
real security2011 release pdf


(1)

Tim Gurganus

For Cyber Security Month 2011

[email protected]

(2)

Some Computer Security Myths

• Good Antivirus software will detect any viruses on my computer

• The network is on the NCSU campus, so it must be secure.

• Computer Security is someone else’s problem

• Using Windows Update is all you need to do to

(3)

Some Computer Security Myths

Computer Security in Movies and TV shows:

Cracking 128 bit SSL in 2 minutes

social engineering is much faster

Cracking passwords one character at a time

Truth:

Computer security threats cannot be adequately thwarted unless they are fully understood.

Truth: Most encrypted PDFs can be cracked in 96 hours.

(4)

Some Stats on Students and Computer Security

• 39% of students share passwords with friends and family

• 78% password protect laptops

• 21% secure handheld devices such as iPads with a password

• 50% secure mobile phones with a password

• 9% of students surveyed have downloaded a virus from a social network

• 22% of web users have had their social networking

(5)

Some Stats on Mobile Computer Security

• 5% of enterprise mobile devices are lost

(6)

Some Stats on Computer Security

A day in the life of a PC on our campus network:

– Exploit attacks from laptop connected to the wireless network

– Probed to see if it is a web server or email server

– Login attempts from infected machines on campus wireless

– Login attempts via Remote Desktop from off campus

– SSH login attempts from the internet

– Probed to see if IP is active

– Probed to see if host is using a firewall

(7)

Some Stats on Computer Security

A day in the life of an online account:

Email Account:

– Sent 6 viruses from botnets to infect your PC or mobile phone

– Sent 5 scams for Prescription drugs, Free iPads or Penny stocks

– Password guessed at Gmail to see if password is simple word

– May receive returned spam where your good address was faked as the sender

– Email accounts sent phishing attacks for Gmail, NCSU email, iTunes, Paypal, Online banking, twitter, Facebook, Linked-In, Hotmail, or Yahoo! passwords

• At least one message per semester will ask for your NCSU email password

Other Accounts:

– Password guessed at twitter.com to see if password is simple word

– Password guessed at Facebook to see if password is simple

– Cross site password guessing using posted lists of phished accounts

(8)

Searching for Free Stuff Online can be costly

• According to Google, 1% of search results leads to malware

• According to Google, 15% of malware is Fake Computer Security software

• A study from McAfee found that adding the word "free" when looking for entertainment content in search engines greatly increases the chances of landing on a site hosting malware.

(9)

Searching for Free Stuff Online can be costly

What Search Results to Trust?

Most search engines have a Safe Search or Warning level setting to mark malicious content:

• Google SafeSearch

• Yahoo SafeSearch and SearchScan

• Bing SafeSearch

Avoid certain domains like .co.cc and .tk

Avoid URLs where the site does not match the subject of the search

– For example, a car dealership website selling clothes

To Avoid Malware:

• Avoid clicking on links in banner ads

• Avoid clicking on links posted in forums and on fan pages

(10)

Searching for Free Stuff Online can be costly

To Avoid Malware:

• Avoid clicking on links in banner ads

• Avoid clicking on links posted in forums and on fan pages

• Keep security software up to date and use the link reputation features of newer web browsers

Enable Attack Site Warnings in Firefox

(11)

Searching for Free Stuff Online can be costly

Other Ways You Meet Malware

• Digg and Reddit (like the Like It! on Facebook) have been used to redirect users to malware

• Be aware that hackers can use networks of compromised computers to affect search results.

(12)

Viruses & Trojans At NCSU

In Last 12 Months % of PCs Infected

WORM_RONTOKBR (mass mailer - 13 Variants ) 27 %

(13)

Viruses & Trojans At NCSU

Fake Antivirus Software

(15)

Viruses & Trojans At NCSU

Fake Antivirus Software

In 2011, the number of new variants per month was greater than 30 for the first time.

The list below shows the variants released per day in 2011:

1/4/2011 Palladium.FakeRean
1/4/2011 HDDFix.FakeSysDef
1/5/2011 MemoryFixer.FakeSysDef
1/9/2011 DiskOK.FakeSysDef

. . .

3/23/2011 WindowsRecovery.FakeSysDef
3/23/2011 WindowsBackgroundProtector
3/24/2011 WindowsSimpleProtector
3/25/2011 WindowsPowerExpansion
3/26/2011 MSRemovalTool

(16)

Viruses & Trojans At NCSU

Fake Antivirus Software

In 2011, Fake Antivirus trojans for the Mac appeared:

[Chart: Unique Fake AV for MAC Discovered, by month, Jul-10 through Jun-11; vertical axis 0 to 250]

(17)

Viruses & Trojans At NCSU

Fake Antivirus Software

In 2011, the number of new variants of Fake AV per month was greater than 30 for the first time.

Then in August 2011, Law Enforcement shut down the credit card processor for one of the largest Fake AV makers, ChronoPay.

The shutdown of Russian Card Processor ChronoPay affected Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com

(18)

Viruses & Trojans At NCSU – cont.

Rogue Facebook Emails Spread Oficla Trojan

On September 29, 2010, malicious spam messages posing as password change notifications from Facebook arrived on campus.

The message claimed the recipient's Facebook password had changed and that the new password was contained in the provided attachment.

The attachment instead contained a variant of the Oficla trojan.

Date: Tue, 28 Sep 2010 09:53:11 -0400
From: "Facebook Support, Jocelyn Nicodemus" <[email protected]>
To: "Larry Ellison" <[email protected]>
Subject: Your facebook password has been changed!
Attachments: TEXT.htm
FaceBook_Password_Nr60891.zip
Mime.822

(19)

Viruses & Trojans on Social Networks

Koobface in Action

You receive a friend request like this.

The profile picture is usually a model with a pretty face

In most cases the malicious link mentioned above takes you to a YouTube-like site that pops up a message saying you need to install Adobe Flash, a new video codec, or some other plug-in to view the video.

Installing this is how you get infected and the cycle repeats.

(20)

Viruses & Trojans on Social Networks

Avoiding Koobface and Other Social Networking Worms

1) Avoid promiscuous friending. Spammers, phishers, and worm distributors abound on social networking sites. Demonstrate restraint by not accepting friend invites from strangers. Your real friends will thank you.

(21)

Viruses & Trojans on Social Networks

Avoiding Koobface and Other Social Networking Worms

3) Use a unique strong password on each account. If you have multiple social networking accounts, use a unique password for each.

4) Never click links in messages received unexpectedly. Instead, open a new page and visit the site using a

(22)

Viruses & Trojans on Social Networks

Twitter phishing attack:

Direct Message from compromised accounts:

you look like you lost weight in this video..

[http://3x3ors.tk]

(23)

Viruses & Trojans on Social Networks

Twitter phishing attack:

http://3xloanstoday.com/twitter/login/sessions/?phx=1/

URL is

NOT

(24)

Viruses, Trojans and Social Networks

Malware on Facebook:

Scam messages appearing to offer free Facebook credits are being seen on Facebook. Here's an example:

Want Free Facebook credits go to <link> Free Faceebook credits

(25)

Viruses, Trojans and Social Networks

Malware on Facebook:

Clicking on the link leads to another page:

The page uses a clickjacking technique, whereby clicking on the red and blue boxes will actually invisibly update your Facebook profile with references about how to get free Facebook credits.

The Red box is over the Like button and the Blue box is over the Share button.

(26)

ClickJacking

Clickjacking is the technique of overlaying a picture on top of the buttons that must be clicked in order to spread the attack.

The clickjack window could be transparent or covered by a floating image.

The action links, such as the Share, Comment or Like buttons, are hidden by the image on top.

(27)

Viruses, Trojans and Social Networks

Malware on Facebook:

If you do agree to click on the red and blue boxes, you'll be taken to a page not hosted on the Facebook website (but pretending to be a legitimate Facebook page) still claiming to offer free Facebook credits.

If you continue to click on the links, you will find that you are visiting webpages that ask you to sign up for a rewards program or take online surveys. The scammers behind the Facebook Credits messages earn 50 cent

(28)

Avoiding ClickJacking

1) Install the latest version of Flash Player – it has added features to prevent clickjacking

2) Keep your browser patched – patches to IE and Firefox added features to prevent clickjacking

3) Use an antivirus program with a web reputation feature or link scanner that will block known clickjacking links

Be suspicious of pop-ups that look a little different or buttons that appear directly on top of another button. For example, the pop-up may not have a Close ‘X’ in the corner or the window follows the mouse as it moves.

(29)

Facebook Security Apps - Avoiding ClickJacking

There are also some Facebook Apps you can add to your account that will scan links, images and videos posted to your wall, messages and news feeds for malicious links.

Defensio Social Web Security - Delivered via the Websense global Security-as-a-Service (SaaS) platform, the Defensio Facebook application provides security and controls to manage what type of content can be posted to personal or commercial Facebook walls. It can send you an alert email if spam or a malicious link is detected in your account.

Norton Safe Web for Facebook - Norton Safe Web for Facebook application scans your news feeds and identifies URLs containing security risks such as phishing sites, malicious

(30)

More Facebook Security Features

Facebook begins offering https version

(31)

More Facebook Security Features

Facebook recent activity log…

(32)

Viruses & Trojans on Social Networks

Malware on Facebook:

• A few days later another similar scam appeared using a rogue Facebook App:

• If a user clicked one of the links above, a viral Facebook App was added to their profile.

(33)

Viruses & Trojans on Social Networks

Malware on Facebook:

• If a user clicked one of the links above, a viral

Facebook App, fbthecredits, was added to their profile.

• This bogus application sent similar wall postings and

(34)

Viruses & Trojans on Social Networks

Malware on Facebook:

• You should always be suspicious whenever a third party application asks to access your profile without a legitimate reason.

(35)

Scams to Avoid on Facebook

Example of Fake Facebook Notification

Phishing attack

Hovering over the link reveals it is not www.facebook.com.

(36)

Computer Security for Real People

• Half of all malware is directly downloaded from websites.

• 45% of infections result from user interaction, i.e. Social Engineering, vs. pure exploits which don’t require user interaction

Note: Patches for these tend to be rated important priority rather than critical

By default, WindowsUpdate only installs critical monthly security patches

• Arming the web browser with intelligence to avoid bad sites is a reasonable defensive action

Trend Micro Officescan Web Reputation Service Blocks Malicious downloads

• The most often blocked URLs are free game downloads where the game is infected with a virus

• The next most often blocked category of URLs is malvertising: internet advertising that contains a malicious image, Flash animation or JavaScript.

• Various fake web statistics, web metrics and web counter scripts are also blocked often (e.g. google-stats.info or clickzs.com)

(37)

Malicious URLs blocked by Officescan

URL | Unique Endpoints | Detections

http://bid.openx.net/jstag | 63 | 2158
http://edge.quantserve.com/quant.js | 154 | 1923
http://b.scorecardresearch.com/beacon.js | 86 | 854
http://ssl.gstatic.com/gb/js/sem_67691c26458c684deff94c5b94fcc700.js | 192 | 835
http://denis.stalker.h3q.com/scrape.php?info_hash=%24%E63k%F1%92hX%7D%0C%BF%1F%5E%AEf%21%23 | 2 | 727
http://s1.pasadserver.com/showBanner.php?size=728x90 | 19 | 376
http://denis.stalker.h3q.com/scrape.php?info_hash=%81%89%40%97%059%1Amx%A2%8D%A3%81%B6%0E%1 | 2 | 374
http://s2.pasadserver.com/showBanner.php?size=728x90 | 22 | 361
http://js.users.51.la/1210055.js | 1 | 349
http://s2.pasadserver.com/showBanner.php?size=160x600 | 16 | 216
http://s1.pasadserver.com/showBanner.php?size=300x250 | 13 | 209
http://s1.pasadserver.com/showBanner.php?size=120x600 | 13 | 206
http://banners.hotbox.com/go/page/iframe_tab_banner_content?lang=english&&show_sex=&pid=g821718 | 1 | 198
http://s1.pasadserver.com/showBanner.php?size=160x600 | 12 | 191
http://s2.pasadserver.com/showBanner.php?size=120x600 | 14 | 175
http://s3.pasadserver.com/showBanner.php?size=728x90 | 10 | 168
http://s2.pasadserver.com/showBanner.php?size=300x250 | 15 | 167
http://www.info-komen.org/js/utils.js | 22 | 151
http://code.37cs.com/rich/fl.php?uid=3479&pid=945 | 1 | 147
http://admonkey.dapper.net/PixelMonkey?adId=expedia&format=image&tp=111222120&useReferrer=1&type=search | 28 | 141
http://a1.ationnet.co.kr/38843.js | 4 | 141
http://marketgidcounter.ru/p | 1 | 134

(38)

How Risky is Browsing the Internet?

(39)

Computer Security for Real People

Where the Malware is Built

• The number of crimeware application suites has grown in the last year, making it easier to produce malicious code, build botnets, create phishing attacks, etc.

Example Crimeware applications are:

• Blackhole Exploit Kit

• Crimepack

• Eleonore

• Icepack

• Mpack

(40)

Viruses & Trojans on Social Networks

Fake LinkedIn Invite Leads to ZeuS Trojan

Links in the messages lead to websites hosting the SEO Exploit Pack which attempts to drop a Zeus variant onto victims' systems.

(41)

Avoiding Malware

Where the Malware is Built

Zombie Infection Kit:

This screen shot from Zombie Infection Kit Shows the real-time Browser exploitation Statistics.

(42)

Avoiding Malware

Where the Malware is Built

Blackhole Infection Kit:

(43)

Avoiding Malware

Where the Malware is Built

Blackhole Infection Kit:

This screen shot from Blackhole Infection Kit shows the percentage of browsers and Operating Systems infected.

Note the support for Opera, Safari and Google Chrome.

(44)

Avoiding Malware

Where the Malware is Built

SEO Sploit Pack:

This screen shot from the SEO Sploit Pack shows the effectiveness of various exploits targeting Java, PDF and Windows.

(45)

Avoiding Malware

Where the Malware is Built

SEO Sploit Pack:

This screen shot from the SEO Sploit Pack shows the effectiveness of various exploits targeting Java, PDF and Windows.

Note the number of Java exploits.

(46)

Avoiding Malware

The Need to Patch, Patch, Patch

• As you can see, production of exploit code has been commoditized.

• The need for patching browsers, players, viewers and email programs has never been greater.

• Most of the viruses sent to campus via email and downloaded from websites were produced with these exploit kits that target common applications like:

Java

Flash Player

Adobe Reader and Acrobat

Media Player

Internet Explorer

Firefox

(47)

Nearly All PCs Run Insecure Software

A survey of 20,000 computer systems running Microsoft Windows found that nearly all ran at least one program with a vulnerability that put the computer at risk.

According to Microsoft's Security Intelligence Report, the US has 2.2 million PCs infected with bot software, more than any other country in the world.

A survey found that only 1.9 percent of Windows systems that ran the Secunia Software Inspector utility for the first time had no out-of-date programs.

(48)

Nearly All PCs Run Insecure Software

Microsoft Security Intelligence Report, SIRv11:

99% of infections were propagated through social engineering, AutoRun exploitation, file infection, and password attacks.

(49)

Avoiding Malware

The Need to Patch, Patch, Patch

• There are free tools to scan your PC and tell you what patches are available for your software:

Secunia Online Software Inspector:

http://secunia.com/vulnerability_scanning/online/

Qualys Browser Scanner:

https://browsercheck.qualys.com/

Firefox Plugin Check: - for Firefox users

(50)

Computer Security for Real People

If malware on Social Networking sites wasn’t bad enough, there are websites with illegal tools for hacking Facebook, MySpace, Hotmail, Gmail, AOL, Yahoo accounts.

Pricing

Hacking Facebook, Hotmail, and Yahoo passwords are free. However, there is a small fee for the decryption of the passwords.

90.00 Euros: Will hack you only 1 password.

140.00 Euros: Will get you UNLIMITED password hacking. The best on the market today!!

Equivalent amount in USD, respectively is $100.00 and $150.00

(51)

Some Interesting New Features of Modern Malware

Creative Programming has created malware that:

1) Can run without administrator access

2) Doesn’t modify the registry

3) Doesn’t store any malicious code on disk

4) Uses your location to change behavior

Role of geographic IP Information

• It is quite common these days that distribution and execution of Trojans are geographic based.

• Based on the client IP address, the C&C servers will determine whether to infect a system at all or how to behave.

• Many versions of Mebroot, SpyEye and Zeus trojans use IP location data

(52)

Some Interesting Features of SpyEye

“Create task for billing.” uses the billinghammer plug-in (which is under the Plug-ins button), to charge the credit cards collected to certain sites.

This way, a Bot master can obtain direct financial gain from the stolen Credit card data without as much risk as buying stuff online through Amazon then using a drop to ship the stuff to.

(53)

Some Interesting Features of SpyEye

SpyEye runs without Administrator privileges and can steal all kinds of information, such as:

• Credit Card numbers

• Online Banking Credentials

• Online Account Balances

• Online Banking Security questions and answers

• OnScreen keyboard logins

• Login Security Certificates

• Paypal username/password

• Email username/password

• FTP username/password

• Facebook login

(55)

Some Interesting Features of SpyEye

SpyEye Certificate Grabber Interface

SpyEye Certificate Grabber:

Some websites use these certificates to log users in either as a substitute for or in addition to passwords.

(56)

Some Interesting Features of SpyEye

The Statistic button gives an overview of the sites that the infected computers are going to the most.

Notice Facebook,

(57)

Botnets Are Collecting Data On You and Your PCs

Three or more years ago, botnet operators focused on stealing email and password credentials, which were useful to spammers.

Now botnet controllers are building massive profiles on their users, including:

– Name

– Address

– Age

– Sex

– Financial worth

– Relationships

– Where they visit online

They sell this information, where it ultimately finds its way into legitimate lead generation channels.

Sites will buy the information stolen via botnets in bulk. In some cases, a company might pay $20 - $30 for a qualified lead.

(58)

Botnets Are Collecting Data On You and Your PCs

Botnets are big business:

How hackers can make $$$ with a botnet:

1. Trade in stolen email addresses, usernames, passwords

2. Trade in other profile information like Name, Address, OS, software installed, browser used

3. Pay-per-install malware.

In this scenario, bot agent malware is developed. Then the creator subscribes to a pay-per-install company in the criminal ecosystem to infect as many machines as possible.

(59)

Digital Security Certificates

If you have a website:

Companies like GoDaddy and VeriSign can provide your site with a digital security certificate that attests that you are who you say you are.

This helps visitors to your site have the confidence to become buyers and will often make a big difference in your perceived credibility.

The certificate has your company name and a certificate key, which works like a key or password. GoDaddy/VeriSign digitally sign your Security Certificate.

When you visit a website, your web browser gets the certificate key from the webserver.

(60)

Digital Certificates Attacks

Your computer’s operating systems and some applications store lists of certificate signing companies they trust and know to be authentic.

In 2011, several certificate signing companies like Comodo and Diginotar were compromised and fraudulent certificates were signed for popular websites like Google, Gmail, Yahoo, Skype, Microsoft, CIA and Tor.

After a compromise, the certificates issued by the victim companies should not be trusted.

To update the lists of authentic certificate signing companies, your computer or applications need a patch

You can also update the lists manually, but this requires knowing which certificate name to remove

After the Diginotar certificate signing company was hacked, most everybody issued patches to remove them from the trusted list. This includes:

Apple, Microsoft, Google, Mozilla, Opera, Thunderbird

Be aware that fake certificate updates are out there. You may get one in an email that appears to be from your bank, the FDIC, Microsoft, Homeland Security, the FBI or the IRS.

(61)

Common Scams sent via e-mail to @ncsu.edu users

Viruses sent to Campus email users included:

• Fake UPS, Fedex, DHL shipment notices in malicious PDFs

• Fake I.R.S. Notices (tax payment due or denied)

• Fake Denied Electronic Fund transfers (ACH)

• Fake Credit Card notices (card blocked, charge denied)

• Fake NYC traffic/parking tickets (speeding or illegal parking)

• Infected Office Documents and PDFs sent as “Scans” from Hewlett-Packard Officejet

The Rise in Social Engineering attacks:

While not technically sophisticated, hackers have studied what emails you

(62)

Common Scams sent via e-mail to @ncsu.edu users

Infected Office Documents and PDFs sent as “Scans” from Hewlett-Packard Officejet or Xerox WorkCentre Pro

The attached files can vary but are along the lines of Xerox_Document_08.23_C11125.zip or Xerox_Scan_08.23_K1274.zip.

(63)

Common Scams sent via e-mail to @ncsu.edu users

Viruses sent to Campus email users included:

• Fake UPS, Fedex, DHL shipment notices in malicious PDFs

• Fake I.R.S. Notices (tax payment due or denied)

• Fake Denied Electronic Fund transfers (ACH)

• Fake Credit Card notices (card blocked, charge denied)

• Fake NYC traffic/parking tickets (speeding or illegal parking)

• Infected Office Documents and PDFs sent as “Scans” from Hewlett-Packard Officejet

• Fake trojan security updates from your bank in .zip file

– Trojan application update programs

– Security Certificate Trojans

• Fake Facebook messages-waiting notices that really led to Facebook viruses

The Rise in Social Engineering attacks:

While not technically sophisticated, hackers have studied what emails you

(64)

Has Your Gmail Account been Hacked?

From:

HACKED! Article in The Atlantic magazine

• Gmail user’s account was compromised and all email erased and purged – six years of email, 4+ Gb of messages

• Hacker also changed password, recovery email address and mobile number to make taking control of the account difficult

• Scammers sent ‘Mugged in Madrid’ message to all addresses in address book asking to send money via Western Union

(65)

Has Your Gmail Account been Hacked?

From:

HACKED! Article in The Atlantic magazine

Consider what is stored in email accounts now:

Electronic copies of bank statements

Electronic copies of credit card statements

Electronic copies of tax forms filed online

Electronic copies of online trading accounts

Retirement account information

Receipts for all kinds of online purchases and bills

Passwords to other websites

Password reset links for other websites

Medical information

(66)

Has Your Gmail Account been Hacked?

From:

HACKED! Article in The Atlantic magazine

• After an account is compromised, hackers often add a redirect rule/filter so replies go to the hacker’s other account

• After sending scams to all your friends and contacts, the hacker may erase your address book so you will have a harder time telling others what happened

- Make a backup of your address book too.

(67)

Gmail Account been Hacked? - Some Good News

From:

HACKED! Article in The Atlantic magazine

• Google now has an Undeletion Program where email that is maliciously deleted and purged can be recovered within 30 days of the incident

• Google has a 2 factor verification system where you login with a password and a code sent to your cell phone as a TXT message.

(68)

Has Your Gmail Account been Hacked?

(69)

Has Your Gmail Account been Hacked?

Check recent account activity

This chart shows recent login times and locations, and whether the connection was via web browser, IMAP client or mobile app.

Be very suspicious of logins from other countries like Nigeria.

(70)

Has Your Gmail Account been Hacked?

Check these items if you suspect your account is compromised:

• Login History shows when the last 10 logins occurred and where from

• Check Sent mail for phishing messages or spam you didn’t send

• Check Trash mail for returned mail or excessive error messages

• Check Drafts mail for drafts of phishing emails ready to go

• Check inbox for excessive returned or bounced email that you didn’t send

• If you find evidence of account hijacking, change your password and check your Email Settings for:

Filters that the hacker added to redirect responses elsewhere

(71)

Avoiding Phishing Attacks

Phishing Attacks in Last 12 Months

• Phishing attacks targeting NCSU: 125

• Accounts compromised via Phishing: 99

• Targeted Phishing has been going on for over 3 years now. Some new versions use webforms and forms attached to email.

(72)

Avoiding Phishing Attacks

Phishers and the lies they tell:

• Your email is over quota

• We are upgrading the email system and need your password

• You have sent too much spam

• There is a virus in the email system

• You need to upgrade your antivirus software

• We have too many accounts and are removing inactive ones

• You can get more email storage if you send your password in

• We’re sorry, but we made a mistake and now we need your password to finish our email upgrade

• Someone logged in from a suspicious IP, we think your account is hacked, send us your password to show it is OK.

(73)

Avoiding Phishing Attacks

Phishing Attacks are Targeting Your NCSU Passwords

New phishing versions use webforms

From: Smith, Patricia [email protected]

To: [email protected]

Subject: Important Notice!!! Your Account Expires in 24 Hours

A Computer Database Maintainance is currently going on our Webmail Message Center. Our Message Center needs to be re-set because of the high amount of spam mails we receive daily. A Quarantine Maintainance will help us

prevent this everyday dilemma.

To revalidate your mailbox Please Click on the link below:

http://webform-update.ucoz.org/submitform.html

Failure to revalidate your mailbox will render your e-mail in-active from our database.

Thanks

(74)

Avoiding Phishing Attacks

Phishing Attacks Sent to NCSU Campus

(75)

Phishing Attacks Sent to NCSU Campus

New phishing messages use webforms like this Google Doc spreadsheet

Hovering over the link, you can see the URL to:

(76)

Phishing Attacks Sent to NCSU Campus

New phishing messages use webforms like this Google Doc

(77)

Phishing Attacks Sent to NCSU Campus

New phishing messages use webforms and HTML format.

Hovering over the link, you can see where the form is:

(78)

Avoiding Phishing Attacks

Phishing Attacks Sent to NCSU Campus

New phishing versions use webforms and forms attached to email.

Phishers tend to use the same webservers over and over. Here are some common phishing form hosting sites:

http://webform-update.ucoz.org/submitform.html

http://www.my3q.com/home2/319/upgraeinbox/17067.phtml

http://www.my3q.com/survey/338/web121/79916.phtml

http://www.my3q.com/survey/337/mailboxconfirmation/80048.phtml

http://submitaccount2upgrade.9hz.com/

http://form0098.9hz.com

(79)

Avoiding Phishing Attacks

Phishing Attacks Sent to NCSU Campus

Example of new phishing attack with HTML form attached to email.

Dear Account Owner:

We have reason to believe your webmail account was accessed by a

third party. Because protecting the security of your account is

important to us, we have limited access to your account.

OPEN AND COMPLETE THE FORM ATTACHED IN THIS MESSAGE

TO REGAIN ACCESS TO YOUR ACCOUNT.

Also when you will complete the document we have sent, remember to

ALLOW javascript to run from the bar that will pop-up, otherwise we

cannot verify the information you have provided.

(80)

Avoiding Phishing Attacks

Phishing Attacks Sent to NCSU Campus

Example of new phishing attack with

HTML form attached to email.

(81)

Avoiding Computer Theft

Computer Thefts in Last 12 Months

• Laptops: 21

• Desktops: 1

• Minis/netbooks: 1

* Statistics from NCSU Campus Police

(82)

Avoiding Computer Theft

Laptop Tracking Software

If your laptop or mobile phone is stolen, having tracking software installed makes it possible to find it.

Install a tiny agent in your PC or phone, which silently waits for a remote signal to wake up and contact you with the device's location.

This signal is sent from the Internet and allows you to gather information regarding the device's location, hardware and network status, what is on the screen and a picture of the room in front of the device.

(83)

Avoiding Computer Theft

Laptop Tracking Software

• If your laptop or mobile phone is stolen, having tracking software installed makes it possible to find it.

• Download from http://preyproject.com

Available for Windows 2000/XP/Vista/7 (32 and 64 bit available), OS X and Linux. Android too.

• Choose Stand Alone Mode

• Enter your website information

(84)

Avoiding Computer Theft

Prey Laptop Tracking Software

In Stand Alone mode, you have complete control of how the software works

In Control Panel mode, you use the preyproject website to control the program

In Stand Alone mode, the program checks every 10-20 minutes for a web page on your website

(85)

Avoiding Computer Theft

Laptop Tracking Software

The Prey report emailed to your account will show the approximate location of your laptop:

lat=35.7885825 :: lng=-78.6708385 :: accuracy=52.0

Public network IP and gateway IP:

public ip=75.200.169.17 :: internal ip=75.200.169.17 :: gateway ip=75.200.169.17 :: mac address=00-50-56-C0-00-08

The current logged in username and uptime:

logged user=tsgurgan ::

uptime=\SECURITY-LAPTOP has been up for: 6 day(s), 6 hour(s), 52 minute(s), 10 second(s)

(86)

Avoiding Computer Theft

Laptop Tracking Software

(87)

Avoiding Computer Theft

Laptop Tracking Software

Installing Prey on OS X:

(88)

Avoiding Computer Theft

Laptop Tracking Software
