How You Get Hacked5259318c-bfd4-4979-bce6... · Hack: “a piece of code providing a quick or...

Page 1:

How You Get Hacked

October 9, 2017

Tim McGuffin

Page 2:

Introduction

Tim McGuffin

– Former Information Security Officer at Sam Houston State

– Current Red Team Manager at Lares Consulting

– 20 years in IT

– 15 of that Security Related

– DEF CON Conference Organizer

What do we do?

– “Adversarial Simulations”

– Blended Physical, Electronic, and Social attacks


Page 3:

Introduction

Tim McGuffin

– Former Information Security Officer at Sam Houston State

– Current Red Team Manager at Lares Consulting

– Not an Expert.


Page 4:

Agenda

Hacker History

Hacking History

Targeting Corporations

Targeting Individuals

Recommendations


Page 5:

Agenda

Hacker History

Hacking History

Targeting Corporations

Targeting Individuals

Recommendations

Feel Free to ask questions along the way


Page 6:

What is a Hacker?

*Google Image Search for “Worst Hacker Stock Photo”

Page 7:

What is a Hacker?

Hack: “a piece of code providing a quick or inelegant solution to a problem.”

Hacker: the person who wrote it.

Curious person who asks “what happens if…”

Hacker Methodology:

– “What can I make this do?”

– Try a bunch of stuff.

– See where it breaks.

– See what falls in our lap.

https://en.oxforddictionaries.com/definition/us/hack

Image: Cliff Stoll

Page 8:

Hacker History

Hack: “a piece of code providing a quick or inelegant solution to a problem.”

Hacker: the person who wrote it.

Curious person who asks “what happens if…”

Sometime in the 1990s, things changed

Image: ARPANet 1988

Page 9:

Hacker History

Hack: “a piece of code providing a quick or inelegant solution to a problem.”

Hacker: the person who wrote it.

Curious person who asks “what happens if…”

Sometime in the 1990s, things changed

Commerce boomed on the Internet

Page 10:

Hacker History

Hack: “a piece of code providing a quick or inelegant solution to a problem.”

Hacker: the person who wrote it.

Curious person who asks “what happens if…”

Sometime in the 1990s, things changed

Commerce boomed on the Internet

And Crime follows Money

Image: “the Guru”

Page 11:

Hacker History

Now Hacker means Cyber Criminal

Computers are the means to an end

“Computer Crime” is the same old crime that has always existed

It just uses a new medium, which makes those crimes easier to commit

– Extortion

– Theft

– Fraud

– Harassment

– Espionage

Page 12:

Hacker History

Computers provide an advantage over face-to-face crime

– Larger Target Population

– Action at a Distance

– Knowledge is easy to obtain

– Political Boundaries prevent Law Enforcement Collaboration

– Less likelihood of getting caught

Page 13:

Hacking History

Page 14:

Hacking History

Page 15:

Targeting Corporations

Standardized Testing Methodology

… but every assessment is different

Page 16:

Targeting Corporations


Page 17:

Targeting Individuals

Your digital life is complex

But you’re likely OK with it

– It’s always been this way

Data is all over the place

– Data About You

– Personal Devices

– Cloud Services

Each location has its own risks and threat model

Page 18:

Data About You

Information ABOUT you, owned by someone else

Some Examples:

Anthem Healthcare

United Airlines

US Office of Personnel Management

Equifax

Social Security Number

Online Medical Records

Biographical Information

Internet History

Location Information

Hardest Category to do something about

– But you can do something…

Page 19:

Data About You – Recommendations

Minimize What Data you Share

– Ad-blocking software

– Private Browsing Mode

– Use cash where necessary

– Disable Location Services

– Review Application and Service Privacy Settings

Identify What Data is Available About You

– https://annualcreditreport.com/

– https://www.aboutthedata.com/

– https://myactivity.google.com/

– https://www.google.com/maps/timeline

– Review Service Specific Settings and Permissions

Opt-Out

– http://optout.aboutads.info

– https://tools.google.com/dlpage/gaoptout

– https://www.lexisnexis.com/privacy/

– https://www.donotcall.gov/

Page 20:

Personal Devices – Exploitation

“Unauthenticated Remote Code Execution”

– Broadcom BCM43xx RCE

– iPhone SMS RCE

– http://androidvulnerabilities.org

– Windows RCE

User-Assisted Remote Code Execution

– Drive-by downloads

– Trojaned Documents

– Phishing

But what happens after that?

– They were after something.

• Extortion

• Theft

• Fraud

• Harassment

• Espionage

Page 21:

Personal Devices – Outcomes

What happens after initial exploitation?

Use your computer for something

– Distributed Denial of Service

– Use your connection to attack others

– Spy on you

Use your data for something

– Keystroke Logging

– Banking Information

– Additional Access

Deny access to your data

– Ransomware

– Destruction

Page 22:

Personal Devices – Outcomes

What happens if someone gets your unlocked phone?

Try to access Service through apps

Access Services through web browser

Use the password reset option

Switch to the Mail app and reset the password

Continue on with the Service

Page 23:

Personal Devices – Recommendations

Prevention

– Minimize PII Data Storage

– Use “secure by design” or alternative software

– Run an ad-blocker and JavaScript blocker

– Apply updates as soon as they are available

– Limit Administrative Privileges

– Limit “Risky” Activity

• Be paranoid about attachments you weren’t expecting

Detection

– Consider a “Next-Generation” AV Client

– Behavior Based Analytics

Response

– Have a plan

– Backups

– Have alternate copies of important documents

Page 24:

Cloud Services – Exploitation

Exploitation is primarily Authentication Based

Password Reset Options

– Piece Together Information from Social Media

– Gather Information From One Service to Attack Another

Password Re-Use

– Find passwords for one cloud service

– Re-Use them on another service

Brute Forcing

– Generate a Keyword List

– Try various password combinations

Page 25:

Cloud Services – Mat’s Story

Mat Honan – Tech Journalist

Wrote a story on the DDoS of PSN and XBL on Christmas

Attackers taunted him on Twitter

They just wanted revenge

Page 26:

Cloud Services – Mat’s Story

Attack Path

– Called Amazon to add a Credit Card to an Account

– Called Amazon and said they lost access to the account’s email address

• Authenticated with last 4 of CC on the account

– E-Mail address changed and password reset email sent

– Attackers reset the password and logged in to view the other CCs on file

– Called Apple, auth’d with e-mail address and last 4 of billing CC

• Temporary Password given over the phone

– Attackers log into iCloud.com

– Send password reset for gmail.com account to his @me.com account

– Attackers log into Gmail

– Send Twitter Password reset to Gmail account

– Compromise his Twitter Account

– Wipe his iPhone and MacBook, delete his Gmail account “for the lulz”
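The attack path above is a chain of account-recovery dependencies, and the same chain can be checked against your own accounts before someone else does. The following is an added example, not code from the talk: it encodes each recovery step as a rule (facts required, account gained), forward-chains from publicly known facts, and then shows that a second factor on the Gmail account cuts the chain to Twitter. The facts Amazon's phone support accepted for adding a card are an assumption, as is the exact fact naming.

```python
# Added example (not from the talk): forward-chaining over an
# account-recovery graph, reconstructed from the Mat Honan chain.
# A rule is (frozenset of facts required, fact gained).

def reachable(start, rules):
    """Return {fact: rule_used} for every fact derivable from `start`
    (start facts map to None). Loops until no rule adds a new fact."""
    known = {f: None for f in start}
    changed = True
    while changed:
        changed = False
        for needs, grants in rules:
            if grants not in known and needs.issubset(known):
                known[grants] = (needs, grants)
                changed = True
    return known

def attack_path(target, known):
    """Unwind the derivation of `target` back to the starting facts."""
    path = []
    def walk(fact):
        rule = known.get(fact)
        if rule:                      # None for start facts / unknown
            for need in rule[0]:
                walk(need)
            if rule not in path:
                path.append(rule)
    walk(target)
    return path

def chain(target, start, rules):
    """Ordered accounts an attacker takes over to reach `target`;
    empty list if `target` is unreachable from `start`."""
    known = reachable(start, rules)
    return [g for _, g in attack_path(target, known)] if target in known else []

# Publicly discoverable facts (assumed starting point for the attacker).
PUBLIC = frozenset({"name", "home_address", "gmail_address", "me_com_address"})

MAT_RULES = [
    # Phone support adds a card on name/address/email (assumed inputs), then
    # "lost email access" recovery authenticates with that card's last 4.
    (frozenset({"name", "home_address", "gmail_address"}), "amazon_account"),
    (frozenset({"amazon_account"}), "cc_last4"),          # other cards visible inside
    (frozenset({"me_com_address", "cc_last4"}), "icloud_account"),  # Apple temp password
    (frozenset({"icloud_account"}), "gmail_account"),      # Gmail reset mail goes to @me.com
    (frozenset({"gmail_account"}), "twitter_account"),     # Twitter reset mail goes to Gmail
]

# Mitigation to test: Gmail recovery also requires the second-factor device.
HARDENED = [(n | {"gmail_2fa_device"} if g == "gmail_account" else n, g)
            for n, g in MAT_RULES]

if __name__ == "__main__":
    print("as told:   ", " -> ".join(chain("twitter_account", PUBLIC, MAT_RULES)))
    print("with 2FA:  ", chain("twitter_account", PUBLIC, HARDENED) or "unreachable")
```

Swap in your own accounts and the facts each provider's recovery flow really accepts; any account still reachable from public facts is the one to harden first.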

Page 27:

Cloud Services – Mat’s Story

Page 28:

Online Services – @N

Similar story to Mat’s

Naoki rarely used Twitter

Attackers wanted his account, @N

Attackers called PayPal and obtained the last 4 of the CC on file

Attackers authenticated to GoDaddy’s Support with last 4 of CC

Modified his domain registration information

Pointed his mail server information to their servers

Reset Twitter and Facebook passwords

Page 29:

Cloud Services – Recommendations

Prevention

– Unique Passwords Per Site

• Writing them down may be OK. What’s your threat model?

– Use a Password Manager

– Generate Strong Passwords

– Consider Federated Authentication

– Enable Two Factor Authentication

Detection

– Monitor your accounts for breaches

• https://www.haveibeenpwned.com

– Set up Account Alerts

– Set up Bank Transfer Alerts

Response

– Backups

– Have access to your bank’s customer support number

– Keep a physical copy of important documents

Page 30:

Recommendations Summary

Data About You

– Minimize Data Collection

– Review What information your Services Have On You

– Opt-Out

– Freeze Accounts

Personal Devices

– Use Automatic Updates

– Use Chrome + Ad and Script Blockers

– Minimize Sensitive Data Storage

– Be Paranoid

– Offline Backups

Cloud Services

– Generate Strong and Unique Passwords

– Use a Password Manager

– Consider Federated Authentication

– Two Factor Authentication

– Review your Settings

– Monitor and Alert on Suspicious Activity

Page 31:

Questions?

“If the media stopped saying ‘hacking’ and instead said ‘figured out their password,’ people would probably take password security a lot more seriously.”

Thank you!

Contact Information:

Tim McGuffin

[email protected]

@NotMedic