Security 4 - Bad Guys

What do bad guys do?

Bad guys most often want money. How can they convert either (a) your password or (b) access to your computer into money?

To read a series of often entertaining stories about various bad guy activities, a fantastic source is Krebs On Security blog

Bad Guy 101 - Generic

• Puzzle: malware on victim machine .. how to make money?
• Ransomware: encrypt all the user's files, demand bitcoin
• Send Spam using victim account to address book (exploit higher trust)
  -spam email could be just ads, or malware
• Use login on site to post spammy forum comments with links to bad stuff
• Sell fake goods on victim ebay account (exploit account rating, clever!)
• (phone) Call expensive 900 numbers, money goes back to bad guy
• Turn victim computer/phone into a "zombie"
• Try the same password on other accounts you might have
  (2016 Clinton hack had this, gmail/twitter password the same)
• Dig through victim computer or steal your name, SSN etc. for fraud posing as you
• Dig through victim computer for financial accounts, CC numbers

Bad Guy 101 - At Stanford

Here are some specific things that have happened at Stanford with stolen passwords. Dictionary attacks and phishing are two of the top ways that Stanford accounts get broken into (before two-factor was required).

• Stanford accounts are desirable in the bad-guy world, so Stanford gets a lot of bad-guy attention
• Host #6 google ranked beastiality porn on Stanford wiki using stolen login (confirmed)
• Use Stanford "fat pipes" internet connection: DDOS
• Steal research information (China)
• Put links to bad spam/malware sites on Stanford pages .. use Stanford's high page-rank credibility to make the bad sites show up better in search results
• Steal paychecks by changing direct-deposit account info in axess (confirmed)