaction, which totaled approximately $759,000. After further review, it was discovered that an additional $3 million in unauthorized electronic transfers to various overseas banks had already been executed over the previous two business days, between December 18-21. Both district officials and the bank immediately contacted the FBI, which opened an investigation along with state police. • To date, $2.5 million of the stolen funds have been recovered by NBT Bank, working with several overseas financial institutions. • Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered. However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds. • To prevent any district bank accounts from being further compromised, the district closed all of its bank accounts and established new ones with restricted online access.The district is cooperating fully with the ongoing investigation by the FBI and New York State Police. Additional details may be found on the district Web site at www.duanesburg.org. As soon as more information becomes available, it will be posted on the Web site. • Sincerely, • Christine Crowley • Superintendent

26. Questions So Far?

27. Facebook Privacy Settings

37. pics1

39. Twitter Users Are Targets Too

40. Twitter Phish 1 of 2

41. Twitter Phish 2 of 2

42. Password Topics

43. Parents’ Password Cracked On First Try The Onion News Feb 27, 2002 • REDONDO BEACH, CA – Nick Berrigan, 14, successfully hacked into his parents’ AOL account on the first try Tuesday, correctly guessing that “Digby” was their password. “They actually used the dog’s name,” said Berrigan, deactivating the parental controls on his AOL account. • Experts advise parents to secure Internet accounts with any password besides the name of a family pet

44. Free Password Managers 1. Password Safe: www.schneier.com/passsafe.html • Bruce Schneier’s Project 2. KeePass: keepass.info • LastPass: lastpass.com - Firefox Plugin 4. Mac KeyChain: 5. PassPack: www.passpack.com • An online password manager

45. Commercial Password Managers 1Password - 1passwd.com Keeps track of all web passwords, automates sign-in, guards from identity theft for $39.95 Roboform - www.roboform.com $29.95 for the Professional version

46. Some Key Threats to Passwords Brute force or dictionary attacks Keystroke loggers Social engineering/Phishing

47. Three KeePass Features • Require two factor authentication to access your keepass database

48. KeePass – Opening the Database

49. KeePass – The Main Interface

50. KeePass – Individual Entry