Learning Technology Africa 2009

Report
Computer Emergency Readiness Teams (CERT) in Africa:
Cybercrime senarios and assessment
Produced by Oyehmi Begho
1. Identity Theft
2. Top 10 ways to steal peoples identity
3. Facebook
4. Social engineering: Phishing, impersonating
5. Solutions
6. Conclusion
Identity Theft
Identity theft and identity
fraud are terms used to
refer to all types of crime in
which someone wrongfully
obtains and uses another
person's personal data in
some way that involves
fraud or deception, typically
for economic gain.
1. Rummaging through rubbish for personal information
(dumpster diving)
2. Retrieving personal data from redundant IT
equipment and storage media, without having been
properly sanitized
3. Using public records about individual citizens,
published in official registers such as electoral rolls
4. Stealing identification typically by pickpocketing,
housebreaking, mail theft or armed robbery.
5. Brute-force attacking weak passwords and using
inspired guesswork to compromise weak password
reset questions.
6. Impersonating trusted organizations in emails, in
order to dupe victims into disclosing their personal
information.
7. Observing users typing their login credentials,
credit card numbers etc. into IT equipment
located in public places
8. Stealing personal information from computers
using malware, particularly Trojan horse
keylogging programs or other forms of spyware
9. Advertising bogus job offers in order to
accumulate resumes
10. Browsing social networking websites for
personal details published by users and their
friends.
These are only the top 10!
• Facebook is a social network
service and website launched in
February 2004
• As of July 2010 Facebook had
more than 500 million active users
• At the beginning of 2010 Nigeria
crossed the 1 million user mark
Facebook is an personal information GOLDMINE.
Name
Address
Telephone number
Date of birth
Picture
School history
Work history
Preferences
Friends
Personal
Conversations
Social engineering is the act of
manipulating
people
into
performing actions or divulging
confidential information, rather
than by breaking in or using
technical cracking techniques.
• Phishing
• Impersonation
Impersonating trusted organizations in emails, in
order to dupe victims into disclosing their personal
information or login credentials.
• Fear
• Urgency
• Familiarity
Quick Demonstration
Draft email – Phishing, Spear Phishing,
Whale Phishing
Create an authentic looking email
Website
Example Email
http://www.zenithbank.com/ibanksecurity.cfm
Website
Code to edit and copy any webpage
javascript:document.body.contentEdita
ble='true'; document.designMode='on';
void 0
HTTrack Website copier
Download a whole website at the
click of a button.
With this form of identity theft the perpetrator
steals your identity not to obtain funds from you
but to scam your friends or others into handing
over money.
• Accident or incident
• Fundraising
• Relationship & Love
EFCC crackdown
Latest email scam
First email: I'm sorry for this odd request and I'm
writing this with tears on my eyes due to the situation
of things right now,I'm stuck in London United
Kingdom with my family,we came down here on
vacation and we got Mugged at GUNPOINT.. worse
of it was that cash cell phone and credit cards were
stolen…….
Latest email scam
Second email: ….just wondering if you can loan me
some cash $$ till i get back home to refund you back.
All i need is 1000 pounds and you can have it wired to
my name via Western Union
http://chaplainclair.blogspot.com/2010/03/nigerian-scammerattacked-me-today.html
Dispose of your personal data properly
• Shredding bank statements, letters etc
• Sanitizing electronic devices
• If you are not using any accounts online delete them
or make sure you check them frequently
Keep up to date
• Keep you virus checker, spyware etc up to date
• Keep yourself up to date of the latest scam.
• Scambusrter.org
• Report attack immediately to the appropriate
authorities
Use secure passwords
Most common insecure passwords:
Password, abc123, Jesus, Christ, 1234, 123456.
qwerty, asdfg
Dictionary words, date of birth, names
Passwords should be at least 8 characters in length, include
numbers, symbols, upper and lowercase letters
Government intervention :
• Start establishing laws that govern our online data
and how organisations are responsible for that data.
• Build an awareness campaign to highlight the
dangers of identity theft.
• Set up a visible (online) task force that deals with
cyber crime and prevention.
The internet is growing and changing at a phenomenal
rate everyday and so are the ways criminals are using it.
It is the responsibility of the government to censors and
govern the way organisations protect and use our data
but it is also our individual responsibility.
We must stay ahead and stay alert
Thank You
www.futuresoft-ng.com
[email protected]

similar documents