
Karen McDowell, Ph.D., GCIH
Information Security, Policy, and Records Office (ISPRO)
karenm@virginia.edu
June 2013

ANATOMY OF A HACK

Step 1: Do Reconnaissance
Successful hackers are excellent researchers, diligent, and persistent
They study our websites, our entries on social media, and other available information
This stage is non-intrusive.

Step 2: Attract the Victim
Send a spear-phishing email
Trick the victim into clicking on a link and giving away their PII
Attacker is usually interacting with the system within five minutes of the person clicking on the email

Step 3: Gain Control
Install custom-made malicious software, exploiting a vulnerability* in the system
Attempt to gain administrator credentials to go deeper into the network
Establish one or more back doors to communicate with a command and control server (C&C)

*Good reason to keep your computers and programs current and backed up!

Step 4: Exfiltrate Data & Conscript
Exfiltrate intellectual property and/or your credentials to the C&C servers
Conscript your computer for later use in other attacks like DDoS
The theft of intellectual property in the US in the past year alone is measured in terabytes* of data

Overall: Cloak Source
Hackers routinely penetrate major universities, routing attacks through them.
Decentralized universities are porous and create perfect proxies.
University employees are prime targets.

Where was the antivirus?
Unfortunate that Symantec is taking a lot of heat for failing to detect the NYT attack
Antivirus is well known to be only a speed bump, yet you gotta have it.
Hackers also use zero-day attacks*, which no antivirus can detect

*attack that exploits a previously unknown vulnerability in a computer application

Crack passwords
Hackers cracked and stole the corporate passwords for many Times employees
Gained access to the personal computers of 53 employees, most of them outside The Times's newsroom
Over a 3-month period installed 45 pieces of custom malware

What did we learn?
The Times wisely allowed the hack to go on for 3 months to learn the attackers' methods and to prevent a return
Good news! Companies under attack are taking the crucial step to pool their resources
RSA Conference February 2013

Recent Major Attacks
EMC's computer security unit RSA
US Chamber of Commerce
Wall Street Journal
New York Times
Apple & Microsoft
Facebook & Twitter
Federal Reserve
Reuters & Sony
Google

The RSA Hack: A Cautionary Tale


The Human is the Weakest Link

Attack Vectors
Spear phishing email messages
Phone calls target you at home
USB Sticks left lying around anywhere
Weak passwords, vulnerable machines
Drive-by-Downloads
Coupon Bars (there has to be a better way to do this)

Iranian Elections & US Bank Attacks


Dear User,
Add an alternate email address to your
account. You can use this to sign into your
account, reset your password, and more
Click on this link:
https://accounts.google.com/b/0/EditUsrInfo

You Are a Target!


Username & Passwords
Email Harvesting
Financial
Extortion (Ransomware)
Identity Hijacking
Botnets
Virtual Goods

How Can I Spear-Phish You?


Let me count the ways!
Average more than one a week
Someone always responds
All hackers need is one response

Notice the https://


Courtesy of Yale University

Wire Transfer Phish

Don't Be a Victim!
Realize you are a target
Know your adversary's tricks
Take control of your online presence
Forward to abuse@virginia.edu
Just don't click on it
Don't respond
DELETE

What You Can Do!
Check our Current Security Alerts & Warnings page and subscribe to the RSS Feed, or
Follow us on Twitter, and/or
Email abuse@virginia.edu for an answer or simply to report it.
Delete the questionable email by all means!

Vishing, VOIP, Smishing, QRishing


Telephone tech support scams
Your account needs updating
Register for free prizes!
Your credit card has been deactivated

QR Codes and QRishing

Do You Wanna Be a Money Mule?

Money Mule Offer Flatters Me

Part II of the Same Offer

Password Guesser
out.12920:join: Oct 21 14:36:33 Guessed akovacs (/usr1/bin/badpasswd in !
maxwell.passwd) [morrison] .AB8KhkzFZkCc
out.12920:join: Oct 21 14:36:33 Guessed dsummers (/usr1/bin/badpasswd in!
maxwell.passwd) [w0mbat] /P8idUdpMO/6Q
out.12920:join: Oct 21 14:36:33 Guessed crockett (/usr1/bin/badpasswd in!
maxwell.passwd) [bxxxsxxx] 2ULXddBrRGI.I
out.12920:join: Oct 21 14:36:33 Guessed jlucas (/usr1/bin/badpasswd in !
maxwell.passwd) [stealth] 6KIIfIlFO0qP6
out.12920:join: Oct 21 14:36:33 Guessed cminton (/usr1/bin/badpasswd in !
maxwell.passwd) [Faustus] 6hiuZITiFmlX.!

Courtesy of Indiana University
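Added example, not part of the original slides: a Python parser for the guesser output shown above that turns it into a forced-reset list with the guessed plaintext dropped, and flags 13-character traditional DES crypt hashes (which only use the first 8 password characters). The sample lines are the slide's entries reassembled onto single lines; that the "!" and line break are terminal wrapping is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the slide's guesser entries, each reassembled onto
# one line (assumption: the "!" and line break are terminal wrapping).
SAMPLE_LINES = [
    "out.12920:join: Oct 21 14:36:33 Guessed akovacs (/usr1/bin/badpasswd in maxwell.passwd) [morrison] .AB8KhkzFZkCc",
    "out.12920:join: Oct 21 14:36:33 Guessed dsummers (/usr1/bin/badpasswd in maxwell.passwd) [w0mbat] /P8idUdpMO/6Q",
    "out.12920:join: Oct 21 14:36:33 Guessed crockett (/usr1/bin/badpasswd in maxwell.passwd) [bxxxsxxx] 2ULXddBrRGI.I",
    "out.12920:join: Oct 21 14:36:33 Guessed jlucas (/usr1/bin/badpasswd in maxwell.passwd) [stealth] 6KIIfIlFO0qP6",
    "out.12920:join: Oct 21 14:36:33 Guessed cminton (/usr1/bin/badpasswd in maxwell.passwd) [Faustus] 6hiuZITiFmlX.",
]

GUESS_RE = re.compile(
    r"^(?P<source>\S+):join: "
    r"(?P<when>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"Guessed (?P<user>\S+) \((?P<tool>\S+) in (?P<pwfile>\S+)\) "
    r"\[(?P<guessed>[^\]]*)\] (?P<hash>\S+)$"
)

# Traditional crypt(3) DES: 13 chars of [a-zA-Z0-9./]; only the first
# 8 password characters count, so a long passphrase cannot help here.
DES_CRYPT_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


def parse_guess(line):
    """One guesser line -> dict of fields, or None if it is not a hit."""
    m = GUESS_RE.match(line.strip())
    return m.groupdict() if m else None


def reset_report(lines):
    """Accounts whose passwords were guessed, with the plaintext dropped
    so the list can be handed to the help desk for forced resets."""
    report = []
    for line in lines:
        rec = parse_guess(line)
        if rec is None:
            continue
        rec["legacy_des_crypt"] = bool(DES_CRYPT_RE.match(rec["hash"]))
        del rec["guessed"]  # never carry the cracked password forward
        report.append(rec)
    return report


def per_file_counts(lines):
    """How many guessed accounts each password file contributed."""
    return Counter(r["pwfile"] for r in reset_report(lines))


if __name__ == "__main__":
    for r in reset_report(SAMPLE_LINES):
        print(r["user"], r["pwfile"], "legacy DES" if r["legacy_des_crypt"] else "")
    print(per_file_counts(SAMPLE_LINES))
```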

Passphrases are just words
Easy to remember
"My son only calls me when he needs money" (without spaces)
"If I won the lottery, I would quit working" (w/o spaces)
Avoid famous sayings or quotes, like "Give me liberty or give me death", "To be or not to be-25", "Four score and seven years ago"

Not less than 20 Characters
Mixed characters (number, letter, symbol)
"I hope you all are enjoying this conference in 2013!" without quotes
"My son only contacts me when he wants money!!" with or without spaces
"Can you 35 tell the difference between a phish and a fish?"

Length or Complexity?
Length is much more powerful.
First letter of each word: "My Prius uses too much gas in the winter" for the password MPu2m8it*
Add 3-4 character extensions to this root passphrase, like BoA! or Wf#
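Added example (not from the slides): a small Python check that applies the deck's passphrase rules from the last three slides (20+ characters, mixed character classes, no famous quotes) and estimates the brute-force search space in bits, which is why length beats complexity. The character-class sizes and the quote list are assumptions constructed for the example.

```python
import math
import re
import string

# Constructed for this example: the sayings the slide warns against.
FAMOUS_QUOTES = [
    "Give me liberty or give me death",
    "To be or not to be",
    "Four score and seven years ago",
]

# Character classes and the alphabet size each one adds to a brute-force
# search (assumption: the attacker knows which classes are in use).
CLASS_SIZES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation + " ", 33),
}


def normalize(text):
    """Lowercase and keep only letters and digits, so 'w/o spaces' and
    punctuation variants of a quote still match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def classes_used(secret):
    return [name for name, (chars, _) in CLASS_SIZES.items()
            if any(c in chars for c in secret)]


def brute_force_bits(secret):
    """log2 of the number of strings an exhaustive search must try."""
    alphabet = sum(CLASS_SIZES[name][1] for name in classes_used(secret))
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def assess(passphrase, min_length=20):
    """Apply the slide's rules and return the findings as a dict."""
    classes = classes_used(passphrase)
    norm = normalize(passphrase)
    return {
        "length": len(passphrase),
        "long_enough": len(passphrase) >= min_length,
        "classes": classes,
        "mixed": len(classes) >= 3,
        "famous_quote": [q for q in FAMOUS_QUOTES if normalize(q) in norm],
        "bits": round(brute_force_bits(passphrase), 1),
    }


if __name__ == "__main__":
    for p in ["MPu2m8it*", "Mysononlycallsmewhenheneedsmoney"]:
        print(p, assess(p))
```

The 9-character mixed password from the slide comes out near 59 bits, while the 32-character lowercase passphrase is over 180 bits; a long passphrase built from a famous quote is flagged even though it passes the length rule.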

Easy to Do

Skype Calls from Anyone?

Three Golden Rules
Verify unsolicited communication.
Maintain strong passwords.
Create a different password for each account.

Hacks on Hacks
Zappos and LinkedIn, etc.
Hackers steal passwords, send you a spear-phishing message purporting to be from the hacked company
"Click here to reset your password!"

Hackers for Hire

Pavel Vrublevsky
Owner of Russian payments firm ChronoPay

Anything Can Be Spoofed
http://www.spoofcard.com/ allows users to call people while displaying a fake name
Tor.com allows you to anonymize
Wireless hot spots in hotels, airports, coffee shops, and other public places
Firesheep, Kismet, other software lets anyone impersonate you

Defense-in-Depth on Mobile
Verify SMS/text messages independently to avoid smishing
Take the initiative to update system and application software
Know the Remote wipe option
3/4G is safer than local wireless hotspots
Disable or at least be aware of GPS and geotagging

Smishing
GATEWAY BANK
ALERT: Your card
starting with 4138*
has been
DEACTIVATED .
Please contact us at
804-414-7700.

Android, Blackberry, iPhone
Passcode
Enable at least 4 digits
Don't use 1234, or 0000, 2580, 5555, etc.
Exceeding the number of allowed password attempts deletes all data
Auto-Lock
Locks the screen after a pre-set time period of non-use (consider 30 minutes or less)
Passcode-lock enhances auto-lock

Are Market Place Downloads Safe?
Do not click Install before you review.
Do you want this app to have so much access to your information?
Think before you app!

Tips to Protect Mobile Devices
Click with care: many tempting offers duplicate the look and feel of legit sites
Do not respond to security alerts or password request emails on your smart phone. They are usually fraudulent.
Install an app security scanner on your phone or iPad

Mobile Phone Protection
Lookout Mobile Security: https://www.lookout.com/
McAfee Mobile Security: https://www.mcafeemobilesecurity.com/products/android.aspx
Verizon Mobile Security: http://www.verizon.com
Vipre Mobile Security: http://www.vipremobile.com/

Greatest Threat to Smart Phones?
About 113 smartphones are stolen or lost every minute in the US, with many of the thefts turning violent.
In 2012, 1.6 million Americans were victimized for their smartphones
These crimes have led to severe injuries and the loss of life
Secure Our Smartphones: there is a technical solution, a kill switch

iPhone, iPad Security Settings
iPhone: General tab > Restrictions > Enable Restrictions > Select
Enable "Ask to join networks" function on iPhone
iPad: Enable Data Protection
Settings > General > Passcode

Find my iPhone/iPod/iPad
Find my iPhone requires an Apple iCloud account and a recent device
Add other, older devices once an account is set up
http://www.apple.com/icloud/features/find-my-iphone.html

Android Security Settings
Internet > More > Settings > Block Pop-up Windows, and Clear Cache and Cookie data often.
Uncheck Remember Form Data, Enable Location, and Remember Passwords
Always browse with https:// if you log in using any credentials

Wireless Network Tips


Use WPA2 encryption on router
Change the default SSID
Change the default login and password
Create strong passwords for all
devices including printers
Install an alternate DNS provider

Free Annual Credit Report
Check your free annual credit report: http://annualcreditreport.com
Not freecreditreport.com
Check personal data for accuracy
You will not receive a credit score, unless you pay for it
Don't use a Debit card online!

Unforgettable from Australia


Stay One Click Ahead and Outsmart
the Scammers

We are the Weakest Links

http://www.securingthehuman.org/resources/ncsam

STOP.THINK.CONNECT

stopthinkconnect.org
