Developer Data Modeling Mistakes: From Postgres to NoSQL
Why My E Identity Needs Protection
1. Why My Electronic Identity
Needs to be Protected!
Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is
given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires
written permission from the author. Videos and specific graphics presented are not for public distribution.
2. Session Guide
Erwin “Chris” Louis Carrow
IT Audit Director; M.Div., MSIS, BM, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA,
LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
Board of Regents, University System of Georgia; Officeof Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
Email: erwin.carrow@usg.edu http://www.linkedin.com/in/thebishop
http://twitter.com/ecarrow
What I Do? Just a “Glorified Geek”
High level – IT Evaluations University System Wide
General focus – Lack granularity of detail regarding day to
day operations
Validate Assurance or Identify Vulnerabilities / Exploitation
Bottom line: Challenging Others to Apprehend IT Security
and Operational Efficiency
3. Session Agenda
Key Takeaways and Introductions
Basic Terminology, Context, &
Methodology
Strategic Protection of YOUR and
OTHERS Personal Information
What to Do to Be Safe / Limit Risk
Q&A
4. Key Takeaways
At the end of this session you should be able to:
Understand the RISK with YOUR and OTHERS
Electronic Identity;
Understand the Motivation for Exploitation of
YOUR or OTHERS PERSONAL INFORMATION
Identify Practical Considerations and Resources
to mitigate associated RISK;
Apply Basic Precautions to mitigate potential
LOSES;
5. Terminology, Context, & Who are
the Key Players
People – Good (solution oriented), Bad (problem producers),
and Indifferent (folks who don’t care /understand the problem)
Technology – Good (well managed), Bad (poorly managed),
and Indifferent (don’t care or understand the problem)
Services – The Internet (Home, Work, or Public environment),
and associated resources, e.g., ISP, FaceBook, Games, email, etc.
YOU – “Part of the S0lution” or “Part of the Problem,” e.g., a
Recipient (“Poor Slob” that GOT HIT), Participant
(inadvertently contributed either “for” or “against”), or Initiator
(Johnny or Jill Hacker)?
Specific or Potential Risks – Governments, Commerce, Health
Organizations, Organized Crime Syndicates, Due Negligence,
Hacker Exploits - Phishing attempts, Social Network
vulnerabilities, etc.
6. What is E-Identity and
Identity Theft?
E-Identity: an online informational profile about
YOU and OTHERS!
Identity theft: the criminal act of stealing your
personal information to clone your identity with
the intent to use it without your knowledge or
permission to commit fraud or other crimes.
7. You are Identified by…
What You Do Online or Otherwise!
Commodities
Banking / Income Tax Filing
Gaming
Purchases
Services: Hospitals, Gas Stations, etc.
Voyeur Site Participation (Porn)
Communication
Voice
Email
Chat
Video Conferencing
9. Threats and the Facts
(Commercial - part 1)
October 19, Help Net Security - (International) Kaspersky download site hacked, redirecting users to fake AV. October 17, the Kaspersky’s
USA download site provided download links that redirected users to a malicious Web page where windows telling them their computer was
infected were popping up and they were encouraged to buy a fake AV solution. Source: www.net-security.org
October 19, V3.co.uk - (International) RealPlayer receives critical security update. Real Networks has issued a security update for RealPlayer,
addressing flaws in versions …. vulnerabilities ranging from buffer overflow and injection flaws to issues that could allow an attacker to
remotely execute code on a targeted system. Source: www.v3.co.uk/v3/news
October 18, Computerworld - (International) ‘Unprecedented wave’ of Java exploits hits users, says Microsoft. Microsoft said October 18 that
an “unprecedented wave” of attacks are exploiting vulnerabilities …. attempts to exploit Java bugs …. “IDS/IPS vendors ... have challenges with
parsing Java code,” … the performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in
exploitation might have a hard time seeing this. Call it Java-blindness.” Source: www.computerworld.com
July 19, SCADA System’s Hard-Coded Password Circulated Online for Years - malware that targets command-and-control software installed
in critical infrastructures uses a known default password that the software maker hard-coded into its system.…. SCADA, short for “supervisory
control and data acquisition,” systems are programs installed in utilities and manufacturing facilities to manage the operations. SCADA
…potentially vulnerable to remote attack by malicious outsiders who might want to seize control of utilities for purposes of sabotage,
espionage or extortion. “Default passwords are and have been a major vulnerability for many years,” said Steve Bellovin, …“It’s irresponsible to
put them in, in the first place…. If that’s the way the Siemens systems works, they were negligent.” Siemens did not respond to a request for
comment. Source: www.wired.com
October 20, Softpedia - (International) Fake Firefox and Chrome warning pages distribute malware. Security researchers warn a new
malware distribution campaign uses fake versions of the malicious site warnings commonly displayed by Firefox and Google Chrome. Security
researchers from F-Secure now warn malware pushers are increasingly abusing the trust users associate with these warnings to infect them.
Malicious Web sites that mimic both Firefox’s “Reported Attack Page” alert, as well as Chrome’s “this site may harm your computer” warning,
have been spotted. The pages look exactly the same as the real thing, except for a button that reads “Download Updates,” suggesting that
security patches are available for the browsers. The executable files served when these buttons are pressed install rogue antivirus programs …
the users who land on these latest sites discovered by F-Secure are also exposed to drive-by downloads via a hidden IFrame, which loads the
Phoenix exploit kit. Source: news.softpedia.com
October 20, Trusteer - (International) Trusteer reports hackers improve Zeus Trojan to retain leadership in crimeware race. Trusteer reported October
20 it has captured and analyzed a new version (2.1) of the Zeus financial malware. New capabilities include: URL matching based on a full
implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus’s configuration to define targets.
Source: www.trusteer.com
10. Threats and the Facts
(Personal - part 2)
Personal Experience of Identity Theft (3 official separate times) – and
recently hacked this month at a military installation!
64x -8 process, 16 gigs RAM, 2x ½ Terabyte HD, Dual Booted – Windows 7
Pro and SUSE Linux, and multiple other system bells and whistles (bleeding
edge laptop technology – do not recommend)
Attacked and hacked while operating in Windows 7 environment through the
Chrome Browser – used a java / real player /buffer memory overflow exploit
and then attempted to migrate and embed in the OS’s
Gained currently loaded browser credentials and passwords – Google Email
account compromised (Google notified me and stated someone in Greece had
accessed my account) at the same time of identified problem
Locked up the system, scrambled system settings (date changed to year 2076),
locally used IDS/IPS rendered partially ineffective, polluted other partitions –
both Linux and Windows
Uncertainty of future protection due to complexity and immaturity of
hardware and malware software protection
11. More of the Same “Threats and the
Facts” – But, What are the Results?
Privacy Right Clearinghouse
Chronology of Data Record Breaches 13,678,437 (460 events,
2010) and 510,619,382 since January 2005 that have been
reported [www.privacyrights.org/ar/ChronDataBreaches.htm]
Ponemon –HRH 2008 Privacy Breach Index Survey (Sept 2008)
Self evaluation of overall performance of organization: -- 9%
gave an “A” -- 31% gave a “B” -- 26% gave a ”C” -- 29% gave a “D”
– 5% gave a “F” [www.HRH.com/privacy]
80 % believed their organizations experienced information
system data breaches and loss of customer and personal
information
50% Negligence, -- 29% Third-Party, 3% Hacker, --1% other
criminal activity;
36% 1 to 4 breaches involving 100 or records; 32% 5 to 8; 31% 9
or more
12. The Various Ways whereby YOUR
Information is … LOST (data Leakage)
Physical loss (PHYS) - Lost, discarded or stolen non-electronic records, such
as paper documents
Portable device (PORT) - Lost, discarded or stolen laptop, PDA, smart-
phone, portable memory device, CD, hard drive, data tape, etc
Stationary device (STAT) - Lost, discarded or stolen stationary electronic
device such as a computer or server not designed for mobility.
Hacking or malware (HACK) - Electronic entry by an outside party, malware
and spyware.
Payment Card Fraud (CARD) - Fraud involving debit and credit cards that is
not accomplished via hacking. For example, skimming devices at point-of-
service terminals.
Unintended disclosure (DISC) - Sensitive information posted publicly on a
website, mishandled or sent to the wrong party via email, fax or mail.
Insider ( INSD) - Someone with legitimate access intentionally breaches
information - such as an employee or contractor.
Unknown or other (UNKN)
13. The Basic Method to Exploit ...
YOUR E-Identity
Identify Social / Cultural “Normalcy” and associated “Common Denominators” where
potential gain or benefit may exist on the Internet or in the real world
Voice / Chat / Email / Tweet has become the primary “Means of Communication”
Browser Based Culture and Community, e.g., On-line Gaming (Entertainment), Banking
(financial), Social Networks (Socialization), pornography sites (22% of all Internet based
revenue), etc.
Marketing from Data Warehouses – Services (medical Google, Microsoft, Government
Entities (regardless of intentions, you are a customer, beneficiary, or potential threat)
Non-electronic communication or storage methods, e.g., stealing stuff with your name and
other information on it
Exploit “Common Denominators” by …
Identify and Predict potential Outcomes from Your INFORMATION [ANY FRINGE
FANS?]
Making it look like normal expected activity
Browser based exploits – Social networks, social engineer, harvest information, or capitalize on browser
technology vulnerabilities
Email based exploits – Phishing
Browser, Email, and Web Site exploitation are all used in conjunction
Obscure and confuse the real with the Counterfeit!
Their Objective …, is to recreate a Counterfeit “Normalcy” that attracts and is utilized
by YOU!!!!
FOR ORGANIZATIONAL (Terrorist) or PERSONAL (Theft, Malice, or Vendetta) GAIN
14. Legal Implications?
I am not a lawyer – this is strictly opinion (disclaimer)!
Privacy Laws – Still very immature in the practical
governance and implementation of standards
Case Law – On going implications in who is to be held
responsible for breaches (Internet is complexity)
Victim – The individual has to initiate action that may
prove too costly or ineffective to pursue
The government and big corporate entities very
seldom will be held legally liable – Spin City
Bottom-line – Who really cares for YOUR interests and
is YOUR advocate (cynical reality)?
15. Why Pick-on Little old ME?
How do thieves steal identities?
Common methods thieves use to steal identities: Dumpster Diving, Phishing, Address Change,
Old Fashioned Stealing, hacking, & False Pretext
What do thieves do with stolen identities?
Thieves use stolen identities to:
-Open new credit card accounts, change your billing address, run excessive charges on your accounts, pay the minimum
amounts due, and drain your accounts.
-Open new phone or wireless accounts, set up utility services, open new bank accounts and write bad checks, take out
loans, clone your ATM or debit cards to make electronic withdrawals.
-Get driver's licenses, government benefits, file fraudulent tax returns, receive medical services
-Give your personal information to police during an arrest, Have dual identities to hide their real identity from the
Homeland Security Department.
What are the signs of identity theft?
Look for signs or evidence to determine whether your identity has been compromised:
-Evidence of bank or credit card accounts being opened in your name without your knowledge or approval.
-Evidence of charges deducted from your accounts that you did not initiate.
-Evidence of inaccurate information (e.g. wrong personal information, SSN, address, name, initials, or employers, etc) on
your credit reports.
-Not receiving your credit card bills, bank statements, or other personal mail for no apparent reasons; or receiving credit
cards that you did not apply for.
-Receiving calls or letters from collection agencies or businesses asking you to pay the cost of goods or services that you
did not buy, or being denied credit or offering you less favorable terms for no apparent reason, e.g. high interest rate.
16. How Do I Respond? - Apathy, Acceptance, Anger,
or … an Attitude of Rebellion and Resolve!
What should I do if my personal information has been compromised in a data breach?
For tips on what to do if your personal information has been exposed due to a security breach, read our
guide athttp://www.privacyrights.org/fs/fs17b-SecurityBreach.htm.
Are there resources for businesses and other organizations on how to avoid having sensitive data breached?
Learn about security and privacy protection practices for your workplace.
"Guide to Protecting the Confidentiality of Personally Identifiable Information," National Institute of Standards and
Technology. Special Publication 800-122. (April 2010) http://ssrn.com/abstract=1671082.
"How Global Organizations Approach the Challenge of Protecting Personal Data," from Accenture (released April 27, 2010)
https://microsite.accenture.com/dataprivacyreport/Pages/default.aspx and
https://microsite.accenture.com/dataprivacyreport/Documents/Accenture_Data_Privacy_Report.pdf
"Forrester Consulting Study, “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk,”
(April 2010) sponsored by RSA and Microsoft, available at www.rsa.com/CorporateSecrets. For press release,
seehttp://www.microsoft.com/Presspass/press/2010/apr10/04-05MSRSAPR.mspx?rss_fdn=Press%20Releases.
"Data Breach and Incident Readiness Planning Guide" from the Online Trust Alliance (January 2010).
https://www.otalliance.org/resources/Incident.html
"Security & Privacy -- Made Simpler,"from the Better Business
Bureau www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf
“Protecting Personal Information: A Guide for Business,”from the Federal Trade
Commission.www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf
“Information Security Handbook,”from the National Institute of Standards and Technology
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
“Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace,” from the Privacy Rights Clearinghouse
www.privacyrights.org/ar/PreventITWorkplace.htm
The California Office of Privacy Protection has developed a series of Recommended Practices. Several of the guides may be helpful in
protecting your business whether or not you are located in California.
www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf
www.privacyprotection.ca.gov/res/docs/pdf/ssnrecommendations.pdf
17. A Response with Rebellion and Resolve!
Know Yourself – Know Your Enemy!
The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise
that was written during the 6th century BC by Sun Tzu.
Two Possible not Recommended Responses to the Challenge
Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play
Computer games until the Inevitable Occurs
Idealistic and Unrealistic: Do the “Don Quixote (To Dream the
Impossible Dream and Fight the Impossible Fight)” - Wear yourself
out Fighting Windmills by shooting at whatever pops its head out!
Third Approach “How do you Eat the Elephant standing in the corner,
Instead of Avoiding it?” Take ONE BITE at a time by…
Assess the level of risk you are willing to incur
Strategize a response
Be deliberate and not apathetic or indifferent
Be practical / understand it is not just about you (or ME)
Be an advocate or part of a culture that supports secure practices
Test and monitor the process with identifiable outcomes
19. Your Risk Profile, Probability, & Impact
Risk “reality” is just a
“Click” or
“Communiqué” away!
Am I important, and if so
why?
Why would someone want
my information?”
If I commit (“C”) to
providing my information
what could be the outcome?
Is the “C” cost to high?
How will the “C” possibly
impact OTHERS?
20. The “Life Cycle” of Security,
the Process, Provisioning & Potential
Exploitation – the Weakest Link? People!
21. What to Do to Be Safe…?
Protect Yourself and Others?
Hardware – Stay off of the Bleeding Edge (very costly), OS updates;
Latest version of Browser / Email Clients and ensure they are patched
(from the right vendors); Dedicated systems per functional risk
Software – Anti-virus / Anti-Malware, Host level IDS –IPS, Security
BrowserApps, Plug-in filters, etc. (buy from reputable vendor)
Head-ware, e.g., “Common Sense” that is not too common
Don’t “Bank Online” (personal opinion and choice), limit on-line purchases, etc.
– every transaction has an associated risk!
Don’t share personal identifiable information of any type or form online without
assessing the risk!
Have fun, be cautious, and educate yourself regarding the risk
Remember, once it is on the Internet “it belongs to everyone.” Is it something you
really wanted to share?
Assess non-Internet exchanges and communications, e.g., bill paying and US
Postal Service
For everything you do information is being collected. Ask the various
organization you do business with about their Privacy Policies and how they are
protecting your information!
22. Thank You for Your Participation -
Any Questions?
Understand EVERYONE is collecting
Information about YOU – Their
OBJECTIVE is PREDICTABILITY
YOUR and OTHERS E-Identity is a
marketable commodity!
Take the necessary Precautions,
Preventive measures, and Practice safe
exchange of information
Hold Everyone Accountable for what
they have been entrusted!
Expect CONFLICT regardless of the
approach you take.
23. Oops, Forgot
– One Possible Solution!
Current practical challenges are virtualization and distribution
25. Helpful Resources
USGBOR Information Security Reporting Process
http://www.usg.edu/infosec/incident_management/ Twitter:
http://twitter.com/usginfosec/
Internet Alert Dashboard To report cyber infrastructure incidents or to request
information, please contact US-CERT at sos@us-cert.gov or visit their Website:
http://www.us-cert.gov. Information on IT information sharing and analysis can
be found at the IT ISAC (Information Sharing and Analysis Center) Website:
https://www.it-isac.org/
US-CERT: us-cert.gov/cas/tips/st06-003.html
StaySafeOnline: staysafeonline.info/practices/index.html
CyberSmart.org: www.ccybersmart.org/downloads/pdf/SocialNetworkGuide.pdf
GetNetWise: www.getnetwise.org
OnGuard Online: onguardonline.gov/socialnetworking_youth.html
TechMission, Inc. Safe Families: www.safefamilies.org/socialnetworking.php
Join my FaceBook “Mafia War” Family (beware it is a social networking
experiment) http://www.facebook.com/TheBishopOfOZ
Data Leakage http://ilpubs.stanford.edu:8090/968/1/leakage_tkde_final.pdf