
Understanding Why: Cybersecurity for Non-experts

BSides Delaware · 2016 · 39:00 · Published 2016-11
Category: Community · Style: Talk
About this talk
BSides Delaware 2016 Talk: Understanding Why: Cybersecurity for Non-experts Speaker: Rich Moulton
Transcript [en]

Before I begin, I just wanted to give a shout-out to my employer, Chiron, for giving me the opportunity to work on this during my duty hours. There in the back, I don't know if you were here for Cole's excellent presentation about two hours ago, but Cole is here representing Chiron as well, so thank you.

Before I begin, let me say a little bit about who I am and why what I'm about to say is going to matter. My name is Rich Moulton. I'm an Air Force retiree. I spent the better part of my career at Fort Meade. I did electronics repair, and then intelligence analysis, intelligence collection, and finally automation of intelligence collection. Today I work at Chiron Technology Services. They call me a subject matter expert, but really what I do is cybersecurity research and education. On Twitter I'm "a proper Tunis," if you want to follow me there, and I have a blog at www news com.

Let me tell you a little bit about how this talk started before I get into it. This talk is "Understanding Why: Cybersecurity for Non-experts," and it started like this. I follow this guy on Twitter who goes by the handle @thegrugq, just like this, and he's a cybersecurity researcher like me. He doesn't work at the same company; I have no idea where in the world he is. But he had a list of cybersecurity recommendations that made a lot of sense to me. I could relate to what he was saying. He put it out there on the internet and said, "I recommend you do these things," and someone came back and said, "Why? Can you explain to us why you made the recommendations that you did?" And he said, "Oh, I don't have time for that. You know, I'm too busy doing research. Just take what works for you, leave what doesn't." I said, I'll take that. I can answer why. I'm happy to do that; I'm all about education. So that brings us to our brief today: Understanding Why: Cybersecurity for Non-experts.

Now, if there are any experts in the audience, you'll notice that at certain points I'm going to kind of gloss over things. This is because I don't want to get too far into the woods. I don't want to get too deep into any one subject, because I have a lot of material to cover and it's a limited amount of time, so bear with me if you would. For those of you who are not experts, a lot of this information may be new; it may not be new, depending upon how much cybersecurity training you've had up to this point.

Let me start here: software is eating the world. These are the words of Marc Andreessen. Among other things, he's well known as being the co-author of the Mosaic browser and the co-founder of Netscape, both of which went on to become the foundation for one of the most commonly used browsers in the world, the Firefox browser. I believe when Andreessen made this quote, "software is eating the world," what he meant to say was that all the processes and machinations of our world are slowly being automated and turned into software. So how many of you would agree with this statement? I believe that software at this point is ubiquitous and our life depends on it. It's in our cars and our automatic teller machines, in our power grids, and so on. At this point you've all seen or heard of self-parking cars, self-driving cars. And my car, the one I drive to work in every day, has, for example, a 32-bit processor. It has transmission control software written in C and C++. The entertainment system runs on top of Linux. The central processing unit, the brain of the computer if you will, talks to the tires through Bluetooth to find out how much pressure is in there. It's a regular car; it's an ordinary car with stock hardware and software. The CPU also talks to the brakes over an internal network. So I believe that my life depends on the software. If there came a point where I needed to accelerate or stop in a hurry and the software failed and prevented me from doing that, that could be the end of me.

The problem with software is that it's hard to do right: not just to get the basic functionality working, but to do the security aspects as well. As a software engineer, I've seen it happen many times. Bill the Banker goes and talks to Danny Developer and he says, "I need some software that's going to count one-dollar bills." So Danny gets to writing the program, hashing it out, and in the meantime Bill comes back to him and says, "Oh, by the way, it also needs to count five-dollar bills." So Danny goes and makes the changes. He writes the program, he delivers it. Bill says, "Yes, this is great, this is exactly what I told you I wanted, but in the meantime things have changed. Now I need to count tens, twenties, hundreds, and the equivalent in euros." So Danny takes the program back and he's coding, he's changing. What he doesn't know is that with every change that he makes, little bugs creep into the program, and by the time he delivers a working program, it's going to have a remote code execution bug that's going to allow Hallie Hacker to connect into Bill's machine and take control of it.

So why does Hallie want to make life harder for Bill? Obviously Bill's got money; that's why he needs this dollar-bill-counting program. He has something that Hallie wants. Maybe Hallie wants Bill to think that he has more money than he actually does, so when he goes to report it he'll over-report and get himself in trouble. Maybe she wants him to think he has less money than he actually does, so she can skim money off the top and he won't notice. Clearly Bill has something that Hallie wants, so he's a target. The question is, are you also a target? Do you have anything that Hallie may be interested in? Maybe you do some online banking through your telephone, your laptop, or your desktop computer, all of which I'll refer to as your computer from this point forward. Maybe you control investment accounts. Maybe you have pictures of your family, or a browser that's logged into Facebook. Or maybe you have a car where the CPU talks to the tires over Bluetooth and it talks to the brakes over an internal network. Are these things important to Hallie? Let me tell you what Hallie cares about.

You might be the target of an attack because your CPU, your central processing unit, the brain of your computer, has value to Hallie. Even if you don't have access to money, pictures, or music on your computer, the fact that you have a processor is valuable to her. Let's say you don't have access to money from your computer; you don't control your accounts through your computer or your phone. Hallie can generate electronic currency, Bitcoin, on your computer. Bitcoin is electronic currency. It's not backed by any central bank, and the value is determined by supply and demand. The way that you generate bitcoin is through mining. That means you have your computer do certain mathematical calculations, and you submit that as proof, and then you get paid. You have electronic currency you can store on a hard drive. Normally this isn't worthwhile to do for people, because it might take a hundred dollars' worth of electricity to generate twenty dollars' worth of bitcoin. But if someone else is providing the hardware and paying for the electricity, suddenly it becomes worthwhile. Of course, Hallie's not going to be satisfied just attacking and controlling your computer. She's going to want to have an army of computers generating this revenue for her. She's going to go for what's called a botnet.

Your storage space also has value to Hallie. Your RAM, your hard disk, any cloud storage you may have access to is going to be valuable to her. Maybe Hallie is a child pornographer. Maybe she has stolen documents or pirated movies that she controls. If she gets caught with these things on her hard drive, she's going to go to jail for a long time, so she knows the best place to store these things is not on her computer but on yours. Using technology called Tor, The Onion Router, which is technology developed by the United States government to facilitate communications of foreign dissidents, she can advertise weapons, drugs, or illegal services online without fear of getting caught, without fear of surveillance by the police. Now Tor, along with other parts of the deep web, is supposed to be about 500 times the size of the World Wide Web, which we mistakenly call the internet. So with this massive catalogue of pirated movies, stolen docs, porn, and other things, you need to access it through encrypted protocols, and it's very difficult to navigate. Google, Bing, Yahoo: these services do not index the dark web. So Hallie is very comfortable here, and she may be inclined to donate your storage to the dark web.

Your content has value. Imagine for just a second, and this is a crazy idea, but imagine, if you can, that you actually have content on your computer that you care about. Maybe you have pictures of your family, or music, or movies, whatever it may be. Hallie realized a long time ago that information is often most valuable to people who already possess that information. The fact that you have music and videos and pictures on your computer, the fact that you've collected and curated them, means that you're invested in that property. You care about it; it means something to you. And if Hallie can come onto your computer and encrypt it, prevent you from accessing your own data, you might be willing to pay to get that back. Recently ransomware has become a big phenomenon. Attackers will put some code on your computer once they gain control, they will encrypt your documents, and they'll say, "You're not going to get access to these unless you pay me." Usually they'll ask you to pay them in Bitcoin so that you can't actually find them. This is why your content has value, and because of that you may become a victim.

Finally, your internet connection itself has value. In the past, Hallie Hacker and her friends would send a bunch of traffic out to legitimate business services, like web services or email services, whatever the case may be, and they would shut those things down. They would punish the companies trying to run those business services. It didn't take long before they realized that they could send out a bunch of traffic and shut down those services. That's called a denial of service if it comes from a single computer, or a distributed denial of service if multiple computers are attacking the target. And after doing this distributed denial of service, she will then send an extortion note saying, "If you don't pay me, I'll shut down your service again." So this is distributed denial-of-service extortion. Again, Hallie's smart. She realizes that if she does this from her computers or her friends' computers, one of them is going to go to jail, maybe all of them. So she'd much rather do this from your computer. This is why your internet connection has value to her, and you might become a target.

So here's how the attack would be carried out. I'm going to give you four scenarios. It's not limited to these four, but these are four common scenarios. The first is called phishing, and it's just like real-life fishing: you get some bait, you dangle it in front of the target, you wait for them to take a bite. So here's how they might do it. She might look you up on social networks like Facebook. She might discover that you have a daughter who goes to college in another city. She might put together some content to make it look like your daughter has been kidnapped and you need to pay her in order to get your daughter back. So she'll dangle this bait in front of you and wait for you to bite. Now, this attack might come to you via email; it might be SMS, a text message, or even a phone call. Very recently, I think it was the New York Times, reported on just this sort of virtual kidnapping, where someone had researched the target. They found out she had a daughter in another city, in another state, going to college. They made it look like they had kidnapped the daughter, and they had the mother driving all around town, going to the local Walmarts, sending money to them, until at the end of the day the mother got an SMS from her daughter, who actually hadn't been kidnapped. And she went to the police after that and reported this. I don't think she ever got her money back. So that's one attack; that's the phishing attack.

Hallie has many other options open to her, among those the watering hole attack. Now, in the real world it works like this: the lion will wait by the local watering hole for the antelope to come and take a drink. When the antelope comes to take a drink, the lion pounces. Online, you're the antelope. So here's how this would work. Hallie has compromised a website and she's put some code on there, perhaps JavaScript, so that she knows that when you come to her website you're going to be redirected automatically in the background to download some malware that's going to take control of your computer and do all those nasty things that we already talked about. Now, she discovers which websites you're going to go to because she's researched you. She knows, for example, you go all the time to cnn.com or facebook.com or google.com, whatever the case may be. She knows a little bit about you and she has set this up in advance.

Now, it takes a little bit of effort to compromise a web server. It's not impossible, but it takes some effort. If she's not feeling up to that, another option she has is malvertising: that is, sending you an ad with some code inside that's going to manipulate your computer into doing something you really don't want it to do. For publishers of goods and services there are a bunch of legitimate advertising networks where you can make up a little commercial. Maybe it's an image, maybe it's a video, maybe it's a Flash object. You send this into the ad network, and then publishers who want to monetize their sites download your advertisement, show it on their website, and you pay them a cent, five cents, whatever the case may be. Unfortunately, some of those advertisements do have bad things in them: code that's going to make your computer do things you don't want it to do. I've seen this happen, for example, on forbes.com, yahoo.com, and google.com, among other sites. In particular, a friend of mine online went to forbes.com, and he had an ad blocker extension in his web browser so that he wouldn't see any of these advertisements. When he got to the website, forbes.com said, "Hey, we noticed you're using an ad blocker. It's preventing us from monetizing our site. Would you please turn it off before you continue to read our article?" He said, "OK, that sounds reasonable." He turned off his ad blocker, and he instantly downloaded malware. He got malware on his computer. So you may wonder, why would a publisher go along with this? Why would they be complicit in this? The fact is, they have no idea what's in the content of these ads. For all they know, they're simply demonstrating a good or product that you may actually want. Their options are either show advertisements from legitimate ad networks, or don't. Put another way, they can either monetize their site or not. They have no idea what the content of these ads is; they just show them. They're a vector, if you will.

And finally, even if you don't use social networks, you don't access money from your computer, and you're blocking ads, you're not out of the woods yet. If you have any software or devices that access the internet, they may provide an avenue to attack. They may make you vulnerable, because again, they're using software, and software is hard to do right. Publishers and developers don't have an infinite amount of time and money, in spite of their best intentions, to test their products against all possible inputs. So a lot of times software is going to have unintended functionality. If Hallie finds out what that unintended functionality is before the developer, she may use that knowledge to get onto your computer. There is a list of search terms you can look for that will help you find vulnerable devices and software on the internet. It's known as the Google Hacking Database. The first time you search for the Google Hacking Database and you take a look at it, you may be mortified at the things that you're going to find. You're going to find baby cameras, business cameras, and front door cameras streaming live video to the internet for anyone to see. You're going to see software services online that take either default credentials, like username admin, password admin, or no credentials. Or maybe these software services actually have bugs in them that will allow Hallie to just jump on and take control of your machine.

So how do you protect yourself? On your computer, the best thing that you can do, the easiest thing that you can do, is simply update your operating system when new updates come out. Hallie Hacker tends to find out about a vulnerability in software, and then she'll use it again and again and again until it stops working. Developers realize that; they find out about what it is that Hallie Hacker is doing, and they will update their software so that it's no longer vulnerable to these attacks. So if you ignore available updates, you're basically willfully unprotected against known attacks. Another thing you can do is turn off any functionality that you don't need. It might be Office macros; it might be an interpreter like a Ruby, Perl, or Python interpreter on your computer. If you're not using these things, if they're not a convenience for you, they're just a convenience for the person who's trying to attack your computer. A quick Google search, or Bing, Yahoo, whatever your favorite search engine is, will tell you how to disable this functionality and how to uninstall the interpreters that you don't use. And finally, if your operating system offers it, I recommend that you use full disk encryption. Full disk encryption, and this is where I'm going to start to gloss over things, if it's available for your operating system and if it's implemented correctly, will prevent people from accessing your content on the computer. So if somebody hacks into your computer, even if they have the highest level of privileges, if they don't know your password they're not going to get access to your documents, pictures, your music, your passwords. If available, use full disk encryption.

On the web: there's a gentleman by the name of Peiter Zatko who may or may not be familiar to you. He has been, for the past 20 or 30 years, a security researcher, well known at this point in security circles. He's a former project manager for the Defense Advanced Research Projects Agency. He has recently set up an organization called the Cyber Independent Testing Lab in Virginia, and what he's doing at this point is he'll take software that everyone's already using and he will test it to see just how safe it is. He wants to be, basically, the Consumer Reports of software. He has taken some of the most commonly used browsers, Internet Explorer, Firefox, Safari, and Chrome, and tested them to see how they hold up against attacks. He's found what many people have already known, at least in security circles, which is that Chrome is the most resistant to attack. To make this browser even more secure, you can disable Flash. Again, a quick search engine search will tell you how to disable Flash. Adobe's Flash technology is a very old technology at this point. It has long been known as vulnerable software. I recommend you get as far away from it as you can to keep yourself safe. Now, the grugq, the guy who is actually the inspiration for this whole talk, recommends that everyone use an ad blocker. The best that I know of is uBlock Origin. This is exactly the software that my friend who went to forbes.com was using before he decided to turn it off and get infected with malware. I would recommend, if you have the ability to install a browser extension into your browser, use uBlock Origin. It will protect you against known malware sites, it's updated frequently, and it won't slow down your browser. And finally, my recommendation to anyone is use a password manager. In this day and age, in 2016, people are still writing down passwords on sticky notes and putting them on the desk where anybody can come and find them. I recommend you use a password manager, especially one that has autofill capability, so you can keep track of all your passwords, make sure you don't reuse passwords, and it will autofill the passwords when you go in to log into your services, so you won't forget them. Passwords are not unbreakable, but they are a much safer alternative than any other available, especially sticky notes.

On your phone, there are honestly only two options: either iOS, that is Apple devices, or Android. I understand that there is such a thing as Windows Phone. I understand that there are BlackBerrys in this world, but because of the market share that they hold right now, I'm not going to talk about them. The same concepts apply to those, however. Of these two, the more secure by far is Apple iOS. Now, both Google and Apple put into their phones a certain amount of software that's supposed to protect their vision of what the phone is supposed to be. It's supposed to protect their intellectual property, and it has the secondary effect of also protecting the end user. So again, you want to make sure that you have the most up-to-date version of iOS or Android. If you're using Android, prefer Nexus to other devices, because Nexus gets updates from Google immediately as they're available. If you have another phone, you will get updates when and if the Verizons and the AT&Ts of the world decide to send you updates, maybe never. The most secure device, if you decide to go this route, is one without a subscriber identity module. Now, the SIM card has its own hardware and software that enables you to connect to cellular networks. You won't be able to connect to the cellular networks if you don't have one, but it creates a greater attack surface for you to be attacked; it makes you more vulnerable. So the best configuration is perhaps an iPad or an iPod Touch that doesn't have a SIM card. That would be the safest device for you. Whatever you decide to use, don't jailbreak, root, or put your phone in developer mode, because these turn off and disable the protections that Google and Apple and other providers have put in place to protect their own software and their own visions of what the device is supposed to be. But it also disables all those protections that are protecting you. As I said, this is a secondary effect of the protections that they put in there.

And as for the Internet of Things: Symantec recently put out a warning saying that increasingly, devices that connect to the internet, which I'll refer to as Internet of Things devices or IoT devices, are being used to do distributed denial-of-service attacks. Just a couple of weeks ago, on the 27th of September 2016, the website of Brian Krebs, a well-known security journalist, was attacked with an Internet of Things distributed denial of service. At its peak, this DDoS attack put out one terabit per second worth of data. To put that into perspective, over seven seconds that's enough data to stream 1,000 HD movies. A good way to keep up on whether the devices that you're using are vulnerable to attack is to follow them in Google Alerts. Google Alerts is a service that will allow you to provide a keyword, say for example the name of your IoT device or the device's brand, whatever the case may be, and when that name comes up in the news, say it's been shown to be vulnerable to X, Google Alerts will send you an email and let you know.

So when can you deviate from these recommendations that I've made? The short version is this: when the situation is out of your control, that's out of your control, you have to deviate. When you have other defenses in place, perhaps some other protections that I didn't mention during this video, that may be OK, to deviate from these recommendations. And when the benefit outweighs the risk, it may be OK. Say, for example, you create a virtual machine, and you go and you test out something, and then you decide to destroy the virtual machine. There's probably little risk there. The slightly longer version is this: use operational risk management. Figure out what is the danger here, what's the likelihood of that happening, what damage is going to happen, and what benefits can I accrue by doing this? And if it seems like it's a worthwhile thing, go for it. You can deviate from it, but at the end of the day you want to be a hard target. You want to make yourself harder to hack than the people around you, and hopefully you won't be a victim this way.

James Mickens, a researcher at Microsoft, likes to put this problem into perspective as follows: it's the Mossad or not-Mossad problem. For those of you not familiar, Mossad is the national intelligence agency of Israel, and Mickens says this: when you get hacked, you will either be hacked by Mossad or not-Mossad. If you're being attacked by not-Mossad, there are many things you can do to protect yourself, maybe even stop them in their tracks completely. Among those are the things that I've already talked about, in addition to not reusing passwords, requiring passwords on all accounts, and having two accounts per computer. This is my recommendation: I recommend that on your computer you have one account that has administrative privileges, that you use to install software, and a separate non-privileged account that you'll use. If you're being attacked by Mossad, they're going to get into your computer. There's nothing that you can do. They might use a custom exploit that they spent millions of dollars to develop, or they might just use a crowbar and hit you in the head until you open up the computer for them. Either way, they're getting into your computer. So when can you deviate? Honestly, you know your situation better. Use operational risk management; if the benefits outweigh the risks, then go for it.

So how do you deal with a successful attack? What do you do when you've been attacked? I'm going to tell you a couple of things that you can do. First, if you have a compromised account, an online account, say cloud storage, email, whatever the case may be, Dropbox: first, change your password. That's the first thing that you should do, and you should do it before the person who stole your account changes the password. Second, don't reuse the password. Make sure that it's not the same password you're using on another account, because if they get your password there, they're going to try that same password on Facebook and LinkedIn and Dropbox and wherever else they think you might have an account. And then finally, verify the content. If you left email or videos or executables on this remote account, you want to make sure that they haven't been tampered with before you start using them again. It's possible for Hallie Hacker to download your content, insert a virus, and then upload it again, so that the next time you try to access it from your computer, you'll get pwned. So verify your content before you use it. And understand that providers like Google and Yahoo, LinkedIn, Facebook, they're being attacked constantly, and sometimes those attacks are successful, so expect that they'll be attacked again. You can use Google Alerts to keep up on whether they've been attacked or not; you'll get an email. And then finally, use a password manager, again, to prevent yourself from relying on passwords that you've used for other accounts.

If your computer itself is compromised, here's what you do. Mikko Hyppönen, another cybersecurity researcher and the chief research officer for a well-known cybersecurity company, has put together this infographic, and he said I could use it, but I didn't quite feel comfortable putting it into the presentation. But here's the information. First, he says, don't panic. In an emergency, people who are able to keep their cool are more likely to come out of it intact, so don't panic. Second, don't shut down the computer. Now, personally, if I realize that I'm being attacked, my first response is, I need to shut down the computer and stop this. As a matter of fact, you don't want to do that, because you're going to be destroying volatile evidence of the attack. Resist the urge. Third, disconnect from all networks. At this point they are probably controlling your computer remotely from one of the networks that you're connected to, so disconnect from all networks. Fourth, stop touching the computer and take a deep breath. At this point, if you're touching the computer, you're basically stomping around in a crime scene; you may be messing up evidence. So you need to resist the urge to touch the computer anymore. Stop. Then write down all the details you can remember about the attack. Finally, call for help. You want to call someone who's got some cybersecurity or cyber forensic experience, and preferably you want to know who you're going to call before you get hacked. The last thing you want to do after you get hacked is spend a bunch of time trying to figure out who to call.

If you have a compromised IoT device, the way that you're going to handle that is going to depend on the type of device that you've got, so I'm going to give you two examples, real-world examples. Earlier this year there was a young lady who was involved in something; the police came and they seized her iPhone as evidence. As it turns out, this iPhone was connected to a baby monitor that had a camera, and every time the camera would turn on, there would be a little light that would indicate the camera was on. Now, after the iPhone was seized as evidence and taken back to police headquarters, the woman noticed that the camera light was coming on seemingly at all hours of the day, but particularly when she was breastfeeding her baby. She eventually put together that, you know, the camera was coming on because it was connected to the iDevice, and someone had taken it out of evidence and was using it. So it came to light eventually that a policeman had taken it out of evidence and was watching her from his home at breastfeeding time. She was able to put this together because she recognized what was normal behavior and what was not normal behavior for this device. So that's my advice to you: understand what's normal behavior for your device and what's not, and then take steps when things get weird.

The second story is about electronic locks. A gentleman I follow on Twitter, I'll call him Bob, went out and bought electronic locks for his front door. Now, these electronic locks rely on an iDevice to work, so he put an iPod Touch, or I think it was an iPad actually, in his living room so that the electronic locks would work. He was so excited about this, about never being locked outside, about being able to open his front door from his phone, that he went and showed his neighbor. His neighbor came to look at it and said, "Yeah, this is the coolest thing since sliced bread. I'm probably going to get the same thing." A couple of days passed, and Bob is getting ready to go to work. He's pulling out of his parking spot, and his neighbor, the same neighbor, Tom, comes over and says, "Hey, before you go off to work, can I borrow some sugar?" Bob says, "Sure, yeah, just let me park the car. I'll go get it for you." Tom says, "Don't worry about it, I'll let myself in." He walks up to the front door and he says, "Hey Siri, open the front door." The iDevice, I think it was an iPad actually, sent a signal to the electronic lock, opening the front door for Tom. Bob was mortified. He called in sick and he returned that electronic lock the same day. So the message here is security is not always baked into the IoT devices that you're using, so understand again what's normal behavior, what's not normal behavior, and then know what steps to take when you realize that things are not the way you expected them to be.

Got all the way through without getting a water; I really needed it at this one. OK, so in conclusion, let me sum up what we've talked about. First, realize that you are a target. If you've got a CPU, you've got storage, you've got a network connection, then you are a valuable target for Hallie Hacker. Even if you're not the ultimate target, Hallie can use what you have to get what she wants. To protect yourself, second, realize that you are vulnerable. Even if you don't do online banking, you don't use social networks, if you have any hardware or software that talks to the internet, you may potentially be vulnerable, because software is hard to do right. Follow the software and the devices that you're using, using Google Alerts, and when it turns out that it's vulnerable, you'll be the first to know. Protect yourself: regularly update your software, if that's possible, and disable any unused code that you don't need. Turn off Office macros if you don't use them. Remove the Python interpreter if you don't use that, and so on. Anything that you don't need, get it off your computer, because if it's not a convenience to you, it's just a convenience to someone who's trying to get onto your computer. Recognize bad behavior: know your software, know your IoT devices, understand what's normal behavior, what's not, and know who to call when things get weird. Share what you know. This is not everything that you need to know about cybersecurity, but knowing what you know now will make you a harder target than most of the people in the world. If you share what you know with your family, friends, and co-workers, you could help them to protect themselves online, and we'll all be better off for it, especially Brian Krebs. Finally, understand that security is not an end state. It's something to aspire to. You're never going to get there, but you have to keep working toward it. At this point, hopefully, with the knowledge that you have, you're able to recognize when attacks are happening and deal with them in a way that will preserve evidence and hopefully stop the attack in its tracks.

Now, what were those steps to handling an attack again? One, don't panic. Two, don't turn off the computer. Three, disconnect from all networks. Four, stop touching the computer; take a deep breath. Five, write down all the details you can remember about the attack. And six, call for help. At this point you understand why you might become the victim of a cyber attack. You understand how that attack may be carried out. You understand some cybersecurity practices to protect yourself, and why they work. And at this point you should have enough information to handle an attack. I wish you much success. Thanks for listening. Any questions for me?

Thank you again, and good afternoon.
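One way to carry out the "verify the content" step the talk recommends for files left on a compromised cloud account, as an added example that is not code from the talk or the speaker: record a SHA-256 manifest of the files while the account is known-good, then diff the current files against it before opening anything again. The manifest file name and the sample files are constructed for this example.

```python
"""Integrity manifest for content restored from a compromised cloud account.

Added example, not from the talk. Records a SHA-256 digest for every file
under a directory while the account is known-good, and later reports files
that were modified, removed, or added, so nothing that may have been
tampered with is opened before it is checked. The manifest file name and
all sample files below are constructed for this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = ".integrity-manifest.json"  # assumed name for the stored digests


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large videos do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(root: Path, manifest: dict[str, str]) -> Path:
    """Write the manifest next to the data. Keep a second copy offline: an
    attacker who can rewrite the files can rewrite this file too."""
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def load_manifest(root: Path) -> dict[str, str]:
    return json.loads((root / MANIFEST_NAME).read_text())


def verify_manifest(root: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current state of root against the recorded digests."""
    current = build_manifest(root)
    modified = sorted(p for p in expected if p in current and current[p] != expected[p])
    missing = sorted(p for p in expected if p not in current)
    added = sorted(p for p in current if p not in expected)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: record the good state, simulate tampering, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "videos").mkdir()
        (root / "docs").mkdir()
        (root / "videos" / "clip.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42" + b"A" * 4096)
        (root / "docs" / "taxes.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (root / "setup.exe").write_bytes(b"MZ" + b"\x90" * 512)

        # 1. Known-good state: record digests while the account is trusted.
        save_manifest(root, build_manifest(root))

        # 2. Simulate what the talk describes: the executable is re-uploaded
        #    with extra bytes, one document disappears, one new file appears.
        (root / "setup.exe").write_bytes(b"MZ" + b"\x90" * 512 + b"CHANGED")
        (root / "docs" / "taxes.pdf").unlink()
        (root / "docs" / "invoice.pdf.exe").write_bytes(b"MZ constructed unknown file")

        # 3. Verify against the recorded digests before using anything again.
        return verify_manifest(root, load_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```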
