1. Security Awareness: Security Tips for Protecting Ourselves Online Wednesday, February 10th, 2010 Brian Allen ballen@wustl.edu Network Security Analyst, Washington University in St. Louis http://nso.wustl.edu/presentations/

2. Let’s Talk About… Zeus (And Other Bots That Steal Money) Home Wireless Router Security: Facebook/Social Network Security: Password Security: AV Products: Laptop Security: Browsing with Firefox Addons: Online Banking:

3. Three Notable Zeus Attacks in the Past Year Bullitt County, Kentucky: July 2009 -$415,000 http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html Western Beaver School District, PA Jan 2009 -$219,000 http://www.courier-journal.com/blogs/bullitt/2009/07/bullitt-not-alone-in-online-thefts.html Duanesburg Central School District, NY: Jan 2010 -$3Million http://www.duanesburg.org/news/0910/cybercrime.htm

4. How Zeus Works 1.Hackers send phishing emails with a link to download the zeus bot to the victim’s computer 2.The zeus bot has a keylogger which captures the victim’s bank credentials 3.The criminal logs in to bank's website using that information, and transfers money to the "Customer Service Specialist" AKA Money Mule 4.The Mule then receives instructions on how to wire the money internationally, keeping a generation commission (money stolen from someone else's bank account!) for themselves

5. Zeus Facts 3.6 Million bots in the US as of Sep 2009 http://www.networkworld.com/news/2009/072209-botnets.html For Computers with up-to-date AV, 55% still were infected by Zeus http://www.trusteer.com/files/Zeus_and_Antivirus.pdf Sold on the Underground Economy and Used by Criminal Organizations

6. What Can Zeus Do? The majority of the time a keylogger is activated Replace the web form on a search page to ask for additional information: card numbers, pin numbers, SSNs, answers to security questions, etc. Real-time screenshots can be taken from infected machines It can “phone home” and update itself

7. ZEUS Website/Phish Examples

21. #1 Way To Prevent Infection Do Not Click On Suspicious Links and Attachments In Emails If there are questions about a particular email, ask first.

22. Tokens Are Not Perfect Zeus can create a direct connection between the infected computer and the attacker’s, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives. By connecting through the victim's PC or Internet connection, the bad guys can avoid raising any suspicions.

23. Requiring Two People is not Perfect - The attackers somehow got the Zeus Trojan on the county treasurer's PC, and used it to steal the username and password the treasurer needed to access e-mail and the county's bank account. - The attackers then logged into the county's bank account by tunneling through the treasurer's Internet connection. - Once logged in, the criminals changed the judge's password, as well as e-mail address tied to the judge's account, so that any future notifications about one- time passphrases would be sent to an e-mail address the attackers controlled. - They then created several fictitious employees of the county (these were the 25 real-life, co-conspirators hired by the attackers to receive the stolen funds), and created a batch of wire transfers to those individuals to be approved. - The crooks then logged into the county's bank account using the judge's credentials and a computer outside of the state of Kentucky. When the bank's security system failed to recognize the profile of the PC, the bank sent an e-mail with the challenge passphrase to an e-mail address the attackers controlled. - The attackers then retrieved the passphrase from the e-mail, and logged in again with the judge's new credentials and the one-time passphrase. Once logged in, the crooks were able to approve the batch of wire transfers.

24. Note the NY Attack Started on a Fri On Friday, Dec. 18, an unauthorized electronic transfer of $1,862,400 was made from a Duanesburg Central School District NBT Bank account to an overseas bank.

25. January 5, 2010 Dear Parents and Community Members, The Duanesburg Central School District announced today that it is working closely with the Federal Bureau of Investigation and New York State Police to investigate unauthorized electronic transfers of school district funds from its NBT Bank account. The district first learned of the fraudulent activity on Tuesday, Dec. 22, when contacted by an NBT bank representative, questioning the validity of a request for an electronic transfer of funds to multiple overseas accounts that day. Upon confirming with the district that the transfer was not authorized, the bank immediately cancelled the pending transaction, which totaled approximately $759,000. After further review, it was discovered that an additional $3 million in unauthorized electronic transfers to various overseas banks had already been executed over the previous two business days, between December 18-21. Both district officials and the bank immediately contacted the FBI, which opened an investigation along with state police. To date, $2.5 million of the stolen funds have been recovered by NBT Bank, working with several overseas financial institutions. Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered. However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds. To prevent any district bank accounts from being further compromised, the district closed all of its bank accounts and established new ones with restricted online access. The district is cooperating fully with the ongoing investigation by the FBI and New York State Police. Additional details may be found on the district Web site at www.duanesburg.org. As soon as more information becomes available, it will be posted on the Web site. Sincerely, Christine Crowley Superintendent. Letter Sent Out After NY Attack http://www.duanesburg.org/news/0910/communityltr010510.pd

26. Questions So Far?

27. Facebook Privacy Settings

37. pics1

39. Twitter Users Are Targets Too

40. Twitter Phish 1 of 2

41. Twitter Phish 2 of 2

42. Password Topics

43. Parents’ Password Cracked On First Try The Onion News Feb 27, 2002 REDONDO BEACH, CA – Nick Berrigan, 14, successfully hacked into his parents’ AOL account on the first try Tuesday, correctly guessing that “Digby” was their password. “They actually used the dog’s name,” said Berrigan, deactivating the parental controls on his AOL account. Experts advise parents to secure Internet accounts with any password besides the name of a family pet

44. Free Password Managers 1.Password Safe: www.schneier.com/passsafe.html – Bruce Schneier’s Project 2.KeePass: keepass.info 3.LastPass: lastpass.com - Firefox Plugin 4.Mac KeyChain: 5.PassPack: www.passpack.com –An online password manager

45. Commercial Password Managers ● 1Password - 1passwd.com ● Keeps track of all web passwords, automates sign-in, guards from identity theft for $39.95 ● Roboform - www.roboform.com ● $29.95 for the Professional version

46. Some Key Threats to Passwords ● Brute force or dictionary attacks ● Keystroke loggers ● Social engineering/Phishing

47. Three KeePass Features 1.Require two factor authentication to access your keepass database

48. KeePass – Opening the Database

49. KeePass – The Main Interface

50. KeePass – Individual Entry

51. A Few KeePass Features 1.Require two factor authentication to access your keepass database 2.Drag and drop username and passwords into forms

52. Drag & Drop

53. A Few KeePass Features 1.Require two factor authentication to access your keepass database 2.Drag and drop username and passwords into forms 3.Autotype username and passwords into forms – a bit advanced

54. Some Solutions ● You really need two factor authentication to protect the password database ● Don't trust any machine other than your own to enter a password that protects anything sensitive ● Using a machine you don’t trust? Carry a Live CD of your favorite version of linux and boot off that

55. Long Password Expirations Can Be Good 1. Prevention of brute force password theft primarily comes from having strong passwords, not from regularly changed passwords 2. Strong passwords are more likely to be remembered if they are not changed often

56. Extra Long Password Expirations Could Be Bad ● We assume users will share their passwords: ● with Students ● with Staff ● with Friends ● with Family, etc. ● Putting a ceiling on the life of a password will keep these from lasting forever

58. Antivirus I look for: – the fastest – update themselves automatically – have an easy to use interface Symantec Endpoint AVG = http://free.avg.com AntiVir = http://www.free-av.com Avast = http://www.avast.com

59. Symantec Endpoint (Symantec 11)

60. From CNET.com Editor Reviews AVG Popularity: * Total downloads 227,792,675 * Downloads last week 1,737,919 AntiVir Popularity: * Total downloads 61,994,231 * Downloads last week 905,902 Avast Popularity: * Total downloads 60,978,532 * Downloads last week 737,028

61. AVG Interface

62. AVG Will Check Every Email

63. Avira Interface

64. AVAST Interface

65. Home Wireless Router Tips Change Default Password Firewall is on by Default WPA2, not WPA or WEP MAC Address Filtering Leave SSID on No personal info in SSID like Smith_Family

66. Change The Default Password

67. Firewall Is On By Default

68. WPA2

69. MAC Address Filtering

70. Home Wireless Router Tips Change Default Password Firewall is on by Default WPA2, not WPA or WEP MAC Address Filtering Leave SSID on No personal info in SSID like Smith_Family

72. Laptop Tracking Software/Encryption

73. Key Questions to Consider How hard is it to disable or remove the software? Who will have access to the collected data? – A department? – The company? – Individuals? What type of data is collected? How many laptops are lost or stolen every year?

74. LoJack Pros Very difficult to disable Asset tracking The company, only with the user’s permission can log in to: – Take pictures – Erase the hard drive Will work with police to recover the laptop

75. LoJack Bios Compatibility Asus Dell Gammatech Getac Gateway General Dynamics HP Fujitsu Lenovo (IBM Thinkpad) Motion Computing Panasonic Toshiba

76. LoJack Cons Bios compatibility does not include Macintosh – 40% student machines are Macs Most Expensive - $49 per laptop The company can get access into laptops, although it is only to be initiated by the owner after it is reported stolen

77. Laptop/USB Encryption USB Hardware Encryption – IronKey $$$ Laptop/USB Encryption – TrueCrypt (Free!)

78. FireFox Addon: AdBlock Plus

79. The Top Firefox Addon (By Far)

80. Without AdBlock Plus

81. With AdBlock Plus

82. Online Banking Tips Never type your bank url into a browser Or click on a url that looks like your bank Always let Google find it for you – Should be the first link

83. MINT.COM - Discussion

84. Trends, Transactions, Etc.

85. Is It Safe? They Say: – Mint does not require any personally identifiable information – Sensitive numbers are not sent to or stored by Mint.com – Mint provides a strictly “read only” view of your transaction information – VeriSign Security Seal

86. Thank You! Brian Allen ballen@wustl.edu http://nso.wustl.edu