20100224 Presentation at RGIT Mumbai - Information Security Awareness

Rajiv Gandhi Institute of Technology
February 24, 2009

Information Security … the profession;
concepts, risks and more..

Presented by:

Dinesh O Bareja
CISA, CISM, ITIL

Open Security Alliance
(www.opensecurityalliance.org)

About Me Warming Up
Dinesh Bareja
BA, CISA, CISM, ITIL, BS 7799 (LA, Imp)

Engaged in continuous study and learning

Work in Information Security consulting, advisory and technical
services; identifying emerging opportunities; strategic business
planning; training, mentoring and awareness & more…

Past life (pre-.com) was spent in mfg, trdg, exports.
.
Co founder of Indian Honeynet Project, Open Security Alliance and
actively involved with DSCI and other Information Security groups.

RGIT, Mumbai 02/24 www.opensecurityalliance.org

A Starting Thought Warming Up

..... every human endeavour operates partly in
light and partly in shadow; and, especially, in those
fields that delve deeply into shadow, some
succumb to temptation.
- Richard Power (Computerworld)


Covering your mistakes  Warming Up


Some more (simpler) thoughts Warming Up
• We have sidewalks but cannot walk on them !
• In parks they say … keep off the grass!
• Cars at home… but driving is a killer
• Using computers …. and there is the risk of
everything going wrong
• …..

• Rules… rules and more rules !!


My Rules Warmed Up
• Don‘t be shy … ask questions (we have a lot of time)
• Feel free to interrupt me
• Nod intelligently even if you fall asleep
• Correct me if I make a mistake (remember I am in a continuous learning
mode)
• Hijack this presentation and change it into a debate !
• Don‘t take notes, this slide deck will be available on our website (or on
the college file server)
• There is no test at the end of this session  You get marks for being a
good and interactive audience
• Finally – please make sure your cellphones are in shivering mode ! It is
bad manners to make any odd sounds when people around you are
trying to learn something


• The What and Why of
Information Security
• Information Security Domains
and Concepts
• Standards, Guidelines and
Frameworks
Proposition
• Infosec Profession / Careers

• Risks and Awareness


… What …
Preserving authorized
restrictions on access and
disclosure, including
means for protecting
personal privacy and
for proprietary information
protecting information
and information
systems from
Guarding against
improper information
unauthorized access, Confidentiality modification or
Ensuring timely destruction, and
use, and reliable includes ensuring
access to and information non-
disclosure, repudiation and
use of
disruption, information. authenticity;

modification, or
destruction
Availability Integrity


CIA… in more detail

• Confidentiality — Sensitive information must be available only to a set of
predefined individuals. Unauthorized transmission and usage of information
should be restricted. For example, confidentiality of information ensures that a
customer's personal or financial information is not obtained by an unauthorized
individual for malicious purposes such as identity theft or credit fraud.
• Integrity — Information should not be altered in ways that render it incomplete
or incorrect. Unauthorized users should be restricted from the ability to modify
or destroy sensitive information.
• Availability — Information should be accessible to authorized users any time
that it is needed. Availability is a warranty that information can be obtained with
an agreed-upon frequency and timeliness. This is often measured in terms of
percentages and agreed to formally in Service Level Agreements (SLAs) used
by network service providers and their enterprise clients.
• Continuity — Information should be continuously available to the business
user and this is ensured thorough appropriate business continuity and disaster
preparedness.


The Need for IT Security, Governance

Security Keeping
IT Running
Aligning Managing
IT with Complexity
Business

Regulatory
Value/Cost
Compliance

Organizations require a structured approach for managing these and other challenges.

© ISACA

Why Information Security

• Ensure Availability of Business
• Take care of the risk of loss of Confidentiality,
Integrity and Availability of Information Assets
• Protect Data and Information Systems
• Brand and Reputation Loss
• Increased Productivity through best practices
• Higher levels of assurance
• Competitive advantage
• Enable Business Continuity and Disaster Recovery
And for this we need Security Controls

Security Controls
Computer security is often divided into three distinct master categories, commonly referred to as controls:
– Physical
– Technical
– Administrative
Physical Controls - is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to
sensitive material. Examples of physical controls are:
• Closed-circuit surveillance cameras
• Motion or thermal alarm systems
• Security guards
• Picture IDs
• Locked and dead-bolted steel doors
• Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)
Administrative Controls - define the human factors of security. It involves all levels of personnel within an organization and determines
which users have access to what resources and information by such means as:
• Training and awareness
• Disaster preparedness and recovery plans
• Personnel recruitment and separation strategies
• Personnel registration and accounting
Technical Controls - use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure
and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
• Encryption
• Smart cards
• Network authentication
• Access control lists (ACLs)
• File integrity auditing software


Key Information Security Program Elements

Technology Process

People


Key Information Security Program Elements
- Training
Technology - Awareness Process
- HR Policies
- Background Checks
- Roles /
responsibilities
- Mobile Computing
- Social Engineering
- Social Networking
- Acceptable Use
- Policies
- Performance Mgt

- System Security - Risk Management
- UTM. Firewalls - Asset Management
- IDS/IPS - Data Classification
- Data Center - Info Rights Mgt
- Physical Security - Data Leak Prevention
- Vulnerability Assmt - Access Management
- Penetration Testing - Change Management
-Application Security - Patch Management
- Secure SDLC - Configuration Mgmt
- SIM/SIEM - Incident Response
- Managed Services - Incident Management
People


Essential Information Security Practices

• MANAGEMENT COMMITMENT
• RISK MANAGEMENT
• ASSET INVENTORY AND MANAGEMENT
• CHANGE MANAGEMENT
• INCIDENT RESPONSE AND MANAGEMENT
• CONFIGURATION MANAGEMENT
• TRAINING AND AWARENESS
• CONTINUOUS AUDIT
• METRICS AND MEASUREMENT


Essential Information Security Practices

• VULNERABILITY ASSESSMENT
• PENETRATION TESTING
• APPLICATION SECURITY TESTING
• DEVICE MANAGEMENT
• LOG MONITORING, ANALYSIS AND MANAGEMENT
• SECURE DEVELOPMENT


Defining Information Assets

Tangible or intangible corporate assets

• Hardware
• Software
• Data
• Intellectual Property
• Patents
• Processes
• Device Configurations
• Plans
• Designs / Blueprints


Risk Management

• Risk is defined in ISO 31000 as the effect of uncertainty on objectives
(whether positive or negative).
• Risk management : the identification, assessment, and prioritization of
risks followed by coordinated and economical application of resources
to minimize, monitor, and control the probability and/or impact of
unfortunate events or to maximize the realization of opportunities.
• Risks can come from uncertainty in financial markets, project failures,
legal liabilities, credit risk, accidents, natural causes and disasters as
well as deliberate attacks from an adversary.
• Strategies to manage risk :
– Avoidance (eliminate, withdraw from or not become involved)
– Reduction (optimise - mitigate)
– Sharing (transfer - outsource or insure)
– Retention (accept and budget)


Information Risks, Threats, Vulnerabilities

• Web Application • Botnets
Vulnerabilities • Spam / Targeted mails
• Social Networks
• Malware / Virus • Murder
• DDOS attacks (Denial of • Reputation Loss
Service) • Scams
• Phishing, Vishing, Spear- • Identity Theft
Phishing
• Privacy Violation
• Social Engineering
• Insider Threat
• Software Vulnerabilities
• Wireless

The driver … Malicious Motivation

Criminal
Intent
Coercion

Greed

Show Off
Revenge

Attack
Curiosity


Hackers ‗n‘ Crackers

• During the 1960s, the word "hacker" grew to prominence describing a
person with strong computer skills, an extensive understanding of how
computer programs worked, and a driving curiosity about computer
systems.
• True hackers are computer programming enthusiasts who pushed
computer systems to their limits without malicious intent and followed a
hacker code of ethics.
• They believed technical information should be freely available to any
person, and they abided by a code of ethics that looked down upon
destroying, moving, or altering information in a way could cause injury
or expense.
• Hacking, however, soon became nearly synonymous with illegal
activity. Negative publicity surrounding hackers continued to grow.


Hackers ‗n‘ Crackers

• While the first incidents of hacking dealt with breaking into phone
systems, hackers also began diving into computer systems as
technology advanced.
• Hacking became increasingly problematic during the 1980s and as a
result, in the US the Computer Fraud and Abuse Act was created,
imposing more severe punishments for those caught abusing computer
systems. In the early 1980s, the FBI made one of its first arrests
related to hacking.
• As a result, several hacker groups coined the term 'cracker' in 1985 to
define a person who broke into computer systems and ignored hacker
ethics; however, the media continued to use the word hacker.


Profiling …. the color of your hat !
Black Hat

Also known as crackers these are the
White Hat ones to watch out for, they send and
Also known as friendly hackers are always make viruses, destroy data, and
using their knowledge for good reasons deface websites along with other
illegal activity and break into peoples
machines. This type of hacker has a
bad reputation.

Grey Hat …
Are borderline white/black hats. They Not to forget the
sometimes prank unsuspecting users and hatless…..
cause general mayhem. While they think
this kind of activity is harmless, they may - Script Kiddies
face long periods of jail time if they ever get - The Hobbyist
found out.
- Insider
- Countries


• Information Security is
implemented in organizations
based on Standards, Guidelines,
Frameworks,
• Other factors are Laws and
Regulations, Customer
requirements Standards etc
• All require the adoption of best
practices


Common Standards / Frameworks / Guidelines / Regulatory

• ISO:27001 – 2005  IT Act and applicable Criminal /
• PCI-DSS Civil legislation
• CobiT  HIPAA
• BS:25999  GLBA
• ISO 2000  Sarbanes Oxley
• ITIL  Basel II
• Clause 49 (SEBI Guideline,  PCAOB
Government of India)  SAS 70
• CTCL  Privacy Laws (e.g.PIPEDA)
• NERC-CIP  … many more…..
• Data Protection Act


• ISO 27001, BS 25999, CobiT, IIL
or ISO 20000

• These are the most widely used
and recognized standard for
Information Security globally
ISO 27001, CobiT etc
• Form the foundation of security
for various other framework and
regulatory requirements


ISO 27001: 2005

• ―Information security is the protection of
information from a wide range of threats in order to
ensure business continuity, minimize business risk,
and maximize return on investments and business
opportunities.‖


ISO 27001 Fundamental Principles

Maintain and Establish ISMS
Improve the Context and Risk
ISMS Assessment

Act Plan
Development,
Improvement
and
Maintenance
Cycle

Check Do
Monitor and Design and
Review the Implement the
ISMS ISMS

ISO 27001 Fundamental Principle

Act Plan

Check Do

ITIL ®

• The Information Technology Infrastructure Library (ITIL) is a set of
concepts and practices for managing Information Technology (IT)
services (ITSM), IT development and IT operations.
• ITIL gives detailed descriptions of a number of important IT practices
and provides comprehensive checklists, tasks and procedures that any
IT organization can tailor to its needs. ITIL is published in a series of
books, each of which covers an IT management topic.
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement


CobiT® : Control Objectives for Information and related Technology

• IT resources are managed by IT processes to achieve IT
goals that respond to the business requirements. This is
the basic principle of the COBIT framework, as illustrated by
the COBIT cube.
 Business-focused
 Process-oriented
 Controls-based
 Measurement-
driven

© IT Governance Institute


CobiT Framework
BUSINESS OBJECTIVES AND
GOVERNANCE OBJECTIVES

C O B I T
ME1 Monitor and evaluate IT FRAMEWORK
PO1 Define a strategic IT plan.
performance. INFORMATION
PO2 Define the information
ME2 Monitor and evaluate
architecture.
internal control.
Efficiency Integrity PO3 Determine technological
ME3 Ensure compliance with
Effectiveness Availability direction.
external requirements.
Compliance PO4 Define the IT processes,
ME4 Provide IT governance. Confidentiality
organisation and
Reliability relationships.
MONITOR PLAN PO5 Manage the IT investment.
AND AND PO6 Communicate management
EVALUATE ORGANISE aims and direction.
IT PO7 Manage IT human resources.
DS1 Define and manage service RESOURCES PO8 Manage quality.
levels.
PO9 Assess and manage IT risks.
DS2 Manage third-party services.
PO10 Manage projects.
DS3 Manage performance and
capacity.
DS4 Ensure continuous service. Applications
Information
DS5 Ensure systems security. AI1 Identify automated solutions.
Infrastructure
DS6 Identify and allocate costs. People AI2 Acquire and maintain
DS7 Educate and train users. application software.
DELIVER ACQUIRE
DS8 Manage service desk and AND AI3 Acquire and maintain
AND
incidents. SUPPORT IMPLEMENT technology infrastructure.
DS9 Manage the configuration. AI4 Enable operation and use.
DS10 Manage problems. AI5 Procure IT resources.
DS11 Manage data. AI6 Manage changes.
DS12 Manage the physical AI7 Install and accredit solutions
environment. and changes.
DS13 Manage operations.
© IT Governance Institute


BS 25999

• The standard for Business Continuity Management.
• Part 1 : Code of Practice
– Section 1 - Scope and Applicability.
– Section 2 - Terms and Definitions.
– Section 3 - Overview of Business Continuity Management.
– Section 4 - The Business Continuity Management Policy.
– Section 5 - BCM Programme Management.
– Section 6 - Understanding the organization.
– Section 7 - Determining BCM Strategies.
– Section 8 - Developing and implementing a BCM response.
– Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture.
– Section 10 - Embedding BCM into the organizations culture.
• Part 2 : Specification
– Section 1 - Scope.
– Section 2 - Terms and Definitions.
– Section 3 - Planning the Business Continuity Management System (PLAN).
– Section 4 - Implementing and Operating the BCMS (DO)
– Section 5 - Monitoring and Reviewing the BCMS (CHECK)
– Section 6 Maintaining and Improving the BCMS (ACT)


• General information about data
loss and breaches

• Snapshot of CERT reported Data Loss Statistics
incidences:
– 2003 - 137,529
– 2002 - 82,094
– 2001 - 52,658


Internet Users
Internet User Growth


http://www.bankinfosecurity.com/articles.php?art_id=1766


Data Breach Timeline


Size / Business Does Not Matter

Data Breach by industry type

Number of Employees by Percent of Breaches 13 percent of
organizations
had recently
been merged
or acquired

Source: Verizon Data Breach Incident Report 2009


• Statistics for online habits
• Some common risks
• What can you do for yourself,
the college and the community Profession and Career


Information Security Certifications

ISACA - Information Systems Audit and Control Association
• CISA - Certified Information Systems Auditor
• CISM - Certified Information Security Manager
• CGEIT - Certified in the Governance of Enterprise IT
• CRISC - Certified in Risk and Information Systems Control
(ISC)²
• CISSP - Certified Information Systems Security Professional
• SSCP® - Systems Security Certified Practitioner
Institute of Internal Auditors
• CIA - Certified Internal Auditor
• (CGAP®) - The Certified Government Auditing Professional
• CFSA® - Certified Financial Services Auditor
• CCSA® Certification in Control Self-Assessment
PMI
• PMP
The Security Industry Association (SIA)
• CSPM - Certified Security Project Manager (CSPM)


Information Security Certifications

[ITIL]
• ITIL Service Management Foundations Certificate
• ITIL Service Manager
• ITIL Practitioner
DRI - Institute for Continuity Management
• ABCP - Associate Business Continuity Professional
• CBCP - Certified Business Continuity Professional
• CFCP - Certified Functional Continuity
• MBCP - Master Business Continuity
Association of Certified Fraud Examiners (ACFE)
• CFE - Certified Fraud Examiner
Forensics - EnCase®
• EnCE® - EnCase® Certified Examiner (EnCE®)
CISCO
• CCSP – Cisco Certified Security Professional


Career Specializations
• 1. Computer forensics – Learn forensic investigation tools and techniques to investigate cyber crimes and financial
crimes.

2. IT security auditor – Focus on auditing capabilities. As part of this, you must explore platforms like mainframes,
SAP, and core banking platforms as your areas of expertise.

3. Application security specialist – Specialize in areas like secure coding, security testing tools and techniques,
secure design of web applications, and threat modelling.

4. Compliance specialist – Focus on helping organizations comply to standards and regulations such as ISO 27001,
PCI DSS, HIPAA, FDA and Sarbanes-Oxley.

5. Security solutions architect – Specialize in secure network architecture, security solutions procurement and
deployment, and hardening of infrastructure.

6. Security trainer – Focus on spreading knowledge about information security, and create awareness at all levels.

7. Cyber law expert – Combine knowledge of the Indian IT Act 2008 with IT knowledge and forensics know-how.


Some Required Skills or Traits
• 1. High level of passion - Security changes on an almost daily basis – there are new tools, attack
vectors, and vulnerabilities being discovered almost hourly. A security professional can remain ahead
of the game only by constantly updating himself, and this requires a high amount of passion for the
field. A security professional should not only be well-versed with a wide range of technologies,
but also be reasonably acquainted with the basics of psychology, economics, finance, and
physical security.

2. Creativity - Be it a penetration test or developing an automated way to carry out a particular activity,
a high level of creativity is a must in every aspect of a security professional's job. Thinking out of the
box is an almost daily activity for a security professional.

3. A never-say-die attitude - Security issues are typically complex, and often there are no easy
solutions. Quite often, the situations are also very high-pressure – the client's been hacked, or
someone inside leaked out critical internal data, or systems have to be hardened before going live. A
seasoned security professional knows that there is a solution on the other side of every problem. And
he is willing to do what it takes to be as resourceful in finding the right solution.

4. Grasp of a wide range of subjects - Security is not just about policies and procedures or buffer
overflows or SQL injection. Most security issues stem from, and can be resolved, by human
intervention. A security professional should not only be well-versed with a wide range of technologies,
but should also be reasonably acquainted with the basics of psychology, economics, finance, and
physical security.


Technology Skills

• Application Development
• Secure SDLC
• Networking
• Vulnerability Assessment
• Penetration Testing On any given day, there
are approximately 225
• System Hardening major incidences of
security breach
• Device Support reported to the CERT
Coordination Center at
• Wireless Security Carnegie Mellon
University.
• …


• Common and uncommon Risks
• Statistics about online habits
• What can you do for yourself,
the college and the community Risks and Awareness


What Can You Do

• Cyber Security (virus, online habits, filesharing
etc)– Cyberethics (copying and use of IP) –
Cybersafety (identify protection, cyber bullying etc)

• Educate your friends and family (trojans,
keyloggers, phishing, scams
• Secure home computers and for family/friends
(wireless, backup etc)
• Take care of your Social Networking risks


Securing Yourself

• Common Sense
• Awareness
• Regularly Update Patches
• Anti Virus, anti spyware…
• Be careful on P2P filesharing .. what you download
• Read the computer message(s)
• Don‘t blindly click next > next > next
• Be careful when you read email especially if it belongs to
someone else
• Don‘t try to open every attachment
• Keep your password to yourself
• CybeSecurity – Cyberethics – Cybersafety

In Simple Words…

© Noticebored


Refer TOI today

© Noticebored


How many friends are online and in real life


So what have you done online lately

• I have connected with old friends online
• Rekindled a relationship online
• Share a secret or two or some personal stuff
online


Some online habits


What Can You Do (2)

• Think out of the box
• Evaluate tools and technologies as part of your projects
• Develop tools and scripts
• Share findings with industry, government and law
enforcement
• Research and study malware trends, defense methods
• Create a virtual library of your work so your peers and
followers will also benefit
• Institutional security policies and procedures
• Conduct network assessments in the college from time to
time and share the findings with all


Future trends / opportunities

• Social networking compliance assurance
• Unified communication
• Microblogging
• Intelligent search
• Mobile apps


Case Study

• Factual Facebook Hack Case Study
– http://snosoft.blogspot.com/2009/02/facebook-from-
hackers-perspective.html

• Twitter Hack

• Hotmail Outage leads to malware offering sites

• Clicking Blindly


• Some information about Open
Security Alliance
About Us


Open Security Alliance

A small group of professionals working in Information Security got
together to discuss life beyond technical stuff which non-techies find
difficult to understand.
So these guys got together to work under the OSA banner to present
risks, threats and vulnerabilities in an easy and understandable
language. Just to make sure the non-geek understands the problems
as well and gets as scared as the IS guy.

• OSA - an open community of individuals who are committed to
providing the benefit of their knowledge and expertise to community.
• OSA - individual initiatives to undertake research and studies in
Information Security (India centric) then provide learning to community.
• …. The underlying thought is to Be The Change.


Contact Information

• Dinesh O Bareja
– M: +91.9769890505
– E: dineshbareja@gmail.com
– E: dinesh@opensecurityalliance.org
– Twitter: @bizsprite
– Linked In (India Information Security Community)


Conclusion

• Questions and Discussion

• Thank You !


Disclaimer
• All logos and brand names belong to their respective owners and we do not claim any relationship or
association, implied or otherwise, with them.
• Use of any materials by virtue of relationships and associations, if any, are mentioned explicitly.
• We have taken care to attribute all sources for external materials used in this presentation, and any
oversight is regretted. If you, as owner, or as viewer, find any reason to dispute the use of these
materials kindly communicate the same to us at “issues AT opensecurityalliance DOT org
• Any omissions, in terms of attribution, may be due to an error on our part and not intentional.

This document is a creation of securians.com and is released in the public domain under
Creative Commons License (Attribution-Noncommercial 2.5 India)
http://creativecommons.org/licenses/by-nc-sa/2.5/in/.
Disclaimer: The practices listed in the document are provided as is and as guidance and the authors do
not claim that these comprise the only practices to be followed. The readers are urged to make
informed decisions in their usage. Feedback is solicited and you can access other topics at our
website www.securians.com
Contributors: Dinesh O Bareja Reviewers: Vicky Shah
Title: Information Security … the profession; concepts, risks and more..
Version: 1.0 / February 2010


References

• Educause Video Contest
http://www.educause.edu/SecurityVideoContest
• CERT
• India CERT
• NIST
• OWASP
• SANS


Social Networking Case Study : Facebook Hack

• The threat from social networks comes from social
engineering — employees post company information…
the attackers collects during reconnaissance … then
infiltrates the social network that exists between the
employees … then uses that trust to phish for VPN
passwords or any other information….

The Facebook hack case study is for an assignment carried out
by SnoSoft and presents a unique insight into the threats and
Case Study

risks exposed on such sites


Facebook Hack Step 1 : Reconnaissance

• Conduct Social and Technical Reconnaissance
• Social
– 1400 employees identified through the internet of which 900 used social networking
sites like Facebook, Orkut, LinkedIn, MySpace etc.
– Studied about 200 profiles and created a false identity
• Technical
– Probed the corporate website and identified Cross Side Scripting vulnerabilities
(which the researchers expected and hoped to find)

Cross-site scripting ("XSS") vulnerability is
most frequently discovered in websites that do
not have sufficient input validation or data
Case Study

validation capabilities. XSS vulnerabilities
allow an attacker to inject code into a website
that is viewed by other users. This injection
can be done sever side by saving the injected
code on the server (in a forum, blog, etc) or it
can be done client side by injecting the code
into a specially crafted URL that can be
delivered to a victim.


Facebook Hack Step 2: Setup
• Used a client side attack as opposed to a server side attack because it enabled
the select ion of only those users that we are interested in attacking. Server
side attacks are not as surgical and usually affect any user who views the
compromised server page.
• A payload is created and was designed to render a legitimate looking https
secured web page that appeared to be a component of the customer's web site.
• When a victim clicks on the specially crafted link the payload is executed and
the fake web page is rendered.
• In this case our fake web page was an alert that warned users that their
accounts may have been compromised and that they should verify their
credentials by entering them into the form provided.
• When the users credentials are entered the form submitted them to
Case Study

http://www.netragard.com and were extracted by an automated tool that had
been created.
•


Facebook Hack Step 3: Create Profile
• After the payload was created and tested we started the process of
building an easy to trust facebook profile.
• Because most of the targeted employees were male between the
ages of 20 and 40 we decided that it would be best to become a
very attractive 28 year old female.
• A fitting photograph was found by searching google images and used
for the fake Facebook profile.
• The profile was populated with information about our experiences at
work by using combined stories that were collected from real employee
facebook profiles.
Case Study


Facebook Hack Step 4: Attack Launch
• Upon completion we joined the company facebook group.
• Joining request was approved in a matter of hours and within twenty
minutes of accepted as group members, legitimate customer
employees began sending friendship requests.
• In addition we made hundreds of outbound requests.
• The friends list grew very quickly and included managers, executives,
secretaries, interns, and even contractors.
• Having collected a few hundred friends, we began chatting.
Case Study


Facebook Hack Step 5: Attack On

• Conversations were based on work related issues that we were able
to collect from legitimate employee profiles.
• After a period of three days of conversing and sharing links, we
posted our specially crafted link to our facebook profile.

The title of the link was "Omigawd have you seen this I think we got
hacked!”
…. and people started clicking on the link and verifying their credentials.

• Ironically, the first set of credentials that we got belonged to the
hiring manager.
Case Study


Facebook Hack Step 6: Success

• Using those credentials one had access to the web-vpn which in
turn gave access to the network.
• Those credentials also allowed access to a majority of systems on
the network including the Active Directory server, the mainframe,
pump control systems, the checkpoint firewall console, etc.

The Facebook hack has worked.
Case Study


Hotmail Outage

• Tuesday, February 16, 2010
• Hotmail Users Look for Answers in Dangerous Places
• An outage of the Windows Live ID service affected a large number of
MSN users today including users of the popular Hotmail email service.
Hotmail is one of the largest web based email outlets and not
surprisingly news of the outage spread quickly as users were not able
to access their email.

Those hoping to find more information on Google may have ended up
with more than they bargained for. Blackhats have once again worked
their magic to infect users looking for news related to the outage. In
fact, 8 out of the top 10 results for ―hotmail service unavailable‖
returned dangerous URLs.


Le Twitter hack


Le Twitter Hack

From lalawaq.com


Clicking Blindly
Case Study : Clicking blindly !

Settled in for a nice bit of surfing in the library!
Study ! Ah hah ! Just don‘t click the link blindly !

Whoops ! That‘s a big load of malware you just got
From EDUCAUSE with sound effects !

You don‘t want to look like this !


20100224 Presentation at RGIT Mumbai - Information Security Awareness

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a 20100224 Presentation at RGIT Mumbai - Information Security Awareness

Similar a 20100224 Presentation at RGIT Mumbai - Information Security Awareness (20)

Más de Dinesh O Bareja

Más de Dinesh O Bareja (20)

Último

Último (20)

20100224 Presentation at RGIT Mumbai - Information Security Awareness