Casualties of Cyberwarfare - NYSTA TANE Issues Forum - Feb 1, 2017
NYSTA TANE Issues Forum
Casualties of Cyberwarfare
Feb 1, 2017

Jon Brown, Sr. Technology Leader
Vantage Point Solutions
2211 N. Minnesota St., Mitchell, SD 57301
Phone: (605) 995-1777   FAX: (605) 995-1778
Jon.brown@vantagepnt.com
Before you Drop that Landline . . .

                                               Landline Household   Wireless Only
>5 Alcoholic Drinks per Day (in last year)           17.0%              31.3%
Current Smoker                                       14.1%              22.2%
Serious Psychological Distress (last 30 days)         3.0%               4.0%
No Health Insurance                                  14.9%              25.8%
Received Flu Vaccine                                 47.9%              32.8%
Has Been Tested for HIV                              31.8%              44.6%

Source: Wireless Substitution: Early Release Estimates from the National Health Survey, January-June 2013 (CDC)
Be careful who you search for…
• McAfee says a search for Jimmy Kimmel carries a 19 percent chance of landing on a website known for spyware or viruses.
• Other “dangerous celebs” include Flo Rida, Bruce Springsteen, Chelsea Handler and Christina Aguilera
Where are we vulnerable?
• Top threats for 2016
  • Mobile malware (grew by 33% in 2 quarters)
  • Virtual currencies (Ransomware)
  • Cybercrime and Cyberwarfare
  • Social attacks (50 – 100M Facebook accounts are duplicates)
  • PC and server attacks
  • “Gray” payloads
  • Attacks on the cloud
Free Stuff is Good!
• Wide Open Wireless Access Points
• We set up this Wi-Fi hotspot to see if people would join
• 70 people joined within the first 10 minutes
• Why is this a problem?
RAM Scraping
• Recent breaches in big-box stores
  • Albertsons, Supervalu, American West, Target, Home Depot, Jimmy John’s
• How are they hacking the Point-of-Sale box?
  • More than a dozen RAM scrapers available on the market
• Target’s huge hit came via an HVAC vendor account.
CryptoLocker
• GameOver Zeus and CryptoLocker
• Encrypts the user’s files
• The only way to recover is to pay for the private key to unlock them
• Since 2013, over 200,000 people have been hit with this, resulting in over $100 million in losses
• Federal prosecutors also announced charges against 30-year-old Evgeniy Bogachev, who they say led a gang of cyber criminals in Russia and Ukraine that was running GameOver Zeus.
Ransomware and Bitcoin
• Hacker and ransomware currency
• Daily mining from garage to basement to kitchen
Credit, Debit or Donation?
• Recent attacks are increasingly taking sensitive information.
• What is this information worth?
  • On the black market, each credit card number is worth approx. $102
• The Obamacare site, while difficult for legitimate users, proved to be easy prey for hackers
Medical Records Safe, right?
• Reports say 90 percent of hospitals have lost patient data or had a compromise
• Last year, 201 incidents resulted in 2.1 million records exposed
• Hackers sell the information and it is used to submit fraudulent claims to Medicare etc.
• Each record is worth around $50 on the black market
• Most recent attack? A user had “Flappy Bird” on their payment terminal and the installer also installed malware
Are We Too Social?
• Twitter
• Instagram
• Facebook
• Instant Messenger
• Skype
• Ask.fm
• Blogger
• Google+
Let’s Be Honest…
• We really have no clue how secure our apps are
• Apps all tie together more than you realize
  • Google Drive, Picasa, myDlink.com etc.
  • Google Now location detection recommending reviews for the bar you just walked into
• Creepy applications
But Are We REALLY Qualified?
• Do you ever actually understand what permissions your phone is asking for when you install an app?
• Mobile device permissions
  • User-granted permissions
  • Restricted permissions
  • Developer-driven permissions
• App permissions
  • GPS location
  • Full network access
You have been endorsed….
• How many people here use Facebook?
• How many people using Facebook actually read and understood the disclaimer?
• How many people even knew there was a disclaimer?
• The Facebook disclaimer is currently 9110 words and requires at least a college sophomore level of education to understand
• I would like you to join my network… LinkedIn
  • 7895 words in their disclaimers
• Clearly there are some risks if they need THAT much CYA.
The Newest Identity Theft Tools for 2017
Top Threats 2017
• 780 Million: number of wearable devices by 2019
• 24.4 Billion: number of IP-connected devices by 2019
• 200 Million: number of connected cars on the road by 2020
Yup… Still Effective…
Can you hear me now?
• Robocall scam that uses your voice to authorize purchases
• Tips to avoid this scam:
  • Don’t answer the phone from numbers you don’t know.
  • Don’t confirm your number over the phone.
  • Don’t give out personal information.
  • Don’t answer questions.
Cars, Garage Doors and Everything Else Wireless
Why did the Rubber Ducky Cross the Road?
• To literally WALK through all your security efforts
Acoustical Hacking
• Acoustic cryptanalysis
• Attacks on keyboards, keypads and even cooling fans
Easy Access to Webcams
Hacking under $50
Locking up your brakes. There’s an app for that
• Uconnect is a feature on hundreds of thousands of Chrysler vehicles
• Uconnect’s cellular function lets anyone who knows the IP gain access from anywhere
• Dashboard hijacking, lower speeds, kill the engine, disable brakes, engage brakes, and hijack the wheel if in reverse
• A patch was released but requires drivers to install it via USB
Trust me……
Social Engineering
• We are able to obtain extremely sensitive data just by asking for it
• Recent request for a W2 database led to a compromise
• On most occasions, we gain control of 2 machines out of 10 (it only takes one)
• By far THE most dangerous of all attacks
You have been tagged…
How to Protect Yourself
How to protect yourself
• Secure wireless
  • Turn your Wi-Fi and Bluetooth off when not using them.
  • Many routers have the ability to have Wi-Fi turned off in the evening
  • Disable WPA
• Two-factor authentication
  • Google, Twitter etc. prompt for a second code to log in from an unknown machine
• Don’t use the same password for all accounts
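As an added illustration of the second-code step above (example code written for this page, not from the presentation), the following Python generates and checks RFC 6238 time-based one-time codes of the kind Google and Twitter prompt for; the secret and timestamps are the RFC's published test values, and the one-step tolerance for clock drift is an assumption.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
# A real authenticator app stores a per-account secret delivered once
# (usually as a QR code); this one is the RFC's published test key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept a submitted code only if it matches the current step or one
    step either side (assumed drift tolerance). compare_digest keeps the
    comparison constant-time, so a wrong guess leaks no timing information."""
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 with SHA-1 and 8 digits gives 94287082.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    # The same code presented much later is rejected: a captured code expires.
    print(verify_totp(RFC_TEST_SECRET, "94287082", 1111111109, digits=8))
    # What an authenticator would show for this secret right now.
    print(totp(RFC_TEST_SECRET, time.time()))
```

The codes change every 30 seconds and depend on a secret that never leaves the device, which is why a password alone is not enough to log in from an unknown machine.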
What Can You Do, Cont.
• Never log into a site from a link within an email. Always go to the site directly to verify it is actually who they say they are
• Be cautious and verify people before giving out information (bank social engineering)
• Keep your machines up to date
• Invest in data backup protection
What Can You Do, Cont.
• Disable GPS geotagging in mobile apps
  • This includes Instagram, Facebook, Google+ etc.
  • Facebook places “sent from location” on chats
• Lock down webcams if you use them; they are extremely easy to find online if wide open
• ALWAYS look at certificate warnings and avoid sites with invalid or expired certificates
  • Could be a man-in-the-middle attack
• Always use secure protocols when on “community” Wi-Fi
• Educate yourself. When in doubt, ask someone who might know
Rise of the Machines
Final Thoughts
• Recognize we are all part of the problem and part of the solution
• Exercise your cyber-citizenship / cyber-hygiene
• Implement and incorporate security awareness training for employees
• Offer cyber security awareness to communities
  • W2 company offering training
• Participate in cyber initiatives
• The Rise of the Machines will change our world
Questions?
The END