Peter Wood, Chief Executive Officer
First Base Technologies LLP
Personal Cyber Security
Phishing and Ransomware
Slide 2 © First Base Technologies 2017
Founder and CEO - First Base Technologies LLP
• Engineer, IT and information security professional since 1969
• Fellow of the BCS
• Chartered IT Professional
• CISSP
• Member of the Institute of Information Security Professionals
• 15+ Year Member of ISACA, Member of the ISACA Security Advisory Group
• Senior Member of the Information Systems Security Association (ISSA)
• Member of the BCS Information Risk Management and Assurance Group
• Chair of white-hats.co.uk
• Chair of OTIS (Operational Technology and IoT Security)
• Member of ACM, IEEE, First Forensic Forum, Institute of Directors
• Member of Mensa
Peter Wood
Slide 3 © First Base Technologies 2017
Slide 4 © First Base Technologies 2017
go.symantec.com/norton-report-2013
Slide 5 © First Base Technologies 2017
go.symantec.com/norton-report-2013
Slide 6 © First Base Technologies 2017
What is phishing?
• Emails that look as if they are from a bank, a retailer, eBay, or even a friend
• The email sender information has been faked
• Can include a malicious attachment
• Or a link to a fake website
• Or a link to a compromised website
• Or a website with malicious adverts
• Or invite simple form filling to capture your details
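The bullets above describe two things that a recipient or a mail filter can check mechanically: sender information that has been faked, and a link that does not go where it appears to. The following Python script is an added example (not from the presentation) that applies those two checks to a constructed sample message; the sample headers, the domain names in it and the two-label approximation of a "registrable domain" are assumptions made for the demo.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the display name
# claims to be a bank, the envelope sender and Reply-To use other domains, and
# the link text shows the bank's site while the href points elsewhere.
SAMPLE = """\
From: "Your Bank Security Team" <alerts@example-bank.com>
Return-Path: <bounce@mail-example.net>
Reply-To: <support@example-bank-verify.net>
Subject: Action required: confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://login.example-bank-verify.net/">www.example-bank.com/login</a> now.</p>
</body></html>
"""


def base_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (an assumption; a real
    filter would use the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(msg, name: str):
    """Registrable domain of the address in header `name`, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)
    return base_domain(addr.rpartition("@")[2]) if "@" in addr else None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list:
    """Return human-readable indicators found in a single-part HTML message."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Sender information that does not line up: the visible From domain
    #    versus the envelope sender (Return-Path) and the Reply-To address.
    from_dom = header_domain(msg, "From")
    for hdr in ("Return-Path", "Reply-To"):
        dom = header_domain(msg, hdr)
        if from_dom and dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 2. Links whose visible text names one site but whose href goes to another.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if shown and href_host and base_domain(shown.group(1)) != base_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

Run against the sample it reports three indicators: the Return-Path and Reply-To domains differ from the From domain, and the link text names one site while the href goes to another. A message whose headers and links all agree produces an empty list, which is the behaviour a mail filter would key on.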
Slide 7 © First Base Technologies 2017
Why phishing?
• Steal your passwords, PINs, email addresses
• Infect your computer with a banking Trojan
• Infect your computer with ransomware
• Steal your address book (contact list)
• Add your computer to a botnet
• Install spyware, keyloggers or Trojan software
Slide 8 © First Base Technologies 2017
What are botnets?
• Botnets are large groups of computers controlled by criminals
• Each computer has been infected by malicious software
• The computers’ owners have no idea that they’ve been infected
• The criminals control the computers remotely and silently
Slide 9 © First Base Technologies 2017
How big is this problem?
• Millions and millions of computers around the world are unwittingly part of botnets
• In 2009 a botnet of 1.9 million computers was found
Slide 10 © First Base Technologies 2017
Who are these criminals?
There are all kinds of criminals working together in an underground economy: hackers, spammers, money launderers, even web mafia
Slide 11 © First Base Technologies 2017
Why do botnets exist?
• Send out e-mail spam
• Conduct distributed denial-of-service attacks
• Send out banking Trojans and keyloggers
• Commit click fraud
• Host phishing websites
• Infect more computers and make more botnets
Slide 12 © First Base Technologies 2017
Phishing attacks against companies
• 3,066 employees clicked on a link in a phishing email, and 2,398 users entered their username and password
• An analysis of the compromised passwords from email phishing campaigns revealed single word-based passwords and 72% of passwords being 10 characters or less in length
• Email phishing is the most prevalent cyber security threat to organisations. Passwords harvested grant the attacker access to external services, such as VPNs and OWA
• Gaining access to these services can provide an attacker with full remote access into the network
Slide 13 © First Base Technologies 2017
How to spot a phishing email
Slide 14 © First Base Technologies 2017
Trojan software invitation
Slide 15 © First Base Technologies 2017
How do I know a site is safe?
Slide 16 © First Base Technologies 2017
How do I know a site is safe?
Slide 17 © First Base Technologies 2017
How do I know a site is safe?
Slide 18 © First Base Technologies 2017
How do I know a site is safe?
Slide 19 © First Base Technologies 2017
How do I know a site is safe?
Slide 20 © First Base Technologies 2017
How does Chrome protect me?
Slide 21 © First Base Technologies 2017
How does Firefox protect me?
Slide 22 © First Base Technologies 2017
How does Internet Explorer protect me?
Slide 23 © First Base Technologies 2017
Tips to avoid email attacks
• Never reveal personal or sensitive information in response to an email, no matter who appears to have sent it
• If you receive a suspicious email, call the person or organisation before you respond or open any attached files
• Never click links in an email that requests personal or sensitive information. Enter a known web address into your browser instead
• Report any suspicious email to the spoofed organisation (for example your bank)
Slide 24 © First Base Technologies 2017
Ransomware
Slide 25 © First Base Technologies 2017
What is ransomware?
Slide 26 © First Base Technologies 2017
The scale of ransomware
Slide 27 © First Base Technologies 2017
Evolution
Slide 28 © First Base Technologies 2017
RaaS
Slide 29 © First Base Technologies 2017
Tips to defend against ransomware
• Secure, encrypted backups on write-once media (DVD, Blu-ray)
• Multiple backups (local, cloud and off-line)
• Regular software patching (ref Secunia)
• Ad blocking software for browsers
• Secure home networks
• Anti-phishing training for all friends and family
• Keep up to date on the evolution of ransomware
Slide 30 © First Base Technologies 2017
Password Fun
Slide 31 © First Base Technologies 2017
People hate passwords
Slide 32 © First Base Technologies 2017
A secure password?
• Maggie1
• !J3r3my
• 6k5&R*Gz
• I.love.green.tomatoes
• Password1
• P@ssw0rd1
• Oxford1984
Slide 33 © First Base Technologies 2017
Brute force crack (using a medium-sized botnet)
1. Maggie1 unsafe: brute force instantly
2. !J3r3my unsafe: brute force in 1 second
3. 6k5&R*Gz unsafe: brute force in 1 minute
4. Password1 unsafe: brute force in 2 minutes
5. Oxford1984 unsafe: brute force in 2 hours
6. P@ssw0rd1 unsafe: brute force in 6 days
7. I.love.green.tomatoes 99 quintillion years (99×10^30)
http://password-checker.online-domain-tools.com/
Slide 34 © First Base Technologies 2017
Intelligent dictionary crack
1. Maggie1 unsafe: dictionary word + one or two digits
2. !J3r3my unsafe: leet speak + one character
3. Password1 unsafe: dictionary word + one or two digits
4. Oxford1984 unsafe: dictionary word + year
5. P@ssw0rd1 unsafe: leet speak + one or two digits
6. 6k5&R*Gz unsafe: brute force in 1 minute
7. I.love.green.tomatoes 99 quintillion years (99×10^30)
http://password-checker.online-domain-tools.com/
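The two slides above apply two attack models to the same list: exhaustive brute force over the password's character set, and an "intelligent" dictionary attack that recognises a word with trailing digits, a year, or leet-speak substitutions. The following Python password-policy check is an added example, not the online checker the slides link to; it reimplements both models in miniature. The word list, the leet-substitution map and the guess rate of 10^12 per second are assumptions, so the times it prints will not match the slides' figures exactly, but the ordering of the verdicts does.

```python
import re
import string

# Constructed mini word list for the demo; a real policy check would load a
# large dictionary plus leaked-password lists.
WORDLIST = {"maggie", "jeremy", "password", "oxford", "love", "green", "tomatoes"}

# Assumed guess rate for "a medium-sized botnet" (our assumption, not a figure
# from the presentation). Every time estimate below scales with this value.
GUESSES_PER_SECOND = 1e12

# Common leet-speak substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def charset_size(pw: str) -> int:
    """Size of the union of the standard character classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def brute_force_seconds(pw: str) -> float:
    """Time to enumerate every string of len(pw) over pw's character classes."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def dictionary_weakness(pw: str):
    """Name the pattern an intelligent dictionary attack would try, or None."""
    # Split off up to four trailing digits ("Maggie1", "Oxford1984").
    stem, digits = re.fullmatch(r"(.*?)(\d{0,4})", pw).groups()
    # Allow a single symbol glued to the word ("!J3r3my").
    symbols = len(stem) - len(stem.strip(string.punctuation))
    stem = stem.strip(string.punctuation)
    word = stem.lower().translate(LEET)        # undo leet speak
    if word not in WORDLIST:
        return None
    base = "leet speak" if word != stem.lower() else "dictionary word"
    if len(digits) == 4 and 1900 <= int(digits) <= 2099:
        return base + " + year"
    if digits:
        return base + " + digits"
    if symbols:
        return base + " + symbol"
    return base + " alone"


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.1f} seconds"


def assess(pw: str) -> dict:
    """Combine both attack models into one verdict for a policy check."""
    weakness = dictionary_weakness(pw)
    seconds = brute_force_seconds(pw)
    century = 100 * 365.25 * 86400
    if weakness:
        verdict, reason = "unsafe", f"dictionary attack: {weakness}"
    elif seconds < century:
        verdict, reason = "unsafe", f"brute force in {human_time(seconds)}"
    else:
        verdict, reason = "ok", f"brute force would take {human_time(seconds)}"
    return {"password": pw, "verdict": verdict, "reason": reason, "seconds": seconds}


if __name__ == "__main__":
    for candidate in ("Maggie1", "!J3r3my", "6k5&R*Gz", "I.love.green.tomatoes",
                      "Password1", "P@ssw0rd1", "Oxford1984"):
        result = assess(candidate)
        print(f"{candidate:24} {result['verdict']:7} {result['reason']}")
```

The random-looking 6k5&R*Gz is the instructive case: it passes the dictionary check but fails on brute force alone because eight characters, even from a 94-symbol alphabet, is a small search space at botnet guess rates; the passphrase passes both checks because its length dominates everything else.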
Slide 35 © First Base Technologies 2017
What about websites?
Slide 36 © First Base Technologies 2017
Automatic password generator
Slide 37 © First Base Technologies 2017
Tips to avoid password theft
• Don’t use passwords based on dictionary words and names
• Use passphrases whenever you can
• Never re-use passwords: “one password to rule them all”
• Use a ‘password safe’ like Password Agent to make it easy
(http://passwordsafe.sourceforge.net/)
Need more information?
Peter Wood, Chief Executive Officer
First Base Technologies LLP
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Twitter: @peterwoodx