DACS General Meeting
Meeting Review:
June 2011 - Internet Security – Banking and e-Commerce

By Bruce Preston

In the “good old days” a bank could secure its assets by using a vault with thick iron walls and a large door with combination and/or time lock, bars on the windows and an armed Pinkerton guard or two.  If they controlled physical access to the money they were all set.  Now things are very different: assets move electronically rather than in canvas bags and armored trucks, and the ‘bad guys’ use ingenious methods to divert the stream of bits to their own use.  They don’t even need to be on the same continent to commit their crime, and generally don’t leave fingerprints or appear on surveillance videos.

At our June 2011 general meeting, Frank Kunst and Chris Milmerstadt of Fairfield County Bank guided us through some of the behind-the-scenes techniques that financial institutions use to protect customers’ assets.

Authentication: Frank started with the very basics – logon account and password.  Frank stressed that this is just the first layer of defense, that a password should be ‘complex’ – containing a mixture of uppercase and lowercase letters, a symbol or two, a digit or two.  It most definitely should not be a pet’s name or other easily guessed thing such as license plate, phone number etc.  Unfortunately passwords can be cracked by brute force, dictionary attacks, etc.  So banks now often impose a ‘three strikes and you’re out’ lock down mechanism.  It’s a start.  The next level up is “multi-factor authentication” which might consist of providing the answer to a ‘secret question’ etc.  Taking it further, until very recently a more secure mechanism was the use of a cipher key, such as provided by RSA.  Here a random 6-digit sequence is displayed on a key chain device, changing every 30 seconds.  The device is synchronized with a generator associated with the account.  The user must provide the digits as part of the login process.  Even this has now been bypassed.   The next step up is ‘out of band’ authentication whereby the system lists one or more phone numbers associated with the account and as part of the logon sequence places an automated call to the selected phone number and expects a response through that circuit rather than via the internet connection.  Frank took it even further – for some high volume, high value accounts they provide an environment on a USB flash drive.  This is an entire computer environment that is set to ‘tunnel’ via VPN (Virtual Private Network) to the transaction processor – a completely closed environment.  The user must still “unlock” the environment using techniques as previously described.

Best Practices: Chris then discussed ‘best practices’ when surfing the internet; following these can greatly reduce the likelihood of having your computer compromised by malware.  For example, the first thing to observe is “Where is that link I am about to click going to take me?”  He suggests getting out of the habit of directly typing a URL into the browser’s address bar.  Instead, do a search, find the site, and then observe and dissect the link.  If you hover over a link in search results, the actual address will be displayed by the browser – usually at the lower left.  Find the first slash after the “http://” and look at the TLD (Top Level Domain) immediately to the left.  Common TLDs in the U.S. are .COM, .EDU, .GOV, .NET, etc.  Outside the U.S. the TLD is often a country code: .UK (United Kingdom), .FR (France), .CA (Canada), .RU (Russia), .CN (China), etc.  He gave an example of doing a search for “Gift Card” and finding a site with .RU as the TLD; he suggested that it would not be prudent to go to Eastern Europe when searching for a gift card.  Be especially aware that some sites try to impersonate legitimate sites by putting a legitimate site’s domain in as a sub-domain.  A made-up example would be “http://order.amazon.com.process.cn/check-out.asp” which may look good, but it isn’t Amazon.com!
Chris introduced two browser tools – Web of Trust (www.MyWOT.com) and McAfee’s SiteAdvisor (www.siteadvisor.com).  These add-ons give you a visual indication as to the level of safety for a site.  WOT’s evaluations are provided by the user community and tend to be a bit more aggressive, while McAfee is a commercial service and tends to be a bit more liberal.  Some internet security packages (suites) integrate this functionality as well.
Another recommendation was to watch out for sponsored ads at sites.  The site you are at may be perfectly legitimate, but the ad could take you to a place you don’t want to be.
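To make the link-dissection rule concrete, here is an added example (my own, not from the talk) that pulls the host out of a link, reads the TLD and the owning domain from its right-hand end, and flags the impersonation pattern described above. The country-code set and the list of brand names to watch are constructed for the demo; a real checker would use the Public Suffix List so that sites under .CO.UK and similar are read correctly.

```python
from urllib.parse import urlsplit

# Constructed lists for the walk-through: the country codes mentioned in the
# talk, and a couple of brand names worth a second look inside a hostname.
COUNTRY_TLDS = {"uk", "fr", "ca", "ru", "cn"}
WATCH_BRANDS = {"amazon", "paypal"}


def dissect(url: str) -> dict:
    """Read a link the way the talk suggests: the host is everything between
    the scheme and the first slash; the TLD is its last label, and the domain
    that actually owns the site is the label just to the left of the TLD."""
    if "://" not in url:                 # hovered links sometimes omit the scheme
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".") if host else []
    if len(labels) < 2:                  # bare names like "localhost": nothing to dissect
        return {"host": host, "tld": None, "registered": None,
                "country": False, "brand_spoof": False}
    tld = labels[-1]
    owner = labels[-2]
    subdomains = labels[:-2]
    # Impersonation pattern: a well-known brand appears only in the sub-domain
    # part (order.amazon.com.process.cn) and is not the owning domain.
    brand_spoof = owner not in WATCH_BRANDS and any(s in WATCH_BRANDS for s in subdomains)
    return {"host": host, "tld": tld, "registered": f"{owner}.{tld}",
            "country": tld in COUNTRY_TLDS, "brand_spoof": brand_spoof}


if __name__ == "__main__":
    for link in ("https://www.amazon.com/gp/cart",
                 "http://order.amazon.com.process.cn/check-out.asp",
                 "gift-cards.example.ru/offer"):
        print(link, "->", dissect(link))
```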

Chris also discussed the prevalence of the bogus “your computer has been infected” scareware alerts.  The user goes to an infected site and gets what appears to be a legitimate notification that the computer has been infected, with buttons of “OK”, “CANCEL” and perhaps the ‘red X’ in the corner.  Clicking anything on the window will often initiate the downloading of malware, as the browser interprets the click as authorization to accept a download.  The best thing to do is to immediately do a Ctrl-Alt-Del, bring up Task Manager, and kill your browser session.

Phishing: A common attack is Phishing – sending an e-mail that appears to be from a legitimate source saying, for example, that the institution needs to confirm your account credentials and requesting that you click on a link that will take you to a page where any of several things may happen: you might be infected by malware – a key logger, etc. – or you may be prompted to enter credentials such as account logon, password, SSN, etc.  Don’t fall for it.  If you get such a message, do not use the link.  Instead, close the e-mail and confirm the request with the institution by logging on to your account via your normal means.

Social Networks: Chris and Frank continued to discuss other means whereby the bad guys can gain access to your computer and thus obtain information.  For example, links in social networking sites such as Facebook, LinkedIn, MySpace, etc. could contain malicious content.  A recent example given was that there were links purporting to have photos of the dead Osama Bin Laden available.  If you clicked on the link you’d be infected.  They use all sorts of “social engineering” to entice the user to click on something.

Wi-Fi: Frank returned to discuss wireless safety.  To start with, if you set up a Wi-Fi access point, be sure to change the administrator password from the default and change the ESSID (Wi-Fi network name) from the default (when I visit the NJ shore every summer there are dozens of open networks named “LinkSys”).  Be sure to secure the network using WPA-2 encryption.  He wouldn’t even consider using an open Wi-Fi (such as McDonald’s, Starbucks, hotel, etc.) for e-mail or transactions of any kind unless using a VPN tunneling mechanism.  For web-mail such as GMAIL, use the HTTPS prefix rather than HTTP if available; this will encrypt your session.

Notebook Security: If your portable device contains any sensitive information – tax data, bank data, essentially anything that should be kept private, then obtain and install an encryption mechanism that will protect the entire drive or at a minimum designated folders.  Do the same for removable media such as USB flash drives.

Firewalls: The firewall in a consumer-grade router is only good for thwarting various intrusion attempts; it cannot prevent an unauthorized connection that originates within your machine.  For that you typically need a software firewall in your machine which may be set to prevent connections using ports other than those you authorize.  A typical machine needs to have several ports open – 80 is used for web browsing, 443 for secure web sites (SSL), and you generally need ports 25 and 110 or 143 for e-mail.  The bad guys know this, so they often make use of these ports, since the firewall can’t differentiate between good and bad on the basis of the port in use.  Some firewalls may be configured to examine the application that is using the port and permit it via an exception list.  The Windows firewall available in XP SP3 and newer is such a firewall.  Frank identified two utilities – TCPView and Wireshark – as being able to identify which applications are making use of which ports.  You may use them to identify things that have snuck into your system.
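As an added example (mine, not from the presentation), here is the difference between the two firewall styles run over a constructed list of outbound connections in the style of what TCPView shows: a port-only rule passes anything on 80/443/25/110/143, whatever program is behind it, while an application exception list asks which program is using the port. The process names and addresses are made up for the demo.

```python
from dataclasses import dataclass

# Constructed sample (not real captured data): process, remote address, state.
SAMPLE = [
    "firefox.exe  192.0.2.10:443    ESTABLISHED",
    "outlook.exe  192.0.2.20:110    ESTABLISHED",
    "outlook.exe  192.0.2.20:25     ESTABLISHED",
    "svchost.exe  192.0.2.30:80     ESTABLISHED",
    "updater.exe  198.51.100.5:443  ESTABLISHED",
    "winword.exe  203.0.113.9:80    SYN_SENT",
]

# Port-only policy: the ports a "typical machine" needs, as listed above.
ALLOWED_PORTS = {80, 443, 25, 110, 143}

# Application exception list: which program may use which ports. This is the
# extra question an application-aware firewall asks before letting a packet out.
APP_EXCEPTIONS = {
    "firefox.exe": {80, 443},
    "outlook.exe": {25, 110, 143},
    "svchost.exe": {80, 443},
}


@dataclass
class Conn:
    process: str
    remote_ip: str
    remote_port: int
    state: str


def parse(line: str) -> Conn:
    proc, remote, state = line.split()
    ip, port = remote.rsplit(":", 1)
    return Conn(proc.lower(), ip, int(port), state)


def port_only_verdict(c: Conn) -> str:
    return "allow" if c.remote_port in ALLOWED_PORTS else "block"


def app_aware_verdict(c: Conn) -> str:
    return "allow" if c.remote_port in APP_EXCEPTIONS.get(c.process, set()) else "block"


def review(lines) -> list:
    """Connections a port-based firewall would pass but the exception list
    stops: the programs that 'snuck in' and are talking out on a normal port."""
    flagged = []
    for c in map(parse, lines):
        if port_only_verdict(c) == "allow" and app_aware_verdict(c) == "block":
            flagged.append((c.process, c.remote_port))
    return flagged


if __name__ == "__main__":
    for item in review(SAMPLE):
        print("port rule allows, application list blocks:", item)
```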

Account Hijacking: Frank described the method by which organized crime sets up “Money Mules” – typically innocent people who are hoodwinked into setting up bank accounts that end up being intermediate stops in a process whereby a cash-rich organization such as a non-profit educational institution is drained within minutes once the trap is sprung.  There were enough moving parts to make your head spin. 

Suggestions: While they do not endorse particular products or speak for FCBC, some of the consumer-grade products mentioned include: TrueCrypt, GPG, Comodo, ZoneAlarm, KeePass, SuperAntiSpyware, and Malwarebytes.  Some of these have free-for-home-use editions.  In addition, many internet service providers bundle security products with their service.

Space does not permit me to repeat all of the items that Frank and Chris addressed, but they have generously provided us with a PDF (see the DACS Downloads page:  http://www.dacs.org/downloads/dacsdownloads.htm) which contains their notes from the presentation as well as a list of references and resources, and we thank them for an excellent presentation on a topic of interest and concern to us all.

© Danbury Area Computer Society, Inc. All Rights Reserved.