Personal Data Security in a Digital World
1. Personal Data Security in a Digital World
Alex Davis
Vice President of Engineering
AllClear ID
2. Key Points
• Risks of Data Insecurity & Identity Theft
• The Old Standby: Failure of the password
• Multi-Factor Authentication
• Mobile Risks
3. What is Identity Theft?
FTC: Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.
• Types:
– Financial
– Medical
– Criminal
– Identity Cloning
Source: FTC.gov
5. Why does Identity Theft happen?
Failed Authentication
Source: FTC.gov
6. The Old Standby: Failure of the Password
• Brute force dictionary attacks (Brutus)
• Hash-based dictionary attacks (John-the-Ripper)
• People use terrible passwords
– Top 3 Gawker passwords:
o 123456
o password
o 12345678
– Top 3 rootkit.com (HBGary) passwords:
o 123456
o password
o rootkit
– 25 Worst Passwords of 2011
• http://tinyurl.com/badpassword
• Best Practice: Password generator/repository
– PasswordSafe http://passwordsafe.sourceforge.net/
– Keepass http://keepass.info/
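The slide makes two points a developer can act on: users pick blocklisted passwords, and stored passwords must survive a hash-based dictionary attack; the speaker notes add a third, locking an account after a number of failed online attempts. The following is an added example (not code from the talk, AllClear ID or Debix) that puts the three together in Python: a blocklist check built from the very passwords listed on the slide, a salted, iterated PBKDF2 hash so that each guess is expensive and no precomputed table works across users, and a small lockout gate. The blocklist and the work factor are constructed values for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Blocklist constructed from the passwords the slide lists as the top choices
# on Gawker and rootkit.com; a real deployment would load a full breach list.
WORST_PASSWORDS = {"123456", "password", "12345678", "rootkit"}

# Work factor for PBKDF2: every guess in an offline hash-based dictionary
# attack has to pay this cost. Tunable; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def password_is_acceptable(password: str, min_length: int = 12) -> bool:
    """Reject blocklisted passwords (case-insensitive) and short ones outright."""
    return len(password) >= min_length and password.lower() not in WORST_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted, iterated hash, never the password itself.

    The per-user random salt means two users with the same password get
    different hashes, so one precomputed dictionary cannot crack them all.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LoginGate:
    """Online guessing defence from the speaker notes: lock after x attempts."""

    def __init__(self, stored_hash: str, max_attempts: int = 5):
        self.stored_hash = stored_hash
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def attempt(self, password: str) -> bool:
        """Return True only for a correct password on an unlocked account."""
        if self.locked:
            return False  # a correct guess after lockout is still refused
        if verify_password(password, self.stored_hash):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(password_is_acceptable("password"), password_is_acceptable("correct horse battery staple"))
```

The blocklist check belongs at sign-up and at password change; the lockout counter is the online counterpart of the slow hash, which only helps once the database has already been taken.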
7. The Old Standby, Round 2: Challenge Questions
• When easy enough for you to answer, thieves can answer too
• When difficult enough to defeat thieves, defeats you
• Examples:
– Sarah Palin email hack
– “Mother’s Maiden Name”
• Best Practice:
If you have to use them, come up with an answer that is not directly related to the question.
9. The Rise of the Smartphones
• In 2011, 83% of adults have cell phones
• 42% are smartphones
• 62% for ages 25 – 34
• 68% of smartphone users go online with it every day
• 25% use it as their primary internet access
Sources:
http://www.pewinternet.org/Reports/2011/Smartphones.aspx
http://blog.nielsen.com/nielsenwire/online_mobile/generation-app-62-of-mobile-users-25-34-own-smartphones/
10. Mobile Risks: Android Phones
• Study by Penn State, Duke University and Intel Labs of 30 of the most popular Android apps found half of them were misusing personal information, sending unauthorized info to advertisers.
– http://appanalysis.org/
• Recent study by Dasient security company of 10,000 Android apps shows 8% sending personal data to unauthorized servers, some including sending unauthorized SMS messages to contacts
• Mobile “drive by” attack demonstrated. Malicious website installs unauthorized code that can exploit further vulnerabilities, in this case eavesdropping on Skype conversations
– http://www.dasient.com/
• Android developer Trevor Eckhart reported on discovery of pre-installed software by CarrierIQ on Sprint and Verizon phones that monitors, collects, and sends personal usage data, including: websites visited, search terms used, location data, “demographic data” (gender, age, sports fan, frequent diner, pet owner, etc)
– http://androidsecuritytest.com/
11. Mobile Risks: iPhones
• When iOS 4 was released in 2010, iPhones and iPads started storing up to a year’s worth of your timestamped location information in an unencrypted text file
• Security researcher Charlie Miller discovered a “trojan horse” iPhone app exploit to download and execute unrestricted code
• Even official financial apps aren’t always safe (http://viaforensics.com/appwatchdog/)
– Wells Fargo stored passwords unencrypted on the phone
– Bank of America app left answers to security questions in plain text on phones
– USAA stored account and transit numbers, balances and payments
– PayPal stored transaction histories unencrypted, including email addresses for both parties
12. Mobile Risks: Wireless Networks
• WEP Encrypted Networks
– Can be cracked in 15 minutes with a standard Linux laptop
1. Airmon-ng – set network card in monitoring mode to access network data without being on the network
2. Airodump-ng – capture wireless data packets
3. Aireplay-ng – inject additional network traffic to speed analysis
4. Aircrack-ng – extract WEP key from captured packets. Key can be extracted from 10k – 40k packets
• WPA/WPA2-PSK Encrypted Networks
– Stronger security but vulnerable to dictionary attacks; takes longer to crack depending on password strength
1. Airmon-ng & Airodump-ng as above
2. Aireplay-ng – force deauthentication/reauthentication to speed cracking attempts
3. Aircrack-ng – use pre-generated password dictionary to attack network password
13. Mobile Risks: Cellular Networks
• GSM Networks (AT&T, T-Mobile) are vulnerable to “IMSI Catchers”
– Spoofs a cellular base station. Intercepts, records, and re-transmits voice calls and text messages
– Typically costs hundreds of thousands of dollars, only available to law enforcement and intelligence agencies
– Security Researcher Chris Paget in 2010 was able to build a laptop-based IMSI Catcher from scratch for $1500 (most of the cost was the laptop)
– Encrypted calls are no help; the “base station” can simply tell the phone to turn off encryption.
– Intercepts outbound calls only; incoming calls will go straight to voicemail
14. Putting it together: “Aerial Cyber Apocalypse”
Richard Perkins and Mike Tassey
http://rabbit-hole.org/
DIY Spy Drone
• Surplus army target practice drone bought online
• 6 ft long, 14 lbs
• 22,000 ft max altitude
• Up to 45 minute flight time
• GPS & Google Maps pre-programmed flight path
Payload – all off-the-shelf parts!
• HD Camera
• 32 Gb onboard storage
• Wi-Fi hotspot spoofing and penetration
• 340 million word dictionary for brute-forcing passwords
• 4G T-Mobile card
• Spoof GSM cellphone tower to intercept, decrypt, and record calls and text messages
Total project cost: about $6000
15. Increasing Awareness
• Identity Theft is A) big business, B) damaging, C) caused by a failure to identify the authentic user
• A strong authentication solution is required
• The rising ubiquity of smartphones and wireless networks provides enormous increases in convenience and capability, but also introduces significant new vectors of attack to obtain and expose private information.
“Often the hardest part of cryptography is getting people to use it…It's hard to build a system that provides strong authentication on top of systems that can be penetrated by knowing someone's mother's maiden name.” – Bruce Schneier, Applied Cryptography
Source: ITRC
Editor's Notes
0:20 Talking about risks inherent in loss or exposure of personal data, and some of the threats and attacks in particular that are related to the rising ubiquity of smartphones and wireless networking.
0:33 Key points:
– Risks of Data Insecurity & impacts of Identity Theft
– Failure of single-factor, or password-based, authentication
– What is strong authentication, or Multi-Factor Authentication
– Some new attacks targeted toward the Mobile world
3:30 Let’s set the baseline for our talk. There’s a lot of chatter about id theft these days. Define terms.
The FTC says: Identity theft occurs when someone uses your personally identifying information (or PII), like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes. Pretty general description.
4 main types of ID theft:
– Financial (using another's identity to obtain lines of credit, buy stolen goods)
– Medical (using another's identity to obtain medical care or drugs) – can be worse than financial fraud. Imagine if someone uses your id to get medical treatment, and now your history says that you’re an AB- diabetic with an array of drug allergies. Next time you end up in the emergency room things could go very badly for you.
– Criminal (posing as another person when apprehended for a crime) = prostitution, dealing drugs, obvious severe consequences
– Identity cloning (using another's information to assume his or her identity in daily life, “Don Draper”)
It’s important to note that ID Theft doesn’t just happen when someone snags your wallet at the coffee shop. Big business. Lot of money to be made, and criminal organizations are very aware of that fact. Top 3 areas of growth for organized crime: drugs, human trafficking, identity theft. Why? Relatively easy, low risk. Gain access to large volumes of personal information through data breach. Either resell the records to other id thieves to exploit, like petroleum suppliers selling crude oil to be refined into diesel, or make use themselves. Data entry warehouse. Buy up drives, laptops, backup tapes, pay break-ins, grind through to harvest data into db. Now cracking and spoofing wifi networks to harvest data. New theoretical attacks published exploiting smartphone vulnerabilities, cellular network spoofing, and trojan horse phone apps.
4:44 From my context, we deal with these situations every day. We have protected over a million people who have had their personal information exposed in corporate data breaches. Chances are many of you have received notifications from your credit card company or your healthcare provider or university that your data had been lost or stolen. We deal with many cases of ID theft, and we help people discover when it’s happening and help them resolve it, so we get a lot of interesting case studies.
Derrick – nursing student and Iraq veteran, EMT in the military, paramedic afterwards, dedicated to helping other people. Unknowingly had his identity stolen while serving overseas, and the thief generated a long list of crimes from unpaid speeding tickets and revoked driver's license to felony check fraud. As a result, Derrick twice during routine traffic stops was arrested, once as the driver and once as a passenger. We were able to clear up the contamination of his identity, and all charges were dismissed, but the state still held him responsible for the court and attorney fees, fines, tow fees, bond and the cost to have a new license issued. Fortunately as a customer of ours he was covered by the ID theft insurance policy we provide and didn’t have to go out of pocket for all those expenses, but these can be very significant hardships to a person without protection, or the ability to do the investigative work necessary to prove their innocence.
Customer used an iPhone app (pastie.org) to transfer documents from his desktop to his iPhone. One of the docs was a password list, something he thought would be useful to have on his phone. What he didn’t realize was that the app created a web site where all transferred docs were publicly available. Thieves who knew where to look were able to take over almost all accounts, including iTunes, Amazon, American Express, PayPal, and First Tennessee Bank. When they tried to take over his Debix account, with two-factor mobile authentication, he was immediately alerted to the takeover attempt and able to deny it in real time. Then he called the Debix investigation team, who were able to help recover his accounts and update his credentials.
Customer Christopher ordered a ChildScan for his teenage daughter Caitlin through our AllClear ID consumer service. Thought he was just being proactive, didn’t expect to discover that his daughter’s identity had been used to open 42 accounts over 13 years. Common scenario: coyotes bring illegal immigrants, set them up with children’s SSNs, don’t get used for years. In this case, 3 mortgages, several car loans, credit cards, and multiple accounts in collections. Our investigations team was able to get all the fraudulent accounts closed and the credit damage removed from her identity, just in time for her college applications. Months or even years until it was cleared up: job, apt, car.
0:30 There are a lot of scary stories and statistics out there about id theft, but at heart I’m an engineer, so the thing I find most interesting is analyzing how things work, and sometimes how they fail to work. At the end of the day identity theft cases have one thing in common: a failure to differentiate real people from thieves. Ultimately, banks and corporations are doing a poor job at determining that you are who you say you are. That is what allows identity theft to continue.
10:53 How data is most commonly protected. Host of known attacks against passwords. Brutus, outside in: log and analyze source domains, lock after x attempts. Once networks have been penetrated, and contents of db or key files harvested, you certainly hope that passwords have not been stored in the clear; expect them to be hashed. John-the-Ripper used to detect weak Linux passwords. Recent network break-ins have highlighted one thing: people are going to pick bad passwords. Gawker – Lifehacker, Gizmodo, Kotaku. Password reuse.
2:25 Palin – Where did you meet your husband? Wasilla High School. Street you grew up on? Houston, NASA, manonthemoon.
4:34 Multi-factor – something you have and something you know. ATM card + PIN. Broken when you don’t need card present. Biometrics: promising, but not yet prevalent. Replay attack: you can change a compromised password, but you can’t change your fingerprints. Secure token: job, World of Warcraft, PayPal, bank, credit card, etc. Debix uses cellphone as thing you have. When you sign up, register your phone number, define a PIN, and record “voicekey”.
1:20 In the past, the most common avenues of data breaches have been theft of physical hardware (computers with spreadsheets and databases, backup tapes) or network penetration, exposing database contents. In the last few years, a new avenue has opened up, one that rests in the hands of the end consumer, and which is used to broadcast personal information across wireless and mobile networks at an unprecedented rate. http://www.pewinternet.org/Reports/2011/Smartphones.aspx
3:30 How secure is your data? Where is your data going? Several studies over the last year showed surprising results on the amount of personal data that your phone is leaking without your knowledge. Not just “rogue” apps. CarrierIQ was not pleased with Eckhart's report and threatened legal action unless he retracted his data and issued a public apology, but has since withdrawn their cease and desist and issued an apology to him.
3:30 Ever since iOS 4, iPhones and iPads continuously monitor and store your location with timestamp in an unencrypted text file. Charlie Miller discovered it was possible to create Trojan Horse iPhone apps that could innocuously pass the Apple app review, then download and execute additional, unverified and potentially malicious code. When he notified Apple about the existence of the bug, Apple promptly terminated Miller’s developer license.
In addition to smartphones themselves, wireless networks are found everywhere today: coffee shop, airport, campus, even getting an oil change. Convenience, great feature to offer, but comes with its own set of risks. Let’s look at how they are secured. WEP – Wired Equivalent Privacy. Process is to capture enough network packets to allow a cracking tool to extract and reassemble the network key. WPA – Wifi Protected Access.
IMSI – International Mobile Subscriber Identity. Disabling encryption – could generate a warning, but carriers have turned these warnings off on all handsets, to prevent “confusing” customers.
Circle over a target: someone’s house, Starbucks, university campus. Complete mobile wireless & cellular surveillance package. Nothing new invented here: all payload components were off-the-shelf. WiFi cracking has been around a long time. GSM cell tower spoofing attack published at DefCon 2010. Not restricted to corporate espionage or government surveillance: individuals with modest budgets can launch very sophisticated attacks targeted at intercepting and harvesting personal information.