
Cyber Security Risks

By Hemant Dusane
Agenda

Overview of Networking Concepts: Network & The Internet Concepts; Information & its sources

Types of Services & Case studies: Social Networking; Content Sharing; Location Based

WiFi Network Security: Terms & Definitions; Authentication Types; WiFi Security @Home

Online Banking Security: Terms & Definitions; Online Banking & Fraud; Securing Online Banking

Mobile Device Security: Common Uses; Threat & Risks; Best Practices
What is a network?
Internet & its history
A minute world of us
Types of Services
Social Networking
Facebook, Google+, LinkedIn, Twitter, WhatsApp etc.

Content Sharing
The Logical Indian, ScoopWhoop, Pinterest, Facebook, Dropbox, Google Drive etc.

Location-based Services
Google Maps, Facebook Check-in etc.
Social Networking

A platform to build social networks or social relations among people who share similar interests, activities, backgrounds or real-life connections.

A social network service consists of a representation of each user (often a profile), his or her social links, and a variety of additional services such as career services.
Content Sharing

Any form of content such as blogs, wikis, discussion forums, posts, chats, tweets, podcasting, pins, digital images, video, audio files, advertisements and other forms of media that was created by users of an online system or service, often made available via social media websites.

P2P sharing is one of the best-known examples.


Location-based Services
A general class of computer program-level services that use location data to control features.

An information and entertainment service which is accessible with mobile devices through the mobile network and which uses information on the geographical position of the mobile device.

Critical to many businesses as well as government organizations to drive real insight from data tied to a specific location where activities take place.

Includes services to identify the location of a person or object, e.g. discovering the nearest banking cash machine (ATM) or the whereabouts of a friend or employee.
Why is it free?

If a service does not charge you money, then you are paying in other ways:
Marketing and Advertising
Privacy

Facebook has 1.55 billion monthly active users

Revenues for Q4 2015: $5.36 billion, 78% from ads

LinkedIn Marketing Solutions: $63.1 million

Twitter shows Promoted Tweets targeted at you


Social Networking

Facebook Privacy setting

WhatsApp privacy setting

Google+ privacy setting

LinkedIn Privacy setting


Facebook Privacy Settings Demo

https://www.facebook.com/help/
WhatsApp Privacy Settings Demo

Google+ Privacy Settings Demo

http://www.google.com/intl/en/policies/privacy/
LinkedIn Privacy Settings Demo
Networking Privacy
Do not Friend or Connect with people that you have not met in person or know well

Customize your timeline content settings


Who can post, tag you, tag reviews

Disable tag suggestions for photos uploaded

Review and Monitor


Recognized Devices

Active Sessions

Turn off data sharing with third-party apps and sites

Delete old and unused Apps

Limit search engine inclusion


Content Sharing
ScoopWhoop

Facebook

Google Drive
ScoopWhoop Privacy Policy Demo
Facebook Privacy Policy Demo
Google Drive Privacy Policy Demo
Content Sharing Privacy
Enable two-step verification

Manage your Dashboard data

Before you post, ask the following:


Will this post/picture cause a problem for me?

Can I say this in front of my parents?

Disable LAN sync on laptops

Do not put sensitive data & Encrypt files if needed

Review Apps linked to your account

Review your shared folders periodically


Location-based Services
Google Maps

Facebook Check-in
Google Maps Privacy Policy Demo

Facebook Check-in Privacy Policy Demo
LBS Privacy
Enable two-step verification

Turn off geo location data in photos

Limit your check-in information to friends only

Never check in at your home, school, work

Avoid public lists for a location

Do not let friends check you in

Review posts you are tagged in
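The "turn off geo location data in photos" advice above can be checked rather than trusted: a photo carries its GPS position in the EXIF APP1 segment of the JPEG. The following is an added example, not code from the deck or from its author; the sample JPEG is constructed in the code (it has no image data, only a minimal EXIF block with a GPS IFD), and the segment/IFD parser is hand-written here and assumed rather than any library's API. It reports which GPS tags a JPEG carries and produces a copy with the whole Exif segment stripped, which is what you want before a photo is posted or shared.

```python
"""Added example (not from the original deck): find and strip GPS data in a
JPEG's EXIF metadata. The sample JPEG is constructed here and is not a real
photo; the parser is hand-written and assumed, not any library's API."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP1, SOS = 0xE1, 0xDA
EXIF_ID = b"Exif\x00\x00"
TAG_GPS_IFD, TAG_GPS_LAT, TAG_GPS_LON = 0x8825, 0x0002, 0x0004


def _entry(tag, typ, count, value):
    # One 12-byte little-endian TIFF IFD entry: tag, type, count, value/offset.
    return struct.pack("<HHII", tag, typ, count, value)


def build_sample_jpeg_with_gps():
    """Constructed JPEG: SOI, one APP1/Exif segment with IFD0 -> GPS IFD, EOI."""
    tiff = b"II" + struct.pack("<HI", 42, 8)          # little-endian header, IFD0 at 8
    gps_off = 8 + 2 + 12 + 4                           # GPS IFD follows IFD0 (one entry)
    ifd0 = struct.pack("<H", 1) + _entry(TAG_GPS_IFD, 4, 1, gps_off) + struct.pack("<I", 0)
    data_off = gps_off + 2 + 2 * 12 + 4                # RATIONAL values follow the GPS IFD
    gps = struct.pack("<H", 2)
    gps += _entry(TAG_GPS_LAT, 5, 3, data_off)         # type 5 = RATIONAL, 3 values (d, m, s)
    gps += _entry(TAG_GPS_LON, 5, 3, data_off + 24)
    gps += struct.pack("<I", 0)
    # Constructed coordinates: 18 deg 58' 0" and 72 deg 49' 0", as (num, den) pairs.
    dms = struct.pack("<6I", 18, 1, 58, 1, 0, 1) + struct.pack("<6I", 72, 1, 49, 1, 0, 1)
    payload = EXIF_ID + tiff + ifd0 + gps + dms
    app1 = b"\xff" + bytes([APP1]) + struct.pack(">H", len(payload) + 2) + payload
    return SOI + app1 + EOI


def _segments(jpeg):
    """Yield (marker, raw_bytes) per header segment; image data comes last as (None, bytes)."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                              # EOI has no length field
            yield marker, jpeg[pos:pos + 2]
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:                               # entropy-coded data follows: pass through
            yield None, jpeg[pos:]
            return


def _read_ifd(tiff, offset, endian):
    """Map tag -> (type, count, value/offset) for one IFD inside the TIFF block."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n, value = struct.unpack(endian + "HHII", tiff[e:e + 12])
        entries[tag] = (typ, n, value)
    return entries


def find_gps_tags(jpeg):
    """Return the set of GPS IFD tags present (empty when the photo carries no GPS data)."""
    for marker, seg in _segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_ID:
            continue
        tiff = seg[10:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if TAG_GPS_IFD not in ifd0:
            return set()
        return set(_read_ifd(tiff, ifd0[TAG_GPS_IFD][2], endian))
    return set()


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1/Exif segment (GPS included) removed."""
    out = bytearray(SOI)
    for marker, seg in _segments(jpeg):
        if marker == APP1 and seg[4:10] == EXIF_ID:
            continue
        out += seg
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg_with_gps()
    print("GPS tags before:", sorted(find_gps_tags(photo)))
    print("GPS tags after: ", sorted(find_gps_tags(strip_exif(photo))))
```

Stripping the Exif segment also drops camera model, timestamps and the embedded thumbnail, which is usually what you want for a photo that leaves your device; the image data itself is untouched because the scan segment is passed through as-is.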


Terms
Wireless network A computer network that uses radio waves to send and receive data.

WLAN Wireless local area network.

Standard A document that establishes uniform technical requirements to ensure that electronic devices can operate together.

IEEE (Institute of Electrical and Electronics Engineers) The IEEE is a serious trendsetter, creating the standards for computer communications.

Hot spot An area in which you can easily connect to a wireless network.

Wireless freeloader Someone who connects to an unsecured wireless connection that really belongs to someone else.

War driving A popular hacker pastime. This is literally driving around town trying to pick up wireless networks.

Router The physical device that routes information between devices within a network.

Bluetooth An open wireless protocol that allows data to be exchanged by mobile devices over short distances.
WiFi Network
What are Wireless Networks?
A wireless network is the way that a computer is connected to a router without a physical link.

Why do we need them?
Facilitates mobility: you can use lengthy wires instead, but someone might trip over them.

Why security?
An attacker may hack a victim's personal computer and steal private data, or may perform illegal activities or crimes using the victim's machine & ID. There is also the possibility of reading wirelessly transferred data (by using sniffers).
Security Definitions
Security context between two (network) entities should provide

Authentication - to prove identity

Integrity - to detect altered packets

Privacy - to prevent eavesdropping


WEP (Wired Equivalent Privacy)
Encryption:
40 / 64 bits
104 / 128 bits

Passphrase:
Key 1-4
Each WEP key can consist of the letters "A" through "F" & the numbers "0" through "9"
Attacking WEP
iwconfig a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in monitor mode, which is essential to sending fake ARP (Address Resolution Protocol) requests to the target router

macchanger a tool that allows you to view and/or spoof (fake) your MAC address

airmon a tool that can help you set your wireless adapter into monitor mode (rfmon)

airodump a tool for capturing packets from a wireless router

aireplay a tool for forging ARP requests

aircrack a tool for decrypting WEP keys


How to defend when using WEP
Use longer WEP encryption keys, which makes the data analysis task more difficult: use 128-bit WEP keys if your WLAN equipment supports them.

Change your WEP keys frequently. There are devices that support "dynamic WEP", which is off the standard but allows different WEP keys to be assigned to each user.

Use a VPN for any protocol, including WEP, that may include sensitive information.

Implement a different technique for encrypting traffic, such as IPsec over wireless. To do this, you will probably need to install IPsec software on each wireless client, install an IPsec server in your wired network, and use a VLAN from the access points to the IPsec server.
WPA / WPA2
Encryption:
TKIP
AES

Pre-Shared Key:
A key of 8-63 characters

Key Renewal:
You can choose a Key Renewal period, which instructs the device how often it should
change encryption keys. The default is 3600 seconds
Attacking WPA
macchanger a tool that allows you to view and/or spoof (fake) your MAC address

airmon a tool that can help you set your wireless adapter into monitor mode (rfmon)

airodump a tool for capturing packets from a wireless router

aireplay a tool for forging ARP requests


Capture WPA/WPA2 handshakes by forcing clients to reauthenticate

Generate new Initialization Vectors

aircrack a tool for decrypting WEP keys (should be used with dictionary)
How to defend when using WPA
Passphrases: the only way to crack WPA is to sniff the password PMK associated with the handshake authentication process, and if this password is extremely complicated it will be almost impossible to crack.

Passphrase complexity: select a random passphrase that is not made up of dictionary words. Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals.
Common defense techniques
Change router default user name and password

Change the internal IP subnet if possible

Change default name and hide broadcasting of the SSID (Service Set Identifier)

None of the attack methods is fast or effective when a long passphrase is used.

Restrict access to your wireless network by filtering access based on MAC (Media Access Control) addresses

Use encryption (WPA/WPA2)

Use long and complex keys/passphrases
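The WEP slide (40/64- and 104/128-bit hex keys), the WPA/WPA2 slide (8-63 character pre-shared key, key renewal, TKIP vs AES), the two "how to defend" slides and the common defense list above all describe settings you can verify on a home router. The following is an added example, not code from the deck or from its author: it audits a router's wireless settings against exactly those points. The dictionary-shaped config (`security_mode`, `psk`, `wep_key`, `ssid_broadcast`, `mac_filter_enabled`, and so on) and the two sample routers are constructed for this example; a real router exposes the same settings through its own admin page or config export, so the keys here are assumptions, not any vendor's format. The small word list stands in for a full dictionary.

```python
"""Added example (not from the original deck): audit a home router's wireless
settings against the deck's WEP/WPA advice. The config dict layout and the
two sample routers are constructed for this example, not a vendor format."""
import re

# Constructed stand-in for a real wordlist; a proper check would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "summer", "wireless", "admin", "home"}
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "tp-link"}
DEFAULT_ADMIN = {("admin", "admin"), ("admin", "password"), ("admin", "")}
WEP_KEY_LENGTHS = {10: "40/64-bit", 26: "104/128-bit"}   # hex chars per WEP key size


def check_wep_key(key):
    """WEP keys are hex digits only (0-9, A-F) and 10 or 26 characters long."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", key):
        return "WEP key must contain only the digits 0-9 and letters A-F"
    if len(key) not in WEP_KEY_LENGTHS:
        return "WEP key must be 10 (64-bit) or 26 (128-bit) hex characters"
    return None


def check_wpa_passphrase(pp):
    """WPA/WPA2 PSK: 8-63 characters; the deck recommends 20+ and no dictionary words."""
    problems = []
    if not 8 <= len(pp) <= 63:
        problems.append("WPA passphrase must be 8-63 characters")
    elif len(pp) < 20:
        problems.append("passphrase shorter than the recommended 20 characters")
    words = re.findall(r"[a-z]+", pp.lower())
    if any(w in DICTIONARY_WORDS for w in words):
        problems.append("passphrase contains a dictionary word")
    return problems


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_ADMIN:
        findings.append("router still uses default admin user name/password")
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default name")
    if cfg.get("ssid_broadcast", True):
        findings.append("SSID broadcast is enabled")
    if not cfg.get("mac_filter_enabled", False):
        findings.append("MAC address filtering is off")
    mode = cfg.get("security_mode", "open")
    if mode == "open":
        findings.append("no encryption: wireless traffic can be read with a sniffer")
    elif mode == "wep":
        findings.append("WEP is in use; move to WPA/WPA2")
        key = cfg.get("wep_key", "")
        err = check_wep_key(key)
        if err:
            findings.append(err)
        elif len(key) == 10:
            findings.append("use 128-bit WEP keys if the equipment supports them")
    elif mode in ("wpa", "wpa2"):
        if cfg.get("cipher", "").lower() == "tkip":
            findings.append("TKIP cipher selected; prefer AES")
        findings += check_wpa_passphrase(cfg.get("psk", ""))
        if cfg.get("key_renewal_seconds", 3600) > 3600:
            findings.append("key renewal interval longer than the 3600 s default")
    return findings


# Two constructed routers: one straight out of the box, one configured per the deck.
WEAK_ROUTER = {
    "admin_user": "admin", "admin_password": "admin",
    "ssid": "linksys", "ssid_broadcast": True, "mac_filter_enabled": False,
    "security_mode": "wep", "wep_key": "ABCDEF0123",
}
HARDENED_ROUTER = {
    "admin_user": "owner", "admin_password": "x7#Lq!29vT",
    "ssid": "rooftop-garden-42", "ssid_broadcast": False, "mac_filter_enabled": True,
    "security_mode": "wpa2", "cipher": "AES",
    "psk": "grb!7QXz-pL3w#tvK9mN2sRd", "key_renewal_seconds": 3600,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_ROUTER), ("hardened", HARDENED_ROUTER)):
        print(name, "->", audit(cfg) or ["no findings"])
```

The WEP branch deliberately reports two things at once: that WEP is in use at all, and whether the key even has the format the slide describes. Treat the SSID-hiding and MAC-filter findings as the deck presents them, hygiene on top of WPA2 rather than substitutes for it; the encryption mode and passphrase checks are the ones that matter.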


Terms
EULA End User Licensing Agreement. This is the detailed legalese document that you must agree to in
order to install most programs.

Hacker A programmer who breaks into someone else's computer system or data without permission. (Black Hats, White Hats, and Gray Hats)

Computer forensics The process of collecting digital evidence needed to identify and convict computer
criminals

SPAM Unsolicited email messages, also called electronic junk mail.

Spoofed email An email message containing a fake From: address making it impossible to tell where it was
actually sent from.

Phishing A con artist scam to trick people into giving out personal and financial information.

SPAM relay A hijacked PC that's used to send SPAM without the PC owner's knowledge.

SPAM proxy An email server that's been hijacked to deliver SPAM.


Terms
Web bug A hidden image that spammers use to verify that you're actually reading the SPAM they sent you. (Also called a web beacon or transparent GIF.)

Email scavenger A type of web crawler program that searches the Internet and collects (harvests) all the
email addresses it finds posted on web pages.

Security token A two-factor authentication method using a physical device as well as a secret code.

Cookie Information written to your hard drive by a website that you visit. A website can use a cookie to
recognize you, and sometimes remember custom settings, when you visit that site again in the future.

Data pharmer Someone who farms the Internet, growing collections (databases) of information about
Internet users.

Privacy policy The official policy of a commercial website telling you what (if any) information it collects
about you and what it does with that information.
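Two of the terms above, the spoofed From: address and the web bug, can be recognised from the raw message itself. The following is an added example, not code from the deck or from its author: it parses a constructed e-mail with Python's standard `email` module, compares the domain in the visible From: header with the domain in the Return-Path: (the envelope sender), and scans the HTML body for images that are 1x1 or hidden and carry a per-recipient identifier in their URL. The message, the domains and the heuristics are this example's own assumptions, not taken from any mail product.

```python
"""Added example (not from the original deck): flag a spoofed From: header
and web bugs (tracking beacons) in an e-mail. The message is constructed
for this example; the heuristics are this example's own."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the visible sender claims to be a bank, the envelope
# sender is a tracking host, and the body carries a 1x1 beacon image.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-track.example.net>
Received: from mx.mail-track.example.net (mx.mail-track.example.net [203.0.113.5])
From: "Your Bank" <alerts@bank.example.com>
To: victim@example.org
Subject: Account notice
Content-Type: text/html

<html><body>
<p>Please review your account.</p>
<img src="http://mail-track.example.net/open?id=8f3a2c" width="1" height="1">
<img src="http://bank.example.com/logo.png" width="200" height="60">
</body></html>
"""

IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def header_domain(value):
    """Domain part of the address in a header value, lower-cased ('' if none)."""
    addr = parseaddr(value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def from_mismatch(msg):
    """True when the visible From: domain differs from the Return-Path: domain."""
    visible = header_domain(msg.get("From", ""))
    envelope = header_domain(msg.get("Return-Path", ""))
    return bool(visible and envelope and visible != envelope)


def find_web_bugs(html):
    """Return src URLs of images that look like tracking beacons."""
    bugs = []
    for tag in IMG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        tiny = attrs.get("width") == "1" or attrs.get("height") == "1"
        hidden = "display:none" in attrs.get("style", "").replace(" ", "")
        tracked = "?" in src            # per-recipient identifier in the query string
        if src.startswith("http") and (tiny or hidden) and tracked:
            bugs.append(src)
    return bugs


def analyse(raw):
    """Run both checks over a raw RFC 822 message and return the verdicts."""
    msg = message_from_string(raw)
    return {
        "from_domain": header_domain(msg.get("From", "")),
        "return_path_domain": header_domain(msg.get("Return-Path", "")),
        "spoof_suspected": from_mismatch(msg),
        "web_bugs": find_web_bugs(msg.get_payload()),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print("%-20s %s" % (key, value))
```

A From/Return-Path mismatch is a signal, not proof: mailing lists and bulk-mail providers legitimately send with their own envelope address. The practical defence against the web bug is the one most mail clients already offer, which is not to load remote images until you choose to.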
Online Banking
Online
Transaction
Online Banking fraud
SMS Banking
SMS Banking fraud
Real world
Scenario
Secure Online Banking
Choose an account with two factor authentication

Create a strong password

Do not share your details with anyone

Secure your computer and keep it up-to-date

Clear Your Browser's Cache

Be wary of unsolicited emails or phone calls asking you for PINs or passwords

Type your internet banking URL & Look for the lock icon

Access your accounts from a secure location

Always log out when you are done

Set up account notifications (if available)

Monitor your accounts regularly


Mobile Devices & its Security
What would we do without them?
Phone service and text messaging

WiFi and cellular Internet capabilities

Document storage and productivity capabilities

Different from computers:


Less likely to have up-to-date software and anti-virus software installed

Size

Functionality
Common uses
Reading corporate and personal email

Scheduling appointments & reminders

Accessing social Websites

Listening to music and watching videos

Playing online games

Online shopping, banking and bill paying


Smartphone Risks
Increased mobility means increased exposure

Easily lost or stolen


device, content, identity

Susceptible to threats and attacks


App-based, Web-based, SMS/Text message-based
Best Security Practices
Protect
Password protect

Passcode protect

Pass swipe protect?

Install Security Software


Anti-virus and anti-malware available for mobile devices

Keep your apps up-to-date

Install a phone finder app

Enroll in a backup program

Set device to wipe contents after specified number of failed login attempts
Best Security Practices cont.
When installing apps
Take time to read the small print
What information does the app require access to?

Where are you downloading the app from?


Is it the app store location set by default on the phone?

Know where your device is at all times

Be mindful of how you use your device


Follow same guidelines as you do for your computer

Double check URLs for accuracy

Don't open suspicious links

Make sure the Website is secure before giving any personal data
Best Security Practices cont.
Limit your activities when using public WiFi

Your cellular network connection is more secure than WiFi

Check URLs before making a purchase: https:// is secure; http:// is not

Lost or stolen? Treat it as you would a lost purse or wallet


File a report with law enforcement

Contact your service vendor to cancel your service and report your device missing

If you have a backup/wipe program, contact your vendor to have them wipe the device
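Both the online banking list ("Type your internet banking URL & look for the lock icon", "Double check URLs for accuracy") and the mobile slide above ("https:// is secure; http:// is not") come down to looking at a URL before trusting it. The following is an added example, not code from the deck or from its author, that turns those checks into a function: it requires https, rejects a `user@` prefix that hides the real host, flags punycode host names, and insists the host is the bank's own domain or a subdomain of it rather than a lookalike that merely contains the bank's name. `EXPECTED_BANK_HOST` and every URL in it are constructed placeholders, and the checks are this example's own, not a browser's.

```python
"""Added example (not from the original deck): sanity-check a banking URL
before credentials go into it. EXPECTED_BANK_HOST is a constructed
placeholder; the checks are this example's own, not a browser's logic."""
from urllib.parse import urlsplit

EXPECTED_BANK_HOST = "online.examplebank.com"   # constructed placeholder


def check_bank_url(url, expected_host=EXPECTED_BANK_HOST):
    """Return (ok, reasons); ok is True only when every check passes."""
    reasons = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        reasons.append("not https:// (http:// is not secure)")
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://online.examplebank.com@evil.example -> the real host is after the @
        reasons.append("URL has a user@ prefix; the real host is what follows the @")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("internationalised (punycode) host name; possible lookalike")
    if host != expected_host and not host.endswith("." + expected_host):
        if expected_host in host:
            reasons.append("bank's name is buried inside another domain (lookalike)")
        else:
            reasons.append("host %r does not belong to %s" % (host, expected_host))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed candidates: one genuine, three that fail in different ways.
    for candidate in (
        "https://online.examplebank.com/login",
        "http://online.examplebank.com/login",
        "https://online.examplebank.com.login-verify.example/",
        "https://online.examplebank.com@evil.example/login",
    ):
        ok, why = check_bank_url(candidate)
        print("OK " if ok else "BAD", candidate, "; ".join(why))
```

The lock icon the slide mentions only tells you the connection is encrypted to whichever host the browser reached; it is the host-name check here that catches a lookalike domain, which is why the deck's advice to type the bank's URL yourself matters.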
Smartphone Nabbing & Infection
Difficult to determine

Decreased performance
Slow operation and decreased function

Random action
Phone powers on by itself

Applications open on their own

Items are downloaded without permission

Phone log shows calls you didn't make

Emails are sent to addresses you don't recognize


Key Security Points
Password/Passcode protect your device

Lock your device

Use anti-virus software

Sync/back up your data

Install a phone finder app


Thank you
www.hemantdusane.xyz
