2016/10/05: Fannie Mae Infosec Conference

by Gene Kim on

#realgenekim

Schifferly: "Identity theft: 17.6MM ID theft victims in 2014; 7% of US population (!!)" (Source: US Dept of Justice)

Schifferly: How does identity theft happen? Top sources: lost wallets, theft by family/friends; dumpster diving; stolen mail; imposter scams
Schifferly: How does identity theft happen online? Data breaches (the big OPM breach), unsecured wifi hotspots, tech support scams
Schifferly: protect yourself: minimize personal info in wallet/phone (worst: people carry around SSN card); keep personal info locked up
Schifferly: tip: send tax returns as early as possible, to beat identity thieves to filing/refunds; take into post office, don't leave at home mailbox
Schifferly: go to identitytheft.gov (identitytheft dot gov) to report to FTC: will also report to IRS, credit bureaus, etc. (nice!)
Schifferly: Carnegie Mellon CyLab study: 10.2% of children in study had someone else using their SSN, 51x higher than adults, 75% for fraud (!!)
Schifferly: tips for children: order credit report for children around 16th bday; ask for "manual search" to ensure thorough search
Schifferly: senior id fraud perpetrators: relative, caregivers, scammer; more vuln: more wealth, more records (so sad to see them preyed upon!)
Schifferly: ex: retired teacher fell for a Nigerian email scam; wired $1K; they opened a bank acct in her name using her SSN; used it to receive payments from other victims; she was then accused of running the scam (!!)
Schifferly: retired physician: IRS sent a letter saying he hadn't reported income as a dishwasher in a nearby town; had to open a case with the IRS to resolve (!!)
Schifferly: big red flag for elderly id fraud risk: big piles of unopened mail; may need to provide help processing financial mail stmts
Schifferly: resources for id fraud: go to ftc dot gov / bulkorder; topics: child & elderly id theft, for military families, etc.

Up: Matthew Braverman: FBI: Supervisory Special Agent for complex state-sponsored computer intrusions

  • FBI: 26 field offices: one guy covers all of Montana; he does lots of driving
  • Braverman: Cyber: 3 squads focus on national security, 1 squad on criminal focus; his focus covers the Chinese threat vector
  • Braverman: FBI classifies 4 threats: hacktivist (anonymous), criminal, advanced persistent threat, terrorist
  • Braverman: top criminal reported cases: business email compromise, ransomware
  • Braverman: adv persistent threat: don't care about money: they want IP or PII

- Braverman: 4/23/2013 graph of DJIA temporary panic b/c of hacked AP twitter acct: false tweet about explosion at wh… https://t.co/GSCU3o0l4U

- Braverman: on anonymous claim that they almost crashed NASA $250MM drone: here were their claims, but upon investig… https://t.co/NEMlBU9ojK
- Braverman: stats on biz email scams reported to FBI, and sample email to CFO resulting in $500K fraud/loss. Wow! https://t.co/ZmTj661Vri
- Braverman describing how they were able to refute all the anonsec claims of NASA drone hack; one tool they used: Go… https://t.co/mTWlAZzAlt
- Braverman: ransomware: "if you see this screen, it's likely too late." They take litecoin (like bitcoin) and many t… https://t.co/yV6kbgZR2H
- Braverman: big APT breaches last yr: OPM & healthcare orgs, looking for PII. "I got 2-3 personal breach notificatio… https://t.co/sSGWmKbPzT
- Braverman: "APT orgs use 91% spearphishing"
- Braverman: 91% of APT attacks use spearphishing/credential phishing: here's examples: https://t.co/0NHcKOofHY
- Braverman: in 2014 the FBI put out arrest warrants for 5 uniformed Chinese military officers: can't be extradited though
- Braverman: top desktop exploit vectors: PDF, Flash, Java
- Braverman: FBI: recommending FileHippo to ensure secure version of apps
- Braverman: shared password risk: the Zuckerberg hack was b/c he used the same password for Twitter and LinkedIn
- Braverman: mentioning LastPass; he uses IronKey as 2 factor auth: hardware USB key; Chinese APT will try stolen passwords against every account
- Braverman sharing his tips on account hygiene; super interesting b/c of his field of work at FBI.
- Braverman: backup: in event of malware: reload; backup at house, offsite, cloud
- Braverman: FBI: to report financial crime/incident: go to ic3 dot gov: it's a government clearing house to route yo… https://t.co/udnP4wGNw1

- More resources from Braverman, FBI https://t.co/SYQ2E2FZrW