William Stallings, Cryptography and Network Security 5/e (APHRDI)

By P.Raveendra Babu Asst.Professor CSE Department V R Siddhartha Engineering College Vijayawada


Post on 11-Jul-2020


Page 1: William Stallings, Cryptography and Network Security 5/e (APHRDI)

By P.Raveendra Babu

Asst.Professor

CSE Department

V R Siddhartha Engineering College Vijayawada

Page 2:

Page 3:


Page 4:

Page 5:

Mobility Facts

• On average, people check their phones 150 times a day, that is, once every 6.5 minutes.

• More than 1.5 million apps are available in the App Store, Google Play, Windows Store and BlackBerry App World.

• On average, each smartphone user runs 41 apps.

• Every day, more Android phones are activated than babies are born.

• Expected to grow to 20 million by 2020.

Page 6:

The three big mobility trends

1. Tablets are liberating IT from the desktop.

2. Smartphones are redefining customer service into 24x7, anytime, anywhere contextual interactions.

3. Tablets are the new battleground for attracting and retaining profitable customer segments.

Page 7:

World-wide Smartphone Sales (chart: 2006 vs 2013)

• A whopping 60% growth in smart device sales.

• In 2006, Android, iOS, Windows Phone and Bada did not exist, and just 64 million smartphones were sold.

• Of the world's 4 billion phones, 1.08 billion are smartphones.

Page 8:

Future Networks – Internet of Things

Page 9:

Opportunities

Source: http://blog.trentonsystems.com/internet-of-things-crosses-business-personal-boundaries/

Page 10:

“Things” connected to the Internet

Image courtesy: Cisco

Page 11:

Why is cyber space at risk?

Defending is difficult:
• Risk vs. convenience
• Increasing complexity
• Security was never a part of the Internet
• Varied threats and threat actors

Attacking is easy:
• Attacker's anonymity
• Attribution challenges
• Inconsistent laws
• Proximity is no longer a requirement

Cyber space is getting target-rich:
• Increasingly valuable
• Increasingly online
• Increasing dependency
• Technical convergence

Page 12:

Contents

• Password
• Security threats to passwords
• Best practices to create a password
• Handling passwords
• Real-time examples
• E-mail attacks

Page 13:

Password

A password is the most common method for users to authenticate themselves when entering computer systems or websites. It acts as the first line of defence against unauthorized access, and it is therefore critical to maintain the effectiveness of this line of defence by rigorously practising a good password management policy.

Page 14:

SECURITY THREATS TO PASSWORDS

The following are common security risks through which a legitimate user may lose his or her password:

Over-the-shoulder attack: when a person types in his or her password, someone might be able to observe what is typed and hence steal the password by looking over the person's shoulder, or by indirect monitoring using a camera.

Brute-force attack: because a password has a finite length (often 8 alphanumeric characters), an attacker can use programs that automatically generate passwords, trying all possible combinations until a valid password is found. The search space grows exponentially with the length and with the size of the character set, but with recent advances in computing power (and GPU-based crackers working offline against stolen password hashes, where no login rate limit applies), the time needed to execute a successful brute-force attack on a short password has dropped considerably.

Page 15:

Sniffing attack: when a password is sent over a network, it could be captured by network sniffing tools if the network channel is not properly encrypted (for example, a login form submitted over plain HTTP rather than HTTPS). In addition, certain malicious tools (such as a keylogger) might be able to capture a user's password when it is typed in during the authentication process.

Login spoofing attack: an attacker sets up a fake login screen that is similar in look and feel to the real login screen. When a user logs in to the fake screen, the password is recorded or transmitted to the attacker.

Dictionary attack: an attacker uses a program or script to try to log in by cycling through common words and their simple variations (appended digits, "leetspeak" substitutions, reversal). This is far faster than exhaustive brute force because most human-chosen passwords fall into this comparatively small set.

Page 16:

Keylogger attack: an attacker uses a program to record all of a user's keystrokes, so by the end of the day everything the user has typed, including login IDs and passwords, has been captured. Keylogger attacks differ from the others because stronger passwords provide little protection against them, which is one reason that multi-factor authentication (MFA) is becoming a must-have for businesses and organizations.

With two-factor authentication (also called multi-factor authentication, 2FA, or advanced authentication), a user is required not only to provide a password to gain access to the system, but also another security "factor", such as a unique one-time access code generated by a token device or an authenticator app on their smartphone. MFA makes a network far harder to attack from outside: even if an attacker obtains a system password, he still has to supply the second factor. It is not impenetrable, however. A one-time code typed into a phishing page, or captured by malware on the phone, can be relayed to the real site within its validity window, so phishing-resistant factors (hardware security keys) are preferable where the risk warrants them.

Page 17:

BEST PRACTICES

Examples of bad passwords that can be easily guessed or cracked using password crackers freely available on the Internet:

• "password" - the most easily guessed password
• "administrator" - a login name
• "Cisco" - a vendor's name
• "peter chan" - a person's name
• "aaaaaaaa" - repeating the same letter
• "abcdefgh" - consecutive letters
• "23456789" - consecutive numbers
• "qwertyui" - adjacent keys on the keyboard
• "computer" - a dictionary word
• "computer12" - a simple variation of a dictionary word
• "c0mput3r" - a simple variation of a dictionary word with 'o' substituted by '0' and 'e' substituted by '3'

Page 18:

Simple rules to create a password: DON'Ts

• Do not use your login name in any form (as-is, reversed, capitalised, doubled, etc.).
• Do not use your first, middle or last name in any form.
• Do not use your spouse's or child's name.
• Do not use other information easily obtained about you. This includes ID card numbers, licence numbers, telephone numbers, birth dates, the name of the street you live on, and so on.
• Do not use a password that contains all digits, or all the same letters. Do not use consecutive letters or numbers like "abcdefgh" or "23456789".
• Do not use adjacent keys on the keyboard like "qwertyui".
• Do not use a word that can be found in an English or foreign-language dictionary.
• Do not use a word in reverse that can be found in an English or foreign-language dictionary.
• Do not use a well-known abbreviation, e.g. HKSAR, HKMA, MTR.

Page 19:

• Do not reuse recently used passwords.
• Do not use the same password for everything; have one password for non-critical activities and another for sensitive or critical activities (better still, a different password per site, kept in a password manager, so that one breached site does not expose the others).

DO's

1. Use a password with a mix of at least six mixed-case alphabetic characters, numerals and special characters. (Six is the minimum in the older guidance these slides follow; current guidance such as NIST SP 800-63B treats length as the main source of strength and sets a minimum of eight characters, with longer passphrases preferred.)

2. Use a password that is difficult to guess but easy for you to remember, so you do not have to write it down.

3. Use a password that you can type quickly, without having to look at the keyboard, thereby preventing passers-by from seeing what you are typing.
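The brute-force and dictionary threats on pages 14 and 15, the bad-password list on page 17 and the rules on pages 18 and 19, turned into a check that can be run, as an added example that is not part of the original slides. It flags login names, personal names, all-digit and single-character passwords, letter/number sequences, keyboard walks, and dictionary words in as-is, reversed, de-leeted or digit-suffixed form (the same cheap "mangling rules" a cracker applies), and it estimates the brute-force keyspace implied by a password's length and character mix. The wordlist, keyboard rows and guess rate are constructed stand-ins; a real check uses a large cracker wordlist and a breached-password list.

```python
"""Checks for the DON'Ts and DO's above, plus a brute-force keyspace estimate.

Added example; not code from the original slides. WORDLIST and KEY_ROWS are
constructed stand-ins, and the guesses-per-second figure is an assumption.
"""
import string

# Constructed stand-in for a cracker's wordlist.
WORDLIST = {"password", "computer", "secret", "welcome", "letmein", "cisco"}

# Keyboard rows, for spotting "qwertyui"-style passwords.
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Leetspeak substitutions that cracker mangling rules undo ("c0mput3r" -> "computer").
LEET = str.maketrans("0134578@$", "oleastbas")


def _unleet(s: str) -> str:
    return s.translate(LEET)


def _strip_digits(s: str) -> str:
    return s.rstrip(string.digits)


def _is_sequence(s: str) -> bool:
    """True for runs such as 'abcdefgh' or '23456789', ascending or descending."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def _is_keyboard_walk(s: str) -> bool:
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEY_ROWS)


def password_problems(pw: str, login: str = "", names=()) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    low = pw.lower()
    # The forms a cracker tries cheaply: as-is, reversed, de-leeted, trailing digits removed.
    forms = {low, low[::-1], _unleet(low), _strip_digits(low), _strip_digits(_unleet(low))}
    problems = []
    if login and any(login.lower() in f for f in forms):
        problems.append("contains the login name")
    if any(n.lower() in low for n in names if n):
        problems.append("contains a personal name")
    if pw.isdigit():
        problems.append("all digits")
    if len(set(low)) == 1:
        problems.append("one repeated character")
    if _is_sequence(low):
        problems.append("consecutive letters or numbers")
    if _is_keyboard_walk(low):
        problems.append("adjacent keyboard keys")
    if any(f in WORDLIST for f in forms):
        problems.append("dictionary word, reversed word, or simple variation")
    classes = sum(
        1 for present in (
            any(c.islower() for c in pw), any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw),
        ) if present
    )
    if len(pw) < 8 or classes < 3:
        problems.append("fewer than 8 characters or fewer than 3 character classes")
    return problems


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case seconds to exhaust the keyspace implied by pw's length and character mix.

    1e10 guesses/s is an assumed figure for an offline attack on a fast hash; it is
    orders of magnitude lower for online login attempts or a slow password hash.
    """
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += len(string.punctuation)
    return alphabet ** len(pw) / guesses_per_second


if __name__ == "__main__":
    for candidate in ["password", "c0mput3r", "qwertyui", "peter chan", "Tr0ub4dor&3xample!"]:
        print(f"{candidate!r}: {password_problems(candidate, names=('Peter', 'Chan')) or 'OK'}; "
              f"keyspace exhausted in ~{brute_force_seconds(candidate):.3g} s")
```

Note the difference between the two functions: "c0mput3r" has a keyspace of 36^8 guesses (minutes at the assumed rate), but a dictionary attack never searches that space at all, because de-leeting maps it straight onto "computer". Length and randomness are what make the second function's number meaningful.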

Page 20:

HANDLING PASSWORDS

DON'Ts

• Do not write down your password, particularly anywhere near your computer, or file it in a box file with the word 'password' written on it.
• Do not tell or give out your passwords to other people, even for a very good reason.
• Do not display your password on the monitor.
• Do not send your password unencrypted, especially via email.
• Avoid using the "remember your password" feature associated with some websites, and disable this feature in your browser software.
• Do not store your password on any media unless it is protected from unauthorised access (e.g. encrypted with an approved encryption method).

Page 21:

DO's

1. Change your password frequently, at least every 90 days. (Current guidance such as NIST SP 800-63B no longer recommends forced periodic rotation, because it pushes users toward predictable variations of the old password; change passwords on evidence of compromise instead, as in rule 3.)

2. Change the default or initial password the first time you log in.

3. Change your password immediately if you believe that it has been compromised. Once done, notify the system/security administrator for follow-up action.

Page 22:

Washing Machine (Embedded Forensics)

• 3-year guarantee
• Fully automatic
• At the time of purchase, data was fed into the machine's computer
• Damaged exactly after 1098 days (just past the 3-year guarantee)...
• Analysis of the chip: a logic bomb

Page 23:

December 2012: a vulnerability in Samsung Smart TVs that allows an intruder to take control of the devices connected to the same network.

July 2013: another vulnerability allowed hackers to remotely crash a Samsung Smart TV without much effort.

November 2013: LG's Smart TVs were found to be sending personal information back to the company's servers about what channels you watch and your viewing habits.

Page 24:

People Connecting to Things (source: Taiwan Government)

(Diagram: three motion sensors and an ECG sensor connected to the Internet.)

Page 25:

What happens?

(Same diagram: three motion sensors and an ECG sensor connected to the Internet.)

Page 26:

Safest computer on Earth?

Operation Quantum:

The devices can be secretly installed in the computers when they are manufactured.

Page 27:

WHERE WE ARE: DO YOU KNOW WHAT THE OS / APPLICATION PACKAGE IS DOING BEHIND THE SCENES?

CAN YOU TRUST YOUR ROUTER?

The US Government identified flaws in equipment from four companies, including Cisco Systems, which hackers can exploit to break into computer networks (3 December 2009).

14 trapdoors were identified in the most popular operating system.

Page 28:

SUSPICIOUS ROUTER

(Diagram labels: Users, Internet switch, Internet, RADIUS server, Internet, Monitoring personnel, Enemy country.)

Page 29:

ZTE & Huawei

A future nightmare scenario could be the disabling of trains, financial networks and water supply in combination with a physical attack. "The collective result could be a cyber-Pearl Harbor, an attack that would cause physical destruction and loss of life ... and create a profound new sense of vulnerability." - US Defense Secretary Leon Panetta.

China is said to have a 30,000-strong cyber army with another 150,000 hackers who serve as a support group.

Russia is said to have 7,000 cyber warriors.

Page 30:

WHERE WE ARE: IS THE ANTI-SPYWARE YOU PURCHASED SPYWARE OR ANTI-SPYWARE?

Why is certain spyware not detected even by the best anti-spyware programs?

WHO CAN DECRYPT YOUR ENCRYPTION ALGORITHM?

WHO KNOWS YOUR ATM PIN?

Page 31:

GUERRILLA MAIL

Page 32:

Changing scenario (crimes)

1st generation - fraud: production of fake currency, ...

2nd generation - fraud:
• Fake profiles, morphed images, phishing, cyber squatting
• Manipulation of software for gains, stealing passwords
• Recruitment frauds, online bookings
• TeamViewer (remote-access tool abused by scammers)

Page 33:

Cyber Defamation

Page 34:

PMO

Page 35:

Page 36:

CBI WEBSITE HACKED

Page 37:

DATA DIDDLING INVOLVES ALTERING THE RAW DATA JUST BEFORE A COMPUTER PROCESSES IT AND THEN CHANGING IT BACK AFTER PROCESSING IS COMPLETED.

Secondary State Board case: private students topped government students.

• 6-digit roll number
• Government students' roll numbers start with 3
• Private students' roll numbers start with 4

Software manipulation:

• For roll numbers starting with 3, marks > 68 and <= 100: deduct 9
• For roll numbers starting with 4, marks > 68 and < 88: add 9

Mobile billing?

Page 38:

A few more:

A bank manager transferring money from dormant savings bank accounts to his own account and re-depositing it after 15-30 days.

GUESS?

Page 39:

Phishing

The Delhi High Court's address is http://delhihighcourt.nic.in, while the phishing website's address was http://delhi.highcourt.in.

Page 40:

CASE OF ICICI BANK

An e-mail from [email protected] asked customers to validate or confirm their account details for verification: user IDs, login password and transaction password.

On clicking http://infinity.icicibank.co.in/verify.jsp, two windows open. Pressing the "Verify" tab takes the user to http://icici.com, which redirects to www.icicibank.com. The form's real URL was http://all-about-notebooks.com/icici/verify.php.

ICICI neither owns nor is in any way connected with the said URL.
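A check that catches the two look-alike URLs in the cases above, as an added example that is not part of the original slides. It compares the URL's host against the legitimate registrable domains as a suffix (a subdomain matches; a host that merely contains the brand, such as delhi.highcourt.in or infinity.icicibank.co.in, does not), flags a user@ prefix that hides the real host, and flags a brand name appearing in an unknown host or path. The allowlist and brand tokens are constructed for the demonstration; icici.com is included only because the slide says it redirects to www.icicibank.com.

```python
"""Classify URLs as legitimate, suspicious or unknown against a domain allowlist.

Added example, not code from the original slides. LEGIT_DOMAINS and BRAND_TOKENS
are constructed for the demonstration; in practice they come from the
organisation's own domain inventory.
"""
from urllib.parse import urlsplit

# Constructed: registrable domains the real sites use. icici.com is an assumption
# based on the slide's statement that it redirects to www.icicibank.com.
LEGIT_DOMAINS = {"delhihighcourt.nic.in", "icicibank.com", "icici.com"}

# Constructed: brand tokens whose presence in a foreign host or path is suspicious.
BRAND_TOKENS = ("icici", "highcourt")


def registrable_matches(host: str, legit: str) -> bool:
    """True if host is `legit` itself or a subdomain of it.

    A suffix match with the leading dot is what prevents 'icicibank.com.evil.example'
    or 'infinity.icicibank.co.in' from passing as a substring match would.
    """
    return host == legit or host.endswith("." + legit)


def classify_url(url: str):
    """Return (verdict, reason). Verdicts: 'legitimate', 'suspicious', 'unknown', 'invalid'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid", "no host in URL"
    if parts.username is not None:
        # http://www.icicibank.com@evil.example/ : the part before '@' is a username,
        # and the browser actually connects to evil.example.
        return "suspicious", f"user@ prefix hides the real host {host}"
    for legit in LEGIT_DOMAINS:
        if registrable_matches(host, legit):
            return "legitimate", f"host is within {legit}"
    haystack = host + parts.path.lower()
    for token in BRAND_TOKENS:
        if token in haystack:
            return "suspicious", f"'{token}' appears in an unknown host/path ({host})"
    return "unknown", f"{host} is not a known domain"


if __name__ == "__main__":
    # Constructed sample: the URLs from the two cases plus two common tricks.
    for u in [
        "http://delhihighcourt.nic.in",
        "http://delhi.highcourt.in",
        "http://infinity.icicibank.co.in/verify.jsp",
        "http://all-about-notebooks.com/icici/verify.php",
        "http://www.icicibank.com",
        "http://icicibank.com.evil.example/login",
        "http://www.icicibank.com@evil.example/verify",
    ]:
        print(f"{u:50} -> {classify_url(u)}")
```

The allowlist approach is deliberately conservative: anything not under a known domain is at best "unknown", and the brand-token check only adds a reason for suspicion. Checking the host, rather than whether the page looks right or whether a later redirect lands on the real site, is the point of the ICICI case, where the visible redirect to www.icicibank.com was part of the deception.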

Page 41:

Page 42:

Page 43:

Page 44: