
Topics in Internet Security

Topics in Internet Security. STC Training, Tuesday, August 23 2011. Brian Allen, CISSP, brianallen@wustl.edu, Network Security Analyst, Washington University in St. Louis, http://nso.wustl.edu/presentations/. Let’s Talk About: Email Security, Password Managers, PNA Examples, Phishing Examples.


Presentation Transcript


  1. Topics in Internet Security. STC Training, Tuesday, August 23 2011. Brian Allen, CISSP, brianallen@wustl.edu, Network Security Analyst, Washington University in St. Louis, http://nso.wustl.edu/presentations/

  2. Let’s Talk About • Email Security • Password Managers • PNA Examples • Phishing Examples • Top Ten Security Tips • Virus Example and Case Study

  3. Decentralized Campus Network (diagram: Business School, Law School, Arts & Sciences, Medical School, Library, Social Work, Art & Architecture, Engineering School, NSS, NSO, Internet). NSS = Network Services and Support; NSO = Network Security Office

  4. Password Managers

  5. Free Password Managers • KeePass – I use this one • Called KeePassX for the Mac • Password Safe • I Use Dropbox.com to store my KeePass file so I can always access it

  6. KeePass

  7. KeePass

  8. Email Security

  9. Email Security Tip #1 • Do not click on links in emails

  10. Email Security Tip #2 • See Tip #1

  11. Spam (diagram of the spam supply chain: Product Supplier, Accountant, Seller 1–3, Spammer 1–3)

  12. Where Does Spam Originate? Why Do We Care? • Spam = Bots (large armies of infected machines sending out spam) • Bots = Sophisticated Malware • Sophisticated Malware = Organized Crime • More than 89% of all email messages were spam in 2010 - Symantec

  13. Spam is Big Business • Rates for one million email addresses: $25 to $50 http://www.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf • 10,000 malware installations: $300–$800 • Sending 100 million emails per day: $10,000 per month http://www.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf • Cutwail’s profit for providing spam services: $1.7 - $4.2 million since June 2009 – Aug 2010 • How much do the spammers gross per day? $7000 http://www.wired.com/magazine/2011/02/st_equation_spamprofits/

  14. CBL Breakdown By Country
      Country     Count     %total   %cumu   Rank   Infect %
      India       1253890   18.80    18.80   1      4.465%
      Vietnam     565839    8.48     27.28   2      3.306%
      Brazil      479491    7.19     34.47   3      0.857%
      Indonesia   392814    5.89     40.36   4      3.163%
      Pakistan    383319    5.75     46.10   5      7.688%
      Russia      358142    5.37     51.47   6      0.912%
      China       222761    3.34     54.81   7      0.075%

  15. One Cause Of This Problem • Many machines in these countries are running pirated copies of Windows. • They are not getting security updates. • They are vulnerable and get infected. • Also, it can take a long time to download updates.

  16. Underground Economy • Spammers also are involved in: • CAPTCHA solving • Email harvesting • Custom software • Bulletproof hosting • Proxies

  17. Spam Volume • From Jul 30- Aug 25, 2010 security researchers infiltrated the Cutwail spam network and discovered 87.7 billion emails were successfully sent

  18. Spam Content • The Zeus/SpyEye Banking Trojan Typically Uses: • Greeting card • Resume • Invitation • Mail delivery failure • Receipt for a recent purchase

  19. Spam Volume on WUSTL Ironports - Feb 2011

  20. Department of Justice Disrupts International Cyber Crime Rings Distributing Scareware • June 22, 2011 • ”Today the Department of Justice and the FBI, along with international law enforcement partners, announced the indictment of two individuals from Latvia and the seizure of more than 40 computers, servers and bank accounts as part of Operation Trident Tribunal, an ongoing, coordinated enforcement action targeting international cyber crime. The operation targeted international cyber crime rings that caused more than $74 million in total losses to more than one million computer users through the sale of fraudulent computer security software known as scareware.”

  21. Phishing Examples

  22. Phishing Email

  23. Real or Phish? <http://michaelkellett com/ez/wustl.html>

  24. Real or Phish?

  25. Real or Phishing Site?

  26. Emails, Like Postcards, Are Not Encrypted Contact me to discuss encryption options for storing or sending sensitive information

  27. Social Security Number Email 1
      From: BOB [BOB@WUSTL.EDU]
      Sent: Friday, April 01, 2011 12:54 PM
      To: ALICE [ALICE@NOTWUSTL.COM]
      Subject: Registration Request

      ALICE: Couldn't remember if I had already sent this request or not. Please register CHARLIE ( 111-11-1111 ) for the session
      Thank you
      BOB

  28. Social Security Number Email 2
      From: BOB [BOB@WUSTL.EDU]
      Subject: FW: University talk
      To: ALICE@NONWUSTL.EDU, CHARLIE@NOTWUSTL.COM
      Date: Monday, April 4, 2011, 12:57 PM

      Dear Ms. ALICE and CHARLIE, I sent this e-mail a couple of weeks ago, but I haven't heard back from you yet, so I thought that I would send it again. Also, my SSN is 222-22-2222 and my home address is: 1234 Oak Ave. St. Louis, MO 63130
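The two messages above are exactly what an outbound mail check should catch before the message leaves the university. The following is an added example, not part of the original presentation or of any WUSTL tool: a small DLP-style check that looks for plausibly formatted SSNs in a message body and flags the message when any recipient is outside the internal domain. The internal domain, the message structure and the three sample messages are constructed for the example.

```python
import re

# Dashed SSN layout; the lookarounds stop a longer digit run (an account
# number or a phone number such as 314-935-5555) from being split into a match.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop blocks the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This prunes the most obvious false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return every plausible SSN string found in the text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def external_recipients(header_value: str, internal_domain: str) -> list:
    """Addresses in a To:/Cc: header that are not in the internal domain."""
    suffix = "@" + internal_domain.lower()
    addrs = [a.strip().lower() for a in header_value.split(",") if a.strip()]
    return [a for a in addrs if not a.endswith(suffix)]


def check_outbound_message(headers: dict, body: str,
                           internal_domain: str = "wustl.edu") -> dict:
    """Flag a message that carries a plausible SSN in its body and is
    addressed to at least one recipient outside the organisation."""
    to = ", ".join(headers.get(h, "") for h in ("To", "Cc") if headers.get(h))
    ext = external_recipients(to, internal_domain)
    ssns = find_ssns(body)
    return {"ssns": ssns, "external_recipients": ext,
            "flag": bool(ssns and ext)}


# Constructed messages modelled on the two redacted examples in the slides.
MESSAGE_1 = ({"From": "BOB@WUSTL.EDU", "To": "ALICE@NOTWUSTL.COM",
              "Subject": "Registration Request"},
             "ALICE: Please register CHARLIE ( 111-11-1111 ) for the session.")
MESSAGE_2 = ({"From": "BOB@WUSTL.EDU",
              "To": "ALICE@NONWUSTL.EDU, CHARLIE@NOTWUSTL.COM",
              "Subject": "FW: University talk"},
             "Also, my SSN is 222-22-2222 and my home address is: 1234 Oak Ave.")
# Constructed internal-only message: a phone number and an unissued block,
# neither of which should count.
MESSAGE_3 = ({"From": "BOB@WUSTL.EDU", "To": "dave@wustl.edu"},
             "Call me at 314-935-5555; 000-00-0000 is not a real number.")

if __name__ == "__main__":
    for msg in (MESSAGE_1, MESSAGE_2, MESSAGE_3):
        print(check_outbound_message(*msg))
```

The regex alone is a weak signal; the plausibility check and the external-recipient condition are what keep the alert rate usable, and a real deployment would add the same check for attachments.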

  29. Top 10 Security Tips

  30. Top 10 Security Tips For Everyone I • Make sure the Windows Firewall is turned on • Make sure all accounts on your computer have good passwords • Make sure Windows Automatic Updates is on • Install an Anti-Virus software package. Microsoft is now providing their Security Essentials anti-virus/anti-spyware for free to home users: http://www.microsoft.com/Security_Essentials

  31. Top 10 Security Tips For Everyone II • I use Firefox with AdBlock Plus • Run Secunia Personal Software Inspector (www.secunia.com). It is free, and it will tell you when you need to update your other software (Adobe, Java, Quicktime, RealPlayer, etc). • Educate yourself on Phishing and don’t become a victim (Google: “phishing quiz”)

  32. Top 10 Security Tips For Everyone III • Don’t click on links in e-mail. • Don’t give out your password to anyone, for any reason, especially in an e-mail! • Never enter your password into a site that is not using HTTPS.

  33. Passive Network Appliance

  34. When We Met • July 3, 2009 • One of Patrick’s students came to work for me as a student lackey worker
      PNA is Born • First mention of PNA to me was Mar 18, 2010 • PNA was installed at WUSTL Aug 11, 2010 • It monitors our primary ISP link

  35. Security Data I Rely On • I use flow logs to look for: • Scanners • Spammers • Connections to known bot C&C IP addresses • Suspicious IRC traffic • Ad-hoc incidents (e.g. law enforcement requests) • I also look for: • Connections to known bot C&C hostnames in DNS • NMAP every IP address, every port (a LOT of data)
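The four flow-log checks listed on this slide (scanners, spammers, known C&C addresses, IRC traffic) are simple set-counting problems once the flows are parsed. The block below is an added example written for this page, not the presenter's own scripts or any PNA code: it builds a constructed flow log and runs each check over it. The campus address range 10.0.0.0/8, the thresholds, and the 198.51.100.x / 203.0.113.x peers are assumptions; the C&C address 64.74.223.41 is the one shown later in the slides.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# One record per (src, sport, dst, dport, proto) tuple, the shape most flow
# exporters produce; byte and packet counts are omitted for brevity.
Flow = namedtuple("Flow", "ts src sport dst dport proto")

INTERNAL = ip_network("10.0.0.0/8")   # hypothetical campus range
IRC_PORTS = {6667, 6697}


def constructed_flows():
    """Synthetic flow log: one port scanner, one spam source, one bot talking
    to the C&C address from the slides, and a little ordinary traffic."""
    t0 = 1313000000
    rows = []
    for p in range(1, 31):                       # scanner: 30 ports on one host
        rows.append(Flow(t0 + p, "10.1.2.3", 50000 + p, "10.9.9.1", p, "tcp"))
    for i in range(12):                          # spammer: 12 external MXs on 25
        rows.append(Flow(t0 + 100 + i, "10.4.4.4", 40000 + i,
                         f"198.51.100.{i + 1}", 25, "tcp"))
    rows.append(Flow(t0 + 200, "10.5.5.5", 41000, "64.74.223.41", 6667, "tcp"))
    rows.append(Flow(t0 + 300, "10.6.6.6", 42000, "203.0.113.10", 443, "tcp"))
    rows.append(Flow(t0 + 301, "10.6.6.6", 42001, "198.51.100.1", 25, "tcp"))
    return rows


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def find_scanners(flows, min_targets=20):
    """Sources that touched at least min_targets distinct (dst, dport) pairs."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


def find_spammers(flows, min_mx=10):
    """Internal hosts opening SMTP to at least min_mx distinct external hosts."""
    mx = defaultdict(set)
    for f in flows:
        if f.dport == 25 and is_internal(f.src) and not is_internal(f.dst):
            mx[f.src].add(f.dst)
    return sorted(s for s, d in mx.items() if len(d) >= min_mx)


def find_cnc_contacts(flows, cnc_ips):
    """(internal host, C&C ip) pairs for any flow whose peer is on the list."""
    hits = set()
    for f in flows:
        if f.dst in cnc_ips:
            hits.add((f.src, f.dst))
        elif f.src in cnc_ips:
            hits.add((f.dst, f.src))
    return sorted(hits)


def find_irc(flows):
    """Internal hosts with IRC-port flows to the outside; worth a look even
    when the peer is not yet on a C&C list."""
    return sorted({(f.src, f.dst, f.dport) for f in flows
                   if f.dport in IRC_PORTS
                   and is_internal(f.src) and not is_internal(f.dst)})


if __name__ == "__main__":
    flows = constructed_flows()
    print("scanners:", find_scanners(flows))
    print("spammers:", find_spammers(flows))
    print("C&C:", find_cnc_contacts(flows, {"64.74.223.41"}))
    print("IRC:", find_irc(flows))
```

The thresholds are the tuning knobs: the spam check counts distinct external SMTP peers rather than raw flow count so a legitimate mail relay with one upstream is not flagged, and the scanner check counts distinct (host, port) pairs so it catches both a port sweep of one host and a one-port sweep across many hosts.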

  36. Strange Printer Scan

  37. Strange Printer Scan Returns

  38. Hacker’s IP Addresses • December 2010 -> well known local IT shop had a data breach • I was able to get the hacker’s two IP addresses that were used to log into their network • I used PNA to check if those IP addresses were anywhere on our network in the past week • They were not

  39. Infected Laptop

  40. Infected Laptop • Owner’s Response: “Hello, Thanks for the update! Yea this machine is hosed! I knew it was bad but, I didn't know it was that bad. I am in the midst of transferring all of my stuff to a new machine because I needed to reformat this laptop anyway. I can't get wireless signal either...lol! Thanks,”

  41. Infected RedHat Server • Forensics -> four key hacker IP addresses • Who else were these hackers talking to on campus? • Two other machines were compromised

  42. Infected Lab Machine

  43. Law Enforcement Incident • Person threatening/harassing a student • LE provided: IP address, General time frame • Using PNA we could tell them every time that suspect talked to a WUSTL machine

  44. Bot Example
      $ nslookup 64.74.223.41
      ** server can't find 41.223.74.64.in-addr.arpa.: NXDOMAIN
      • What to do?
      • Passive DNS can help
      (diagram: a WU host resolved some hostname X to 64.74.223.41)

  45. Passive DNS Within PNA • PNA can optionally collect passive DNS data • It can look at all outgoing DNS traffic • Notify security community • Google it to get more info, who owns it? • Add it to my blackhole DNS server
      (diagram: passive DNS shows irc.berthabig.info resolved to 64.74.223.41)
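Slides 44 and 45 show the problem and the answer: a reverse lookup of the C&C address returns NXDOMAIN, but a store of answers seen on the campus DNS path still knows which name pointed at it. The block below is an added example, not PNA's code and not from the presentation: a minimal passive-DNS store indexed by record data and by owner name, with first-seen/last-seen/count per pair, CNAME chasing, and a helper that emits blackhole-zone lines for every name seen resolving to a given address. The observations are constructed; irc.berthabig.info and 64.74.223.41 come from the slides, the other names and addresses are assumptions.

```python
from collections import defaultdict

# Constructed observations in the shape a passive-DNS sensor on the outbound
# DNS path records: answers only, never the client that asked.
# Fields: unix timestamp, owner name, record type, record data.
OBSERVATIONS = [
    (1313000000, "irc.berthabig.info", "A", "64.74.223.41"),
    (1313003600, "www.example.edu", "A", "203.0.113.10"),
    (1313007200, "irc.berthabig.info", "A", "64.74.223.41"),
    (1313010800, "cdn.example.net", "CNAME", "edge.example.net"),
    (1313010801, "edge.example.net", "A", "203.0.113.20"),
    (1313014400, "IRC.BerthaBig.INFO", "A", "64.74.223.41"),   # case differs
]


class PassiveDNS:
    """Answers indexed by rdata (so an IP with no PTR record can still be tied
    to the names that pointed at it) and by owner name."""

    def __init__(self):
        self.by_rdata = defaultdict(dict)   # rdata -> {(name, type): [first, last, count]}
        self.by_name = defaultdict(dict)    # name  -> {(rdata, type): [first, last, count]}

    def observe(self, ts, name, rtype, rdata):
        # DNS names are case-insensitive; normalise so the three sightings
        # of irc.berthabig.info above collapse into one record.
        name = name.lower().rstrip(".")
        rdata = rdata.lower().rstrip(".")
        rtype = rtype.upper()
        for index, key, val in ((self.by_rdata, rdata, (name, rtype)),
                                (self.by_name, name, (rdata, rtype))):
            rec = index[key].get(val)
            if rec is None:
                index[key][val] = [ts, ts, 1]
            else:
                rec[0], rec[1], rec[2] = min(rec[0], ts), max(rec[1], ts), rec[2] + 1

    def names_for(self, rdata):
        """Owner names ever seen resolving to this address or CNAME target."""
        return sorted(n for n, _ in self.by_rdata.get(rdata.lower(), {}))

    def history(self, name):
        """(rdata, type, first_seen, last_seen, count) tuples for a name."""
        recs = self.by_name.get(name.lower(), {})
        return sorted((r, t, *v) for (r, t), v in recs.items())

    def resolve_chain(self, name, max_depth=8):
        """Follow CNAMEs through the store down to the A records seen."""
        addrs, seen = set(), set()
        todo = [name.lower()]
        while todo and len(seen) < max_depth:
            n = todo.pop()
            if n in seen:
                continue
            seen.add(n)
            for (rdata, rtype) in self.by_name.get(n, {}):
                if rtype == "A":
                    addrs.add(rdata)
                elif rtype == "CNAME":
                    todo.append(rdata)
        return sorted(addrs)

    def sinkhole_records(self, rdata, sink="127.0.0.1"):
        """Zone-file lines pointing every name seen for this address at a
        sinkhole, ready for a blackhole zone on the campus resolver."""
        return [f"{n}. IN A {sink}" for n in self.names_for(rdata)]


def build_store(observations=OBSERVATIONS):
    store = PassiveDNS()
    for obs in observations:
        store.observe(*obs)
    return store


if __name__ == "__main__":
    s = build_store()
    print("names for 64.74.223.41:", s.names_for("64.74.223.41"))
    print("history:", s.history("irc.berthabig.info"))
    print("\n".join(s.sinkhole_records("64.74.223.41")))
```

Because the store only keeps answers, the client address never enters it; the flow logs on the earlier slide are what tie an infected host to the name once passive DNS has supplied it.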
