The Basics of
Data Security:
Hackers
Fabian M. Suchanek
based on “
A practical guide to Internet security
”
Overview
2
•
Types of cybercrime
•
Vectors of attack
•
Protecting yourself
Damage by cybercrime
3
In 2017, 978 million people in 20 countries were affected by cybercrime.
• Having a device infected by a virus or other security threat (53%)
• Experiencing debit or credit card fraud (38%)
• Having an account password compromised (34%)
• Encountering unauthorized access to or hacking of an email
or social media account (34%)
• Making a purchase online that turned out to be a scam (33%)
• Clicking on a fraudulent email or providing sensitive (personal/financial)
information in response to a fraudulent email (32%)
=> Cybercrime victims globally lost $172 billion
[
Norton Cyber Security Insights Report 2017 Global Results
]
Damage by cybercrime
4
Three common types of cybercrime:
1) account hacking (see
other lecture
)
2) malware
3) theft of personal information
=> Cybercrime victims globally lost $172 billion
[
Norton Cyber Security Insights Report 2017 Global Results
]
Def: Malware
5
Malware
is any undesired software, in particular:
- viruses that delete data (rare...)
- adware (e.g., “introductory screens”, toolbars, etc.)
- keyloggers (logs your keystrokes and thus knows your
passwords, email content, etc.)
- spyware (tracks your activity to target ads or to blackmail you)
- software that takes control of your computer to send spam,
host child pornography, or participate in denial of service attacks
- ransomware (encrypts your data and you have to pay to decrypt)
A
ransomware
is malware that makes your data unusable
by encrypting it, and requests a ransom (=money) to decrypt it.
Def: Ransomware
Cryptolocker:
325m USD paid
WannaCry:
150,000 USD
paid, 4b USD
in damages
6
The cost is not just the ransom, but also
- operational downtime
- higher insurance fees
Current systems: Emotet, Trickbot, Ryuk
Some ransomware also threatens to sell the personal information
online. Here: the ransomware “Ragnar Locker”
Ransomware++
7
In some cases, the pirates threaten to publish information about
fraudulent behavior of the company or about the sex life of its bosses.
Theft of personal information
8
Stealing
• credit card numbers (-> the thief can buy on your card)
• bank login details (-> the hacker can take your money)
• login information (-> the hacker can access your accounts)
• personal details (-> the hacker can impersonate you)
It is sometimes enough to know your name, your
birthdate, your city of birth, and your address to
- order a new credit card
- reset an account password
- receive new bank credentials
Theft of your ID
9
Your personal id can be used to
- set up a fraudulent Facebook profile
- money laundering
- set up a company in your name, and have
it default
- set up a credit card account in your name
So don’t give away scans of your id
easily!
Overview
10
•
Types of cybercrime
•
Vectors of attack
•
Protecting yourself
Vectors of Attack
11
The main entrance points for the different types of cybercrimes are
- clicking on fraudulent links (and installing something)
- clicking on fraudulent links (and entering personal information)
- opening fraudulent Office documents (and running the macros)
=> It all boils down to identifying and trusting
the party who provides the link/document
Fake Emails
Fake emails
are emails that pretend coming from a legitimate sender,
and that entice the receiver to download software, enter personal
information, or otherwise compromise their security.
Writing fake emails to gather personal information is called
phishing
.
It is very easy to send a fake email:
- the sending address can be modified ad libitum (unless sender
verification is enabled)
- the target address can be any of those that are available online
(legitimately or not)
- the content can be taken from any of the emails that companies
usually send
12
=> The only protection is your own vigilance!
Fake Emails: Examples
13
LeBonCoin
Comment remarquer un comportement suspect ?
- L’adresse email n’est pas une adresse email utilisée par leboncoin
- L’objet de l’email est en majuscule et fait mention d’une autre adresse email
- La présence de fautes d’orthographe dans le corps du texte
- L’utilisation d’une signature avec un mot anglais pour une société française
- Le design global de l’email qui n’est pas aligné
Very weak
protection
(hacker
can do
the same)
Fake Emails: Better Example
14
From public
registry (?)
Reasonable
text
Reasonable
URL at surface,
but fraudulous
target
Fake SMS & Fake Calls
15
Fake calls
are phone calls that entice the receiver to
download software or to give away personal information. Making
automated fake calls to gather personal information is called
vishing
.
Common strategies:
- Pretend to be Microsoft and ask to install an “update”
- Pretend being a help desk worker, offering “help” (
Quid pro quo
)
- Pretend to be the bank, ask for TANs
Techniques: caller id spoofing, knowing personal information upfront