infosec on the road - wordpress.com · 2011. 7. 11. · infosec on the road -or- keeping...
InfoSec on the Road
-or-
Keeping what's yours, yours.
HU UK 2011 meeting – 26th June 2011
Alexandros Papadopoulos, CISSP
How do you use computers on the road?
Withdrawing money from ATMs
E-Banking
Saving photos
Writing your blog/book
Posting in forums
Emailing for work or personal stuff
Chatting with friends and family
Skimmers
Sensitive info stolen (malware)
Data loss, privacy
Censorship, privacy, sensitive info stolen
ATMs (1)
Beware of skimmers
Designed to steal your:
Bank card's information
PIN
Cash
http://krebsonsecurity.com/all-about-skimmers/
ATMs (2) Stealing the bank card information
ATMs (3) Stealing your PIN
ATMs (4) Anything wrong with this ATM?
ATMs (5) Hidden mobile phone camera captures PIN
ATMs (6) Stealing your cash: Cash Trapping
e-banking
• Most publicly accessible computers are infected with malware
• They therefore cannot be trusted for e-banking
• Carrying a password generator with you makes this a bit safer
What is malware?
• Malicious + software = malware
• Example: Zeus & URLZone – dynamically rewrite your online bank statements (after stealing your bank login and using it to drip-feed money out of your account)
• Example: Stuxnet – destroys nuclear plant equipment
• Generally, crooks are after your passwords
• Your phone, camera, GPS, laptop, USB stick will probably be infected
Malware – Is this legit?
Malware – amateurs!
Malware – webfake I
Malware – webfake II
Malware – Fake Bank Statement
Saving photos
• Your enemies:
• Vibrations, humidity, thieves, weight, accidental deletion, software error…
• Your allies:
• Online storage – Flickr ($25/year)
• Multiple copies
• Solid state media (SD cards)
• Encrypted storage (TrueCrypt)
Saving files (general)
• Google Docs
• Dropbox
• TrueCrypt “Portable Mode” USB sticks
Possible to have a secure “password file” with you
The best defence against all this…
• Is free!
• Allows you to completely ignore the software installed on the machine you use
• Like carrying your own computer-on-a-stick!
DIY bootable USB stick
http://www.ubuntu.com/download/ubuntu/download
This is what you get
Stories from Iran
• The charming “foreigners police” connected my camera’s SD card to one of their Windows PCs to check out my photos
• No software copyright enforcement => pirated software everywhere => no security updates => everything infected with malware
• HTTPS necessary if you want to speak your mind on email/blog.
Keep snoopy governments from (easily) reading your emails
Signs of country-level blocking
Signs of country-level proxying
Recent high-profile cases
• Stuxnet (travellers most certainly involved!)
• Hijacked webmail/Facebook accounts
• The goodies I brought home when I returned from UK2India
Invisible in Windows XP/7 with 3 different antivirus suites
Visible but untouchable in MacOS X
Finally deleted with GNU/Linux
Once you’re back home
• Systematically disinfect all removable media (GPS memory card, camera, any USB sticks you used during the trip)
• Use a trusted system like a recent GNU/Linux bootable disk to delete all files you don’t recognise from your media
• Change your passwords (bank, webmail, forums etc)
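One way to approach the "delete all files you don't recognise" step from a trusted GNU/Linux boot, as an added example that is not part of the original slides: it lists, without deleting anything, every file on a mounted card or stick whose extension is not on a list of types you expect to find there. The function name, the extension list and the mount path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides).
# Reports files on removable media that are not of an expected type, so they
# can be reviewed before deletion. Nothing is modified or deleted.

# Assumed allowlist: photo, video and GPS track extensions. Adjust to your kit.
EXPECTED_EXT="jpg jpeg png cr2 nef arw dng mov mp4 avi gpx"

# unexpected_files MOUNTPOINT
# Prints one path per line for every regular file whose extension (compared
# case-insensitively) is not in EXPECTED_EXT. Dot-files and files without an
# extension are always reported, since Windows tends to hide them.
unexpected_files() {
    EXPECTED_EXT="$EXPECTED_EXT" find "$1" -type f -exec sh -c '
        for path in "$@"; do
            name=${path##*/}
            case $name in
                *.*) ext=$(printf "%s" "${name##*.}" | tr "[:upper:]" "[:lower:]") ;;
                *)   ext= ;;
            esac
            ok=no
            for e in $EXPECTED_EXT; do
                [ "$ext" = "$e" ] && ok=yes
            done
            [ "$ok" = yes ] || printf "%s\n" "$path"
        done
    ' sh {} + | sort
}

# Usage (mount path is an example): sh check_media.sh /media/ubuntu/SDCARD
if [ "$#" -gt 0 ]; then
    unexpected_files "$1"
fi
```

Mounting the media read-only first (for example with `mount -o ro`) keeps the review step from changing anything on the card.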
Questions?
• Personal data protection tips: http://thinkingspaces.org (my security blog)
• Surveillance self-defence project by the Electronic Frontier Foundation: https://ssd.eff.org/
• Remote backup software: http://www.crashplan.com
• Encryption software: http://www.truecrypt.org
• Anonymous browsing: https://ssd.eff.org/tech/tor
Get this presentation: http://tinyurl.com/infosecontheroad