1. Protecting yourself and your data in the cyber age
Stephen Cobb, CISSP
Security Researcher, ESET NA
2. Back then*: very few people cared about computer security
*Published 1991. Note that the publisher added “complete” to the title.
3. But now: we’re all computer users
*Go to StaySafeOnline.org for more about STOP | THINK | CONNECT
4. Our Agenda: Cybersecurity for all
• Answers to questions, such as:
– What are the risks of online banking?
– What about identity theft?
– Can hackers get to those home security cameras we just installed?
– How to properly secure home routers
– How to protect our children on social media such as Facebook
• But first:
– Why is there so much cybercrime?
12. How does cybercrime pay?
1. First, criminals steal information and sell it
on the black market
• Low risk, high reward
2. Then different criminals buy the stolen
data and commit fraud, e.g.
• Charge your accounts
• Get your tax refund
• Riskier than #1
• But still safer than robbing banks
13. Who are the players in these underground markets?
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
BEWARE WORK AT HOME SCAMS!
15. See the movie Blackhat?
• The bad guys used a RAT
• Remote Access Tool
• Here’s a RAT’s eye view of an infected computer: access to your microphone, webcam, files, passwords, and everything else…
16. Your card data sold here
• Carding sites
• Sold as card “dumps”
• E.g. McDumpals
• A real website
• Priced by
– Freshness
– Balance
– Type
– Location
20. Electronic health record: what it holds and why it is stolen
• L1: Basic personal (your name, physical address, phone, email, employer): stolen to sell to spammers and for data mining, profiling, appending
• L2: Non-public identifiers (your date of birth, medical record number, Social Security number, driver’s license details): sold for various kinds of identity theft such as tax ID fraud
• L3: Financial data (your insurance provider, plan type, payment info, credit card, bank account): sold for financial fraud, billing scams, theft of funds
• L4: Medical data (patient history, blood type, allergies, symptoms, medical conditions, prescriptions, genetic data): sold for use in medical ID fraud, billing fraud, drug and service theft and abuse
Electronic health records are targeted for general and medical ID theft
21. So, what are the risks and defensive measures for…
• Online banking
• Identity theft
• Internet cameras
• Home networks
• Social media
• And more…
*This is my dog, because about now we need some cheering up.
22. Risks of online banking?
• Relatively low risk, some benefits
• Improved tracking of transactions
• Account alerts
– Withdrawals
– Purchases
– Dollar limits
– Location limits
• But guard your credentials!
23. Watch where you use your cards
• Fringe websites
– Major source of infection
• Dodgy ATMs
– Skimmers
• Support scams
• Many others
24. How to protect against ID theft
• Recognize the different types
of identity theft
– Payment card fraud
– New account fraud
– Tax identity fraud
• Guard your credentials
– Account numbers
– User names, passwords
25. Guard SSNs and account info
• Who has their Social Security Card on them right now? Why?
• Don’t give the number out unless you absolutely have to
• Put a Security Freeze on your children’s credit (before the bad guys do)
• Shred paper mail that shows SSN or bank account numbers
26. Password protect all your devices
• They often have access to a lot of your identity data
• Laptops, smartphones, tablets
• Don’t share devices
• Know how to lock/track devices
27. Run antivirus on all devices
• A good antivirus suite will not only block malicious files, but also
– Stop phishing, intercept bad URLs, block inappropriate content
– Plus firewall, anti-theft, education
28. Can someone really hack our home security system and watch those cameras we just installed?
• If you connect them to the internet and don’t change the default password?
• Maybe!
• Research the model
• Google name + hacked
29. How to secure home routers
• Home routers are being targeted
• Make sure firmware is up-to-date
• Change the default password
• Hint: it may be “password”
• And anyone can find out that default password…
31. Securing home routers
• Use WPA encryption
• Don’t use WEP encryption
• Change the default SSID
• Hide the SSID
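As an added example (not part of the deck), a small Python audit that applies the checklist from these two router slides to a constructed router configuration and shows the same configuration after the fixes are applied. The config keys, the default-password list and the SSID prefixes are assumptions for illustration, not any vendor’s real settings.

```python
# Added example: check a home router's settings against the slide checklist
# (firmware current, default password changed, WPA not WEP, SSID changed and hidden).
# The config dict and the default-value lists below are constructed for illustration.

# Illustrative defaults only; the deck's own hint is "password".
COMMON_DEFAULT_PASSWORDS = {"password", "admin", "1234", ""}
# Assumed factory SSID prefixes; real models vary.
COMMON_DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "default")
ACCEPTABLE_ENCRYPTION = {"WPA", "WPA2", "WPA3"}


def audit_router(cfg):
    """Return a list of (setting, problem, fix) findings for a config dict."""
    findings = []
    enc = cfg.get("encryption", "").upper()
    if enc == "WEP":
        findings.append(("encryption", "WEP is broken", "switch to WPA2 or WPA3"))
    elif enc not in ACCEPTABLE_ENCRYPTION:
        findings.append(("encryption", "network is open", "enable WPA2 or WPA3"))
    if cfg.get("admin_password", "").lower() in COMMON_DEFAULT_PASSWORDS:
        findings.append(("admin_password", "default or blank admin password", "set a unique one"))
    if cfg.get("ssid", "").lower().startswith(COMMON_DEFAULT_SSID_PREFIXES):
        findings.append(("ssid", "default SSID reveals the router model", "change the SSID"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("ssid_broadcast", "SSID is broadcast", "hide the SSID"))
    if not cfg.get("firmware_current", False):
        findings.append(("firmware", "firmware is out of date", "install the vendor's latest"))
    return findings


def harden(cfg):
    """Return a copy of cfg with the deck's fixes applied (secrets are placeholders)."""
    fixed = dict(cfg)
    fixed.update(encryption="WPA2", ssid_broadcast=False, firmware_current=True,
                 admin_password="<unique admin password>", ssid="<non-default name>")
    return fixed


# Constructed example of a router still on its out-of-the-box settings.
FACTORY_CONFIG = {"encryption": "WEP", "admin_password": "password",
                  "ssid": "linksys", "ssid_broadcast": True, "firmware_current": False}

if __name__ == "__main__":
    for setting, problem, fix in audit_router(FACTORY_CONFIG):
        print(f"{setting}: {problem} -> {fix}")
    print("findings after hardening:", audit_router(harden(FACTORY_CONFIG)))  # []
```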
32. Social media risks?
• Scams, fake offers, fake people
• It can seem so real because our friends are there: we tend to trust social media
• But it may be abused by “friends”
• If you are a parent and/or guardian
– Have the social media conversation sooner rather than later
– Poor choices can lead to very bad outcomes
33. Staying safe on social media
• Monitor their accounts
• Review privacy & security settings
• Use a social media scanner
• “Think before you post”
– Good advice for all of us
34. Stay safe online!
• A website full of security tips and advice for everyone:
– www.StaySafeOnline.org
35. Use the web to stay up to date
• IdentityTheft.gov
• IdTheftCenter.org
• KrebsOnSecurity.com
• WeLiveSecurity.com
FYI – $50 million is more than the total loot from a year’s worth of bank robberies in America.
And the entire budget of the FBI is about $8 billion.
Using various tools and websites, some of which we will look at in a moment, criminals can quickly and efficiently mount a cybercrime operation, purchasing all of the ingredients, and selling or “fencing” their ill-gotten gains, like your company’s banking credentials, or your customers’ credit cards.
Not just Russians
Who was the hero played by? Chris Hemsworth
Note: these are actual screenshots. There is no legal issue with displaying these. Meet McDumpals, an online market where criminals who have stolen payment card data sell it to crooks who then use it for fraudulent purchases. People who know this is the face of cybercrime today tend to take security more seriously.
$8.40 to $6.80
This series of screenshots shows typical operations at an online data mart, and some prices. Krebs and others who track prices note rapid declines when large new data collections are put on the market (e.g. Target) and also decline over time as data ages.