Techniques:
a. Password attacks:
b. Social Engineering:
Ruse to get a password and account issued.
Fire drill exploit.
Universal pass‐badge trick.
Others: Acting dumb to get tech support
c. Phishing:
Phishing attacks use ‘spoofed’ e‐mails and fraudulent websites to fool victims into
divulging personal financial data such as credit card numbers, user‐id and passwords,
and social security numbers. By hijacking the trusted brands of well‐known banks,
online retailers and credit card companies, phishers are able to convince up to 5% of
the recipients.
Case Studies
Massive Gmail phishing attack hits top U.S. officials ‐ June 2011:
Hundreds of personal Gmail accounts were hacked as a result of a massive phishing
scheme. The hijackings were the result of stolen passwords, likely captured by malware installed on
victims’ computers. The phishing attacks emanated from Jinan, China.
* Unlike spear-phishing attacks, phishing attacks are not personalized to their victims,
and are usually sent to masses of people at the same time.
Citibank
In Jan 2004, Citibank customers received an email asking them to log on to the Citibank website
to verify their email address. The URL in the email was a link to a bogus Citibank
website. Users had to key in their real Citibank account number and password to enter
that bogus site. Using the stolen account number and password, the attacker could do
fund transfers and much more on the Citibank website!
More recently, on 14th June 2007, yet another phishing mail targeting Citibank
customers was found circulating. It requested victims to update their account records by
16th June 2007.
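The Citibank lure above works because the visible link text names the bank while the href leads elsewhere. The following detector, an added example that is not part of the lecture notes, flags links in an HTML mail body that invoke a brand (in the link text or in the host name) but resolve to a host outside that brand's domains; the BRAND_DOMAINS allow-list and the sample mail are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list for illustration: brand keyword -> domains the brand legitimately uses.
BRAND_DOMAINS = {"citibank": ("citibank.com", "citi.com")}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host, domain):
    """True only for the domain itself or a subdomain of it, never for a look-alike."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body):
    """Return (link text, host) for links that invoke a brand but lead elsewhere."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        for brand, domains in BRAND_DOMAINS.items():
            mentioned = brand in text.lower() or brand in host
            if mentioned and not any(host_belongs_to(host, d) for d in domains):
                findings.append((text, host))
    return findings


# Constructed sample modelled on the 2004 lure: the visible text names the bank, but
# the href points at an unrelated registered domain with the brand as a subdomain.
SAMPLE_MAIL = """<p>Please <a href="http://citibank.com.verify-account.example/login">
verify your Citibank email address</a> within 48 hours.</p>
<p>Questions? Visit <a href="https://www.citibank.com/help">Citibank Help</a>.</p>"""
```

Running suspicious_links(SAMPLE_MAIL) reports only the first link; the genuine www.citibank.com link passes because its host is a subdomain of an allow-listed domain.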
d. Rootkits & Remote Access Trojan (RAT) programs: BO2K, Netbus, PoisonIvy
Attack on Target and Home Depot (2013)
Personal and financial info of about 110 million people, comprising 11 GB of data, was
stolen in a successful compromise during the Christmas shopping season 2013. Attackers
went undetected for almost 2 weeks; the attack is attributed to criminals in Ukraine.
First they compromised a 3rd party contractor who provides HVAC services to Target.
They probably used Target’s contractor portal as a point of presence to penetrate the internal
network and compromise an internal Windows file server. It is likely that the attacker first
Lecture 2
compromised the Windows server and used it to find and compromise the point‐of‐sale
(POS) systems, where a trojan that finds clear‐text copies of credit card magnetic stripe
information was installed. None of the anti‐virus solutions on the market would have
detected the malware, dubbed Trojan.POSRAM, a variant of BlackPOS.
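The POS malware above harvests clear‐text magnetic stripe data from memory; a defender can sweep memory dumps, logs or disk for the same Track 2 layout to catch such data where it should never appear. This is an added example, not code from the lecture or from any vendor; the memory excerpt is constructed and uses a well‐known test PAN, not a real card.

```python
import re

# Track 2 as encoded on a magnetic stripe: ";PAN=YYMMSSS<discretionary>?" where the
# PAN is 13-19 digits, YYMM is the expiry and SSS the service code. POS RAM scrapers
# hunt process memory for exactly this layout; the same pattern lets a defender sweep
# memory dumps, logs or disk for clear-text card data that should never be at rest.
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; drops random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return (masked PAN, expiry MM/YY) for each Luhn-valid Track 2 record in buf."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]   # PCI-style masking
        expiry = m.group(3).decode() + "/" + m.group(2).decode()
        hits.append((masked, expiry))
    return hits


# Constructed memory excerpt: one record with the well-known Visa test PAN (valid
# Luhn), one with a corrupted PAN that fails Luhn, surrounded by unrelated bytes.
SAMPLE_DUMP = (b"\x00\x00sale ok\x00;4111111111111111=2512201123456789?\x00"
               b"junk;4111111111111112=2601101?\x00\xff\xfe")
```

The scan reports findings masked, so the sweep itself never writes a full PAN into its own output or logs.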
f. Identity Theft
A $500,000 credit card fraud:
Two brothers from California were accused of scamming 21 banks and 3 major credit
reporting bureaus. Through thousands of fake identities, they applied for loans and charged
$500,000 on fraudulent credit cards. They worked with a man employed in a dentist’s
office who extended loans to patients and then reported payments to Experian, a credit bureau.
With social security numbers made up to establish false identities, they began reporting
loan information and on‐time payments for fictitious dental services to Experian.
*A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. Such an
attack is often the result of multiple compromised systems (for example, a botnet) flooding
the targeted system with traffic.
High security risks in WAP, BlueTooth and 802.11 wireless LAN (WEP – Wired Equivalent
Privacy, WPA ‐ Wi‐Fi Protected Access).
In May 2001, two hackers accessed email and files from Sun Microsystems from its parking lot. Paul
Henry of Cyberguard described in a past NUS security conference how he discovered
numerous unprotected wireless LANs while travelling from the airport to the city. WPA2, the
most recent security protocol available for WiFi, has some small problems but is generally ok.
But why do people use WEP in the first place? (Suspect a lot fewer do now, but some mesh
networks may still have a problem.) Even the strongest WPA is not totally safe, due to password
attacks and the KRACK attack.
*KRACK is a severe replay attack on the Wi-Fi Protected Access protocol that secures Wi-Fi
connections. An attacker within range of a victim can exploit these weaknesses using key
reinstallation attacks (KRACKs).
Bluetooth Vulnerabilities:
a. Bluesnarfing:
Bluesnarfing attacks a Bluetooth device, usually a phone, to extract information.
Hackers can obtain phonebooks, calendars and stored SMS messages.
b. Bluetracking:
All Bluetooth devices have a unique address. By using special sensors or antennas you can
see where a particular Bluetooth device pops up and record a person's movement.
The BlueSniper “rifle” has a vision scope and a Yagi antenna with a cable that runs to a
Bluetooth‐enabled laptop or mobile device. Effective range from 33 feet to a full mile!
Credit card issuers have begun installing radio frequency identification (RFID) chips in new
credit cards and passports because the technology holds more data than magnetic stripes and
can be read more quickly.
It doesn't matter if the cards are kept in a wallet or a purse, since they can transmit through
them when prompted by an RFID reader (this applies to company cards and unshielded e‐passports).
The account number and expiration date pop up on the computer screen almost
instantaneously after the reader gets within a few inches of the card.
d. Cyber espionage
- Eavesdropping
- Device attacks, e.g. wifi, bluetooth
- Misuse of the phone’s camera
Zeus could be a very powerful tool for stealing corporate secrets. It lets the criminals remotely
control their victims' computers, scanning files and logging passwords and keystrokes. With
Zeus, hackers can even tunnel through their victim's computer to break into corporate systems.
Crooks could make money by selling access to computers belonging to employees of certain
companies. It has become worse: Zeus now attacks smartphones in a 2‐stage attack, ending with
monitoring your phone for the SMS OTP, which it then forwards to the attacker.
How does it work?
In a typical MitP attack, a fraudster impersonates a bank representative and calls the
banking customer to inform him/her that his/her savings, checking or card account may
have been breached or compromised. The fraudster advises the customer that to remedy
the situation he/she should remain on the line and verify a few account details.
At the same time, the fraudster initiates a call to the customer's bank and connects the
customer with a real bank representative while the fraudster remains muted on the line.
The bank requests authentication information, such as social security number, passwords
and other personal information, which is then provided by the customer. Once the
personal information is provided, the fraudster quickly ends the conference line and
informs the customer that the issue has been resolved. Meanwhile, with the personal
information gathered during the call, the fraudster can take over the customer's phone
banking relationship and transfer money out of the customer's accounts.
Shedun is one of several families of adware that can't easily be uninstalled. That's because
the apps root the device and then embed themselves into the system partition to ensure
they persist even after factory reset. The ability to use social engineering to hijack the
Android Accessibility Service is yet another sign of the creativity and ingenuity put into this
new breed of apps.
Thus, do not use third‐party app markets. Some 20,000 samples were found impersonating apps
from Twitter, Facebook, and others. There are many attacks of this kind, e.g. the fake iOS library in
China. Fake apps can be automatically created & inserted with crimeware kits. The mic can be
turned on by malware. The bad guy needs just a few seconds with your phone. SMS messages will be stolen,
compromising SMS OTPs, Gmail, e‐banking, etc.
5. Computer Forensics
It is a branch of digital forensic science pertaining to legal evidence found in computers and
digital storage media (Wikipedia.com).
The goal of computer forensics is to examine digital media in a forensically sound manner with
the aim of preserving, recovering, analyzing and presenting facts and opinions about the
information. Although it is most often associated with the investigation of a wide variety of
computer crime, computer forensics may also be used in civil proceedings. The discipline
involves similar techniques and principles to data recovery, but with additional guidelines and
practices designed to create a legal audit trail.
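"Forensically sound" handling and a "legal audit trail" both come down to being able to prove the evidence has not changed since acquisition. The following is an added example (not from the lecture): it hashes an evidence image at acquisition, keeps a hash‐chained chain‐of‐custody log, and verifies both; the image bytes and custody entries are constructed stand‐ins for a real drive image and case records.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, examiner: str, when: str) -> dict:
    """Image the source (here a constructed byte string standing in for a drive read
    through a write blocker) and open a custody log with its acquisition hash."""
    evidence = {"image": bytes(source), "custody": []}
    log_handling(evidence, "acquired", examiner, when)
    return evidence


def log_handling(evidence: dict, action: str, examiner: str, when: str) -> None:
    """Append a custody entry. Each entry records the image hash at that moment and
    the hash of the previous entry, so deleting or editing an entry is detectable."""
    prev = evidence["custody"][-1]["entry_hash"] if evidence["custody"] else "0" * 64
    entry = {"action": action, "by": examiner, "at": when,
             "image_sha256": sha256_hex(evidence["image"]), "prev": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    evidence["custody"].append(entry)


def verify(evidence: dict) -> list:
    """Return a list of problems; an empty list means image and audit trail are intact."""
    problems, chain = [], evidence["custody"]
    if not chain:
        return ["no custody log"]
    acquired = chain[0]["image_sha256"]
    if sha256_hex(evidence["image"]) != acquired:
        problems.append("image hash differs from acquisition hash")
    prev = "0" * 64
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev:
            problems.append(f"entry {i} not linked to previous entry")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            problems.append(f"entry {i} was altered")
        if entry["image_sha256"] != acquired:
            problems.append(f"entry {i} saw a different image hash")
        prev = entry["entry_hash"]
    return problems
```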
How do you know if the crime scene photos are genuine? Or that the video footage has not
been doctored? Example: someone jumped in front of an MRT train. What really happened,
if there are no witnesses? What is at stake: a “perfect murder”? An insurance claim?
IT is so pervasive now that criminals big and small are using it. Did you get every gadget that
holds some kind of data? How much to store? Very soon, every crime will be a computer
crime. You will surely need computers to make fake passports (all passports will have a smart
chip), “rob a bank” etc. Classic cases: dispute evidence by claiming to be infected by trojan, and
destroy evidence using countermeasures.
Security Roles
Penetration tester, Computer or IT Auditor, Security Architect, Key Manager, IT Forensic
investigator, Security systems developer, System Administrator, Network Administrator,
Firewall Administrator, Security awareness trainer, Cyber Warrior.