On-Line Banking Security. Bradford Rand, Vice President, INFOSEC Officer.


Page 1:

On-Line Banking Security
Bradford Rand, Vice President, INFOSEC Officer

Page 2:

Online Security Approach
• Online Security Is Not A Single Solution.
• The Best Security Is A Layered Approach: “Defense In Depth”
• Internet
  • Source of Information
• Firewall
  • First line of Defense
  • Can Have Multiple Onsite
  • IDS / IPS at this Level
• Network Access
  • Grants Permissions
• Local Workstation
  • Anti Virus
  • Additional IDS / IPS

Page 3:

Defense In Depth
• Local PC Configurations
  • Security Patching
    • Operating System (Windows / Apple / Chrome)
    • Third Party Applications
• Local Workstation
  • Anti-Virus
  • Anti-Malware
• Network / Local Workstation
  • “Principle of Least Privilege”: enough to perform the job function, no more.
• IDS / IPS
  • Intrusion Prevention over Detection
• Firewall
  • Intrusion Detection / Prevention
  • Open Port Limitation
  • Does Not Examine Data Packets
• Physical Access
  • Location of Equipment
• Education
  • Email Phishing
  • Phone Calls: “Vishing”
• Support From Above
  • Buy-in from Executive Management
  • Assist in ensuring training / compliance.

Page 4:

Is There a “Silver Bullet”?
• No. If there was, I would own stock and not be here today.
• Don’t be fooled by software salesmen stating there is.
• The creation of the internet caused this problem.
  • (Actually the users of the internet, not the internet itself.)
  • Opportunity to “knock on doors” without being caught.
• The safest PC is one that is not connected to the internet.
  • Once an unprotected PC is placed “online” with the internet, it will be compromised within 7 minutes.
  • ** SANS Survival Times https://isc.sans.edu//survivaltime.html
• A dedicated workstation, used just for online banking, is the most secure solution for performing online transactions.
• Patching is critical.
  • Most compromised PCs were not up to date with Operating System updates.
• Email: Phishing / Trojan Malware is overwhelming.
  • Education / Training is key.
  • Third Party companies are available to test for you. (Some are free with limitations.)

Page 5:

How Does It Happen?
• Every compromise incident I have been involved in was initiated from the client / end user workstation.
• The compromised computer was the result of inadequate patching and / or email phishing.

Page 6:

Local Workstation
• Can Download Malware From Many Areas
• Phishing:
  • Email sent to you appearing as a known source
  • Contains attachment: Word / PDF / Excel / Text File
  • Contains hyperlink to contaminated web site.
  • Click on the link and download the program
  • Downloaded program takes advantage of known vulnerabilities.
• Portable Media
  • USB sticks carry malware
  • Seeding / Leave a USB stick in the parking lot.
  • Has label “Payroll” / Eye Candy
  • You plug it in at work, it autoruns.
• Browsing Web Pages
  • Ads on the sidebar
  • Google does not verify “clean” sites well.
  • Redirect to compromised sites that look like the “real” site.
  • Download malware application

Page 7:

Ransomware From Web Pages:
• Ransomware Found Hidden in Yahoo Ads (Redmond Magazine 08/04/2015)
  • Antimalware company Malwarebytes yesterday released a report that discovered attackers were hiding ransomware in Yahoo's paid ad network. Between July 28 and July 31, some ads that appeared on popular Yahoo sites, including news.yahoo.com, sports.yahoo.com and games.yahoo.com, had been bought by attackers. Once clicked, the malware tried to take advantage of an Adobe bug to inject the popular CryptoWall ransomware on systems.
  • Malwarebytes was quick to point out that users of its antimalware software would have been protected once the malicious ads were clicked on.

Page 8:

Windows 10 Update: Ransomware On the Loose
• Redmond Magazine 08/04/2015
• Late last week the Talos group, Cisco's security research team, uncovered a spam operation that is targeting users looking to upgrade to Windows 10.
• Fake e-mails disguised as Microsoft are being sent advertising the free upgrade to Windows 10.
• Once the attached zipped file is downloaded, extracted and executed, a system's files will be encrypted with CTB-Locker, a ransomware variant that operates in a unique fashion.
• Once the files are encrypted, users are presented with a standard ransom message, demanding payment for the encryption key. And to keep the whole transaction anonymous, payment through Bitcoin and transfer of the encryption keys through TOR occurs.

Page 9:

“Trojan” Malware
• Trojan Horse
  • Free Gift / Special Offer
  • Email or Web Browsing
  • Click on Link
  • File Appears as “Friendly”
  • Request to Run File
  • Allow Execution / Installation
  • Wrapper Opens and Runs a Script
  • Sets Up Shop On O/S
  • Cloaks Itself
  • Calls “Home”
  • Begins Data Transfer

Page 10:

Keystroke Loggers
• Most Common Form Of Malware
• Easy To Deploy
  • End user does the work by loading the application
• “Calls Home” When Set Up
  • Captures All Traffic From PC Going Out To Web
• Has search criteria (Filters)
  • Login ID / Passwords
  • 9 digit socials
  • Account Numbers
• Records Any String Of Data Behind Keywords
  • Sends back data in complete format
  • Complete report of compromised data at end of the day
  • Programmable application
• Possibility Of Remote Control
  • Removes IP location restriction in “cookies”
  • Performs banking from your PC.

Page 11:

Keystroke Logging Example
• Switch Over To Compromised Computer
• Keystroke Logging Questions?

Page 12:

Basic Steps
• Keep Operating System up to date.
  • Microsoft releases patches for a reason.
  • Patch Tuesday / second Tuesday of the month.
  • Remediates known vulnerabilities.
  • Set Updates to automatically update.
  • MS Office updates – Not Part of Patch Tuesday
  • Browser
    • Internet Explorer – Patch Tuesdays
    • FireFox – Automatically Updates
    • Chrome – Automatically Updates
• Third Party Application Patching
  • Adobe Products
    • Reader / Writer / Flash / Air / Shockwave
  • Be careful of “Toolbar” baggage applications.
    • Ask / Google / checked by default to load with the patch.
    • Result is a more crowded browser and slower PC.
    • Adware follows your browsing habits.
    • Google ads on the sidebar change to appeal to you.
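Added example (not from the presentation): a small Python helper that computes the second-Tuesday Patch Tuesday date and flags a workstation whose last OS update predates the most recent release; the seven-day grace period and the inventory dates are assumed values for the demonstration.

```python
from datetime import date, timedelta

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's regular Patch Tuesday."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)

def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before `today`."""
    this_month = patch_tuesday(today.year, today.month)
    if this_month <= today:
        return this_month
    # This month's release is still ahead, so last month's is the latest.
    last_of_prev = today.replace(day=1) - timedelta(days=1)
    return patch_tuesday(last_of_prev.year, last_of_prev.month)

def is_patch_overdue(last_os_update: date, today: date, grace_days: int = 7) -> bool:
    """True when the workstation has not taken updates since the latest Patch
    Tuesday and more than `grace_days` (assumed policy value) have passed."""
    latest = latest_patch_tuesday(today)
    return last_os_update < latest and (today - latest).days > grace_days

if __name__ == "__main__":
    # Constructed inventory: hostname -> date of last successful OS update
    inventory = {"bank-pc-01": date(2015, 7, 20), "bank-pc-02": date(2015, 7, 1)}
    today = date(2015, 8, 4)   # the date of the articles quoted in the deck
    for host, last in inventory.items():
        status = "OVERDUE" if is_patch_overdue(last, today) else "ok"
        print(f"{host}: last update {last}, latest Patch Tuesday "
              f"{latest_patch_tuesday(today)} -> {status}")
```

The two end-of-support dates quoted later in the deck (April 8, 2014 for XP and July 14, 2015 for Windows Server 2003) both fall on a Patch Tuesday, which is a handy sanity check for the helper.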

Page 13:

The Best Solution
• Dedicated Workstation is the best solution.
  • Can be an outdated PC.
  • No need to add to a Domain.
  • Will run quick enough with minimal applications running on it.
  • Needs Windows 7 and up.
  • Anti-Virus / Malware Detection
  • Keep up on Operating System Patching!
• Limit Access To Local Workstation
  • Location, location, location
  • Keep it close.
  • Lock it up when not in use.
• Require separate local accounts.
  • Create Administrative account.
  • Limit “Basic” user accounts to not allow running of executables.
  • “Run As” will require the administrator password to install applications.
• Disable “AutoRun”
  • Will require a double click on the file to execute.

Page 14:

Phishing Examples

Page 15:

Email Phishing Examples
• Contained In Email
  • Mouse Over Hyperlink To Reveal Actual Site Address
  • Not www.bofa.com; instead it is a “hacked” site unknowingly hosting the page.
  • Attachment could be .pdf / .exe / .gif / .doc / .xls
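The mouse-over check above, done programmatically: an added Python example (not from the presentation) that pulls the links out of an HTML email body and flags any whose visible text looks like a web address but whose real href points at a different host, plus a check of attachment names against the extensions the slide lists. The sample email, the `.invalid` host and the extension list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible text names the bank, the real href does not.
SAMPLE_EMAIL = """<p>Your account is locked. Verify at
<a href="http://example-hacked-site.invalid/login">www.bofa.com</a> or call us.
See our <a href="https://www.bofa.com/help">help page</a>.</p>"""

# Extensions the slide lists as possible malware carriers, plus the zipped
# Windows 10 lure from the earlier article (constructed policy list).
RISKY_EXTENSIONS = {".pdf", ".exe", ".gif", ".doc", ".xls", ".zip"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value: str) -> str:
    """Host name of a URL or a bare 'www.example.com' string, lower-cased."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def find_deceptive_links(html: str) -> list:
    """Return (shown text, real host) for links whose text looks like a URL or
    host name but whose href actually leads to a different host."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        looks_like_url = re.match(r"^(https?://|www\.)\S+$", text, re.I)
        if looks_like_url and host_of(text) != host_of(href):
            flagged.append((text, host_of(href)))
    return flagged

def risky_attachments(filenames: list) -> list:
    """Attachment names whose extension is on RISKY_EXTENSIONS."""
    return [f for f in filenames if "." in f and "." + f.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS]
```

Mail gateways and user-reporting tools apply the same text-versus-href comparison; it catches the lure on this slide but not a link whose visible text is plain words, so it complements rather than replaces the mouse-over habit.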

Page 16:

Phishing Examples (Cont.)

Page 17:

Phishing Examples (Cont.)

Page 18:

Phishing Examples (Cont.)

Page 19:

Internet Country Domain Codes

Page 20:

Top Level Domain Extensions
• “Normal” Business Usage
  • .us
  • .gov
  • .com
  • .net
  • .edu
  • .org
• On The Horizon
  • .bank
    • Very extensive background check.
    • Good for public appeal.

Page 21:

Best Practices
• If In Doubt, Throw It Out!
• Companies will attempt many ways of contacting you.
  • (Especially if you owe them money.)
  • For collection, phone calls are most common, not email.
• Use Email and Common Sense:
  • There is never a “free” gift. (Too good to be true.)
  • Do I know who is sending me this email?
  • Do I perform business with this person / company?
  • I don’t remember applying / asking for that.
• Opening Attachments:
  • Malware can be contained in: Word / Excel / Adobe pdfs / Pictures
  • Usually asks permission to load the file.
  • That is the clue: never allow an application to run!
  • Use “Save As” to download the file locally and scan it for viruses before double clicking.

Page 22:

Email Security Questions?

Page 23:

Fight the Fight!
• Change Your Passwords Frequently
  • Use Complexity, not your dogs / children / birthdates.
  • Phrases are good.
    • Jane, Bill and Woof / JanBilWoo / J@nBi1W00 (replace with symbols and numbers)
  • Personal FaceBook? Reveals passwords by “creeping” on your page.
  • Purchase a password generator.
• Do Not “AutoSave” or “Remember” Passwords In Browsers
• Ensure Anti Virus Is Installed
  • Auto update of definitions
  • Threat detection installed
  • IPS / not just IDS: Intrusion Prevention instead of Intrusion Detection.
• Free Anti Virus applications will cost you in the long run!
  • You get what you pay for…

Page 24:

Windows Versions
• Windows XP EOL / EOS
  • April 8th, 2014
• Current is Windows version 7 - 10
  • 7 Is Very Compatible
  • 8.1 Is a Better Version Than 8.0
  • 10 is a free update for all registered PCs.
  • Shock Factor / “Skins” Can Be Installed
    • classicshell.net Skin makes it look like XP or 7.
• Windows 2003 Server
  • EOL / EOS July 14th 2015.
  • Very important to update
  • Public Facing / Big Trouble
    • IIS (Internet Information Servers)

Page 25:

Online Resources
• Websites to sign up for security alerts:
  • United States Computer Emergency Readiness Team (US-CERT): https://www.us-cert.gov/
  • SANS Internet Storm Center: https://isc.sans.edu/
• Online Threat Activity Websites:
  • Symantec IT Security Threats: http://www.symantec.com/security_response/
  • McAfee Threat Center: http://www.mcafee.com/us/threat-center.aspx
  • Microsoft Internet Safety and Security Center: http://www.microsoft.com/security/default.aspx
  • TrendMicro Security Threats: http://www.trendmicro.com/us/security-intelligence/current-threat-activity/

Pages 26-29:

Email Alert Examples

Page 30:

Other Resources
• Malwarebytes.org
  • Anti-Malware Scanning Application
  • Free Version Download
  • Auto Update When Installed
  • Very Powerful Scanning Engine
  • Reveals “Cookies” and Temp Internet Files
  • Best Of Breed In “Free” Applications

Page 31:

Other Resources
• Microsoft Removal Tools
  • http://support.microsoft.com/botnets
  • http://support.microsoft.com/security/scanner/en-us/default.aspx
• Be Careful – Creates “Best Practices” On Your PC.
  • Firewall Turns On
  • Sets Up Automatic Update For Windows
  • Enables Internet Explorer’s Privacy Settings
  • Turns On User Account Control (UAC)
  • Cleans Out Your Internet Cache and Browsing History
  • May Shut Off Other Applications
  • Seek I.T. Support If Available

Page 32:

Good To Great
• Current:
  • SFA Tokens (number on display)
  • Cell Phone – SMS texts a number to enter
  • Trusteer Rapport – Browser based
• Near Future: (Here now)
  • Remote Web Server will scan your computer.
  • Detect and report malware.
  • Prevent transaction from processing.
  • IBM PinPoint / Trusteer / Rapport combination.

Page 33:

Smart Phone Payments
• Is Using a Smart Phone Safe?
  • Apple Apps are screened for malware and viruses
  • Droid Apps can contain malware and viruses
  • Anti Virus available

Page 34:

Thank You!

Page 35:

• Malwarebytes.org: http://www.malwarebytes.org/
• Microsoft Removal Tools:
  • http://support.microsoft.com/botnets
  • http://support.microsoft.com/security/scanner/en-us/default.aspx
• Download This Presentation: www.bradrand.com/presentations
• Windows Shell (Appearance of XP / Vista): http://www.classicshell.net/