1. Online Security and Privacy Issues
Presented by ebusinessmantra at
ecommerce Conference at UMass Dartmouth, MA
April 19, 2013
www.ebusinessmantra.com
2. Agenda
Problem:
(In)Security Landscape
It's all business
What is your identity worth?
How does it work on the web?
Does it matter to SMB?
Myths about security
Solution:
Vulnerability Exploits (Hacking 101) Demo: SQL Injection, XSS, Google Hacking
How do you minimize the risk?
Security Tools - Demo
Discussions
3. About ebusinessmantra
Web Application Security Consultants
Assess and recommend security solutions
Through partnerships, we offer:
Web Application Security Scanner
Web Application Firewalls
Database Firewalls
File Systems Monitoring
Training and eLearning (in process)
Customers: *.mil, *.gov, *.edu, *.org, *.com
Web Site Design and Development (past)
7. Top 10 security breaches of 2012
Wyndham Hotels – 600,000 credit card numbers stored in plain text, $10.5 billion in fraudulent transactions
Yahoo – 400,000 passwords stored in plain text (SQL injection)
Apple – 11 million Unique Device Identifiers – access to user names, device names, cell phone numbers and addresses
Global Payments – 1.5 million credit card numbers with Track 2 data used to clone credit cards
Ghostshell – hacktivist group stole account information for 1.6 government and contractors
LinkedIn – 6.5 million (hashed) passwords – published on the web
Nationwide and Allied Insurance Co. – 1.1 million applicants' info
South Carolina DOR – 3.8 million tax records
Zappos – 24 million customers' data
Government Sector – 94 million Personally Identifiable Information (PII) records
12. Business of cybercrime
Cybercrime is a highly organized, well-run, profitable business
Hierarchical structure of specialists:
Programmers, Hackers, Distributors, Hosting Providers, Money Mules, Cashiers, Tellers (FBI classification)
14. Fraudulent tax returns
Alabama: 1000 false returns for $1.7 million
LA County: 65 false returns for $358,000
Fort Lauderdale: 2000 false tax returns were filed from 10/2010 - 6/2012 for $11 million.
15. Your identity @ bargain price…
Fullz Info USA Type A package includes:
Full Name
Email address + password
Physical Address
Phone Number
DOB, SSN, DL Numbers
Bank Name, Account number + routing number
Employer's name + # years of employment
Pricing for the Type A package:
# of records      Price/record
1 - 499           0.25
500 - 4999        0.22
5000 - 9999       0.18
10000 - 16499     0.16
Fullz Info USA Type B package includes mother's maiden name.
The web site claims to have 99 to 100% of people in the US in its database and to have the most up-to-date database.
16. Typical Offers on Black Market - Price List
Products                              Price
Credit card details                   $2 - $90
Physical credit cards                 $190 + cost of details
Card cloners                          $200 - $1000
Bank credentials                      $80 - $700 (with guaranteed balance)
Bank transfers and cashing checks     10% to 40% of total
Online stores and pay platforms       $80 - $1500 (with guaranteed balance)
17. (In)Security Landscape
Pretty grim, sobering landscape!
Notable web sites have been hacked (Govt., security firms, banks)
Many breaches are not reported, and many more organizations do not know they are being hacked. Your web site might have been hacked and you may be unaware of it.
Organized crime, blackmail/extortion, defrauding the IRS
High costs to remediate: $90 - $300 per record, plus lost business, tangible and intangible losses
18. How does it work on the web?
Hackers exploit vulnerabilities in the code:
to steal data
to make you, the web site's users, do things that you did not intend to
to distribute and install malware, ransomware, and in general bad-ware
to monitor your activities on the computer and web site and report the data
19. We are a Small Business, it does not matter to us…
Small and medium businesses are the most vulnerable because they don't have the resources that large organizations have.
Your site could be used to launch or distribute malware
You may not think you are at risk – but actually you could be – using WordPress or some other platform which may be vulnerable
Google search for vulnerabilities in WordPress sites.
20. We don't have anything of value on our web site…
Even if you don't believe you have anything of value on your website, it could be used as a means for malicious acts. Here are some negative side-effects:
Credibility
Block - Your business website could be blocked by your Internet service provider or even Google, Bing, and other search engines.
http://www.google.com/safebrowsing/diagnostic?site=domainname
Blacklisting - Your email address or entire domain could be blacklisted by spam filtering services.
http://www.spamhaus.org: Tracks internet spam senders and spam services, provides real-time anti-spam protection, and identifies and pursues spammers worldwide
Time and money - remediation
21. Myths about security
We have SSL (https) on our web site
Our network has firewalls
Our site is password protected
Our developers will deal with security
Our OS and software are up to date and patched
These are essential, but none of them protect your web site from being hacked.
22. Are you chasing the mice or protecting the cheese?
24. Vulnerability Exploits - Hacking 101 Demo
SQL Injection
Cross Site Scripting
Google Hacking
25. Injection Attack
Very widely used by hackers and one of the top 10 vulnerabilities in web applications
SQL Injection Attack Demo
26. Cross Site Scripting Attack
Another very frequently used attack method - Demo
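As an added example (not part of the original deck or its demo), the two flaws from slides 25 and 26 shown side by side with their fixes: a login query built by string concatenation versus a parameterized one for SQL injection, and a user comment rendered raw versus HTML-escaped for cross-site scripting. The user table and the inputs are constructed sample data.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table (sample data, not from the deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the SQL text from user input, so the input can change the query."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, password):
    """Parameterized query: the driver passes input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def render_vulnerable(comment):
    """Reflects user text into HTML unchanged, so markup in it is executed."""
    return f"<p>{comment}</p>"


def render_safe(comment):
    """Output-encodes the text so the browser displays it instead of running it."""
    return f"<p>{html.escape(comment)}</p>"


def demo():
    """Returns (vulnerable result, hardened result) for each flaw."""
    conn = make_db()
    tautology = "' OR '1'='1"             # constructed injection input
    script = "<script>alert(1)</script>"  # constructed XSS input
    return {
        "sqli": (login_vulnerable(conn, "alice", tautology),
                 login_safe(conn, "alice", tautology)),
        "xss": ("<script>" in render_vulnerable(script),
                "<script>" in render_safe(script)),
    }


if __name__ == "__main__":
    print(demo())  # {'sqli': (True, False), 'xss': (True, False)}
```

The parameterized version also handles legitimate input containing a quote (a name like O'Brien) without error, which the concatenated version cannot.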
27. Google hacking demo
Have you Googled yourself or your business?
Advanced Google search – Demo
inurl:admin intext:username=AND email=AND password= OR pass=
filetype:xls
"your password is" filetype:txt
Tools that can do the search for you - demo
28. How do you minimize risk?
Awareness
All stakeholders must recognize the risks and work towards mitigation
Culture within the organization, mandate from the management
Examples – IT (network security), coders (perplexed), management (state of denial), users (unsafe browsing, cool sites!)
Develop security strategy
Secure Coding Practices during SDLC
Developers need to understand the threats, write secure code, and follow published guidelines
Resource intensive: time and $ - training, coding, testing
QA
During all stages of the application development life cycle
At regular intervals while in production
Web Application Scanning, static code analysis
Monitoring
Web Application Scanning (demo)
Web Application Firewall
Database Firewall
Compliance
29. Security Strategy
Web Site Scanning
Snapshot of vulnerabilities (including new vulnerabilities); fix vulnerabilities and install patches
Web Application Firewall
Real time, continuous
Set policies to alert and/or block attacks
Virtual patch from scanning results
Block traffic from certain regions
Database Firewall
Data Protection
Set policies to alert and/or block attacks
(Prevent) Internal and external threats
Secured Hosting
36. How can we help…
Security Assessment
Develop a strategy
Implement strategy
Training
37. Take away
Web presence and doing business on web is essential
Security should also be part of the web strategy
Internal and external threats
Develop a strategy for securing data
Take action
Call us if you need help with securing your digital assets.