Security Awareness: Security Tips for Protecting Ourselves Online Wednesday, February 10th, 2010 Brian Allen Network Security Analyst,

Presentation transcript:

Security Awareness: Security Tips for Protecting Ourselves Online Wednesday, February 10th, 2010 Brian Allen Network Security Analyst, Washington University in St. Louis

Let’s Talk About…
Zeus (And Other Bots That Steal Money)
Home Wireless Router Security
Facebook/Social Network Security
Password Security
AV Products
Laptop Security
Browsing with Firefox Addons
Online Banking

Three Notable Zeus Attacks in the Past Year
Bullitt County, Kentucky: July $415,
Western Beaver School District, PA: Jan $219,000
Duanesburg Central School District, NY: Jan $3 Million

How Zeus Works
1. Hackers send phishing emails with a link to download the Zeus bot to the victim’s computer
2. The Zeus bot has a keylogger which captures the victim’s bank credentials
3. The criminal logs in to the bank's website using that information, and transfers money to the "Customer Service Specialist", AKA the Money Mule
4. The Mule then receives instructions on how to wire the money internationally, keeping a generous commission (money stolen from someone else's bank account!) for themselves

Zeus Facts
3.6 Million bots in the US as of Sep
For Computers with up-to-date AV, 55% still were infected by Zeus
Sold on the Underground Economy and Used by Criminal Organizations

What Can Zeus Do?
The majority of the time a keylogger is activated
Replace the web form on a search page to ask for additional information: card numbers, PIN numbers, SSNs, answers to security questions, etc.
Real-time screenshots can be taken from infected machines
It can “phone home” and update itself

ZEUS Website/Phish Examples

#1 Way To Prevent Infection: Do Not Click On Suspicious Links and Attachments In Emails. If there are questions about a particular email, ask first.

Tokens Are Not Perfect Zeus can create a direct connection between the infected computer and the attacker’s, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives. By connecting through the victim's PC or Internet connection, the bad guys can avoid raising any suspicions.

Requiring Two People is not Perfect
- The attackers somehow got the Zeus Trojan on the county treasurer's PC, and used it to steal the username and password the treasurer needed to access the county's bank account.
- The attackers then logged into the county's bank account by tunneling through the treasurer's Internet connection.
- Once logged in, the criminals changed the judge's password, as well as the email address tied to the judge's account, so that any future notifications about one-time passphrases would be sent to an address the attackers controlled.
- They then created several fictitious employees of the county (these were the 25 real-life co-conspirators hired by the attackers to receive the stolen funds), and created a batch of wire transfers to those individuals to be approved.
- The crooks then logged into the county's bank account using the judge's credentials and a computer outside of the state of Kentucky. When the bank's security system failed to recognize the profile of the PC, the bank sent an email with the challenge passphrase to an address the attackers controlled.
- The attackers then retrieved the passphrase from the email, and logged in again with the judge's new credentials and the one-time passphrase. Once logged in, the crooks were able to approve the batch of wire transfers.
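To make the bank-side logic behind the "Tokens Are Not Perfect" slide and the Bullitt County sequence concrete, here is an added Python model written from the bank's point of view. It is not code from the presentation or from any bank: the account, IP addresses, states and email addresses are constructed. It shows why a profile check based on familiar IP address or home state lets a login tunnelled through the customer's own connection pass, and why the damaging step is letting a notification-address change take effect immediately; the confirm-via-old-address policy is a mitigation I add here, not something the slides describe.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Account:
    user: str
    password: str
    trusted_ips: Set[str]            # IPs previously seen with this user
    home_state: str
    notify_email: str                # where one-time passphrases are sent
    pending_email: Optional[str] = None  # requested change awaiting confirmation


@dataclass
class LoginAttempt:
    user: str
    password: str
    source_ip: str
    source_state: str


def evaluate_login(acct: Account, attempt: LoginAttempt) -> str:
    """Return 'allow', 'challenge' or 'deny'. Mirrors the profile check the
    slide describes: a known IP, or at least the customer's home state, is
    enough to skip the out-of-band challenge."""
    if attempt.user != acct.user or attempt.password != acct.password:
        return "deny"
    if attempt.source_ip in acct.trusted_ips or attempt.source_state == acct.home_state:
        return "allow"
    return "challenge"


def challenge_destination(acct: Account) -> str:
    """The one-time passphrase always goes to the currently confirmed address."""
    return acct.notify_email


def request_email_change(acct: Account, new_email: str, confirm_via_old: bool) -> str:
    """Naive policy (confirm_via_old=False): the new address takes effect at
    once, which is what the attackers in the slide relied on.
    Confirm-first policy (hypothetical mitigation): the change is parked until
    the OLD address confirms it, so challenges keep reaching the real user.
    Returns the address that receives the next message about this change."""
    if confirm_via_old:
        acct.pending_email = new_email
        return acct.notify_email
    acct.notify_email = new_email
    return new_email


def confirm_email_change(acct: Account, token_from_old_address: bool) -> None:
    """Only a confirmation coming from the old address activates the change."""
    if token_from_old_address and acct.pending_email:
        acct.notify_email = acct.pending_email
    acct.pending_email = None


def replay_kentucky_sequence(confirm_via_old: bool) -> dict:
    """Replay the slide's steps (constructed data) and report where the
    one-time passphrase ends up under the chosen address-change policy."""
    judge = Account("judge", "judgepw", {"203.0.113.10"}, "KY", "judge@county.example")
    # Steps 1-2: login tunnelled through the treasurer's in-state, already-known
    # connection, so the profile check sees nothing unusual.
    via_victim = LoginAttempt("judge", "judgepw", "203.0.113.10", "KY")
    first = evaluate_login(judge, via_victim)
    # Step 3: attacker points notifications at an address they control.
    request_email_change(judge, "attacker@mailbox.example", confirm_via_old)
    # Step 4: login from outside the state fails the profile check, so the
    # bank sends the challenge passphrase.
    outside = LoginAttempt("judge", "judgepw", "198.51.100.7", "FL")
    second = evaluate_login(judge, outside)
    return {"first": first, "second": second, "otp_sent_to": challenge_destination(judge)}


if __name__ == "__main__":
    print("naive policy  :", replay_kentucky_sequence(confirm_via_old=False))
    print("confirm-first :", replay_kentucky_sequence(confirm_via_old=True))
```

Under the naive policy the replay returns `otp_sent_to` = the attacker's address; under the confirm-first policy the challenge still goes to the judge's original address and the batch cannot be approved from the attacker's machine. The model leaves out the password change the slide mentions, since it does not affect where the challenge is delivered.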

Note the NY Attack Started on a Fri On Friday, Dec. 18, an unauthorized electronic transfer of $1,862,400 was made from a Duanesburg Central School District NBT Bank account to an overseas bank.

Letter Sent Out After NY Attack

January 5, 2010

Dear Parents and Community Members,

The Duanesburg Central School District announced today that it is working closely with the Federal Bureau of Investigation and New York State Police to investigate unauthorized electronic transfers of school district funds from its NBT Bank account.

The district first learned of the fraudulent activity on Tuesday, Dec. 22, when contacted by an NBT bank representative, questioning the validity of a request for an electronic transfer of funds to multiple overseas accounts that day. Upon confirming with the district that the transfer was not authorized, the bank immediately cancelled the pending transaction, which totaled approximately $759,000. After further review, it was discovered that an additional $3 million in unauthorized electronic transfers to various overseas banks had already been executed over the previous two business days, between December

Both district officials and the bank immediately contacted the FBI, which opened an investigation along with state police. To date, $2.5 million of the stolen funds have been recovered by NBT Bank, working with several overseas financial institutions. Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered. However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds.

To prevent any district bank accounts from being further compromised, the district closed all of its bank accounts and established new ones with restricted online access. The district is cooperating fully with the ongoing investigation by the FBI and New York State Police. Additional details may be found on the district Web site at As soon as more information becomes available, it will be posted on the Web site.

Sincerely,
Christine Crowley
Superintendent

Questions So Far?

Facebook Privacy Settings


Twitter Users Are Targets Too

Twitter Phish 1 of 2

Twitter Phish 2 of 2

Password Topics

Parents’ Password Cracked On First Try
The Onion News, Feb 27, 2002
REDONDO BEACH, CA – Nick Berrigan, 14, successfully hacked into his parents’ AOL account on the first try Tuesday, correctly guessing that “Digby” was their password. “They actually used the dog’s name,” said Berrigan, deactivating the parental controls on his AOL account. Experts advise parents to secure Internet accounts with any password besides the name of a family pet.

Free Password Managers
1. Password Safe: – Bruce Schneier’s Project
2. KeePass: keepass.info
3. LastPass: lastpass.com - Firefox Plugin
4. Mac KeyChain:
5. PassPack: – An online password manager

Commercial Password Managers
● 1Password - 1passwd.com
● Keeps track of all web passwords, automates sign-in, guards from identity theft for $39.95
● Roboform -
● $29.95 for the Professional version

Some Key Threats to Passwords
● Brute force or dictionary attacks
● Keystroke loggers
● Social engineering/Phishing

Three KeePass Features
1. Require two-factor authentication to access your KeePass database

KeePass – Opening the Database

KeePass – The Main Interface

KeePass – Individual Entry

A Few KeePass Features
1. Require two-factor authentication to access your KeePass database
2. Drag and drop usernames and passwords into forms

Drag & Drop

A Few KeePass Features
1. Require two-factor authentication to access your KeePass database
2. Drag and drop usernames and passwords into forms
3. Autotype usernames and passwords into forms – a bit advanced

Some Solutions
● You really need two-factor authentication to protect the password database
● Don't trust any machine other than your own to enter a password that protects anything sensitive
● Using a machine you don’t trust? Carry a Live CD of your favorite version of Linux and boot off that

Long Password Expirations Can Be Good
1. Prevention of brute force password theft primarily comes from having strong passwords, not from regularly changed passwords
2. Strong passwords are more likely to be remembered if they are not changed often

Extra Long Password Expirations Could Be Bad
● We assume users will share their passwords:
● with Students
● with Staff
● with Friends
● with Family, etc.
● Putting a ceiling on the life of a password will keep these from lasting forever
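The two expiration slides above rest on a quantitative claim: against brute force, what matters is how long the attacker needs versus how long the password lives. This added Python example (not from the presentation) puts rough numbers on that, and also covers the Onion slide's dictionary case, where "Digby" falls in a handful of guesses regardless of policy. The guess rate and the pet-name wordlist are constructed assumptions; the arithmetic is the standard keyspace estimate.

```python
import string

GUESSES_PER_SECOND = 1_000_000_000   # assumed offline cracking rate (constructed)
SECONDS_PER_DAY = 86_400

# Constructed mini wordlist of the kind a dictionary attack tries first.
PET_NAMES = ["max", "buddy", "digby", "bella", "charlie"]


def alphabet_size(password: str) -> int:
    """Size of the character classes the password actually uses, i.e. the
    alphabet a brute-force attacker must cover per position."""
    size = 0
    if any(c.islower() for c in password):
        size += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        size += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        size += len(string.digits)
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1   # punctuation plus space
    return size


def keyspace(password: str) -> int:
    return alphabet_size(password) ** len(password)


def expected_guesses(password: str, wordlist=PET_NAMES) -> float:
    """A dictionary hit costs a few guesses; otherwise expect to search half
    the keyspace before hitting the right string."""
    if password.lower() in wordlist:
        return wordlist.index(password.lower()) + 1
    return keyspace(password) / 2


def days_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return expected_guesses(password) / rate / SECONDS_PER_DAY


def rotation_helps(password: str, expiry_days: int, rate: float = GUESSES_PER_SECOND) -> bool:
    """Rotation only buys anything if the attacker cannot finish before the
    password expires; otherwise only a stronger password helps."""
    return days_to_crack(password, rate) > expiry_days


if __name__ == "__main__":
    for pw in ["Digby", "Passw0rd", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r:32} alphabet={alphabet_size(pw):3} "
              f"days={days_to_crack(pw):.3g} rotation@90d helps={rotation_helps(pw, 90)}")
```

With the assumed rate, an eight-character mixed-case-plus-digit password such as `Passw0rd` is expected to fall in about 1.3 days, so a 90-day expiry changes nothing; a 28-character passphrase would outlast any realistic expiry, which is the first slide's point. The second slide's concern, passwords that are deliberately shared, is a different failure mode that no amount of entropy addresses, which is why the speaker still wants a ceiling.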

Antivirus
I look for:
– the fastest
– update themselves automatically
– have an easy-to-use interface
Symantec Endpoint
AVG =
AntiVir =
Avast =

Symantec Endpoint (Symantec 11)

From CNET.com Editor Reviews
AVG Popularity: Total downloads 227,792,675; Downloads last week 1,737,919
AntiVir Popularity: Total downloads 61,994,231; Downloads last week 905,902
Avast Popularity: Total downloads 60,978,532; Downloads last week 737,028

AVG Interface

AVG Will Check Every Email

Avira Interface

AVAST Interface

Home Wireless Router Tips
Change Default Password
Firewall is on by Default
WPA2, not WPA or WEP
MAC Address Filtering
Leave SSID on
No personal info in SSID like Smith_Family
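The router checklist above is easy to audit mechanically. As an added example (not from the presentation), this Python script parses a hostapd-style access-point configuration and reports which of the slide's items fail. It assumes the router exposes a hostapd configuration, as many Linux-based routers do; both configurations, the factory-passphrase list and the personal-information hints are constructed. The router's admin password is not part of this file, so the "change default password" item is checked against the Wi-Fi passphrase here.

```python
# Constructed hostapd-style configurations: a weak one and a hardened one.
WEAK_CONF = """
interface=wlan0
ssid=Smith_Family
ignore_broadcast_ssid=0
wpa=1                      # WPA only
wpa_passphrase=12345678    # factory default
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
macaddr_acl=0
"""

HARDENED_CONF = """
interface=wlan0
ssid=blue-teapot-42
ignore_broadcast_ssid=0    # SSID stays visible, as the slide advises
wpa=2                      # WPA2 (RSN) only
wpa_passphrase=long-unique-passphrase-set-by-owner
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
macaddr_acl=1              # deny unless listed in accept_mac_file
accept_mac_file=/etc/hostapd.accept
"""

FACTORY_PASSPHRASES = {"admin", "password", "12345678"}   # constructed list
PERSONAL_HINTS = ("family", "home", "house")              # constructed SSID hints


def parse_hostapd(text: str) -> dict:
    """Minimal parser for key=value lines; '#' comments and blanks ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return one string per checklist item that fails; empty list if clean."""
    findings = []
    # WPA2, not WPA or WEP: hostapd's 'wpa' is a bitfield (1 = WPA, 2 = WPA2/RSN).
    wpa = int(conf.get("wpa", "0"))
    if "wep_key0" in conf or wpa == 0:
        findings.append("encryption: open or WEP")
    elif not wpa & 2:
        findings.append("encryption: WPA only, not WPA2")
    elif conf.get("rsn_pairwise", "") != "CCMP":
        findings.append("encryption: WPA2 without the CCMP pairwise cipher")
    # Change default password (Wi-Fi passphrase checked here).
    if conf.get("wpa_passphrase", "") in FACTORY_PASSPHRASES:
        findings.append("passphrase: factory default still in use")
    # MAC address filtering, as listed on the slide (a weak control on its own).
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("mac filtering: not enabled (macaddr_acl=1 plus accept_mac_file)")
    # Leave SSID on: the slide says keep broadcasting it.
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("ssid: broadcast hidden; slide says leave it on")
    # No personal info in the SSID.
    ssid = conf.get("ssid", "")
    if any(h in ssid.lower() for h in PERSONAL_HINTS):
        findings.append(f"ssid: {ssid!r} looks like personal information")
    return findings


if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONF), ("hardened", HARDENED_CONF)]:
        print(name, audit(parse_hostapd(text)) or "OK")
```

The weak configuration trips four items (WPA-only, factory passphrase, no MAC filtering, personal SSID); the hardened one passes. The firewall item on the slide belongs to the router's packet filter rather than hostapd, so it is not covered here.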

Change The Default Password

Firewall Is On By Default

WPA2

MAC Address Filtering

Home Wireless Router Tips
Change Default Password
Firewall is on by Default
WPA2, not WPA or WEP
MAC Address Filtering
Leave SSID on
No personal info in SSID like Smith_Family

Laptop Tracking Software/Encryption

Key Questions to Consider
How hard is it to disable or remove the software?
Who will have access to the collected data?
– A department?
– The company?
– Individuals?
What type of data is collected?
How many laptops are lost or stolen every year?

LoJack Pros
Very difficult to disable
Asset tracking
The company, only with the user’s permission, can log in to:
– Take pictures
– Erase the hard drive
Will work with police to recover the laptop

LoJack BIOS Compatibility: Asus, Dell, Gammatech, Getac, Gateway, General Dynamics, HP, Fujitsu, Lenovo (IBM Thinkpad), Motion Computing, Panasonic, Toshiba

LoJack Cons
BIOS compatibility does not include Macintosh – 40% of student machines are Macs
Most Expensive - $49 per laptop
The company can get access into laptops, although it is only to be initiated by the owner after it is reported stolen

Laptop/USB Encryption
USB Hardware Encryption – IronKey $$$
Laptop/USB Encryption – TrueCrypt (Free!)

FireFox Addon: AdBlock Plus

The Top Firefox Addon (By Far)

Without AdBlock Plus

With AdBlock Plus

Online Banking Tips
Never type your bank URL into a browser
Or click on a URL that looks like your bank
Always let Google find it for you – Should be the first link

MINT.COM - Discussion

Trends, Transactions, Etc.

Is It Safe? They Say:
– Mint does not require any personally identifiable information
– Sensitive numbers are not sent to or stored by Mint.com
– Mint provides a strictly “read only” view of your transaction information
– VeriSign Security Seal

Thank You! Brian Allen