
ID Theft: Are County Governments a Threat? Or How I'd Take Over the World



Presentation Transcript


    1. September 8, 2012. ID Theft: Are County Governments a Threat? Or How I’d Take Over the World. Randy Marchany, VA Tech IT Security Office and Lab, marchany@vt.edu

    2. We Already Know How
        - We already know how to educate the general public on how to use a highly complex technical device safely: it’s called Driver’s Ed, the DMV.
        - We already know how to teach the general public to use 2 factor authentication: it’s called an ATM card.
        - Why aren’t we showing home users how to secure

    3. What People Think of Security

    4. Place to Steal Personal Data
    It is my personal opinion that the PC/MAC OS design will subvert any security architecture. The standard client/server model consists of three parts: the server system (S), the client system (C) and the network (denoted by the straight line). In the old days, hackers attacked the server because that’s where the access was. Good sysadmin practices such as patch maintenance, detection tools, logging tools, etc. helped reduce the threat to the server system. The hackers then shifted their attacks to the network by installing sniffers. This was an attempt to capture the cleartext traffic and hopefully grab userid and password information. The sysadmins countered this threat by installing encryption tools such as Kerberos, SSH or PGP. The hackers are now shifting their attacks to the client systems. If the client is a Unix variant then the same server defense mechanisms could be applied to the client system. However, if the client is a PC or Mac, there is no effective defense because the OS design allows anyone who can access the machine to install a program on it. Viruses are the classic example of this scenario. It’s quite easy to install a trojan program on a PC/Mac client via email attachments. The FBI installed a keystroke recorder on an organized crime figure’s laptop recently. The suspect was using PGP to encrypt his files and the keystroke recorder captured his personal/private key. The files could be decrypted since the private key was no longer “private”. There is no effective security until this basic security flaw in the client OS is corrected, IMHO. I presented a paper attacking PC/MAC clients with a keystroke recorder sent via an attachment at the SANS Network Security Conference in 1996. The problem still hasn’t been fixed.

    5. Passwords ARE the First Defense: Bad Password Examples

    6. VNC Viewer works on Windows machines as well. Here I connect to my W2K box from my Unix workstation. The W2K desktop has the beach background. The other windows are my standard Unix windows. Again, the point is that someone at a remote site could see what was being done on your desktop. Is this a bad tool? NO! This is an excellent remote administration and help desk tool. But with power comes responsibility.

    7. This plot shows the rest of the viruses intercepted between 8/15/01 and 4/10/02. We average about 50-100 hits a day with some peaks here and there when a new virus hits.


    12. Being a VP means you have to lead the way to new technologies. Sometimes, people don’t want to follow you so you have to provide motivation or incentives to them. Those that don’t follow will get the message soon enough.

    13. We have met the enemy and it is vendors…

    14. It’s Insecure Out of the Box
        - Security vs. convenience
        - Let the users debug the code
        - OS vendors are starting to see the light: Windows XP/2003 with security features enabled, Apple OS X, Linux systems with firewall enabled
        - Application vendors still don’t get it
        - Oracle stepped in it: http://news.com.com/When+security+researcher+become+the+problem/2010-1071_3-5807074.html


    16. Every laser printer has a www server running on it. They don’t have an administrative password set. The vendor documentation strongly recommends setting an administrative password on the printer but in reality, this is not always the case. Look at the control panels on the left side and the top bar of the screen. You can do a lot of things to remotely control this printer if the admin password isn’t set. This is an example of how a vendor product comes already equipped to sabotage your security architecture. In fairness, this vendor does provide the capability to create an admin password but it’s up to the customer to enable this feature. We’ve seen Point-of-Sale cash register systems based on Windows NT SP3! We’ve seen printer/scanner/plotter systems whose control units are based on the same architectures. Windows NT is currently at SP7, in case you didn’t know. There was even the case of a hospital MRI whose control box was backleveled in security patches.


    20. It’s Insecure Out of the Box
        - Viruses will never be eliminated: there is a multibillion $ industry to fight them; eliminate the threat and we no longer have a multibillion $ industry.
        - Wireless cash register software sending data in the clear
        - Document imaging systems sending data in the clear
        - Govt/LE records digitized by insecure software
        - Printers, copiers based on NT!

    21. Why buy the cow when you can get the milk for free?


    24. This is my favorite of the phishing sites. The beauty of this design is in the detail. If you clicked on the privacy pledge or any of the links in the bottom blue bar, you got the real US Bank site. A number of users did this, saw that it was the real US Bank site, figured the request was legit and then proceeded to the next screens.

    25. Here’s the next screen. Notice the amount of information it asks from the user. Feel uncomfortable?

    26. At least we got a ticket number…

    27. Obtaining Personal Information
        - Public records can be accessed from anywhere in the world.
        - Local governments are allowing access to sensitive info via the Web without thinking about security.

    28. County Clerks and Identity Theft
        - Making legal docs available on the net w/o good security practices
        - A secure www site isn’t enough
        - Tom Delay: SSN from public records
        - Jeb Bush: SSN from public documents
        - Colin Powell: deed of trust; SSN from public records
        - Do County Clerks (by extension, the state legislature) facilitate ID theft?

    29. What’s Going On Here?
        - We’re spending $$$ to protect sensitive data (SSN)
        - State govt is allowing SSN info to be obtained online
        - Laws need to be coordinated
        - Sometimes the data isn’t where you think it is…


    31. PDA/Smartphones

    32. Motivation
        - People want access to information all the time
        - User expectation of information everywhere and all the time
        - Rapid evolution to use interconnected networks
    Security Challenges
        - Information sharing and security at odds
        - Laws, regulations, and policies not keeping pace
        - Stopgap measures

    33. RFID Technology
        - RFID tags: the first “true” pervasive technology
        - Correlation tracking for inventory mgt
        - Potential misuse by combining user habits with tag tracking data

    34. PDA/RFID Threat Summary
        - Data disclosure
        - Data modification
        - Tracking the target
        - Denial of service attacks: drain the battery


    36. Battery Power Attack Contrasts

    37. Attack the Client or the Server?
        - Attack the PDA
        - PC, Mac, PDA/Smartphone clients
        - Your overall security architecture is subverted by PC, Mac, PDA/Smartphone insecurity.
    Microsoft has become a favorite target of hackers for a number of reasons. Those are of no concern to us now, but the fact of the matter is that there are many more Microsoft and Macintosh systems than servers. The inherent insecurity of the client systems subverts any security architecture you can design.

    38. Why PDA Attacks Work
        - Poor password selection
        - System management training deficiencies
        - Inadequate user training
        - External open environments affect your network
        - Vendor supplied defects
        - Lack of mgt. support to correct problems
    Faculty members were just starting to use Unix workstations on the Internet in 1990 and we didn’t realize that we needed to set up adequate training for them. Poor passwords allowed the hacker to gain access to the system and create the fake accounts. .rhosts files allowed him to access machines that had stronger passwords for the compromised userids. We failed to train our sysadmins and users on accessing the Internet (remember this was in 1992), having strong passwords and not using r-commands. The last bullet is a familiar lament among system and lab administrators. It was a lot cheaper to purchase machines instead of paying for people to manage them. Some of the system:person ratios were 60:1, 80:1. The 5th bullet is important. The lack of security at your site affects my site. This was true in 1992 and it’s true today.

    39. Taking Advantage of the Surveillance Society We’ve Become…


    46. There are tons of Internet sites that have information about individuals. This is one of the online white/yellow page phone directories on the net. You can see the variety of service options available to you. In this example, I entered the name of the individual in the White Pages section of the search engine. I didn’t know what town/city the person lives in so I asked it to give me everyone in the state who matches the request. The next slide shows the result.

    47. Here are a couple of names that matched my search request. I have the address and phone number of the person. I see the person I’m looking for in this list.

    48. Remember that all of the information displayed so far is public information. There has been NO access to sites that might have sensitive information. You don’t really need that much information to steal someone’s identity.

    49. If I want to know how to get to the person’s address, I have a couple of sites that will give me that information. This is one of the more popular sites. I enter the address in the form on the left side of the screen.

    50. Here is a map of the address. We can zoom in or out depending on how much detail we want.

    51. Here they are.

    52. This is an example of one of the pay sites on the net. The following slides show some of the information resources available to an “investigator”. Once again, you can build a pretty complete profile on a person using these resources. This site is interesting because it puts all of the links in one place.

    53. This page has a number of links that can be used to obtain someone’s telephone records. The SSN link has interesting implications simply because you can build a personal history. You need to pay some $$$ ($35-$150 per search) to use these features but there’s nothing here that would break your bank.

    54. Some more telephone links, but there are also the criminal records, property records and DMV searches. Now, most of the data obtained via these sources is subject to the individual site’s privacy policies. You need to know what they are.

    55. The professional license search link is another example of how you can build a profile on someone.

    56. Some other free sites for obtaining information about an individual. The aircraft related sites and Coast Guard vessel sites are interesting.

    57. The SSN is the primary identification number for most applications. There are numerous documents that describe the SSN numbering scheme.

    58. This is one of the places that describes the SSN numbering process. The links at the bottom of the page will help verify some information about a particular SSN.
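Slide 28 (county clerks posting deeds that carry SSNs) and slides 57-58 (the SSN numbering scheme) point at one defensive control: scan every document for SSN-shaped values before it goes on the web, and use the published structural rules to rank what the scan finds. The Python below is an added example, not code from the talk; the deed text, names and SSNs in it are constructed for the example, and the function names are my own.

```python
import re

# Constructed sample of a deed-of-trust text as a county clerk's office might
# post it online. Every name and SSN below is fabricated for this example.
SAMPLE_RECORD = """DEED OF TRUST, Example County Circuit Court
Grantor: J. Q. PUBLIC, SSN 219-09-9999, 1 Main St
Co-grantor: A. N. OTHER, SSN 000-12-3456
Trustee: B. LENDER, Tax ID 666-01-0001
Instrument no. 2005-123456 recorded 08/15/2005"""

# Dashed AAA-GG-SSSS form only. Bare nine-digit runs collide with instrument
# and parcel numbers, so they are left for manual review, not auto-redacted.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_structurally_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Public SSA structural rules: area 001-899 excluding 666, group 01-99,
    serial 0001-9999. Passing does not prove the number was ever issued;
    failing proves it cannot be a real SSN, which lowers the finding's priority."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list:
    """Return (matched_text, line_number, structurally_valid) for each hit,
    structurally valid hits first so reviewers see the real exposures on top."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            hits.append((m.group(0), lineno, is_structurally_valid_ssn(*m.groups())))
    return sorted(hits, key=lambda h: (not h[2], h[1]))


def redact(text: str, keep_last4: bool = True) -> str:
    """Mask every dashed SSN-shaped value before publication. Values that fail
    the structural test are masked too: a false positive costs nothing, a miss
    costs someone their identity."""
    def _mask(m):
        return "XXX-XX-" + (m.group(3) if keep_last4 else "XXXX")
    return SSN_RE.sub(_mask, text)


if __name__ == "__main__":
    for value, lineno, valid in find_ssns(SAMPLE_RECORD):
        status = "valid structure" if valid else "cannot be a real SSN"
        print(f"line {lineno}: {value} ({status})")
    print(redact(SAMPLE_RECORD))
```

The instrument number on the last line is untouched because the pattern anchors on the 3-2-4 dashed shape, which is the same reason undashed SSNs need a human in the loop.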

    59. Protect the Data – not the Machine
        - File system encryption: nice, but why encrypt everything on the device? Oooh, I encrypted Office CE! Probably will win because people are lazy
        - Data file encryption
        - Thumb drive encryption


    61. What we would do to take over the world
        - Deep Strike strategy
        - Local Strike strategy
        - Use stealth worms
        - Attack gadgets
        - Pollute LE, Govt identities
        - Wipe out the machines on D-day

    62. Deep Strike
        - Target the data entry process: forget modifying it once it’s in the system; input faults at the data entry point
        - Corrupt NCIS/AFIS data
        - Corrupt legal record entry
        - Attack local stock broker systems: someone just “bought” a lot of shares; use to trigger auto buy/sell programs
        - Corrupt in-stream stock quotes: just enough to fly “under the radar”
        - Target hospital/medical wireless nets: DDOS them to prevent info transmission

    63. Deep Strike
        - Target RFID inventory systems (DOD, “Walmarts”): direct shipments elsewhere. Don’t steal it, just redirect it at the critical time; force manual control to slow down the process
        - E-passport, E-Drivers License, E-tags: track your targets
        - Target the compilers, microcode: modify the chip instruction set; change the compilers to add backdoors (Ken Thompson’s paper on Trust)

    64. Target Security Clearances
        - Target security clearance methodology: questioning the vetting process means everyone that got clearance using that process is suspect
        - Target military personnel credit ratings: get SSN from county court house www sites; bad credit = revoked security clearances

    65. Deep Strike
        - Target automated public service radio systems: use EAS automated receivers to send fake evacuation messages; evacuate mid size cities, small towns
        - Target stadium or highway display boards: “there’s a bomb in the seats”
        - Stress local 911: 1 more call than there are ambulances; use cell phones to generate the calls

    66. Deep Strike
        - Target gadgets: not for control but for DDOS
        - Target e-voting systems
        - Target home systems: for ID theft and DDOS
        - Use stealth worm capabilities to fly under the radar of IDS, IPS
        - Avoid Blaster-style attacks until needed as a diversion

    67. Deep Strike
        - Erode trust in security mechanisms so they will be ignored. For example, businesses will not turn down a sale but they will turn down a security process that is perceived to be corrupted
        - Pick an infrastructure: stock market, credit card, drivers license

    68. Local Strike
        - Target LE, military for ID pollution: mess up the agent’s credit rating so the family can’t buy anything; it’s a distraction
        - Repeat for investigative teams/leaders/mgt
        - Attack via Choicepoint, Seisint, etc.: use the tools LE would use
        - Repeat for civilian leadership: legislative, executive, judicial

    69. D-DAY
        - Use the previous setup to create minor distractions: “Why are they shipping 30K snowblowers to AZ”
        - Launch real attack: activate bots introduced by stealth worms; wipe out all user data on infected machines

    70. Solutions
        - Need cyber training, awareness at ALL levels of society
        - ATM cards prove it can be done
        - Society learned how to use a complex transportation technology (cars) in the past: the driver’s license ensures a base level of knowledge of proper use of the technology

    71. Summary
        - Nothing has changed? Users trigger attacks; sysadmins trigger attacks; vendors trigger attacks
        - The order has changed: vendor errors move to the top; mgt errors a close second (they cause training deficiencies); state legislation is moving to the top
