20100224 Presentation at RGIT Mumbai - Information Security Awareness
1. Rajiv Gandhi Institute of Technology
February 24, 2009
Information Security … the profession;
concepts, risks and more..
Presented by:
Dinesh O Bareja
CISA, CISM, ITIL
Open Security Alliance
(www.opensecurityalliance.org)
2. About Me Warming Up
Dinesh Bareja
BA, CISA, CISM, ITIL, BS 7799 (LA, Imp)
Engaged in continuous study and learning
Work in Information Security consulting, advisory and technical
services; identifying emerging opportunities; strategic business
planning; training, mentoring and awareness & more…
Past life (pre-.com) was spent in mfg, trdg, exports.
Co founder of Indian Honeynet Project, Open Security Alliance and
actively involved with DSCI and other Information Security groups.
RGIT, Mumbai 02/24 www.opensecurityalliance.org
3. A Starting Thought Warming Up
..... every human endeavour operates partly in
light and partly in shadow; and, especially, in those
fields that delve deeply into shadow, some
succumb to temptation.
- Richard Power (Computerworld)
5. Some more (simpler) thoughts Warming Up
• We have sidewalks but cannot walk on them !
• In parks they say … keep off the grass!
• Cars at home… but driving is a killer
• Using computers …. and there is the risk of
everything going wrong
• …..
• Rules… rules and more rules !!
6. My Rules Warmed Up
• Don't be shy … ask questions (we have a lot of time)
• Feel free to interrupt me
• Nod intelligently even if you fall asleep
• Correct me if I make a mistake (remember I am in a continuous learning
mode)
• Hijack this presentation and change it into a debate !
• Don't take notes, this slide deck will be available on our website (or on
the college file server)
• There is no test at the end of this session. You get marks for being a
good and interactive audience
• Finally – please make sure your cellphones are in shivering mode ! It is
bad manners to make any odd sounds when people around you are
trying to learn something
7. Proposition
• The What and Why of Information Security
• Information Security Domains and Concepts
• Standards, Guidelines and Frameworks
• Infosec Profession / Careers
• Risks and Awareness
8. … What …
Information security: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
• Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
• Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
• Availability: Ensuring timely and reliable access to and use of information.
9. CIA… in more detail
• Confidentiality — Sensitive information must be available only to a set of
predefined individuals. Unauthorized transmission and usage of information
should be restricted. For example, confidentiality of information ensures that a
customer's personal or financial information is not obtained by an unauthorized
individual for malicious purposes such as identity theft or credit fraud.
• Integrity — Information should not be altered in ways that render it incomplete
or incorrect. Unauthorized users should be restricted from the ability to modify
or destroy sensitive information.
• Availability — Information should be accessible to authorized users any time
that it is needed. Availability is a warranty that information can be obtained with
an agreed-upon frequency and timeliness. This is often measured in terms of
percentages and agreed to formally in Service Level Agreements (SLAs) used
by network service providers and their enterprise clients.
• Continuity — Information should be continuously available to the business
user, and this is ensured through appropriate business continuity and disaster
preparedness.
11. Why Information Security
• Ensure Availability of Business
• Take care of the risk of loss of Confidentiality,
Integrity and Availability of Information Assets
• Protect Data and Information Systems
• Brand and Reputation Loss
• Increased Productivity through best practices
• Higher levels of assurance
• Competitive advantage
• Enable Business Continuity and Disaster Recovery
And for this we need Security Controls
12. Security Controls
Computer security is often divided into three distinct master categories, commonly referred to as controls:
– Physical
– Technical
– Administrative
Physical Controls - the implementation of security measures in a defined structure used to deter or prevent unauthorized access to
sensitive material. Examples of physical controls are:
• Closed-circuit surveillance cameras
• Motion or thermal alarm systems
• Security guards
• Picture IDs
• Locked and dead-bolted steel doors
• Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)
Administrative Controls - define the human factors of security. They involve all levels of personnel within an organization and determine
which users have access to what resources and information by such means as:
• Training and awareness
• Disaster preparedness and recovery plans
• Personnel recruitment and separation strategies
• Personnel registration and accounting
Technical Controls - use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure
and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
• Encryption
• Smart cards
• Network authentication
• Access control lists (ACLs)
• File integrity auditing software
13. Key Information Security Program Elements
People – Process – Technology
14. Key Information Security Program Elements
People
- Training
- Awareness
- HR Policies
- Background Checks
- Roles / responsibilities
- Mobile Computing
- Social Engineering
- Social Networking
- Acceptable Use
- Policies
- Performance Mgt
Technology
- System Security
- UTM, Firewalls
- IDS/IPS
- Data Center
- Physical Security
- Vulnerability Assmt
- Penetration Testing
- Application Security
- Secure SDLC
- SIM/SIEM
- Managed Services
Process
- Risk Management
- Asset Management
- Data Classification
- Info Rights Mgt
- Data Leak Prevention
- Access Management
- Change Management
- Patch Management
- Configuration Mgmt
- Incident Response
- Incident Management
15. Essential Information Security Practices
• MANAGEMENT COMMITMENT
• RISK MANAGEMENT
• ASSET INVENTORY AND MANAGEMENT
• CHANGE MANAGEMENT
• INCIDENT RESPONSE AND MANAGEMENT
• CONFIGURATION MANAGEMENT
• TRAINING AND AWARENESS
• CONTINUOUS AUDIT
• METRICS AND MEASUREMENT
18. Risk Management
• Risk is defined in ISO 31000 as the effect of uncertainty on objectives
(whether positive or negative).
• Risk management : the identification, assessment, and prioritization of
risks followed by coordinated and economical application of resources
to minimize, monitor, and control the probability and/or impact of
unfortunate events or to maximize the realization of opportunities.
• Risks can come from uncertainty in financial markets, project failures,
legal liabilities, credit risk, accidents, natural causes and disasters as
well as deliberate attacks from an adversary.
• Strategies to manage risk :
– Avoidance (eliminate, withdraw from or not become involved)
– Reduction (optimise - mitigate)
– Sharing (transfer - outsource or insure)
– Retention (accept and budget)
20. The driver … Malicious Motivation
• Criminal Intent
• Coercion
• Greed
• Show Off
• Revenge
• Curiosity
… all leading to: Attack
21. Hackers 'n' Crackers
• During the 1960s, the word "hacker" grew to prominence describing a
person with strong computer skills, an extensive understanding of how
computer programs worked, and a driving curiosity about computer
systems.
• True hackers are computer programming enthusiasts who pushed
computer systems to their limits without malicious intent and followed a
hacker code of ethics.
• They believed technical information should be freely available to any
person, and they abided by a code of ethics that looked down upon
destroying, moving, or altering information in a way that could cause injury
or expense.
• Hacking, however, soon became nearly synonymous with illegal
activity. Negative publicity surrounding hackers continued to grow.
22. Hackers 'n' Crackers
• While the first incidents of hacking dealt with breaking into phone
systems, hackers also began diving into computer systems as
technology advanced.
• Hacking became increasingly problematic during the 1980s and as a
result, in the US the Computer Fraud and Abuse Act was created,
imposing more severe punishments for those caught abusing computer
systems. In the early 1980s, the FBI made one of its first arrests
related to hacking.
• As a result, several hacker groups coined the term 'cracker' in 1985 to
define a person who broke into computer systems and ignored hacker
ethics; however, the media continued to use the word hacker.
23. Profiling …. the color of your hat !
White Hat: Also known as friendly hackers, they are always using their knowledge for good reasons.
Black Hat: Also known as crackers, these are the ones to watch out for; they send and make viruses, destroy data, and deface websites along with other illegal activity and break into people's machines. This type of hacker has a bad reputation.
Grey Hat: Are borderline white/black hats. They sometimes prank unsuspecting users and cause general mayhem. While they think this kind of activity is harmless, they may face long periods of jail time if they ever get found out.
Not to forget the hatless…..
- Script Kiddies
- The Hobbyist
- Insider
- Countries
24.
• Information Security is implemented in organizations based on Standards, Guidelines and Frameworks.
• Other factors are Laws and Regulations, Customer requirements, Standards etc.
• All require the adoption of best practices.
25. Common Standards / Frameworks / Guidelines / Regulatory
• ISO:27001 – 2005
• PCI-DSS
• CobiT
• BS:25999
• ISO 20000
• ITIL
• Clause 49 (SEBI Guideline, Government of India)
• CTCL
• NERC-CIP
• Data Protection Act
• IT Act and applicable Criminal / Civil legislation
• HIPAA
• GLBA
• Sarbanes Oxley
• Basel II
• PCAOB
• SAS 70
• Privacy Laws (e.g. PIPEDA)
• … many more…..
26.
• ISO 27001, BS 25999, CobiT, ITIL or ISO 20000 are the most widely used
and recognized standards for Information Security globally.
• ISO 27001, CobiT etc form the foundation of security for various other
frameworks and regulatory requirements.
27. ISO 27001: 2005
• "Information security is the protection of
information from a wide range of threats in order to
ensure business continuity, minimize business risk,
and maximize return on investments and business
opportunities."
28. ISO 27001 Fundamental Principles
Development, Improvement and Maintenance Cycle (Plan – Do – Check – Act):
• Plan – Establish ISMS Context and Risk Assessment
• Do – Design and Implement the ISMS
• Check – Monitor and Review the ISMS
• Act – Maintain and Improve the ISMS
29. ISO 27001 Fundamental Principle
[PDCA cycle diagram: Plan – Do – Check – Act]
30. ITIL ®
• The Information Technology Infrastructure Library (ITIL) is a set of
concepts and practices for managing Information Technology (IT)
services (ITSM), IT development and IT operations.
• ITIL gives detailed descriptions of a number of important IT practices
and provides comprehensive checklists, tasks and procedures that any
IT organization can tailor to its needs. ITIL is published in a series of
books, each of which covers an IT management topic.
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
33. BS 25999
• The standard for Business Continuity Management.
• Part 1 : Code of Practice
– Section 1 - Scope and Applicability.
– Section 2 - Terms and Definitions.
– Section 3 - Overview of Business Continuity Management.
– Section 4 - The Business Continuity Management Policy.
– Section 5 - BCM Programme Management.
– Section 6 - Understanding the organization.
– Section 7 - Determining BCM Strategies.
– Section 8 - Developing and implementing a BCM response.
– Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture.
– Section 10 - Embedding BCM into the organization's culture.
• Part 2 : Specification
– Section 1 - Scope.
– Section 2 - Terms and Definitions.
– Section 3 - Planning the Business Continuity Management System (PLAN).
– Section 4 - Implementing and Operating the BCMS (DO)
– Section 5 - Monitoring and Reviewing the BCMS (CHECK)
– Section 6 - Maintaining and Improving the BCMS (ACT)
35. Data Loss Statistics
• General information about data loss and breaches
• Snapshot of CERT reported incidences:
– 2003 - 137,529
– 2002 - 82,094
– 2001 - 52,658
36. Internet Users
Internet User Growth
39. Size / Business Does Not Matter
[Chart: Data Breach by industry type]
[Chart: Number of Employees by Percent of Breaches]
13 percent of organizations had recently been merged or acquired
Source: Verizon Data Breach Incident Report 2009
41. Profession and Career
• Statistics for online habits
• Some common risks
• What can you do for yourself, the college and the community
42. Information Security Certifications
ISACA - Information Systems Audit and Control Association
• CISA - Certified Information Systems Auditor
• CISM - Certified Information Security Manager
• CGEIT - Certified in the Governance of Enterprise IT
• CRISC - Certified in Risk and Information Systems Control
(ISC)²
• CISSP - Certified Information Systems Security Professional
• SSCP® - Systems Security Certified Practitioner
Institute of Internal Auditors
• CIA - Certified Internal Auditor
• CGAP® - Certified Government Auditing Professional
• CFSA® - Certified Financial Services Auditor
• CCSA® - Certification in Control Self-Assessment
PMI
• PMP
The Security Industry Association (SIA)
• CSPM - Certified Security Project Manager
43. Information Security Certifications
[ITIL]
• ITIL Service Management Foundations Certificate
• ITIL Service Manager
• ITIL Practitioner
DRI - Institute for Continuity Management
• ABCP - Associate Business Continuity Professional
• CBCP - Certified Business Continuity Professional
• CFCP - Certified Functional Continuity
• MBCP - Master Business Continuity
Association of Certified Fraud Examiners (ACFE)
• CFE - Certified Fraud Examiner
Forensics - EnCase®
• EnCE® - EnCase® Certified Examiner
CISCO
• CCSP – Cisco Certified Security Professional
44. Career Specializations
1. Computer forensics – Learn forensic investigation tools and techniques to investigate cyber crimes and financial crimes.
2. IT security auditor – Focus on auditing capabilities. As part of this, you must explore platforms like mainframes, SAP, and core banking platforms as your areas of expertise.
3. Application security specialist – Specialize in areas like secure coding, security testing tools and techniques, secure design of web applications, and threat modelling.
4. Compliance specialist – Focus on helping organizations comply with standards and regulations such as ISO 27001, PCI DSS, HIPAA, FDA and Sarbanes-Oxley.
5. Security solutions architect – Specialize in secure network architecture, security solutions procurement and deployment, and hardening of infrastructure.
6. Security trainer – Focus on spreading knowledge about information security, and create awareness at all levels.
7. Cyber law expert – Combine knowledge of the Indian IT Act 2008 with IT knowledge and forensics know-how.
45. Some Required Skills or Traits
1. High level of passion - Security changes on an almost daily basis – there are new tools, attack vectors, and vulnerabilities being discovered almost hourly. A security professional can remain ahead of the game only by constantly updating himself, and this requires a high amount of passion for the field.
2. Creativity - Be it a penetration test or developing an automated way to carry out a particular activity, a high level of creativity is a must in every aspect of a security professional's job. Thinking out of the box is an almost daily activity for a security professional.
3. A never-say-die attitude - Security issues are typically complex, and often there are no easy solutions. Quite often, the situations are also very high-pressure – the client's been hacked, or someone inside leaked out critical internal data, or systems have to be hardened before going live. A seasoned security professional knows that there is a solution on the other side of every problem, and he is willing to do what it takes to be resourceful in finding the right solution.
4. Grasp of a wide range of subjects - Security is not just about policies and procedures or buffer overflows or SQL injection. Most security issues stem from, and can be resolved by, human intervention. A security professional should not only be well-versed with a wide range of technologies, but should also be reasonably acquainted with the basics of psychology, economics, finance, and physical security.
46. Technology Skills
• Application Development
• Secure SDLC
• Networking
• Vulnerability Assessment
• Penetration Testing
• System Hardening
• Device Support
• Wireless Security
• …
On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.
47. Risks and Awareness
• Common and uncommon Risks
• Statistics about online habits
• What can you do for yourself, the college and the community
48. What Can You Do
• Cyber Security (virus, online habits, filesharing etc) – Cyberethics
(copying and use of IP) – Cybersafety (identity protection, cyber
bullying etc)
• Educate your friends and family (trojans, keyloggers, phishing, scams)
• Secure home computers and those of family/friends (wireless, backup etc)
• Take care of your Social Networking risks
49. Securing Yourself
• Common Sense
• Awareness
• Regularly Update Patches
• Anti Virus, anti spyware…
• Be careful on P2P filesharing .. what you download
• Read the computer message(s)
• Don't blindly click next > next > next
• Be careful when you read email especially if it belongs to
someone else
• Don't try to open every attachment
• Keep your password to yourself
• Cyber Security – Cyberethics – Cybersafety
52. How many friends are online and in real life
53. So what have you done online lately
• I have connected with old friends online
• Rekindled a relationship online
• Shared a secret or two, or some personal stuff,
online
58. What Can You Do (2)
• Think out of the box
• Evaluate tools and technologies as part of your projects
• Develop tools and scripts
• Share findings with industry, government and law
enforcement
• Research and study malware trends, defense methods
• Create a virtual library of your work so your peers and
followers will also benefit
• Institutional security policies and procedures
• Conduct network assessments in the college from time to
time and share the findings with all
59. Future trends / opportunities
• Social networking compliance assurance
• Unified communication
• Microblogging
• Intelligent search
• Mobile apps
60. Case Study
• Factual Facebook Hack Case Study
– http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html
• Twitter Hack
• Hotmail Outage leads to malware offering sites
• Clicking Blindly
61. About Us
• Some information about Open Security Alliance
62. Open Security Alliance
A small group of professionals working in Information Security got
together to discuss life beyond technical stuff which non-techies find
difficult to understand.
So these guys got together to work under the OSA banner to present
risks, threats and vulnerabilities in an easy and understandable
language. Just to make sure the non-geek understands the problems
as well and gets as scared as the IS guy.
• OSA - an open community of individuals who are committed to
providing the benefit of their knowledge and expertise to the community.
• OSA - individual initiatives to undertake research and studies in
Information Security (India centric), then provide the learning to the community.
• …. The underlying thought is to Be The Change.
63. Contact Information
• Dinesh O Bareja
– M: +91.9769890505
– E: dineshbareja@gmail.com
– E: dinesh@opensecurityalliance.org
– Twitter: @bizsprite
– Linked In (India Information Security Community)
65. Disclaimer
• All logos and brand names belong to their respective owners and we do not claim any relationship or
association, implied or otherwise, with them.
• Use of any materials by virtue of relationships and associations, if any, are mentioned explicitly.
• We have taken care to attribute all sources for external materials used in this presentation, and any
oversight is regretted. If you, as owner, or as viewer, find any reason to dispute the use of these
materials kindly communicate the same to us at "issues AT opensecurityalliance DOT org".
• Any omissions, in terms of attribution, may be due to an error on our part and are not intentional.
This document is a creation of securians.com and is released in the public domain under
Creative Commons License (Attribution-Noncommercial 2.5 India)
http://creativecommons.org/licenses/by-nc-sa/2.5/in/.
Disclaimer: The practices listed in the document are provided as is and as guidance and the authors do
not claim that these comprise the only practices to be followed. The readers are urged to make
informed decisions in their usage. Feedback is solicited and you can access other topics at our
website www.securians.com
Contributors: Dinesh O Bareja Reviewers: Vicky Shah
Title: Information Security … the profession; concepts, risks and more..
Version: 1.0 / February 2010
66. References
• Educause Video Contest
http://www.educause.edu/SecurityVideoContest
• CERT
• India CERT
• NIST
• OWASP
• SANS
67. Social Networking Case Study : Facebook Hack
• The threat from social networks comes from social
engineering — employees post company information…
the attacker collects it during reconnaissance … then
infiltrates the social network that exists between the
employees … then uses that trust to phish for VPN
passwords or any other information….
The Facebook hack case study is for an assignment carried out
by SnoSoft and presents a unique insight into the threats and
risks exposed on such sites.
68. Facebook Hack Step 1 : Reconnaissance
• Conduct Social and Technical Reconnaissance
• Social
– 1400 employees identified through the internet, of which 900 used social networking
sites like Facebook, Orkut, LinkedIn, MySpace etc.
– Studied about 200 profiles and created a false identity
• Technical
– Probed the corporate website and identified Cross-Site Scripting vulnerabilities
(which the researchers expected and hoped to find)
Cross-site scripting ("XSS") vulnerability is most frequently discovered in websites that do
not have sufficient input validation or data validation capabilities. XSS vulnerabilities
allow an attacker to inject code into a website that is viewed by other users. This injection
can be done server side by saving the injected code on the server (in a forum, blog, etc) or it
can be done client side by injecting the code into a specially crafted URL that can be
delivered to a victim.
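The two injection routes described above, reflected through a crafted URL (client side) and stored on the server (in a forum or blog), as an added example that is not from the presentation or from the SnoSoft assessment: a minimal page renderer in its vulnerable form beside the hardened form, which HTML-escapes every untrusted value at output time. The shop.example URLs, the page template and the forum comments are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template. {q} is reflected from the URL into two contexts
# (an attribute value and a text node); {comments} is content the server
# stored earlier (forum/blog posts) and shows to every visitor.
TEMPLATE = (
    "<html><body>"
    '<form><input name="q" value="{q}"></form>'
    "<p>Results for: {q}</p>"
    "<ul>{comments}</ul>"
    "</body></html>"
)

# Constructed sample inputs, not taken from the case study.
# 1) A crafted link: the script tag travels in the query string (client side).
CRAFTED_URL = (
    "http://shop.example/search?q="
    "%3Cscript%3Ealert%28%27reflected%27%29%3C%2Fscript%3E"
)
# 2) A crafted link aimed at the attribute context of the <input> element.
ATTRIBUTE_URL = "http://shop.example/search?q=%22%20onmouseover%3D%22alert(1)"
# 3) Stored content: one benign post and one saved with a script tag (server side).
STORED_COMMENTS = [
    "Great product, thanks!",
    "<script>alert('stored')</script>",
]


def query_param(url: str, name: str) -> str:
    """Return the first (percent-decoded) value of a query parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url: str, comments: list) -> str:
    """Vulnerable version: untrusted data is pasted straight into the markup.
    Whatever was put in the URL or saved on the server becomes part of the
    page that every viewer's browser executes."""
    q = query_param(url, "q")
    items = "".join(f"<li>{c}</li>" for c in comments)
    return TEMPLATE.format(q=q, comments=items)


def render_safe(url: str, comments: list) -> str:
    """Hardened version: every untrusted value is HTML-escaped at output time.
    quote=True also turns " and ' into entities, so a value cannot close the
    attribute it sits in and start a new (event-handler) attribute."""
    q = html.escape(query_param(url, "q"), quote=True)
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return TEMPLATE.format(q=q, comments=items)


def has_live_injection(rendered: str) -> bool:
    """True if a script tag or an injected event-handler attribute survived
    rendering; used to compare the two renderers on the same inputs."""
    return "<script" in rendered or 'onmouseover="' in rendered


if __name__ == "__main__":
    for url in (CRAFTED_URL, ATTRIBUTE_URL):
        print("unsafe:", has_live_injection(render_unsafe(url, STORED_COMMENTS)))
        print("safe:  ", has_live_injection(render_safe(url, STORED_COMMENTS)))
```

Output encoding is applied where the value lands in the page, not where it is received, which is why the same fix covers both the reflected and the stored route.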
69. Facebook Hack Step 2: Setup
• Used a client side attack as opposed to a server side attack because it enabled
the selection of only those users that we are interested in attacking. Server
side attacks are not as surgical and usually affect any user who views the
compromised server page.
• A payload was created and designed to render a legitimate looking https
secured web page that appeared to be a component of the customer's web site.
• When a victim clicks on the specially crafted link the payload is executed and
the fake web page is rendered.
• In this case our fake web page was an alert that warned users that their
accounts may have been compromised and that they should verify their
credentials by entering them into the form provided.
• When the users' credentials were entered the form submitted them to
http://www.netragard.com and they were extracted by an automated tool that had
been created.
70. Facebook Hack Step 3: Create Profile
• After the payload was created and tested we started the process of
building an easy to trust facebook profile.
• Because most of the targeted employees were male between the
ages of 20 and 40 we decided that it would be best to become a
very attractive 28 year old female.
• A fitting photograph was found by searching google images and used
for the fake Facebook profile.
• The profile was populated with information about our experiences at
work by using combined stories that were collected from real employee
facebook profiles.
72. Facebook Hack Step 4: Attack Launch
• Upon completion we joined the company facebook group.
• Joining request was approved in a matter of hours and within twenty
minutes of accepted as group members, legitimate customer
employees began sending friendship requests.
• In addition we made hundreds of outbound requests.
• The friends list grew very quickly and included managers, executives,
secretaries, interns, and even contractors.
• Having collected a few hundred friends, we began chatting.
73. Facebook Hack Step 5: Attack On
• Conversations were based on work related issues that we were able
to collect from legitimate employee profiles.
• After a period of three days of conversing and sharing links, we
posted our specially crafted link to our facebook profile.
The title of the link was "Omigawd have you seen this I think we got
hacked!"
…. and people started clicking on the link and verifying their credentials.
• Ironically, the first set of credentials that we got belonged to the
hiring manager.
74. Facebook Hack Step 6: Success
• Using those credentials one had access to the web-vpn which in
turn gave access to the network.
• Those credentials also allowed access to a majority of systems on
the network including the Active Directory server, the mainframe,
pump control systems, the checkpoint firewall console, etc.
The Facebook hack has worked.
75. Hotmail Outage
• Tuesday, February 16, 2010
• Hotmail Users Look for Answers in Dangerous Places
• An outage of the Windows Live ID service affected a large number of
MSN users today including users of the popular Hotmail email service.
Hotmail is one of the largest web based email outlets and not
surprisingly news of the outage spread quickly as users were not able
to access their email.
Those hoping to find more information on Google may have ended up
with more than they bargained for. Blackhats have once again worked
their magic to infect users looking for news related to the outage. In
fact, 8 out of the top 10 results for "hotmail service unavailable"
returned dangerous URLs.
78. Le Twitter hack
79. Le Twitter Hack
From lalawaq.com
80. Clicking Blindly
Case Study : Clicking blindly !
Settled in for a nice bit of surfing in the library!
Study ! Ah hah ! Just don't click the link blindly !
Whoops ! That's a big load of malware you just got
From EDUCAUSE with sound effects !
81. You don't want to look like this !
Case Study : Clicking blindly !
82. Case Study : Clicking blindly !