
Internet Security & Personal Privacy

Presented by

John Bondon

Office:

Walnut Creek

Phone:

925-210-2242

Threats to your Online Privacy

Learn …

  • The Truth About Cookies
  • Ways Your Browser Squeals on You
  • Why Hackers love your Home PC
  • What is Malware?
  • The Importance of Strong Passwords
Today’s Agenda
  • Threats to Personal Privacy on the Internet
  • The Blaster & Nachi Worms
    • Why BC Got Hit? How to Protect Yourself?
    • Why The Internet Went Down in WC
  • How to Protect your Computer Home
  • The Truth About Cookies
  • What You Should Know About FTP
Fighting Back …

Best Practices to Secure your Home PC

  • Personal Firewall vs Internet Gateway
  • To Patch or Not To Patch?
  • Simple vs Complex Passwords
  • Donating your PC to Charity...Securely
Data Security Concerns @ BC
  • Social Engineering: Convenience vs Security
  • The Risks of FTP, POP3, and SMTP
  • The Risks & Abuses of an Anonymous FTP site
  • Why never use FTP for ‘confidential’ documents.
  • How secure is a ‘private’ FTP site?
  • The Truth About Password Protection
Why Talk About Security?
  • On the Need to Educate Users

The art of war is of vital importance to the State.

It is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on no account be neglected.

Why Talk About Security?

In this day and age, when everyone and everything has to be connected to the Internet for some reason or another, there comes a point when there is more technology than people who truly understand it.

When few people truly understand what they are defending, your defenses wear thin, and it only takes a small few who understand what they're attacking to defeat the plans of many.

Blaster / Lovsan
  • Infected 500,000+ computers globally
  • One of the most widespread of 2003
  • Exploits Remote Procedure Call (RPC) vulnerabilities in Windows
    • MS03-026
      • Attacks ports 135, 139, 445, or 593
    • MS03-039
      • Send malformed message to create Buffer Overflow in RPCSS service
  • Does Not Delete Data, but Can Bring Down Entire Network
Nachi / MSBLAST
  • Removes Blaster
  • Scans for other infected machines to fix via ICMP
  • Applies an appropriate patch to each infected computer it finds.
  • The worm is designed to retire January 1, 2004.
  • ONE Nachi infected machine connected via VPN was all it took to bring down our entire Walnut Creek Internet circuit!
How to Prevent Blaster & Nachi from Infecting YOU
  • Use a Firewall
  • Keep your Windows OS Up-To-Date
  • Keep your Anti-Virus Software Up-to-Date
The Truth About Hackers
  • Why Hackers Hack
  • How Hackers Hack
  • Why Home PCs are More Interesting Targets
  • The Real Threat to the Corporate Network
Has Brown & Caldwell Ever Been Hacked?
  • YES! 
  • Anonymous FTP Site
    • Targeted Weekly
    • Files Have Been Deleted by Upset Hackers
    • Typically Used for File Swapping
  • At Least 3 DMZ Web Servers
    • Compromised Over 2 Years Ago
    • Someone Had Full Admin Rights Remotely
Firewall for Protection
  • Protocol Inspection
    • UDP, TCP, or ICMP?
  • Port Blocking:
    • 80 http/web
    • 443 SSL/https
    • 25 SMTP/email
    • 110 POP3/email
    • 20-21 FTP
    • 135–139 NetBios/RPC

Software Based Firewalls: Personal Firewalls
  • Provides added application level protection
  • Can block trojans talking outbound
  • Requires Technical Knowledge of Firewall and TCP/IP concepts, & OS applications
  • Creating wrong rule could easily break functionality!
  • Can be difficult for average user to troubleshoot
Hardware Based Firewalls: Internet Gateways & Routers
  • Easy to Setup – virtually Plug & Play!
  • Will protect several machines at once
  • Can not block at application level
  • Does NOT protect against malware
  • Wireless models often don’t provide Firewall protection on wireless side 
  • Beware the DMZ Zone!
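As an added example (not from the slides, and not the configuration of any product they name), the following Python models the difference just described: a gateway that sees only protocol and port, and a personal firewall that also knows which program opened the connection. The rule sets, program names and packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the two firewall types compared above; it is not a real
# firewall and not the configuration of any product named on the slides.

# Service names for the ports listed under "Port Blocking", used in verdict messages.
WELL_KNOWN = {
    20: "FTP-data", 21: "FTP", 25: "SMTP/email", 80: "http/web", 110: "POP3/email",
    135: "RPC", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS", 445: "SMB", 593: "RPC",
}

# Outbound application allowlist a user would build in a personal firewall
# (constructed: program names and the ports each may talk to).
TRUSTED_APPS = {
    "iexplore.exe": {80, 443},
    "outlook.exe": {25, 110},
}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    direction: str              # "inbound" (from the Internet) or "outbound"
    dst_port: Optional[int] = None
    app: Optional[str] = None   # owning process; only a host-based firewall can see this


def gateway_decision(pkt: Packet) -> Tuple[str, str]:
    """Hardware gateway/router: protocol inspection and port blocking, nothing else."""
    if pkt.proto not in ("tcp", "udp", "icmp"):
        return "drop", "unknown protocol"
    if pkt.direction == "inbound":
        # Default deny for unsolicited inbound traffic covers the whole port-blocking
        # list (135-139 NetBIOS/RPC, 445, 25, 80, ...) and hides the PC from port scans.
        service = "icmp" if pkt.proto == "icmp" else WELL_KNOWN.get(pkt.dst_port, "unknown service")
        return "drop", f"unsolicited inbound {pkt.proto} to {service}"
    # Outbound: the gateway sees ports, not programs, so a browser and a trojan
    # both fetching port 80 look identical and both get through.
    return "allow", "outbound traffic is not inspected per application"


def host_decision(pkt: Packet) -> Tuple[str, str]:
    """Personal (software) firewall: same port rules plus application-level rules."""
    verdict, reason = gateway_decision(pkt)
    if pkt.direction == "inbound" or verdict == "drop":
        return verdict, reason
    permitted_ports = TRUSTED_APPS.get(pkt.app or "", set())
    if pkt.dst_port in permitted_ports:
        return "allow", f"{pkt.app} may use port {pkt.dst_port}"
    # This is the "can block trojans talking outbound" case: no rule, no connection.
    # It is also why a wrong rule breaks things: a program missing from the list is cut off.
    return "drop", f"{pkt.app or 'unknown process'} has no outbound rule for port {pkt.dst_port}"


def compare(packets):
    """Side-by-side verdicts, to show where the two designs diverge."""
    return [(p, gateway_decision(p)[0], host_decision(p)[0]) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "inbound", 135),                  # RPC probe from the Internet (Blaster)
        Packet("tcp", "outbound", 80, "iexplore.exe"),  # normal browsing
        Packet("tcp", "outbound", 80, "trojan.exe"),    # malware phoning home over the web port
        Packet("tcp", "outbound", 25, "iexplore.exe"),  # browser has no SMTP rule
    ]
    for pkt, gw, host in compare(samples):
        print(f"{pkt.direction:8} {pkt.proto} port {pkt.dst_port} {pkt.app or '':14} gateway={gw:5} host={host}")
```

The last sample packet shows the slide's warning about rules: the browser is cut off from port 25 simply because nobody wrote a rule for it, which is exactly the kind of breakage an average user finds hard to troubleshoot.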
Software Firewall Examples
  • Windows XP ICF (inbound ONLY)
  • ZoneAlarm (recommended)
  • Tiny Personal Firewall (recommended)
  • Sygate Personal Firewall
  • Most Anti-Virus software now includes a personal firewall built-in as well
  • Use GRC.COM’s “Leak Test” to test your Personal Firewall
Hardware Firewall Examples
  • Linksys BEFSR41 or BEFSX41
  • Linksys Wireless-G VPN Broadband Router
  • DLINK DI-804HV w/VPN
  • DLINK DI-624 Xtreme Wireless
Tips for Wireless Routers
  • Typically Not Protected by Firewall
  • Enable 128-bit WEP Encryption
  • Require WEP Connections
  • Change Default Configuration Settings
    • ESSID
    • WEP key
    • Administrator password
    • Channel

DEMO: Port Scans

How Hackers Really Hack

TRY THIS AT HOME: How Secure Are You?
  • The Shields-UP! Test
  • Symantec Security Check
Windows Messenger Service
  • NetBIOS / RPC
    • Latest Threat
      • MS03-043
Ways to get into your PC
  • Windows OS (Operating System)
  • Port Vulnerabilities
  • HTML (email/web)
  • Direct X
  • Windows Media Player
  • Active X
  • Java or VB scripting
  • MS Virtual Machine (VM)
  • MS Office (macros/VBA scripting)
  • Application Software (PCA, Netscape, etc)
A Word Regarding Viruses, Trojans, and Worms
  • Viruses vs Worms vs Trojans
    • Cell Phone Viruses – They DO Exist!
  • Proper Configuration
    • Files Types
    • Joke Programs
  • Keeping Up-to-date
    • Scan Engine
    • Virus Definitions
Windows Configuration Tips
  • Show Hidden Files
  • Don’t Hide Known File Extensions
  • Turn Off File & Print Sharing
  • Disable port 445 by disabling Netbt
To Patch or Not to Patch?
  • Why Patch? How Frequent?
  • The Risks of Patching
  • Passing the Buck: Whose Fault Is It?
  • Where to Obtain Updates?
    • Windows Update Service
    • Microsoft Critical Update Notification
    • The Promise of SUS

Internet Security & Personal Privacy: Part Two

Presented by

John Bondon

Office:

Walnut Creek

Phone:

925-210-2242

What We Covered In Part One (November 2003)
  • Personal Firewalls: Software vs. Hardware
  • Windows Configuration Tips
  • Viruses, Trojans, & Worms
  • To Patch or Not to Patch?
  • The Truth About How Hackers Hack
  • Ways Your Machine Can Be Compromised
  • A Review of the Blaster & Nachi Worms

Replay available at: http://www.bc.com/Security/

Today’s Agenda
  • How to Protect Yourself from Identity Theft
  • The Risks of Spyware, Adware, & Dialers
  • How Marketers Track you Online
  • The Truth about Privacy Seals
Ways to get into your PC
  • Windows OS (Operating System)
  • Port Vulnerabilities
  • HTML (email/web)
  • Direct X
  • Windows Media Player
  • Active X
  • Java or VB scripting
  • MS Virtual Machine (VM)
  • MS Office (macros/VBA scripting)
  • Application Software (PCA, Netscape, etc)
GreyMagic Security Advisory GM#001-IE
  • Execute commands without Active Scripting or ActiveX
  • Object runs in the “My Computer” Zone
  • Any application that hosts the WebBrowser control (5.5+) is affected:
    • Microsoft Internet Explorer
    • Microsoft Outlook
    • Microsoft Outlook Express
  • Patched by MS02-047 (August 22, 2002)
Browser Vulnerabilities
  • http://browsercheck.qualys.com/
  • Cookie Disclosure
  • Clipboard Reading
  • Program Execution
  • File Execution
  • Web Page Spoofing
  • Security Zone Spoofing
  • Hard Drive Access

Your Privacy At Risk
  • Email & Web Scams
  • Real Viruses
  • Phony Hoaxes
  • Spyware
  • Dialers
  • Default PC Configuration
    • NetBIOS enabled on a Broadband connection
    • Other services running w/o your knowledge?
  • Identity Theft
Your Privacy At Risk

Privacy activist Richard Smith has discovered a web bug embedded in the page on which surfers land when they mis-type a web address.

This web bug, set by internet advertising company Overture, sets a cookie and can be used to track surfers for five years before it expires.
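An added example, not part of the presentation: a small Python audit that parses Set-Cookie headers, computes each cookie's lifetime and flags persistent third-party cookies such as the five-year tracking cookie described above. The hosts, cookie names and dates are constructed, and the clock is fixed so the numbers are reproducible.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed responses: (host that sent the header, raw Set-Cookie header value).
# The tracker's cookie expires five years out, like the web-bug cookie described above.
PAGE_HOST = "www.example-portal.test"
NOW = datetime(2004, 2, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
SAMPLE_RESPONSES = [
    (PAGE_HOST, "session=abc123; Path=/"),
    ("ads.example-tracker.test",
     "uid=7f3a9c; Domain=.example-tracker.test; Path=/; Expires=Tue, 01 Feb 2009 00:00:00 GMT"),
    (PAGE_HOST, "prefs=lang%3Den; Max-Age=2592000; Path=/"),
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Minimal Set-Cookie parser: first pair is name=value, remaining pairs are attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()   # flags such as Secure become ""
    return cookie


def lifetime(cookie: Dict[str, str], now: datetime) -> Optional[timedelta]:
    """None for a session cookie; otherwise how long it persists from `now`.
    Max-Age takes precedence over Expires when both are present (RFC 6265)."""
    if "max-age" in cookie:
        return timedelta(seconds=int(cookie["max-age"]))
    if "expires" in cookie:
        return parsedate_to_datetime(cookie["expires"]) - now
    return None


def is_third_party(page_host: str, cookie_scope: str) -> bool:
    """Third party if the cookie's scope is neither the page's host nor a parent of it."""
    return not (page_host == cookie_scope or page_host.endswith("." + cookie_scope))


def audit(page_host: str, responses, now: datetime, long_lived_days: int = 365) -> List[dict]:
    """One finding per cookie; a persistent third-party cookie is the tracking pattern."""
    findings = []
    for setting_host, header in responses:
        cookie = parse_set_cookie(header)
        scope = cookie.get("domain", setting_host).lstrip(".").lower()
        ttl = lifetime(cookie, now)
        days = None if ttl is None else ttl.days
        third = is_third_party(page_host, scope)
        findings.append({
            "name": cookie["name"],
            "scope": scope,
            "days": days,
            "third_party": third,
            "tracking_risk": third and days is not None and days > long_lived_days,
        })
    return findings


if __name__ == "__main__":
    for f in audit(PAGE_HOST, SAMPLE_RESPONSES, NOW):
        print(f"{f['name']:8} scope={f['scope']:24} days={f['days']!s:5} "
              f"third_party={f['third_party']!s:5} tracking_risk={f['tracking_risk']}")
```

The session cookie has no lifetime at all, the preference cookie lives 30 days on the page's own host, and only the tracker's cookie is both third-party and long-lived; that combination is the signal a browser's "block third-party cookies" setting acts on.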

The Gator Corporation

Products: Gator / Offer Companion / Trickler / GAIN

Threat: Adware & Spyware

Upon visit of some Gator related pages, it tries to download and install.

According to Tribune Media Services

"Gator tracks the sites that users visit and forwards that data back to the company's servers. Gator sells the use of this information to advertisers who can purchase the opportunity to make ads pop up at certain moments, such as when specific words appear on a screen. It also lets companies launch a pop-up ad when users visit a competitor's Web site."


Privacy Statement

  • Some information we may collect, use, and associate with your Anonymous ID includes:
  • which web pages your computer views
  • how much time is spent at those sites
  • Your response to the ads we display
  • Standard web log information
  • System settings
  • What software is on your computer

Privacy Statement (continued)

  • Some information we may collect, use, and associate with your Anonymous ID includes:
  • Your first name
  • Country
  • Five digit ZIP code
  • Your GAINware usage characteristics and preferences
Information associated with your Anonymous ID is used in any of three ways:

  • a) to offer assistance (e.g. knowing when to offer help filling in a form or adjust your computer's clock),
  • b) to select and deliver installation files for optional new GAINware and/or third party software applications, and
  • c) to deliver advertisements and information to you on behalf of our advertisers who are often competitors of the web sites you are viewing.
Your Privacy At Risk
  • Email & Web Scams: phishing
    • Incidents Increasing
    • Internet Scam Artists claim as many as 1 in 10 recipients will fill out the forms!
  • Look Like the Real Thing!
    • from real companies like eBay, Citibank or America Online
    • Ask for credit card numbers, Social Security numbers, and other critical personal data.
Web Page Spoofing (URL Phishing)
  • Bug in Windows Internet Explorer (does not affect Mac versions of IE)
  • No Patch or fix currently available!
  • Can’t Trust the address listed in URL!
  • DEMO PAGE: http://i.dslr.net/symantec/worse2.html
Protecting Yourself from Web Page Spoofing/Phishing
  • Never enter sensitive data into a form that you were directed to from an email message, or that you are not 100% sure is safe
  • No Patch or fix currently available!
  • Can’t Trust the address listed in URL!
Common PayPal Email Scam
  • Asks for your Personal Information
  • Creates Urgency (Do it TODAY!)
  • Looks Official (same look as website)

PayPal Email Scam

Dear PayPal member,

We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.


PayPal Email Scam

To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.

IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.

August 29, 2003 Example
  • e-mail message allegedly sent by security@microsoft.com
  • subject line or heading containing the words "Use This Patch Immediately" (or similar).
  • File Attachment labeled PATCH.EXE.
  • Typically the body of these deceptive messages includes text similar to the following:

Dear Friend, use this Internet Explorer patch now! There are dangerous viruses on the Internet now! More than 500,000 already infected!

August 29, 2003 Example
  • Content of that attachment is not a Windows patch, but the "Dumaru" internet worm. 
  • Dumaru is a mass-mailing worm that uses the e-mail addresses in your address book to distribute itself to other computers via the internet.
  • This worm could be used to send SPAM from your e-mail accounts, or to spoof your e-mail addresses so that SPAM appears to be coming from your accounts when in fact it is not.
  • Microsoft never e-mails patches or Windows updates to users of its software, so you should immediately delete such e-mail messages.
Your Privacy At Risk
  • Dialers
    • Aka “modem hijacking”
      • Alyon Technologies
        • Porn dialer
        • Installed without the user's permission or knowledge
        • Dials expensive porn sites, charges appear on long distance phone bill. (@4.99/min!)
        • FBI warns can lead to identity theft
Your Privacy At Risk
  • Adware
    • Could be the Cause of those Annoying Pop-Up/Under Ads on your Computer
    • Way More Common Than You Think!
  • Spyware
    • More Common Than You Think!
    • Tracks Your Internet Behavior
    • Most Anti-Spyware is Trojan-ware!
    • Trusted: Ad-Aware or Spy-Bot
List of Software Containing Spyware
  • Search Google for “Spyware Infested Software”
  • http://virgolamobile.50megs.com/spyware/spyware.htm
  • Spybot Search & Destroy “Threats” page

Anti-Spyware You Can Trust
  • OptOut http://grc.com
  • Ad-Aware http://lavasoftusa.com/
  • Spybot http://spybot.eon.net.au/
Where To Get Ad-Aware 6?
  • http://www.bc.com/security/lavasoft/
  • http://lavasoft.element5.com/software/adaware/
Tips for Using Ad-Aware 6
  • Configuration Settings
  • Obtaining Updates Behind a Proxy
  • The Prefs.ini Configuration File

[WebUpdate]
Doproxy=1
ProxyAddr=proxy.bc.com
ProxyPort=80

A Technical Solution to Combat Pesky Spies: HOSTS
  • Download the HOSTS.TXT file to your computer. Save it as HOSTS (no extension).
  • Save HOSTS file in proper Windows directory:
    • XP\2000 - C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    • Windows 2K - C:\WINNT\SYSTEM32\DRIVERS\ETC
    • Windows 98\ME - C:\WINDOWS
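Added here as an illustration (not the HOSTS.TXT file the slides refer to): a Python parser for the HOSTS file format that validates entries and answers whether a name would be redirected. The blocklist content is constructed; the first-match rule and the exact-name limitation are modelled on how the operating system's resolver treats the file.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed HOSTS-format text (not the slides' file): comments, the localhost entry,
# ad/tracking hosts pointed at the loopback or null address, plus two deliberate defects.
SAMPLE_HOSTS = """\
# Blocklist sample (constructed for this example)
127.0.0.1   localhost
127.0.0.1   ads.example-tracker.test   # redirect the ad server to this machine
127.0.0.1   www.ads.example-tracker.test
0.0.0.0     gator.example-adware.test
127.0.0.1   ads.example-tracker.test   # duplicate, on purpose
not-an-ip   broken.example.test
"""

BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Return ({hostname: ip}, [(line, problem), ...]).
    The first entry for a name wins, as the resolver's first-match lookup does."""
    table: Dict[str, str] = {}
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and surrounding space
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            problems.append((lineno, f"bad address {fields[0]!r}"))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in table:
                problems.append((lineno, f"duplicate entry for {name}"))
                continue
            table[name] = ip
    return table, problems


def lookup(table: Dict[str, str], hostname: str) -> str:
    """Resolve the way the OS does: HOSTS is consulted first, by exact name only
    (no wildcards, so subdomains not listed fall through), otherwise DNS is asked."""
    return table.get(hostname.lower().rstrip("."), "DNS")


def blocked_by_hosts(table: Dict[str, str], hostname: str) -> bool:
    """True if the name is redirected to an address the browser can never reach an ad from."""
    return lookup(table, hostname) in BLOCK_TARGETS


def make_block_entries(domains) -> List[str]:
    """Generate HOSTS lines for a list of domains (0.0.0.0 avoids a pointless local connect)."""
    return [f"0.0.0.0 {d.lower().rstrip('.')}" for d in domains]


if __name__ == "__main__":
    table, problems = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.test", "other.example-tracker.test", "www.example.test"):
        print(f"{name:30} -> {lookup(table, name):10} blocked={blocked_by_hosts(table, name)}")
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
```

Two points worth noticing: entries match only exact names, so "other.example-tracker.test" is not blocked even though "ads.example-tracker.test" is, and 0.0.0.0 is a better sink than 127.0.0.1 on a machine that runs its own web server.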
In The Web We Trust: DoubleClick
  • Doubleclick & Abacus Direct merge
  • Created the Abacus Online division
    • Offered targeted ads based on database of 100 Million profiles
    • The technology tracked people online anonymously and then served ads based on personal tastes
  • Another Division: PredictiveMail:
    • A Combined e-mail and direct-mail marketing service
DoubleClick is Spying on You
  • Every time you use the Internet, DoubleClick is placing a bar code on your back -- a user I.D. -- so that it can identify your interests, habits and preferences. Because DoubleClick secretly implants additional surveillance files as you surf the Internet, DoubleClick is continually adding detailed personal information about you to its data banks. The average consumer has no idea that their on-line movements are being spied upon; this amounts to little more than a secret, cyber wiretap.
What is the Risk of Profiling?
  • Banner ad network profiling of users is potentially more problematic because the ad networks can observe what users are doing at all Web sites in their networks, not just a single site.
What is the Risk of Profiling?
  • A new study by the California HealthCare Foundation revealed that DoubleClick served banner ads to eight of the 21 leading health Web sites, including www.webmd.com, www.drkoop.com, and www.healthcentral.com. These sites pass on to DoubleClick a "URL address" revealing that the unnamed visitor went to the "diabetes" page (i.e. drkoop.com/conditions/diabetes/). However, the study said, "registering with a site can turn what was an anonymous profile into an identifiable profile."
  • All 21 sites reviewed gave visitors the opportunity to provide personally identifiable information.  But most of the health sites' privacy policies either failed to mention profiling or talked about it in vague terms.
What is the Risk of Profiling?
  • DoubleClick's Abacus Online Alliance, designed to match online visitors' profiles to a database of 88 million consumers' offline purchasing habits
  • Abacus is the largest proprietary database of consumer, retail, business-to-business, publishing and online transactions used for target marketing purposes.
Your Privacy At Risk

Identity Theft now the Fastest Growing White Collar Crime.

Identity Theft
  • Last Year, 7M US Adults were victims
  • Increase of 80% over 2002; 1.9% ‘01
  • phisher Web site & Email scams
  • GARTNER: thieves stand only a one in 700 chance of exposure or arrest
Identity Theft

Impact

85% of victims find out through an adverse situation.

19,178/day or 799/hour or 13.3/minute

(the number of Victims July 2002-2003)

High Emotional Impact on Victims.

Identity Theft

Average Cost to Recover

600+ hours (over several years)

Over $1400 personal expenses

Identity Protection Tips
  • Check your Credit Report often.
  • Use a low-credit limit credit card online.
  • Do NOT use Debit Cards.
  • Consider using a “Disposable Credit Card”.
  • Use Personal Information When Necessary (don’t volunteer license, SSN, maiden name, etc.)
  • If you lose something, report it!
Identity Protection Tips
  • Use Email Wisely
  • Get “off-line”.
  • Watch Who’s Around You
  • Use Disposable Credit Cards & Email
  • Review Privacy Policies; opt-out.
  • Don’t fall for Social Engineering.
Protect Your Child’s ID!
  • Kids Can Be A Victim Too!
  • May not discover for 10-15 years
  • Perpetrator is often a family member
  • Identity Cloning (aka “Clean Slate”)
Privacy Seals
  • The Big Three: What Do They Do?
Privacy Seals
  • TRUSTe
    • Most Widely Recognized Brand
    • Verifies only that a company has a privacy statement
    • Offers No Opinion as to whether the policy is any good
    • Until recently, never took action against companies that violated their own Privacy Policies
    • Only revokes seal in event of non-payment!
Privacy Seals
  • BBBONLINE
    • Similar to TRUSTe
    • Only verifies a Web site has a Privacy Policy
    • Doesn’t comment on Policy itself
    • Does Not Verify Compliance of Policy
Privacy Seals
  • WebTrust
    • Least Known & Most Protective
    • Full-Blown Audit by licensed CPA
    • Only a Few Dozen Companies have passed the WebTrust audit.
Part Three: Wednesday, May 19th, 2004
  • What You Should Know About FTP
  • Passwords 101 & How to Crack ‘em
  • Password Protection vs. Encryption
  • More of your questions answered!

Internet Security & Personal Privacy: Part Three

Presented by

John Bondon

Office:

Walnut Creek

Phone:

925-210-2242

Today’s Agenda
  • What You Should Know About FTP
  • Passwords 101 & How to Crack ‘em
  • Password Protection vs. Encryption
  • The SAFE Way to Donate Your PC
A Final Word About Cookies
  • What They Are
  • Why We Use Them
  • When They Become Dangerous
  • How to Delete Them
  • Should You Block Them?
Which File Transfer Protocol (FTP) Server Should I Use?

Internal FTP: ftp://ftp.bc.com
  • For sharing files between offices & BC staff.
  • Or when file size exceeds the email limit.
  • Not visible externally.

External (Public) FTP: ftp://ftp.brwncald.com
  • Appropriate for sharing files with clients.
  • Or when file size exceeds the email limit.
  • Publicly accessible via the Internet.
FTP (File Transfer Protocol): Anonymous or Private?
  • Anonymous Public FTP site: ftp://ftp.brwncald.com
  • Why BC’s Public FTP site was a Frequent Target by Hackers
  • Why “Password Protected” Really Means “Not Protected”
  • Advantages & Limitations of a Private FTP site
What You Should Know About a “Private” FTP Site

Pros

  • Requires Username / Password
  • Not Accessible by Anonymous Logins
  • Files Are Not Automatically Deleted

Cons

  • Username & Password sent in Clear Text
  • Transmissions not Encrypted
Password Protected Files
  • What It Really Means
  • Risks of Sharing Sensitive Password Protected Documents via FTP
  • When Is It Appropriate?
  • How to Crack Password Protection
Password Cracking
  • Internet Passwords
  • ZIP Files
  • PWL files
  • MS Office
Alternative Technologies: File Encryption

PGP MD5 RC4 AES 3DES

  • Encrypts the data (scrambles contents of file).
  • Input data is combined with key to create ciphertext.
  • Much more difficult to hack or compromise.
  • Beware Disaster Recovery Pitfalls!
Alternative Technologies: Secure FTP & Secure Email
  • Requires Extensive Configuration
  • Need to Obtain Digital Certificate from Certificate Authority
  • Digital Certificates Need to be Installed on both the Receiving PC AND the Transmitting PC
A Word About Passwords

DEMO: Brute Force Password Cracking

  • Social Engineering
  • The Case for Strong Passwords
  • What is a Complex Password?
  • Should All BC Staff be Required to use Complex Passwords?
  • Password versus Passphrase
Do the Math, then Pick a Strong Password
  • 4-digit password = 10,000 combos

(10 x 10 x 10 x 10 = 10,000)

  • 5-digit = 100,000 combinations

(10 x 10 x 10 x 10 x 10 = 100,000)

  • 6-digit = 1 Million combinations!

(10 x 10 x 10 x 10 x 10 x 10 = 1,000,000)

Use Letters AND Numbers!
  • 4-character = 1,679,616 combos

(36 x 36 x 36 x 36 = 1,679,616)

  • 5-character = 60,466,176 combos

(36 x 36 x 36 x 36 x 36 = 60,466,176)

  • 6-character = 2,176,782,336

That’s over 2 Billion possible combinations!

(36 x 36 x 36 x 36 x 36 x 36 = 2,176,782,336)

Password Cracking Methods
  • Dictionary Attack

Reveals the Weakest Passwords. Very Fast.

  • Dictionary/Brute Hybrid Crack

Tests for variations of words in the Dictionary (i.e., “JohnnyBoy99” or “water!”).

  • Brute Force Attack

Slowest method. Finds stronger passwords (i.e., “asdfas%21d” or “4jsdu889”, etc.).

Tips for Effective Passwords
  • Use both Letters AND Numbers
  • Make it CaSe SenSiTive
    • Use a combination of UPPER & lower case characters
  • Add special characters to the mix
  • Make it Memorable
    • Avoid Dictionary Words
    • NEVER Write it Down!

Which is the Better Password?

Exhibit A

C4g7#djM1Z2

Exhibit B

Beavis was a Butthead.
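The arithmetic on the "Do the Math" and "Use Letters AND Numbers" slides, generalized in an added Python example that is not part of the presentation: it computes the keyspace for any character mix, estimates worst-case brute-force time at an assumed guess rate, and classifies a candidate against the three cracking methods using a constructed mini-dictionary. The final lines score Exhibit A and Exhibit B with the same rules.

```python
import math
import string

# Constructed mini-dictionary standing in for a real word list (hundreds of thousands of words).
DICTIONARY = {"password", "water", "johnny", "boy", "beavis", "butthead", "letmein", "secret"}

# Character classes; the slides' "letters and numbers" case is lower + digits = 36.
CHARSETS = [
    ("digits", set(string.digits)),               # 10
    ("lower", set(string.ascii_lowercase)),       # 26
    ("upper", set(string.ascii_uppercase)),       # 26
    ("symbols", set(string.punctuation + " ")),   # 33
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a brute-force search must try: alphabet_size ** length (10 x 10 x 10 x 10 ...)."""
    return alphabet_size ** length


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes actually present."""
    return sum(len(chars) for _, chars in CHARSETS if any(c in chars for c in password))


def attack_class(password: str) -> str:
    """Which of the slide's three methods finds it first: dictionary, hybrid or brute force."""
    word = password.lower()
    if word in DICTIONARY:
        return "dictionary"
    # Hybrid: a dictionary word (or two glued together) with digits/symbols on the ends,
    # e.g. "JohnnyBoy99" or "water!".
    core = word.strip(string.digits + string.punctuation)
    if core in DICTIONARY:
        return "hybrid"
    for w in DICTIONARY:
        if core.startswith(w) and core[len(w):] in DICTIONARY:
            return "hybrid"
    return "brute-force"


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at an assumed (constructed) guess rate."""
    return keyspace(charset_size(password), len(password)) / guesses_per_second


def report(password: str, guesses_per_second: float = 1e9) -> dict:
    """Everything the slides reason about, for one candidate password."""
    size = charset_size(password)
    space = keyspace(size, len(password))
    return {
        "length": len(password),
        "charset": size,
        "keyspace": space,
        "bits": round(math.log2(space), 1) if space > 1 else 0.0,
        "method": attack_class(password),
        "brute_force_years": brute_force_seconds(password, guesses_per_second) / (365 * 86400),
    }


if __name__ == "__main__":
    for pw in ("1234", "water!", "JohnnyBoy99", "4jsdu889", "C4g7#djM1Z2", "Beavis was a Butthead."):
        r = report(pw)
        print(f"{pw!r:26} charset={r['charset']:3} keyspace={r['keyspace']:.2e} "
              f"bits={r['bits']:5} method={r['method']:11} years={r['brute_force_years']:.2e}")
```

Exhibit B wins on raw keyspace because length multiplies where character classes only add. The classifier is deliberately coarse: a combinator attack that glues several common words together would find a four-word phrase far sooner than its keyspace suggests, so a passphrase should be long and not a famous quotation.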

How to Secure Your Data Before Donating Your PC
  • Delete Any Sensitive or Private Files
  • Use a File Shredder to Permanently Delete Those Files!
  • Or Consider Removing the Hard Drive
Harvesting Old Hard Drives
  • 158 used hard drives (HDD) purchased at 2nd hand computer stores & eBay
  • 129 drives still functioned
    • 69 still had RECOVERABLE FILES!
    • 49 had SIGNIFICANT PERSONAL DATA!
      • Medical correspondence
      • Love letters
      • Pornography
      • Credit card numbers
File Shredding
  • When Delete Doesn’t Mean Delete
  • How a File Shredder Works
Part Four: Wednesday, November 24th, 2004
  • How to Send Secure Email
  • Secure FTP Explored
  • Methods for Encrypting Files
  • How to Conceal Drawings like a Terrorist!
  • More of your questions answered!

Internet Security & Personal Privacy: Part Four

Presented by

John Bondon

Office:

Walnut Creek

Phone:

925-210-2242

What We Covered In Part One (November 2003)
  • Personal Firewalls: Software vs. Hardware
  • Windows Configuration Tips
  • Viruses, Trojans, & Worms
  • To Patch or Not to Patch?
  • The Truth About How Hackers Hack
  • Ways Your Machine Can Be Compromised
  • A Review of the Blaster & Nachi Worms

Replay available at: http://www.bc.com/Security/

What We Covered In Part Two (February 2004)
  • How to Protect Yourself from Identity Theft
  • The Risks of Spyware, Adware, & Dialers
  • How Marketers Track you Online
  • The Truth about Privacy Seals

Replay available at: http://www.bc.com/Security/

What We Covered In Part Three (May 2004)
  • Why Email & FTP Are NOT “secure”
  • Passwords & How to Crack Them
  • File Encryption
  • File Shredders

Replay available at: http://www.bc.com/Security/

Identity Theft Addendum

Place a free security alert on your credit report.  This also entitles you to a free credit report.

Contact one or all of the credit agencies below:

Experian     888-397-3742
Equifax      800-525-6285
Trans Union  800-680-7289

Identity Theft Addendum
  • FREEZE your CREDIT!
    • Benefits
      • More effective than Credit Alert.
    • Negatives
      • Only available in a few states.
      • Not free. Charge to freeze and unfreeze.
      • Does NOT opt you out of pre-approved credit offers. 
Identity Theft Addendum
  • How Can I Opt Out of all those Pre-Approved Credit Offers???
      • Phone 1-888-5-OPT-OUT
      • Good for 2 years or permanently!
How Public is Your Figure?
  • Many companies now sell your personal data obtained from public domain information sources -- CHEAP!
    • Example: ZABASEARCH
How Public is Your Figure?

What Information is Available for Sale?
  • 20 Year Address History
  • Current Telephone Numbers
  • Bankruptcies
  • Legal Judgments
  • Current/Previous Home & Property Ownership
  • Names and Addresses of Relatives
  • Current and Previous Roommates and Neighbors
  • Liens

How Public is Your Figure?
  • Can I Be Removed from the public domain?
    • Use a P.O. Box
      • Fill out a CHANGE OF ADDRESS
    • Request in writing to be removed
    • File all public records in the name of your corporation, trust, or d.b.a.
JUNK EMAIL – Thought YOU Had It Bad?
  • Bill Gates Receives 4 Million Emails PER DAY!
  • “Most of it SPAM”
  • MS has special technology that just filters spam intended for Gates
  • Several Employees dedicated to making sure nothing unwanted gets into Bill’s Inbox
BC Fights SPAM (Feb. ’03)
  • How Did They Get My Email Address?
  • Why you should never UN-Subscribe
  • Don’t Open or Read your Junk Email!
  • How To Read Internet Mail Headers
  • Anti-Spam Technologies
  • How to Out Smart a Spam Filter
  • How BC Fights Spam

Replay available at: http://www.bc.com/Spam/

Today’s Agenda
  • How to Send Secure Email
  • Secure FTP Explored
  • How to Spy on Someone
  • The Easy Way to Encrypt Files
  • How to Conceal Drawings like a Terrorist!
The Art of Spying
  • How to Spy on Someone’s Computer Activity
  • Steal passwords!
  • Monitor IM, chat, and ICQ messages and web surfing activity
  • Teens/Kids or spouse, co-worker, etc.
Key Loggers
  • Records every key stroke/press
  • Some models can capture screen shots
  • Monitor IM, chat, and ICQ messages
  • Monitor web surfing and AOL activity
  • Can be Software or Hardware!
Key Loggers
  • Software
    • Guardian Monitor Pro $60
  • Typically Stores Data:
    • Writes to a log file hidden amongst valid system files
    • Emails keystroke information
    • Transmits information over network
Key Loggers
  • Hardware
    • KeyGhost KeyLogger ~ $90 – 150
    • Keylogger Keyboard~ $130
  • Advantages
    • Will not slow down the computer
    • Hard to detect
    • Easy to install
Introducing PKI: Public Key Infrastructure
  • PKI Defined
  • Certificate Authorities
  • Digital Certificates
  • Private vs Public Keys
History of PKI (Public Key Infrastructure)
  • The Problem(prior to 1976)
    • All encryption keys symmetric
    • Required a separate key for each person you wanted to communicate with
    • Key Management Nightmare!
      • At one time, loading cipher books onto a ship of the US Navy required a forklift!
History of PKI (Public Key Infrastructure)
  • The Solution
    • Make the encryption method asymmetric
    • The way that you lock doesn't need to be the way that you unlock
      • the key for encrypting the message would be different from the key for decrypting it
    • Need central management infrastructure
History of PKI (Public Key Infrastructure)
  • Public Key Encryption (PKE)
    • the brainchild of two Stanford mathematicians
      • Whitfield Diffie
      • Martin Hellman
    • Published their discovery in 1976
    • Lacked an infrastructure
    • Failed to work in “real world”
History of PKI (Public Key Infrastructure)
  • Public Key Infrastructure (PKI)
    • Another team of mathematicians from MIT found a way to apply Diffie and Hellman's theories
      • Ronald L. Rivest
      • Adi Shamir
      • Leonard M. Adleman
    • The RSA Encryption method was born!
History of PKI (Public Key Infrastructure)
  • RSA Encryption Method
    • Based on prime numbers
      • no easy way to factor the number back into its primes
      • the larger the number, the more difficult it is to factor
    • User can publicly distribute one of the keys, while keeping the other key private
    • PKI was born!
PKI Defined: Public vs. Private Key
  • Public Key
    • is published openly; anyone may have a copy
    • used to encrypt a message so that only the key's owner can read it, and to verify that owner's digital signatures
    • can never be used to reveal the contents of a message encrypted with it
  • Private Key
    • is kept secret by its owner and never shared
    • used to decrypt messages encrypted with the matching public key, and to create digital signatures
    • if it is lost, the encrypted data is unreadable; if it is stolen, the thief can read your mail and sign as you
Digital Certificates
  • Certificate Authorities (CA)
    • VeriSign
    • IPSCA
    • Thawte
    • CAcert.org
  • Digital Certificates
    • SSL Server Certificates
    • Code Signing Certificates
    • Personal S/MIME Certificates
Digital Certificates
  • Certificate Revocation List (CRL)
    • A CA revokes a certificate if:
      • it discovers that it issued the certificate improperly
        • to the wrong person, or with the wrong public key
        • to an ineligible person or entity
      • the private key corresponding to the public key in the certificate may have been compromised
    • Revocation only works if the software that sees the certificate actually fetches and checks the CRL
Digital Certificates: Certificate Revocation List (CRL)
  • Example (January 2001): VeriSign, the CA contracted to run the ActiveX "publisher certificate" (code-signing) system, issued two Microsoft code-signing certificates to an unknown individual
    • who had successfully posed as a Microsoft employee (Microsoft Security Bulletin MS01-017)
    • anything signed with those certificates would have appeared to come from Microsoft
Digital Certificates: Certificate Revocation List (CRL)
  • Revoking the certificates did not help by itself: Microsoft had to patch its cryptography subsystems so they would actually check certificates against a CRL (the bogus certificates carried no CRL distribution point, so Windows had no way to locate VeriSign's list).
  • As a short-term fix, a patch for the affected Microsoft software (most importantly Windows) explicitly listed the two certificates in question as invalid.
Personal Email Certificates
  • Digitally Sign Messages
  • Encrypt your Email – S/MIME
  • Authentication to a Web Server
    • Certificate Based Authentication
Web Server Certificates
  • SSL (Secure Sockets Layer), today TLS
  • Encrypt Web Transactions, and prove the server is who it claims to be
  • Based on a Hierarchy of "Trust": the browser trusts a set of root CAs, which sign the intermediate and server certificates
    • Keep Root Certificates Up-To-Date (they ship with the browser and OS; apply their updates)
Web Server Certificates
  • Typical Error Messages
    • What Does It Mean?
Web Server Certificates
  • Typical Error Messages – Say What?
    • Issued by an authority you have not chosen to trust: the chain does not end at a root in your browser's trust store (self-signed, an unknown CA, or an out-of-date root list)
    • Name on the certificate does not match the site: the certificate was issued for a different host name
    • Expired or not yet valid: check the validity dates, and your PC's clock
Web Server Certificates
  • Red Flag! Buyer BEWARE!
    • Any of the above on a shopping or banking site means you cannot be sure who is at the other end; do not click through and enter a password or card number
Web Server Certificates
  • Root Certificates
    • The self-signed CA certificates shipped with your browser or OS; a server certificate is trusted only because its chain ends at one of them
Sending Secure/Encrypted Files and Messages via Email

Peter wishes to send Ann his resume confidentially via e-mail.

Sending Secure/Encrypted Files and Messages via Email

Peter encrypts his message using Ann's public key.

Since Ann is the only person holding the corresponding private key, she alone can decrypt the message. Peter must be sure the public key really is Ann's; that is what Ann's certificate from a CA vouches for.

Sending Secure/Encrypted Files and Messages via Email

Ann replies, encrypting her message using Peter's public key.

Peter then uses his private key to decrypt and read Ann's reply.
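The exchange above, worked through in code as an added example (not part of the original slides): textbook RSA with small numbers, covering the key generation the RSA slide describes, the public-encrypts/private-decrypts split from the "Public vs. Private Key" slide, and Peter's message to Ann. The names, the 256-bit toy key size and the unpadded scheme are choices made for this example; real deployments use padded RSA (OAEP for encryption, PSS for signatures) with 2048-bit or larger moduli.

```python
"""Textbook RSA with small numbers: key generation, encrypt with the public
key / decrypt with the private key, sign, and factor a toy modulus.
Added worked example, not code from the original slides. Unpadded RSA is
used only to make the arithmetic visible; never use it as-is."""
import hashlib
import math
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top and low bits forced to 1)."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=256, e=65537):
    """Return (public, private) = ((n, e), (n, d)). n = p*q for two secret
    primes; d is the inverse of e modulo (p-1)(q-1)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(public, m):
    """Anyone holding the public key can do this step."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c):
    """Only the private-key holder can do this step."""
    n, d = private
    return pow(c, d, n)


def encrypt_bytes(public, msg):
    """Peter encrypts for Ann with Ann's PUBLIC key (message as one integer)."""
    return encrypt(public, int.from_bytes(msg, "big"))


def decrypt_bytes(private, c):
    """Ann recovers the bytes with her PRIVATE key; any other key yields garbage."""
    m = decrypt(private, c)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, msg):
    """Signature = SHA-256(msg) raised to d: the private key creates it."""
    n, _ = private
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return decrypt(private, h)


def verify(public, msg, sig):
    """Anyone can check a signature with the public key (raise to e)."""
    n, _ = public
    if not 0 <= sig < n:
        return False
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return encrypt(public, sig) == h


def recover_private_key(public):
    """Factor n by trial division and rebuild d. Instant for the toy key
    below, infeasible for a real modulus: that gap is all of RSA's security."""
    n, e = public
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return n, pow(e, -1, (p - 1) * (n // p - 1))
    raise ValueError("no factor found")


if __name__ == "__main__":
    ann_pub, ann_priv = generate_keypair()
    peter_pub, peter_priv = generate_keypair()
    c = encrypt_bytes(ann_pub, b"resume attached")                 # Peter -> Ann
    print(decrypt_bytes(ann_priv, c), decrypt_bytes(peter_priv, c) == b"resume attached")
    print(recover_private_key((3233, 17)))                         # toy key falls instantly
```

Running it shows Ann's private key recovering the plaintext while Peter's own private key does not, and the classic toy modulus 3233 (61 x 53) giving up its private exponent to trial division at once. The same loop against a 2048-bit modulus would not finish in any useful time, which is exactly what "the larger the number, the more difficult it is to factor" means in practice.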

Secure FTP
  • Safeguards login credentials, as well as files in transit (plain FTP sends both in clear text)
  • The secured transport (SSL/TLS for FTPS, SSH for SFTP) negotiates an encryption algorithm, which may be:
    • DES (obsolete: 56-bit key, avoid)
    • 3DES
    • CAST-128
    • Blowfish
    • AES-128
    • and others.
File Encryption: Popular Methods

PGP, AES, 3DES (RC4 is a stream cipher now considered weak; MD5 is a hash function, not encryption at all)

  • Encrypts the data (scrambles the contents of the file).
  • Input data is combined with a key to create ciphertext; without the key the ciphertext is useless.
  • Much more difficult to crack than "password protecting" the file (legacy ZIP and Office passwords are routinely broken by off-the-shelf tools).
  • Beware Disaster Recovery Pitfalls! Lose the key or passphrase and the data is gone for good; keep a backup of the key somewhere safe.
Easy File Encryption: WinZip Version 9
  • Easy to Use
  • Supports 128- and 256-bit AES encryption
  • Recipient needs WinZip 9.0 or later (or another AES-capable archiver) to decode
Steganography
  • What Do You See?
Steganography
  • A Picture Can Hide a Million Words
    • Hides the existence of a message (inside an innocent-looking image, audio or document file) rather than scrambling its contents; best combined with encryption
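How a picture hides text, as an added example (not from the original slides): least-significant-bit steganography over a constructed pixel buffer. The carrier bytes, the 32-bit length header and the message are all made up for the demonstration; with a real image you would run the same code over the decoded pixels of a lossless PNG or BMP (JPEG recompression would destroy the hidden bits).

```python
"""Least-significant-bit (LSB) steganography over raw 8-bit pixel samples.
Added worked example, not code from the original slides. The carrier is a
constructed bytearray standing in for decoded RGB pixel data."""
import random

HEADER_BITS = 32  # payload length in bytes, big-endian, in the first 32 samples


def sample_cover(n_samples, seed=7):
    """Constructed 'image': n_samples pseudo-random 8-bit values standing in for pixels."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_samples))


def capacity(pixels):
    """Payload bytes that fit at one bit per sample, after the length header."""
    return max(0, (len(pixels) - HEADER_BITS) // 8)


def capacity_for(width, height, channels=3):
    """Capacity in bytes of a width x height image with 8-bit channels."""
    return max(0, (width * height * channels - HEADER_BITS) // 8)


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, payload):
    """Return a copy of `pixels` whose LSBs carry len(payload) followed by
    payload. Every sample changes by at most 1, invisible to the eye."""
    if len(payload) > capacity(pixels):
        raise ValueError(f"payload of {len(payload)} B exceeds capacity of {capacity(pixels)} B")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(len(payload).to_bytes(4, "big") + payload)):
        out[i] = (out[i] & 0xFE) | bit
    return out


def extract(pixels):
    """Read the length header, then that many bytes, from the sample LSBs."""
    def read(n_bytes, offset):
        val = 0
        for i in range(n_bytes * 8):
            val = (val << 1) | (pixels[offset + i] & 1)
        return val.to_bytes(n_bytes, "big")

    length = int.from_bytes(read(4, 0), "big")
    if length > capacity(pixels):
        raise ValueError("no valid payload header (not a stego image, or a different scheme)")
    return read(length, HEADER_BITS)


def max_sample_change(original, stego):
    """Largest per-sample difference between the cover and the stego image."""
    return max(abs(a - b) for a, b in zip(original, stego))


if __name__ == "__main__":
    cover = sample_cover(4096)
    stego = embed(cover, b"Meet at the usual place. -P")
    print(extract(stego), "max change per sample:", max_sample_change(cover, stego))
    print(capacity_for(1024, 768), "bytes fit in a 1024x768 RGB image")
```

A 1024x768 RGB image holds about 295 KB at one bit per sample, which is where "a million words" comes from (at 1 bit per sample the picture looks unchanged). Two caveats the slide does not state: steganography only hides that a message exists, so encrypt the payload first, and plain LSB embedding is detectable by statistical analysis of the sample values even though the eye cannot see it.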

Part Five: Tuesday, May 22nd, 2007
  • Online Safety Tips for Kids & Teens
  • Ideas for Protecting Portable Data
  • What You Should Know About FTP
  • How to encrypt confidential data
Kids & Teens
  • Educate your kids
    • Dangerous Behaviors
    • Giving up Privacy
    • Financial Risk
    • Harassment and Bullying
Tips for Kids & Teens
  • Keep Your Identity Private
  • Never Get Together with Someone You “Meet” Online
  • Never Respond To E-Mail, Chat Comments, Instant Messages that are Hostile, Belligerent, Inappropriate Or In Any Way Make You Feel Uncomfortable
Kids & Teens
  • IMSafer.com
    • Allows monitoring of unlimited Instant Messaging accounts
    • Sends an alert email within 90 seconds
    • Flags conversations that show signs of a predator
Tips for Laptop Safety
  • Set a BIOS (CMOS) password
  • Disable booting from CD-ROM and floppy drive
  • Both only deter casual access: a BIOS password can be reset on the motherboard, and a thief who moves the hard disk into another machine reads it freely, so they are no substitute for encrypting the data (see the following slides)
Portable Data – Laptops/Notebooks
  • Preventing Data Loss – Separate
    • Don’t carry master copies of data you don’t need
    • Carry only necessary or disposable data
    • Old or irreplaceable data should be
      • offloaded to a fixed system (server or desktop)
      • Copied to backup media
      • Archived according to company procedure
Portable Data – Laptops/Notebooks
  • Securing Portable Data – Encrypt
    • Don't rely on operating system (local) access controls (i.e. NTFS permissions)
      • Easily defeated: boot from a CD or move the disk to another machine and the permissions are simply ignored
    • No substitute for encryption
      • File Level Encryption
      • Volume Level Encryption
      • Partition Level Encryption
Portable Data – Laptops/Notebooks
  • Encrypting Data
    • Volume Level Encryption
      • An encrypted container file mounted as a drive: PGPDisk, TrueCrypt
      • Negatives
        • Restore: a backup of the container is all-or-nothing
        • "Seepage"
          • Unencrypted copies strewn across the drive in temp folders
          • Virtual memory, disk caching, and other OS processes may also expose data by using unencrypted areas of the disk to store it
Portable Data – Laptops/Notebooks
  • Encrypting Data
      • BETTER EXAMPLE: Mac OS X FileVault
          • ENTIRE Home Directory and all settings encrypted
          • 128-bit AES encryption
          • Covers the working and temporary directories under the home folder, plus virtual memory when "Use secure virtual memory" is enabled
          • Anything written outside the home folder (e.g. /tmp) is still in the clear
Portable Data – Laptops/Notebooks
  • Encrypting Data
    • Partition or Device Level Encryption
      • Encrypts everything, minimizing seepage
        • Single password or key protects all data
        • Problematic for backups and restores
        • Adversely affects performance
    • File Level Encryption
      • AES (WinZip 9.0 +)
      • EFS (Windows Encrypting File System, next slide)
      • PGP
Portable Data – Laptops/Notebooks
  • Windows EFS (Encrypting File System)
    • Available in Windows 2000 and Windows XP Professional
    • Requires the NTFS file system
    • Not available in XP Home Edition
    • Consequences of losing the personal key (your EFS certificate) are catastrophic: the data is gone; export and back up the certificate and private key, or configure a recovery agent
    • Copying encrypted files to a FAT file system (USB stick, floppy) loses the encryption
Home Beaconing – Laptop Phone Home
  • What Happens if your Laptop is Stolen?
      • PC PHONE HOME
        • Emails you when the stolen PC next connects to the Internet
          • Does not appear in Task Manager or in the process list
          • If key files are deleted, it respawns itself
          • Claims to survive an OS reload (a software agent cannot survive a disk wipe or a swapped disk)
          • Physical location can be ascertained, roughly, from the IP address with the ISP's cooperation
        • A recovery aid only: it does nothing to protect the data on the disk; encryption does that
Which File Transfer Protocol (FTP) Server Should I Use?
  • Internal FTP: ftp://ftp.bc.com
    • For sharing files between offices & BC staff, or when file size exceeds the email limit
    • Not visible externally
  • External (Public) FTP: ftp://ftp.brwncald.com
    • Appropriate for sharing files with clients, or when file size exceeds the email limit
    • Publicly accessible via the Internet
FTP (File Transfer Protocol): Anonymous or Private?
  • Anonymous Public FTP site: ftp://ftp.brwncald.com
  • Why BC's Public FTP site was a Frequent Target by Hackers (writable anonymous FTP servers are scanned for and abused as drop sites for pirated files)
  • Why "Password Protected" Really Means "Not Protected": FTP sends the username and password in clear text, readable by anyone on the network path
  • Advantages & Limitations of a Private FTP site
FTP (File Transfer Protocol): Tips & Tricks
  • Common reasons an FTP link fails in the browser:
    • Browser is configured to use "Passive Mode" FTP, which is not supported
    • User has upgraded to Internet Explorer 7, which no longer automatically redirects FTP URLs to Windows Explorer
Tips for Wireless Routers
  • The wireless side sits inside your firewall: anyone who joins the network bypasses it
  • Enable encryption: 128-bit WEP at the very least, but use WPA instead wherever the hardware supports it
  • Change Default Configuration Settings
    • ESSID
    • WEP/WPA key
    • Administrator password
    • Channel
NEW Tips for Wireless Routers (updated)
  • Use encryption
    • 128-bit WEP Encryption (absolute minimum; WEP is broken and keeps out only the casual)
    • WPA-AES (WPA2) Encryption preferred
  • Enable MAC Address Filtering (a speed bump only: MAC addresses travel in the clear and are trivially spoofed)
  • Change Default Configuration Settings
    • ESSID
    • WEP/WPA key
    • Administrator password
    • Channel
The Problem with WEP
  • Easily hackable: flaws in how WEP uses RC4 (short, repeating IVs) let an attacker recover the key from captured traffic in minutes, however long the key
  • Difficult to change the encryption key (one static key shared by every device, entered by hand)
  • Difficult to configure at times (hex vs. ASCII keys, 64 vs. 128 bit, named differently by each vendor)
Introducing WPA
  • Wi-Fi Protected Access (2003): the interim fix for WEP's flaws, designed to run on WEP-era hardware via a firmware update
  • Far more secure than WEP, provided the passphrase is strong
The Problems with WPA
  • PSK (pre-shared key) is a poor authentication choice
    • Highly vulnerable if the PSK is short or a dictionary word and is not changed frequently
    • One captured 4-way handshake lets an attacker test passphrases offline at leisure; with a weak passphrase the network falls faster than WEP ever did
  • TKIP still uses the RC4 stream cipher (so that WEP-era hardware could be upgraded)
    • Re-keys RC4 for every packet (per-packet key mixing), restarting the key stream at the beginning of each transmission
    • A stopgap design: TKIP has since been deprecated in favor of AES-CCMP
Implementing WPA
  • Use WPA2 – AES whenever possible!
  • When PSK is the only choice, use the longest passphrase possible (up to 63 characters)
    • A random 64-digit hexadecimal number is best: it is the 256-bit key itself, so there is no passphrase to guess
  • May need to upgrade router firmware
  • May require a Windows Update (Windows XP)
    • KB893357 (adds WPA2 support to XP SP2)
    • KB815485 (adds WPA support to XP SP1)
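Why passphrase length matters so much for WPA-PSK, as an added example (not from the original slides): the pre-shared key derivation defined in IEEE 802.11i, and the offline dictionary attack it permits against a weak passphrase. The SSID "HomeNet", the passphrase and the wordlist are constructed for the example; comparing a guess against the PMK stands in for the MIC check a real cracker performs on one captured 4-way handshake, and costs the same, because the 4096-round PBKDF2 dominates.

```python
"""WPA/WPA2-Personal PSK derivation and an offline dictionary attack.
Added worked example, not code from the original slides. Per IEEE 802.11i:
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
import hashlib
import secrets
import time

# Constructed wordlist standing in for a real dictionary file.
SAMPLE_WORDLIST = ["123456", "password", "letmein1", "sunshine", "qwertyuiop", "mywifi2007"]


def derive_pmk(passphrase, ssid):
    """WPA-PSK passphrase (8-63 ASCII characters) + SSID -> 256-bit PMK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)


def psk_from_hex(hex_key):
    """A 64-hex-digit key IS the 256-bit PMK: no passphrase, so nothing to guess."""
    if len(hex_key) != 64:
        raise ValueError("raw PSK must be exactly 64 hex digits")
    return bytes.fromhex(hex_key)


def random_hex_psk():
    """The slide's '64-digit hexadecimal number': 256 random bits, hex encoded."""
    return secrets.token_hex(32)


def dictionary_attack(target_pmk, ssid, wordlist):
    """Try each candidate passphrase offline. Returns (passphrase or None,
    candidates tried, seconds). The attacker needs only the SSID (broadcast
    in the clear) and the captured handshake that target_pmk stands in for."""
    start = time.perf_counter()
    tried = 0
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:
            continue                          # cannot be a WPA passphrase, skip
        tried += 1
        if derive_pmk(guess, ssid) == target_pmk:
            return guess, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start


def keyspace_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case time to exhaust every passphrase of one length at a given rate."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    ssid = "HomeNet"
    found, tried, secs = dictionary_attack(derive_pmk("sunshine", ssid), ssid, SAMPLE_WORDLIST)
    rate = tried / secs
    print(f"recovered {found!r} after {tried} guesses ({rate:,.0f} guesses/s in pure Python)")
    print(f"8 lowercase letters at that rate: {keyspace_seconds(26, 8, rate) / 86400:,.0f} days")
    print("random 64-hex-digit PSK (no dictionary applies):", random_hex_psk())
```

derive_pmk("password", "IEEE") reproduces the test vector in the 802.11i standard's annex, so the derivation can be checked against the specification. The run shows the asymmetry the slide warns about: a dictionary word falls in a handful of guesses, a dedicated cracker does vastly more guesses per second than this loop, and a random 63-character passphrase or 64-hex-digit key is out of reach of any dictionary because there is none to search.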
802.11i – Robust Security
  • The IEEE standard behind WPA2 (WPA2 is the Wi-Fi Alliance certification for it)
  • AES-CCMP encryption replaces RC4; TKIP is kept only for legacy equipment
  • Authentication by 802.1X/EAP (enterprise) or a pre-shared key (personal), with fresh per-session keys negotiated in the 4-way handshake
DEMO: Virtualization as Security
  • Run an ENTIRE "virtual" computer inside your real ("physical") computer!
  • If the virtual machine is compromised, the risk to the host is low: discard the VM and start again from a clean copy
    • Low, not zero: shared folders, clipboard sharing and guest-to-host networking are the usual bridges, so keep them off while doing anything risky
  • Virtual PC (from MS) now FREE!
  • Download pre-built "appliances"
Got Questions?

http://www.bc.com/Security/
For More Information

http://www.bc.com/Security/

http://grc.com/

http://sans.org/

http://www.firewallguide.com