Cyber Security and Your Business Seminar Liveblog

Posted on May 28, 2009

3


Vaclav from PCIS

Vaclav from PCIS

Well, almost live, as there was no wifi in the room. Here’s my report of the BBB seminar presented by Vaclav of PCIS, which announcement I posted here.

How long has it been since I was in a room with a picture of the Queen? Not to mention a pic of Gordon Campbell with 80’s hair?

We have a good chat over coffee, bonding over topics including The Drive and cafes, whether men can wear tiaras, and how awesome it would be to have a misting system like the produce section in Safeway at a singles bar with pheromones or aromatherapy. It’d be packed!

The conclusion is, somebody spiked the coffee.

The talk starts.

Vaclav says we’ve got a small audience, which is good. We can make it more interactive. He’ll share the security landscape and case studies/stories from the trenches and…yeah, let’s talk.

The name is Cybersecurity and your business and how to protect your customers from online threats. But shouldn’t you start with yourself? No, protecting yourself is important but increasingly it’s more and more difficult to protect your customers.

Outline
1 How and why cybercriminals target your business
2 the consequences of a security breach
3 why your business is liable for any security breach
4 how to protect your business assets and customer’s privacy

Horrifying slide of pull quotes about cyber security breaches, thefts, etc. Sadly can be updated nearly every day. This is only the tip of the iceberg, as you know most stuff doesn’t make the news.

If you can’t handle this, leave now. More bad news is coming.

At educational conference, someone was discussing how to structure a presentation: tell ppl the end of the presentation right at the beginning, so if power goes off, they already have everything. So here’s the punchline:

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Furl

<script>alert(‘I love you’)</script>

With these approx 30 chars of javascript, you can go start hacking websites. This is the most important line in the presentation.

1 how do they target you?

V shows us top 10 online threats
Live demo of hacking! Woohoo, criminal behavior right in the People’s Law School.
Hackers are not always evil; they just like to see how technology works, or doesn’t. They like to find out if they can do it.
We use a fake bank website for demo; as a user you provide username and password, provide bank details, etc.
Anywhere you can fill in a form online, eg comment field, search field, etc, you can put the ILOVEYOU javascript and test. You get a popup box, which means that the site doesn’t properly filter any characters submitted and that site’s succeptable to hacking! OMG!
You can then go on and use other code, eg a line of javascript that replaces ILOVEYOU with another website URL.
Now try using the site. You’ll see something weird in the URL bar, but everything else appears fine. And then, you go to sign in and put username and password. And then they have you.

Digression: SSL means you’re getting SECURELY hacked, nothing else.

So if you sign in, you put credit card details or whatever, it appears to be accepted, but what actually happens is, the hacker gets all your details. What you looked at, details you entered, all requests of the website you made. Even keylogging. IT’s all there, and yet the site appears to work just fine for the users, nobody will report it because they don’t know it’s happening.

Suddenly the presentation topic is not about YOU, but about your clients who use your website. It’s bad news all the way around. And it gets worse: as ppl who browse the internet, you have no knowledge that the site hasn’t been hacked. It’s like a bad bar. Only after you enter the door, you see it’s full of bikers and now it’s too late, cuz ther was no sign, BIKERS ONLY

How do I find which sites are suceptible? It’s lots of work! Actually, its not that hard. Cross.com (/xssed) they show you which sites as of yesterday were tested and vulnerable. 354 pages of sites today! And if you’re pissed off against a company, you can check out their site and go hard at them. And he demonstrates, using the BC government website, several of which are vulnerable: UBC, CBC, many others.

He runs raincoaster.com, and YAY it’s safe!

Question; when you enter the script, does it alter the HTML? No, it installs itself in the background, and now every page is served from the malicious site. It doesn’t show up in the HTML.
Last year V went on Business Week site, and he could add the ILOVEYOU in that. And if he’d added different code, then anyone who went to that article, he’d know. He would get their info. You can also install a higher level of script, which installs something on your machine.

Q; can they send you to their site via phishing? Sure they can do that; nowadays spam is coming in so many languages, you need an international dictionary to check it out. They don’t care if you buy viagra or whatever, they’re really after your personal information.
Phishing comes in several ways: you get sent to a doppelganger site, OR you get an email which installs something on your machine.

Why do they do this? they used to do it as a prank, nowadays going after you is almost irrelevant. It’s not about how important you are, it’s about the customers; all the people who are visiting your website. They want the numbers! You hire SEOs and get lots of traffic, and that’s why the hackers love you. You’re paying to help them get victims, if your site is not secure.

We did research studies, tried to identify why the problem is so widespread. 75% of attacks come through web apps, 90% of externally accessible apps today are web-enabled and 64% of developers are not confident in their ability to write secure apps.

Firewalls only prevent 25% of attacks which are happening today. The one hole you leave in the firewall leads to your website, and that’s where 75% of the attacks come from. It’s expensive to distribute patches, etc, so manuf acturers are making the updates web-enabled, eg Salesforce. The trend is to have all apps on the web. However, devs are not necessarily confident in their ability to develop secure apps. You can see the problem here. SSL? wrong answer. It’s important, but it’s not the whole thing; it just means you’ll get hacked SECURELY, that’s the only difference.

Bloggers blog about things and send people to other websites. TinyURL for instance, hides the destination site. Thus the source MUST be trustworthy. You can see the effect on Twitter, where people rt stuff everywhere. And the humans start spreading the malware through the internet without even knowing.

Security Scorecard Highlights: in the handouts, you can test your own organization.

2 The consequences of a security breach

Normal business operations stopped
halted revenue
loss of customers and supporters
loss of reputation
regulatory fines
legal penalties, civil suits

Google decided that they’d provide a warning, since their crawlers can detect malicious code, “THIS SITE MIGHT HARM YOUR COMPUTER“. That’s the kiss of death. So how many ppl do you think click on links like that? Even if you try to click on it in the search results, Google will not let you click through. You have to type the URL in yourself by hand, they will not facilitate your going there.

This could be happening as you’re sitting here. You could leave and then have to deal with the problem immediately.

Consequences: Security Breach
Organization woke up in the morning, got an email from a customer that told them they got the Google warning. They tried it themselves, and it happened. Suddenly the question of “How much” doesn’t exist, the q becomes how quickly can you solve this problem?
It took 2 days, because 1st they had to replace the homepage with “we are doing a reorg” talk google into going back and update their indexes so that the warning would be gone and ppl would land on the Construction page.

Google crawls the site when they realize the content changes quite rapidly, they crawl it even hourly. You can however REQUEST a reindex. In this case it took Google two days.

Q if your site is static, it would look clean for a long time, this isn’t a worry? A: wrong. Where is the responsibility for having a secure website? If you have a bus. making chairs, and you have a site on the internet: designers specialize in design, not security necessarily. Hosting companies specialize in hosting, not security. SEOs bring traffic, not security. And you’ve spent all this money on all those things, but not on security.  If someone says they outsource their security, get the specs on what, exactly, they are outsourcing. Be very careful when it comes to security considerations for your own website. Because if someone can prove it was your site that hacked him, he’ll go after YOU, not your host or your designer!

Another story: how easy it is to hack, expose private information. Daughter goes to HS, they had parent teacher night, he went, the high school went high tech and did an online form. The school found a site that had SSL security, paid a reasonable fee, students bring home URL and say “register and set the time” He said “site is ugly,  i don’t want to” she said “don’t be troublemaker, just do it”.

It asks first name, last name, username, password, email. So he logs in and 1st thing he sees is an ugly PRINT button to print all your teacher apptmnts. he clicks it, gets the entire list of everyone’s appointments. He went through the process. Then phones school, describes what happened, school asks for proof, he tries to reproduce the problem and he can’t. So now I’m the asshole who complains about nothing. He went badk and poked around the site a few mintutes. Ten minutes he was able to see his info, every eother parent’s info, was able to change every single appointment. Could also change the teacher’s passwords. “Later it was explained to me that I have very high morals”. Monday, he sent an email to the school, they contacted the vendor who was some basement kid in Newfoundland and complained. “We talked to company, can you test it again?”

“Oh, am I working for you now?” he thinks. Tested it, they’d changed a few things, but was still able to get all the info. Many people use just one password on ALL sites. Now you have a list of emails AND a list of passwords. How difficult is it to try those passwords on those email accounts? You can then log into their account just to see what’s happening; once there’s an email from the bank, you can request Change Password, and then you can lock the person out and start doing things from that account. That’s all you need to do Identity Theft. Again, they claimed they’d fixed it, when he went to check, he was able to see EVERY OTHER SCHOOL ON THE SYSTEM. Ten thousand users?

Who is responsible for this? The School? Parent? Company who provided the service.

Shot of guy with laptop and UZI, “my younger days, when I was doing collections”.

Ultimately, YOU are responsible for security.

What is your security plan?

4 How to protect your business assets and your customers privacy?

Never collect more info than you have to. And if you don’t need to keep it, delete it. The less you know, the better off you are!

Acknowledge there’s a need for security and it’s your responsibility. If you’re working with someone who doens’t agree, walk away.

understand and educate. Know where the issues are. IT people always complain about their users being stupid, clicking on any link; it’s important to educate the users, civilians don’t know.

There are only 2 industries that call their ppl “users” Drugs and Software.

Create a plan, not necessarily a huge plan. Just a plan. Think about what would you do if this kind of scenario would happen.

Act on that plan, whatever it is. Buy that software, don’t wait. Just do it, otherwise you’ll lose sleep over it, justly.

What can I do TODAY?
– don’t put anything on the internet that you don’t want your grandma to see (pic of grannie), eg Sarah Palin, remember her yahoo account got compromised because for once in her lifetime she was telling the truth, that was why her account got compromised.

The FIRST thing ppl do is forget their passwords. It costs companies lots of $ to answer emails, so they create hint questions. Yahoo used them, “what was your high school” etc. She answered them truthfully, hacker put in the honest answers, got in, changed the password. Then the hacker was in business.

You are in control of what you put in the net abt yourself and the ppl you’re talking about. You need ot understand the consequences of too much honesty.

Never tell the truth when you’re answering these questions!!!!
eg use a word that’s long enough that you won’t forget. ALWAYS use that word with maybe the domain of the website, eg Plasticfish (fave pet) eg answer “what’s your mother’s maiden name” PlasticfishYahoo “what’s your high school” PlasticfishYahoo etc etc.
Choose a pattern which is known to you and use that everywhere.

There’s absolutely no need for you to be truthful on the internet!

Who has 5 passwords? a few. who has ten? a few more, yay, Who has 20? Any takers? a couple.

If you have 20 pw’s with real complexity, you’re not human! but you’re free!

How many digits are on your PIN? four or more. Banks think you can only remember four reliably. That was their risk analysis: they lose less by making their PIN #’s easier and dealing with fewer “I forgot my PIN” queries.

Ppl are not good at remembering numbers, they’re great at pattern recognition. Who could remember all that.

Tip on creating secure passwords. Look at the keyboard, make a pattern. Eg a big N shape. Type all those keys. It’s long, it’s unique, you couldn’t even tell someone the pw without looking at the keyboard. It’s difficult to share passwords like this. And admin comes and says change it, just start on a different key each time you change it. [This is kinesthetic memory btw]

Questions:

Can MSNMessenger get hacked? Eg my ex hacking into it?
A: there could be code installed on your machine without your knowledge. they can also invite you for chat as anyone and point you to a website that has an embedded code which executes within the chat software itself. [not to mention ex using the password from your computer]

An eg: Donate sites spring up every time there was a tragedy, and not only did they fake legitimate charities, but they get your banking details. Social engineering is still a huge factor, and they are VERY creative.

The internet is more than the Wild west. It’s a dangerous place, and you’re on your own. Nobody protects you.

Q wireless fears; how can you tell if you’ve been hacked if you have wireless?

A: I don’t like the info in articles like “your disk is spinning more than usual” How should I know? I’ve been working on machines forever, how should I know? Eg tasks running, too. more than half I don’t honestly know what half the legitimate ones work.

Patch your computer as often as you can. Every day, go and check if there’s something new. You should have antivirus suites incl personal firewalls, antimalware. I check for updates twice a day on Liveupdate.

You should have 2 computers. one where you do all your banking, medical records, etc. And one for your browsing. I know it’s crazy, it costs so much money. Do your risk analysis, $200-300 you can buy a netbook! Use that for social networking, surfing, etc.

I know it’s not good news and you want me to say “do this and nothing will happen to you”. Even going on reputable websites doesn’t guarantee you won’t get compromised.

Google and Microsoft are building huge systems so they can keep your medical records. Right now, you’d have to physically break into an office. Look at those companies’ privacy policy; there is privacy, but NOT FOR YOU!

Q point about social media sites that do try to put in some kind of privacy policy, eg Facebook

Once it’s digital and it’s on the internet you cannot guarantee it’s going to stay private. YOu can trust the person, you can’t trust the machine, etc. And hey, couples DO break up. People forget and walk away when they’re logged in, etc. [eg friends going "hey, check out suzie wong's new blog" when you wanted to keep your name off that blog]

Nowadays, anyone we communicate with has to be in a whitelist, because spam filters are so aggressive. Every day I find at least one email in spam which was legitimate.

Another question is what to put in spam and what to just delete. It’s an editorial decision, it’s a hot debate and everyone has different opinions.

Q is it a good idea to have a spam filter that can be customized?
A Picture an org with several hundred ppl. Some ppl will whitelist ViagraOnline.com or whatever. Systems are not easy to use, so even ppl who would make the right decision can’t get that to work. Someone in IT will make an arbitrary decision for the whole company.

Q are there spam filters that have a combination of org policy and indiv policy?
A spam filters have three or four engines within them, run everything through all those filters and if it comes out it’s not spam. Some filters even filter out things sent after business hours! [ruh-roh]

You will see more attacks. It’s not getting better, it’s getting worse. Nobody even knows how to name the problem which is happening out there, never mind solving the problem. Eg cyberwar. It could be the kid next door going through Chinese servers, attacking you. Surprisingly, security is not considered absolutely necessary. CASH is considered absolutely necessary. Once you have cash, you can do other things.

Next BBB seminar is June 9.