It Could Happen To You - Protecting Privacy Tim Hoffman, MS, CISSP, ISP, C|EH, GCIH, ITIL, CCSK, CTT+, Security+ - THA Security's

It Could Happen To You
Protecting Privacy
Tim Hoffman, MS, CISSP, ISP, C|EH, GCIH, ITIL, CCSK, CTT+, Security+…

© Tim Hoffman & Associates, LLC 2020
Agenda
 — Overview – Qualifications
 — Laptop Lounge and Alida Connection
 — Privacy – What Is It?
 — Right of Privacy – PERSONAL AUTONOMY
 — Good Old Days
 — Our World Has Changed (I and II)
 — Social Media Addiction
 — We Give Our Data Away For Free
 — Legal Residual Risks in Social Media
 — Community Changes Everything
 — Privacy Right
 — Top Threat of the Day: CYBER CRIME
 — DARKNET FULLZ Google Search
 — Staying Anonymous
 — Finding Information
 — Who Has Our Information: EVERYONE
 — Identity Theft (Financial)
 — Identity Theft (Medical)
 — Let’s Get Technical
Overview - Qualifications
     — President/CEO – Alida Connection
     — Lead Information Security Engineer at UCSF and for the Center for Digital Health Innovation
     — EVP ISSA Colorado Springs - Fellow
     — Former US Navy Cryptologic Officer - part of the Intelligence Community
       — Director of Threat at NSA, spending time in Off-Line Crypto and Signals Intelligence/SIGSEC, and
         taught Electronic Warfare – Radio Fingerprinting – Mensuration
         — Mensuration, a branch of mathematics that deals with measurement of various
           parameters of geometric figures
     — Co-Author of technical series
       — Network+ Certification Guide, TCP/IP for Windows NT 4.0, TCP/IP for Windows 2000,
         Microsoft Proxy Server 2.0, UBS Warburg Rollout Policy
     — MS, CISSP, ISP, C|EH, GCIH, ITIL, CCSK, CTT+, Security+…

Laptop Lounge and the Alida Connection
    — This presentation will not:
      — Make you thinner.
      — Put $12,000,000 in your bank account.
      — Help you find the LOVE of your life.

    — If you are receiving many advertisements in email for Cialis and Viagra – this discussion may
        be for you.

PRIVACY – What Is It?
  — Privacy (from Latin: privatus) is the ability of an individual or group to seclude
      themselves, or information about themselves, and thereby express themselves selectively.
      When something is private to a person, it usually means there is something to them
      inherently special or sensitive.

  — The domain of privacy partially overlaps security, including for instance the concepts of
      appropriate use, as well as protection of information. Privacy may also take the form
      of bodily integrity.

  — Privacy may be voluntarily sacrificed, normally in exchange for perceived benefits and very
      often with specific dangers and losses, although this is a very strategic view of human
      relationships. In the business world, a person may volunteer personal details (often for
      advertising purposes) in order to gamble on winning a prize. Personal information which
      is voluntarily shared but subsequently stolen or misused can lead to identity theft.

Right of Privacy: PERSONAL AUTONOMY
  — The right of privacy has evolved to protect the freedom of individuals to choose whether or not to
      perform certain acts or subject themselves to certain experiences.

  — This personal autonomy has grown into a 'liberty' protected by the Due Process Clause of the
      14th Amendment.

  — This liberty is narrowly defined and generally only protects privacy of family, marriage,
      motherhood, procreation, and child rearing.

  — There have been attempts to further extend the right of privacy under other Amendments (1st,
      4th, and 5th) to the U.S. Constitution; however, a general right to personal autonomy has yet to
      take hold beyond limited circumstances.
      — Source: Cornell Law

  — In the 1940s we assumed everyone was honest – good citizens.

  — What are our assumptions today?
Good Old Days
        — Those who cannot remember the past are condemned to repeat it.
        — Analogy - SLOW - versus - FAST - and LOCAL versus GLOBAL.
        — Investigations - Information Collection - Step-by-Step
        — Privacy by Design – everything was local – so choices were limited
        — Data was collected and used locally. A background check for Government work was
             a lengthy process – one element at a time.
             — Local Agency Check (Police Records)
             — National Agency Check (ENT – NAC or NAC)
             — SBI – SSBI and beyond (nuclear programs etc.)

        — Name – Address – Phone – Family & Relatives – Mother’s Maiden Name - SSN –
             DOB – Past Addresses – Place of Employment – Real Property – Marriage – Divorce
             – Voter Registration – Civil Court and Public Filings – Permits – Licenses – Church
             Affiliations – Tax Filing – Donations – Credit Report – Credit Cards – Phone Bills –
Our World Has Changed
    — Computing Power (speed, hard drive storage and memory)
    — Everyone has a cell phone / smart phone
    — Everything is immediate and digital - Travel, Medical records, Credit Card
    — Department of Homeland Security saves 75 years of exit and entry records for the US
    — Google – stores 100 Years of every Newspaper in the US
    — Every Twitter tweet turned over to the Library of Congress
    — Optical Character Readers can scan thousands of sheets every day
    — Google mapped every Wi-Fi node in North America
    — Creation of new Search Models and new video-to-text translators
    — Precision Target Marketing – merchants want to sell stuff
Our World Has Changed
    — There is no forgetting – everything you have ever done
        — Every Rant – post – picture – ticket – newsgroup – telephone call and Every Bit and Byte of Activity
    — Everything is forever cached – indexed – and stored for posterity
    — No privacy any more – no shame –
    — LinkedIn – Name Address Phone
    — Sexual Orientation
    — What you did last night – life casting – real reality
    — Where you are going on vacation (and your children)
    — Blippy.com – putting your entire set of purchases online
    — GPS is always on – Everyone wants to know everything about you
    — Augmented Reality (facial recognition – building - landmark recognition)
    — Picasa now has Built in Facial Recognition
    — Tag everything – right?
Social Media Addiction

We Give Our Data Away For Free
    — Before computers were used as primary tools, people used anonymity to
        protect their privacy. Are you anonymous today? No - today anonymity is close
        to non-existent for anyone alive.

    — Cyber crime is increasing exponentially – Nation State Sponsored.
    — Once you give your data to a company, who does it belong to?
    — What’s in your account?
    — Identity theft is rampant.
    — Ever tried to delete?
    — Look at Wayback at archive.org

    — Facebook – Twitter – Tumblr – Foursquare – Pinterest – Shutterfly – Instagram – …
    — Google Drive – AWS (Amazon) – Azure (Microsoft) – Box – DROPBOX – iCloud
Community Changes Everything
     — Today – Everyone has a megaphone

     — The end of Forgetting is here – all communications are permanent and indelible

     — Data points exist on everything that is put online in any format

     — Social media means:
       — Everyone talks
       — Everyone listens
       — Everyone remembers
       — EVERYTHING !

     — The line between personal and professional – private and public is a BLUR !

     — Social media creates both internal and external legal risks that did not exist before.
Legal Residual Risks in Social Media
        — Disclosure of RESTRICTED (Confidential/SECRET) information
        — Trademark Infringement
        — Copyright Infringement
        — Defamation
        — E-Discovery
        — Endorsements
        — Privacy and Publicity RIGHTS
        — HR Issues

Privacy Right
        — Privacy is one of the most widely sought and most highly valued rights.

        — The TO DO LIST:
            — Consider what you reveal about personal details to strangers or just-met
                “friends” (think social engineering)
            — Beware of web sites that offer rewards and prizes
            — Be aware of home computer and device security
            — Examine privacy policies
            — Use encryption everywhere possible (look for the lock)

        — The NOT DO LIST:
          — Do not reveal personal information inadvertently
          — Do not reply to spammers - for any reason
Top Threat of the Day: CYBER CRIME
        In the evolution of CYBER CRIME - In days past:

        — Perhaps a teenager or a couple of friends got together with some energy drinks or a
            Mountain Dew and set out to find a web server with vulnerabilities they could exploit
            for fun.

        Cyber Crime Today:

        — The lone criminal is still out there, but the predominant form of threat is the organized
            group of cyber criminals who are intent on hacking for profit.

        — Many of the groups that do this are made up of highly skilled professionals who seek
            financial gains.

        — Credit cards are worth a dollar ($1) each

        — Medical Record with some history is worth up to $214 (Ponemon Institute)

DARKNET FULLZ Google Search
      —   Hello I'm hacker and seller and I offer stuff for serious carders.
          If you need CVV or ***** (track1/track2 original), or something else I will be glad to help you.
          Always in stock Us , EU , UK , CN database of *****, COB's, Full Info, CVV's...
          ***** - include original track1/track2, also have some ***** with card holder info (ZIP , SSN , MMN , CVV2)
          CVVs - include CC#, CVV2, EXP.DATE, full name, full address.
          My service is well-known, and verified at carding forums. I am a verified seller at these sites:
          Netcarding.ru
          OffCarding
          DarkNet
          CardingWorld
          I do shopping to any address in US and UK,I shop iphones,laptops,perfums and more,Laptop is 100$,Iphone is
          100$,Normal phone is 80$.............
          Come for more deal
          Contact me if u want buy: sellcvv_good14
          1 Visa card..........3$
          1 master card..........3$
          1 amex card..........5$
          1 Dicover card..........5$
          1 Company card..........8$
          1 Uk Card Nornal CC..........5$
          1 Uk Card With DOB ..........20$
          1 Track 1& 2 CC..........30$

      —   Look up Black Market Reloaded – Google Search – find the guide for staying anonymous.

Staying Anonymous

Finding Information
       — Oh Ngo! Consumer Credit Company Experian, Which Sells ID Theft
           Protection, Duped by Cybercriminal into Selling Credit Card and Other Data
           on Millions of Americans.
       — Hieu Minh Ngo (We presume Ngo pronounces his name “No” – hence our
           headline) ran an underground service called Superget.info. This
           registration-free site made it possible for cybercriminals to look up full Social Security
           numbers, birthdays, drivers’ license records and financial information on
           millions of Americans. Payment to the site was made via WebMoney and other
           virtual currencies.
       — Brian Krebs in KrebsOnSecurity did a painstaking, lengthy investigation, which
           turned into a rather lengthy piece. Find his full piece at krebsonsecurity.com.

       — Each SSN search on Superget.info returned consumer records that were
           marked with a set of varying and mysterious two- and three-letter “sourceid:”
           identifiers, including “TH,” “MV,” and “NCO,” among others. …(The)
           abbreviations matched data sets produced by Columbus, Ohio-based
           USInfoSearch.com.

Who Has Our Information: EVERYONE
    — Web search engines - the current listing:
        Abbreviations for abbreviations
        ABC Search engine - every search starts with ABC
        About for guidance, not guesswork
        Academic Search. It's from Microsoft, so it's got to be great. Hasn't it?
        Acronym finder - for over 750,000 human edited definitions
        Addictomatic Great for quick results in a modular format.
        Alexa is good for finding information on the top 100k sites
        AllPlus - meta search and discovery engine
        Answers is the world's leading Q&A site
        AOL Search no, I didn't think it was still going, but it is
        Around People Finder. UK, US, Australia, Europe emphasized.
        Ask (Jeeves) still limping along, shadow of its former self
        Ask if you want the US/global version
        Azoos is the brightest yellow search engine out there
        Bananaslug Run a search and include a random word, to see what you get!
        BASE for academic search. 56 million+ documents

Who Has Our Information: EVERYONE
    — BBC Video Nation, with categories, features and local information
        Behold for flickr images
        Betterwhois gets you good accurate information on domains
        Bing. Microsoft's faint Google lookalike.
        Biographies.net is an excellent source to identify biographical information.
        Blekko is a good alternative to the big 3. Definitely try it.
        Blindsearch to compare results of major engines
        Blinkx is a video search engine, with 35 million hours of it!
        Blippex is for private searching. They don't track you.
        Carrot2 is a clustering engine – to focus on a subject area you're not sure of
        ChaCha allows you get other people to help with your search
        Clipblast searches for videos for you. Not personally stunned by it.
        Cluuz A visual search engine
        Collarity for personalized searching across different types of data
        CompletePlanet for 70k of searchable databases. Good for deep web
        Country search engines is my list of 4,000 engines for 200+ countries
        Creative Common search. Great for finding stuff you're allowed to use.
        CriticalPast for vintage stock footage and royalty free material.
        DailyEarth US newspaper emphasis.
Who Has Our Information: EVERYONE
       — Dailymotion for videos - emphasis on UK based content
           Daybees the world's largest events search engine, so they say.
           Definitions is good for thousands of definitions
           Deepdyve for deep web searching
           Digital Librarian; a librarian's choice of the best of the web
           DMOZ for a hierarchical directory, old but still good
           Dogpile for multi-search of Google, Yahoo, Ask & Bing (GYAB)
           Draze to compare Google, Yahoo and Bing
           FindThatFile for documents, audio, video, zip, archives and so on.
           FinQoo is an underwhelming meta search engine
           Galaxy is a directory based search engine
           Gigablast is a good second string search engine.
           DuckDuckGo is a family safe engine
           Eatbydate tells you if food is safe to eat. Could save your life! Maybe.
           Ehow searches for crafty type material and 'how to' stuff.
           Entireweb is a free text search engine
           Exalead is an excellent alternative to Google
           Excite is there, but does anyone use it any more?
Who Has Our Information: EVERYONE
    — Info Service is quirky and very colorful. Odd directory though
        Internet Archive to see all those old pages!
        Intute for academic resources. First class service
        Irazoo search, win gift cards. I want to search, not win $5
        Iseek is a clustering search engine; very good too
        Ixquick is an excellent meta search engine
        Izito Combines 'all' search engines. Err, no, it doesn't.
        Jurn is a curated academic search engine indexing 4.5k free ejournals in the arts
        Kedrix Why search when you can mearch?
        KidsClick is web search for children by librarians
        KidRex is another children's safe search engine
        Kngine styles itself as a Web 3 semantic web search engine
        Knowem? Search over 550 social networks for brand and user names
        Lanyrd Need to find a conference, event or speaker? This'll help out
        Librarians' Internet Index is a brilliant resource

Who Has Our Information: EVERYONE
    — LocateTV find shows, actors and movies
        Lyrics is a great search engine to find those song lyrics. V. Good.
        Lycos is still out there, but getting old and creaky
        Macroglossa Visual search engine Upload image, see what it finds
        Mahalo for social search, human created information resources
        Mamma is the mother of all meta search engines
        MetaCrawler is a meta search engine
        Millionshort all the results, except the top million or so. Interesting take on search.
        MrSapo Multi search engine, lots of options, very sparse SERP though.
        Monstercrawler for a GYAB search
        Motherpipe - no tracking, no cookies, just search
        Mundusearch for web, sounds, lyrics, music and video
        MyAllSearch You can choose from Google, Yahoo, Bing, Ask (Jeeves),
        Yandex, Lycos, Metacrawler, Entireweb and DuckDuckGo.
        Newseum 772 front pages from 80+ countries.
        Newslookup Latest news headlines, emphasis on US but also global content
Who Has Our Information: EVERYONE
       — Newsmap Great tool; news arranged by color and size.
           NewsNow Emphasis on the UK news.
           Numberfetch for landline and free phone numbers
           OAIster for academic material that's otherwise hard to find
           OmniMedicalSearch is a top notch medical search engine
           Oolone is a graphic search engine; quite pleasing to look at and use.
           Opening TV Themes. Yes, you will lose hours of your life happily humming
           Panabee for comparing results from different search engines
           Pepesearch for free text and directory search. Not impressed
           Phrases.net for common phrases, casual expressions and idioms
           Pipl People finder. Good as the rest, which means not any better.
           PolyMeta is an intelligent meta search and clustering engine
           PublicRadioFan for searching for radio stations.
           Qrobe for Google, Yahoo/Bing and Ask
           Questfinder is a selective web directory
Who Has Our Information: EVERYONE
    — Quixey Want apps? This has apps in abundance!
        Quotes.net for famous and not so famous quotations
        Quintura for visual search in a word/tag cloud for children.
        RealMoneyPoker offers an online Texas Hold'em legality search engine
        Redz for visual search - an arch of webpage thumbnails
        References is a good source of reference resources
        ReferrerCode - An Online Games Bonus Code Search Engine
        Re-QUEST is a directory based engine
        Rhymes.net finds words that rhyme, with translation / pronunciation as well.
        RocketNews Bit of a dud - very repetitive, but global
        ScienceHack for science videos verified by 'a scientist'
        Scour to search socially, see community votes and comments
        Searchbug for people and company search in the US
        Search is a multi search engine. Not stunned by it
        Searchboth lets you compare results for 9 different engines
        Searchbots is a 'build your own' resource
        Searchdazzle puts 4 engines on one page.
        Searchhippo is another multi-search engine that doesn't excite me
        SearchLion covers Web, images, news, video, blogs, twitter. Blended approach.
        SearchMedia is a UK medical search engine for professionals
Who Has Our Information: EVERYONE
    — Searchthenet is a multi-search engine - 20 engines offered
         SearchtheWeb is a directory engine which fails to impress
         Sency for real time, what's happening this moment information
         Similar-site finds similar sites to that which you provide
         Similarsites finds similar sites to that which you provide
         Similicio.us finds similar sites to that which you provide
         Silobreaker is the #1 news site out there, bar none
         Siteslike is a find similar sites engine
         SlideFinder searches for PowerPoint presentations
         Slider is a full text search engine that searches DMOZ
         SmartLinks provides quick links in a directory structure
         SnapBird for Twitter searching
         Snappyfingers is a Q&A database, searching FAQs.
         Socialmention* A king of real time social media search and analysis
         Soovle for Google, Wikipedia, Answers, YouTube, Ask, Yahoo, Amazon
         Soundclips for uh.. clips of y'know, sounds and stuff.
         SoundJax for clips of sounds. Loads of sounds.
         Soungle for even more sounds.
         Spacetime 3D looks very similar to Redz; visual search engine
         Spezify for multi-search visual results
Who Has Our Information: EVERYONE
       — Sputtr - lots of tiles for multi searching.
           Stilltasty is a food date/edibility search engine
           Surfcanyon is a general engine
           Sunsteam is a directory engine, now 10 years old
           Sweetsearch evaluated sources designed for students
           Symbols is about signs, flags, glyphs, excellent arrangement, top resource
           Synonyms.net is the web's most comprehensive synonym resource
           TeacherTube for safe and education YouTube videos
           Technorati for blog search
           TellyAds has over 17K recent TV ads available to search.
           The Net 1 is a directory engine
           The Paperboy Front pages of newspapers. Great for news freaks.
           TopSite Find the best 10 top websites for almost any subject
           Topsy Want tweets? They have 425 billion of them. The place to go to search Twitter
           Trooker is a great video search engine resource
           Trovando - first class multi search engine, though some choices are very outdated now.
           True Knowledge allows you to ask questions on the web, just as if you were talking to
           another human being. Renamed as Evi.
           Turboscout is an excellent multi search engine
           USZip provides excellent factual information on US zip code locations.
           Vimeo is another YouTube lookalike video search engine
Who Has Our Information: EVERYONE
   — Wayback machine to go way back to 1996 for examples of archived pages. Invaluable
       WebCrawler is a meta engine for GYAB
       Web-Search is a multi search engine that offers 18 resources
       WebWorld for quality sites on the web, in a directory style
       Whostalkin Who is talking, not stalking. Though as it's a social media engine, who knows?
       Wink People Finder. Emphasis on US, but over 400 million profiles
       Wolfram Alpha is a computational search engine; good but different!
       Worldcat find 2 billion items in libraries near you. (Near being a relative term)
       Worldnews News from around the world. Fancy that.
       WWW Virtual Library for directory listing of virtual libraries
       Yabigo searches Yahoo, Bing and Google
       Yahoo needs no introduction either.

Who Has Our Information: EVERYONE
    — Yandex is Russian based, but don't let that put you off, it's a good alternative to Google
         Yippy is 'family friendly' which means badly censored to the point of being actively unhelpful.
         Yometa takes the results from Google, Yahoo and Bing and displays them in a Venn diagram
         YouTube is for videos, but you knew that already
         Zakta is a personalized search engine resource
         Zanran helps you to find ‘semi-structured’ data on the web.
         Zapmeta searches all the major engines
         Zeekly for private searching. Nothing kept or stored, including IP addresses
         10x10 100 words and pictures that define the time. Unique and interesting.
         123 people is a UK people search engine
         48ers Real time social search.
Types of Identity Theft
        — Value to the thief

Identity Theft (Financial)
     — Identity Theft typically causes us to think about people stealing our credit cards and
         bank accounts and then we are left with fallout in the form of making repairs for a
         year or two on Credit Reports.

     — This is called financial identity theft. We hear about data breaches like TJ Maxx (47.5
         million credit cards) and Heartland Payment Systems (130 million credit cards)
         regularly now.

     — We have pretty much lost faith in the financial institutions that should protect our
         information and we are probably thinking about better ways to protect ourselves.
         When an identity thief gets access to your bank account, you will want to read up on
         the Electronic Funds Transfer Act (EFTA).

     — VISA – Master Card – Home Depot – UPS – Michael’s – Target – Sony - GoodWill

Identity Theft (Medical)
   — Medical Identity Theft is described by the World Health Organization as “the
        information crime that can kill you.” It’s not just the most dangerous form of
        identity theft, it’s also one of the hardest to fix. There are very specific areas
        you will want to look into when you are a victim of medical identity theft, and
        they are in general vastly different from dealing with any other type of identity
        theft.
   — Medical Information Bureau (MIB) Group, Inc. is a cooperative data exchange
        formed by the North American life insurance industry in 1909.
   — (As a side-note, there is a lot of misinformation concerning the Medical
        Information Bureau (MIB) when it comes to medical identity theft. Keep in
        mind that, despite the name of the organization, MIB Group has almost
        nothing to do with medical identity theft – although if you are a victim of
        insurance identity theft you may want to consider checking your free MIB
        report.)

Let’s Get Technical
           — As our networks increase in speed, complexity, and nuance:
             — How do we include appropriate security measures?

           — Can you identify current Passive Attacks?
             — Network wiretapping - Port scanner - Idle scan

           — Can you identify current Active Attacks?
             — Denial-of-service attack – Spoofing - Man in the middle - ARP poisoning - Smurf attack
             — Buffer overflow - Heap overflow - Format string attack - SQL injection - cyber attack
             — Heartbleed (OpenSSL)
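The slide asks whether you can identify a port scanner at work. As an added example (not part of the original deck), here is a small Python detector that flags the classic port-scan pattern in firewall connection logs: one source touching many distinct ports on one host within a short window, with most attempts denied. The log format, the IP addresses and the thresholds are assumptions constructed for this example.

```python
"""Flag port-scan behaviour in firewall connection logs (added example).

Assumed log format (constructed for this example, not a real product's):
    <ISO timestamp> <src ip> -> <dst ip>:<dst port> ALLOW|DENY
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)


def _build_sample():
    """Constructed sample: a normal client plus one host sweeping ports 20-35."""
    lines = [
        "2020-03-01T10:00:00 203.0.113.5 -> 192.0.2.10:443 ALLOW",
        "2020-03-01T10:00:05 203.0.113.5 -> 192.0.2.10:80 ALLOW",
    ]
    for i, port in enumerate(range(20, 36)):
        action = "ALLOW" if port == 22 else "DENY"  # only SSH is open on the target
        lines.append(f"2020-03-01T10:00:{i + 1:02d} 198.51.100.7 -> 192.0.2.10:{port} {action}")
    lines.append("2020-03-01T10:00:30 203.0.113.5 -> 192.0.2.10:443 ALLOW")
    lines.append("malformed line that the parser must skip")
    return lines


SAMPLE_LOG = _build_sample()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10, min_deny_ratio=0.8):
    """Return one alert per (src, dst) pair whose busiest window looks like a scan.

    A window "looks like a scan" when the source hits at least `min_ports`
    distinct destination ports on one host and at least `min_deny_ratio` of
    the attempts in that window were denied (closed or filtered ports).
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        best_ports, best_ratio = 0, 0.0
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ports = {e["dport"] for e in win}
            if len(ports) > best_ports:
                best_ports = len(ports)
                best_ratio = sum(e["action"] == "DENY" for e in win) / len(win)
        if best_ports >= min_ports and best_ratio >= min_deny_ratio:
            alerts.append({"src": src, "dst": dst, "distinct_ports": best_ports, "deny_ratio": best_ratio})
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan: {a['src']} -> {a['dst']} "
              f"({a['distinct_ports']} ports, {a['deny_ratio']:.0%} denied)")
```

Raising `min_ports` or the deny ratio trades missed slow scans for fewer false positives from legitimate multi-port clients.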
