How You Get Hacked
October 9, 2017
Tim McGuffin
Introduction
Tim McGuffin
– Former Information Security Officer at Sam Houston State
– Current Red Team Manager at Lares Consulting
– 20 years in IT
– 15 of that Security Related
– DEF CON Conference Organizer
– Not an Expert.
What do we do?
– “Adversarial Simulations”
– Blended Physical, Electronic, and Social attacks
2
Agenda
Hacker History
Hacking History
Targeting Corporations
Targeting Individuals
Recommendations
Feel Free to ask questions along the way
4
What is a Hacker?
6
*Google Image Search for “Worst Hacker Stock Photo”
What is a Hacker?
7
Hack: “a piece of code providing a quick or inelegant solution to a
problem.”
Hacker: the person who wrote it.
Curious Person who asks “what happens if….”
Hacker Methodology:
– “What can I make this do?”
– Try a bunch of stuff.
– See where it breaks.
– See what falls in our lap.
https://en.oxforddictionaries.com/definition/us/hack
Image: Cliff Stoll
Hacker History
8
Hack: “a piece of code providing a quick or inelegant solution to a
problem.”
Hacker: the person who wrote it
Curious Person who asks “what happens if….”
Sometime in the 1990s, things changed
Commerce boomed on the Internet
And Crime follows Money
Image: ARPANet 1988
Image: “the Guru”
Hacker History
11
Now Hacker means Cyber Criminal
Computers are the means to an end
“Computer Crime” is the same old crime that has always existed
It just uses a new medium, and makes them easier
– Extortion
– Theft
– Fraud
– Harassment
– Espionage
Hacker History
12
Computers provide an advantage over face-to-face crime
– Larger Target Population
– Action at a Distance
– Knowledge is easy to obtain
– Political Boundaries prevent Law Enforcement Collaboration
– Less likelihood of getting caught
Hacking History
13
Targeting Corporations
15
Standardized Testing Methodology
… but every assessment is different
Targeting Individuals
17
Your digital life is complex
But you’re likely OK with it
– It’s always been this way
Data is all over the place
– Data About You
– Personal Devices
– Cloud Services
Each location has its own risks and threat model
Data About You
18
Information ABOUT you, owned by someone else
Some Examples:
Anthem Healthcare
United Airlines
US Office of Personnel Management
Equifax
Social Security Number
Online Medical Records
Biographical Information
Internet History
Location Information
Hardest Category to do something about
– But you can do something…
Data About You - Recommendations
19
Minimize What Data you Share
– Ad-blocking software
– Private Browsing Mode
– Use cash where necessary
– Disable Location Services
– Review Application and Service Privacy Settings
Identify What Data is Available About You
– https://annualcreditreport.com/
– https://www.aboutthedata.com/
– https://myactivity.google.com/
– https://www.google.com/maps/timeline
– Review Service Specific Settings and Permissions
Opt-Out
– http://optout.aboutads.info
– https://tools.google.com/dlpage/gaoptout
– https://www.lexisnexis.com/privacy/
– https://www.donotcall.gov/
Personal Devices - Exploitation
20
“Unauthenticated Remote Code Execution”
– Broadcom BCM43xx RCE
– iPhone SMS RCE
– http://androidvulnerabilities.org
– Windows RCE
User-Assisted Remote Code Execution
– Drive-by downloads
– Trojaned Documents
– Phishing
But what happens after that?
– They were after something.
• Extortion
• Theft
• Fraud
• Harassment
• Espionage
Personal Devices – Outcomes
21
What happens after initial exploitation?
Use your computer for something
– Distributed Denial of Service
– Use your connection to attack others
– Spy on you
Use your data for something
– Keystroke Logging
– Banking Information
– Additional Access
Deny access to your data
– Ransomware
– Destruction
Personal Devices – Outcomes
22
What happens if someone gets your unlocked phone?
Try to access services through apps
Access services through the web browser
Use the password reset option
Switch to the Mail app and reset the password
Continue on with the Service
Personal Devices - Recommendations
23
Prevention
– Minimize PII Data Storage
– Use "secure by design" or alternative software
– Run an ad-blocker and JavaScript blocker
– Apply updates when they are available
– Limit Administrative Privileges
– Limit “Risky” Activity
• Be Paranoid about attachments you weren’t expecting
Detection
– Consider a “Next-Generation” AV Client
– Behavior Based Analytics
Response
– Have a plan
– Backups
– Have alternate copies of important documents
Cloud Services - Exploitation
24
Exploitation is primarily Authentication Based
Password Reset Options
– Piece Together Information from Social Media
– Gather Information From One Service to Attack Another
Password Re-Use
– Find passwords for one cloud service
– Re-Use them on another service
Brute Forcing
– Generate a Keyword List
– Try various password combinations
Cloud Services – Mat’s Story
25
Mat Honan – Tech Journalist
Wrote a story on the DDoS of PSN and XBL on Christmas
Attackers taunted him on Twitter
They just wanted revenge
Cloud Services – Mat’s Story
26
Attack Path
– Called Amazon to add a Credit Card to an Account
– Called Amazon and said they lost access to the account’s email address
• Authenticated with last 4 of CC on the account
– E-Mail address changed and password reset email sent
– Attackers reset the password and logged in to view the other CCs on file
– Called Apple, auth’d with e-mail address and last 4 of billing CC
• Temporary Password given over the phone
– Attackers log into iCloud.com
– Send password reset for gmail.com account to his @me.com account
– Attackers log into Gmail
– Send Twitter Password reset to Gmail account
– Compromise his Twitter Account
– Wipe his iPhone and Macbook, Delete Gmail account “for the lulz”
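Every step in that chain is a recovery path: control of one account or one fact (the last four digits of a card) was enough to reset the next. The following Python is an added example, not part of the talk, that models those paths as a graph so you can ask the defender's questions about your own accounts: what falls if this one node is compromised, what has to be protected to protect a given account, and what changes when a second factor is added. The graph and its node names are a constructed, simplified version of the chain on the slide.

```python
"""Account-recovery dependency graph (added example; not from the talk).

Each key is an account or a piece of knowledge, and each value is the set of
accounts that holding that key lets someone reset or take over. The graph is
a constructed, simplified model of the chain on the slide; the node names are
my own labels, not data from the talk.
"""
from collections import deque

# Constructed toy model. An edge a -> b means: control of a is enough to reset
# or log in to b through the provider's recovery flow.
RECOVERY_EDGES = {
    "cc_last4":    {"amazon", "apple_id"},  # phone support accepted last 4 of a card
    "amazon":      {"cc_last4"},            # cards on file are visible once logged in
    "apple_id":    {"icloud_mail"},         # the Apple ID is the @me.com mailbox
    "icloud_mail": {"gmail"},               # Gmail's reset link went to @me.com
    "gmail":       {"twitter"},             # Twitter's reset link went to Gmail
    "twitter":     set(),
}


def reachable(graph, start):
    """Every node an attacker holding `start` can reach by following recovery
    edges. Breadth-first search; the start node itself is not included."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(graph):
    """How many accounts fall if each node is compromised on its own."""
    return {node: len(reachable(graph, node)) for node in graph}


def exposures(graph, target):
    """Every node whose compromise eventually reaches `target`: the full list
    of things that must be protected in order to protect `target`."""
    return sorted(node for node in graph if target in reachable(graph, node))


def with_second_factor(graph, account):
    """Model enabling a second factor on `account`: a reset link or a support
    desk password reset alone no longer grants access, so incoming edges go."""
    return {node: {nxt for nxt in nxts if nxt != account}
            for node, nxts in graph.items()}


if __name__ == "__main__":
    print("blast radius:", blast_radius(RECOVERY_EDGES))
    print("what protects twitter:", exposures(RECOVERY_EDGES, "twitter"))
    hardened = with_second_factor(RECOVERY_EDGES, "gmail")
    print("after 2FA on gmail:", exposures(hardened, "twitter"))
```

Run against the toy graph, `exposures(..., "twitter")` lists every other node, which is the real lesson of the story: the Twitter account was only as strong as the weakest support desk upstream. Cutting the single edge into Gmail with a second factor shrinks that list to Gmail alone.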
Cloud Services – Mat’s Story
27
Online Services - @N
28
Similar story to Mat’s
Naoki rarely used Twitter
Attackers wanted his account, @N
Attackers called PayPal and obtained the last 4 of the CC on file
Attackers authenticated to GoDaddy’s Support with last 4 of CC
Modified his domain registration information
Pointed his mail server information to their servers
Reset Twitter and Facebook passwords
Cloud Services - Recommendations
29
Prevention
– Unique Passwords Per Site
• Writing them may be OK. What’s your threat model?
– Use a Password Manager
– Generate Strong Passwords
– Consider Federated Authentication
– Enable Two Factor Authentication
Detection
– Monitor your accounts for breaches
• https://www.haveibeenpwned.com
– Set up Account Alerts
– Set up Bank Transfer Alerts
Response
– Backups
– Have access to your bank’s customer support number
– Keep a physical copy of important documents
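The password advice above (unique per site, generated rather than chosen, monitored for breaches) and the password re-use technique on the Cloud Services – Exploitation slide are two sides of the same thing. The Python below is an added example, not material from the talk, showing the three checks a password manager or a careful user performs: generate from the OS CSPRNG, find re-use across a vault, and test a password against a breach corpus the way the haveibeenpwned.com range API works (only the first five characters of the SHA-1 hash leave the machine). The range response in the block is constructed sample data, not real API output.

```python
"""Password hygiene helpers (added example; not the talk's own material).

  * generate a random, unique password per site from the OS CSPRNG;
  * spot re-use across a vault export;
  * check a password against a breach corpus the way the Have I Been Pwned
    range API works (k-anonymity): only the first five hex characters of the
    SHA-1 hash are sent, the remaining 35 are compared locally.
The range response below is constructed sample data, not real API output.
"""
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (secrets, never random)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reused_passwords(vault):
    """vault: {site: password}. Returns {password: [sites]} for every password
    used on more than one site, i.e. every place a single breach spreads to."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def hibp_range_query(password):
    """Split SHA-1(password) into the 5-char prefix that would be sent to the
    range endpoint and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_response):
    """range_response: the text body returned for the prefix, one 'SUFFIX:COUNT'
    per line. Returns how many times the password appeared in breaches (0 = none)."""
    _, suffix = hibp_range_query(password)
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and hmac.compare_digest(candidate.upper(), suffix):
            return int(count)
    return 0


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts and the other two suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2B3F0FAD2F3AC2FF8B59A5DD9CD6FE73E2A:2
"""

if __name__ == "__main__":
    # Constructed vault: one generated password, one human-chosen password re-used twice.
    vault = {"bank": generate_password(), "mail": "Winter2017!", "shop": "Winter2017!"}
    print("re-used:", reused_passwords(vault))
    prefix, _ = hibp_range_query("password")
    print("would query range prefix", prefix)
    print("breach count for 'password':", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

To run the breach check for real, fetch `https://api.pwnedpasswords.com/range/<prefix>` and hand the body to `breach_count`; the password itself never goes on the wire. The `hmac.compare_digest` call keeps the local comparison constant-time, which matters little here but is the right habit wherever secrets are compared.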
Recommendations Summary
30
Data About You
– Minimize Data Collection
– Review What information your Services Have On You
– Opt-Out
– Freeze Accounts
Personal Devices
– Use Automatic Updates
– Use Chrome + Ad and Script Blockers
– Minimize Sensitive Data Storage
– Be Paranoid
– Offline Backups
Cloud Services
– Generate Strong and Unique Passwords
– Use a Password Manager
– Consider Federated Authentication
– Two Factor Authentication
– Review your Settings
– Monitor and Alert on Suspicious Activity
Questions?
31
“If the media stopped saying ‘hacking’ and instead said ‘figured out
their password,’ people would probably take password security a lot
more serious.”
Thank you!
Contact Information:
Tim McGuffin
@NotMedic