This is the title text box. perspective on threats

Transcription

1 This is the title text box A different perspective on threats Presented b y J im Stickley

2 Today Social engineering Risks with mobile devices Evolving Malware Creative criminals

3 This is the title text box Social Engineering

4 Categories of social engineering Remote, generally low level: What most people think of when they hear social engineering Phone scams scams Though h awareness is much higher, h still easy to achieve Local / onsite, generally complex: Gaining access to confidential information physically Can be done in conjunction with remote attacks Does not require an inside accomplice Can be done without raising any red flags

5 Planning the remote attack Start with public information about organization Employee names Phone calls can gain names over time but generally takes too long Phone directories are a gold mine of information Management names and locations Quick phone call can gather this information Claim had good experience and want to give praise.

6 Planning the remote attack Finding the Gmail is great for testing s Send numerous variations See what bounces back Whatever doesn t bounce back is real

7 This is the title text box Remote Social Engineering e-card Scams

8 ecard scams Online Viewer Exploits With the rise of online video, flash programs and free games, new techniques are being deployed to trick people into loading malicious software

9 ecard scams Starting the attack Send from Hallmark a

10 Online viewer exploits

11

12 Online viewer exploits

13

14 Online viewer exploits We got one System connected on device 7 Have fun.

15 Online viewer exploits Microsoft Windows 2000 [Version ] (C) Copyright Microsoft Corp. C:\Documents and Settings\Administrator> dir Volume in drive C has no label. Directory of C:\Documents and Settings\Administrator 01/08/ :11a <DR>. 01/08/ :11a <DR>.. 02/10/ :09p 651.test.txt txt

16 Online viewer exploits What is at risk? Complete compromise of computer Launch point for other attacks Can call home at scheduled times

17 Online viewer exploits

18 Online viewer exploits What can you do to protect yourself? Awareness training Pay attention to the site you are visiting Never allow your staff to install software Be 100% certain you know what your installing

19 Online viewer exploits Digitally signed applications considered more secure

20 Test your employees!

21 This is the title text box Remote Social Engineering Public Computers

22 Public computer access Not all attacks start at the office

23 Public computer access Public Computers Available everywhere Hotels Airports Cyber Cafes Malls Conference centers Business complexes Some are free, some charge Video

24 24

25 Public computer access Other Risks Used to gain remote access to PCs Record Passwords Online Banking Purchases Hacked has numerous repercussions

26 Public computer access What can you do to protect yourself? Never use to access confidential information Use cut and paste approach Change passwords often Don t assume low level accounts are not risky

27 This is the title text box Social Engineering Coming on Site

28 Planning the onsite attack Public information Browse the internet Ribbon cutting ceremonies Partnerships Employee interests Third party vendor referral pages News Articles / Press Releases Construction Donations Upcoming events Past Events

29 The setup Starts with a sales call Who is responsible for exterminator contract? Gain information about current exterminators When will the contract expire? Are they interested es ed in a free inspection?

30 The setup Call the service provider to gain additional information Contract t information Last time serviced Next scheduled service

31 The setup What do we know? We know who the facility manager is We know details about the account Call and schedule a check-up

32 The setup Sometimes it s not that easy Won t tell us their current extermination company Need to go to plan B Schedule an appointment on Bills behalf

33 The setup Already have names of employees Already have addresses for employees Already have manager names & office locations

34 The setup Hijack the domain Addresses use l in place of or 0 in place of O ACMENSURANCE.COM ACMElNSURANCE.COM ACMEFAKECREDTUNON.COM ACMEFAKECREDTUN0N.COM acmehealthcare.comcom acrnehealthcare.com

35 The setup Need more information What does Bill s look like? Does he sign it strange? Does he include an auto signature? Does he use his whole name or just a nick name?

36 The setup

37 The setup

38 The setup Gaining access to the facility Send on behalf of Bill

39 The setup Pest nspection Pest nspection Hey Susan, Just wanted to let you know that we have hired Ex-terminex pest control to check our branches for bugs. They are attempting to win a contract from us so they are performing this inspection at no cost to us. :) They are schedule for next week and someone should be calling you to setup the exact date and time. They are not to spray or do anything to disrupt business. They are only going to set some traps and inspect the facility. Have a great week! Bill Bill Smith ACME FAKE CU Facilities Manager Direct: t s not who you know but who knows you know.

40 The setup Call a couple days later to schedule time Allows us to validate they have bought it Validates our legitimacy Sets expectation ti for arrival time

41 Discovery Gathering information before the visit One mans trash is another mans treasure

42 t s a dirty job Dumpster Diving is fast, easy and lucrative

43 Exploiting employee mistakes Lack of shred can be devastating Credit card applications Loan apps with name, social security and address Pre-filed patents nternal s Conversations about upcoming terminations Logins and Passwords Balance sheets Source code Patient Records Post-it notes with customer information Drug test results Anything with a name / contact info, account info, address or business functionality

44 Exploiting employee mistakes Look who stopped by for a visit

45 Exploiting employee mistakes Pest Control Complete access to facility Left alone most of the time Seen as low brow and not a threat Easy access to cables and phone lines Expected to be snooping around under desks

46 Exploiting employee mistakes Fire nspector Everyone loves a man in a uniform Complete access to facility by law Left alone most of the time Demands respect and is seen as trusted figure

47 Exploiting employee mistakes Vendor Sales Send product for testing Software Free software can come with a price Hardware Beware of the free keyboard

48

49

50

51

52

53

54

55

56 Day to day operations Careless mistakes are costly Not all attacks ac are pa planned Crime of opportunity is even more dangerous

57 Day to day operations What can be done? dentification must be verified when accessing secured areas Policy must state t visitors it to be escorted at all times in secured areas Open communication channel between offices, branches or departments

58 This is the title text box Social Engineering After Hours

59 After hours concerns How do you gain complete control of an organizations internal network? The Cleaning Crew

60 After hours concerns Why ygo after the cleaning crew? Cleaning crews have complete access to the facility Employees often are recognized by cleaning crew An D card is as good as a key No one ever knows you were there Video

61 61

62 After hours concerns What can you do to protect your organization? Strict policies for cleaning crew Do not allow anyone in after hours without a key Even if you know the person, they are not allowed in When they exit to take out trash, do not prop open doors Contact list available for cleaning crew Easy to access list of contacts in case of problems / questions Test cleaning crew Send real employees from time to time after hours and see if they can gain access

63 This is the title text box Mobile Technology A New Place to Hack

64 Hacking mobile technology How much damage can a hacker cause using mobile technology? This test was performed in two parts Part one, gaining access to mobile device Part two, gaining access to everything else

65 Hacking mobile technology Part 1 Create a new mobile application Target Android because the security is much lower My goal was to get people to install my application Application was a Gmail unread counter

66 Hacking Mobile Technology Do people care about permissions?

67 67

68 68

69 69

70 Hacking mobile technology Permissions required Your Personal nformation (Read contact data, Write contact data) Network Communication (Allows the application to accept cloud to device messages from applications service, full internet access) Storage (Modify / Delete SD Storage) Phone Calls (modify phone state, read phone state and identity) System Tools (Automatically start at boot, Prevent phone from sleeping, write sync settings) Your Messages (Read SMS or MMS, Receive SMS, Read Gmail including sending and deleting mail) Services that cost you money (Send SMS Messages)

71 Purpose of part 1 See how many people would download and install my app even though h it required access to everything Pull address off phone and send to me Because Android uses gmail, often multiple address will be added to phone

72 72

73 73

74 Results Over 1300 downloads in 3 month period Received over addresses Applications remained in contact with my server during this time Never reported as suspicious Never received notice to discontinue application Averaged 3 stars on feedback

75 Hacking mobile technology Part 2 Using the mobile phone to gain access to online accounts

76 Hacking mobile technology App retrieves addresses from phone. App sends information to hacker

77 Forgot password?

78 Hacking mobile technology Hacker sends forgot password and or forgot User D request to all major online applications

79 Hacking Mobile Technology Online applications send temporary password or User D to address (Gmail consolidates)

80 Hacking Mobile Technology Mobile App checks Gmail for messages from online applications

81 Hacking Mobile Technology Any matches are forwarded to hacker

82 Hacking mobile technology Mobile App then sends delete message to Gmail to delete the messages from online applications

83 Hacking mobile technology Hacker now has temporary passwords for all accounts Hacker can now login to accounts using address and temporary password Hacker can change settings, order items online, etc.

84 Results Loaded malicious app onto 20 mobile devices These people all agreed to let me hack them Able to change the password on over 100 online application Able to gain access to online banking accounts through multifactor n some cases able to gain access to original password

85 How risky is it? Hacker has complete access to Hacker has complete access to text messaging Hacker has complete access to Contacts Hacker has complete access to Calendar Hacker has ability to access numerous accounts

86 What can you do? Pay attention to permissions Even if the application has been downloaded / installed thousands of times, it doesn t guarantee it s secure When in doubt, don t install the application Never use the same password on multiple l sites Password no longer working is a red flag

87 This is the title text box Mobile Technology When Phones Attack

88 When phones attack Can a mobile device be used for hacking? Android is Linux based Written in Java with all the normal sockets Supports C code Supports native Libraries n theory you could use an Android device for hacking

89 When phones attack Target vulnerability RDP Remote Code Execution Vulnerability Published March 2012 (MS12-020) Used for remote code execution and denial of service attacks

90 When phones attack Target system Windows 2008 Server Attack software RDPKill4Android Video

91 This is the title text box

92 When phones attack What happened? Android device was able to connect to Windows computer Android device was able to send malicious code via RDP Windows 2008 server crashed with blue screen

93 When phones attack What does this mean? Mobile devices can be used to attack personal computers

94 When phones attack Why stop there? f an app on a phone can cause a windows machine to crash, what else could it do?

95 When phones attack What if? Create an app that looks legitimate Wi-Fi speed tester When the app runs, it will hack into a computer on the local network Scan all systems on local network looking for RDP port 3389 nstall code on the computer allowing remote access Any vulnerable systems, install malicious code Allow complete compromise of firewall protected network Bypass SP restricted ports

96 When phones attack Can this really be done? Video

97 97

98 What happened? Using Wi-Fi, app scans local network looking for vulnerable computers

99 Want to know real password? App find computer vulnerable to RPD MS exploit

100 Want to know real password? App exploits vulnerable computer and dinstalls malicious i software

101 Want to know real password? Exploited computer connects to hacker server allowing remote communication

102 Want to know real password? Hacker site uploads additional tools and sends commands for exploited computer to execute

103 When Phones Attack How bad is it? Complete compromise of any un-patched systems on network Remote access with the ability to install and execute code Ability to record the screen, webcam and keyboard entries Full access to contents on the hard drive Bypass Anti-Virus security

104 When Phones Attack What does this mean? Mobile devices can put your entire network at risk

105 What can you do? Pay attention to permissions Even if the application has been downloaded / installed thousands of times, it doesn t guarantee it s secure When in doubt, don t install the application Patch all computers on local l network, even computers that generally do not connect to the nternet

106 This is the title text box Evolving Malware Most attacks look like this

107 Most attacks Employee hacked through malicious website Acrobat, Flash, Java, nternet Explorer, etc. Eleonore style attacks Employee hacked through h targeted attack with attachments, e-card, fake zixmail secured , etc. Employee hacked through onsite attack Onsite social engineering including afterhours cleaning crew attacks

108 Most attacks Once a hacker is on the network, DS often detects additional probing attacks Actual hacking requires high level of skill Manual process is extremely time intensive Hacker can only attack one location at a time Most attacks rely on long term data mining

109 Most attacks While these attacks have been proven to be successful, proper security techniques can address the majority of the risks.

110 This is the title text box Evolving Malware The future looks like this

111 Times are changing Automated Hacking What happens when trojans think for themselves? Video

112 112

113 What does this mean? Hackers can attack your organization without even knowing you exist Your network can be hacked and all confidential data on the database stolen in minutes Hackers can attack your network while not at their computers When the attack is over, your network shows no signs a breach took place

114 What is at risk? Complete download of ALL customer information Name Address Phone Number Birthday Social Security Number Account Number Mothers Maiden Name Debit / Credit Card number & Exp Financial nstitution P address

115 Conservative damages estimate 2% of 16,000 = 320 financial institutions exploited 10, members / customers at a financial institution $ stolen from each member / customer Calculation: 320*10,000*100 = Total Damages: $320,000,000

116 What can you do? Awareness Training / Education Comprehensive Security Policies Limit nternet Access Monitor Network Risks / Vulnerabilities Personal Firewalls, Anti Virus ntrusion Detection / Prevention

117 Your future Manual hacking is an outdated practice Organization attacks will become fully automated What used to take days or months will now take just minutes

118 This is the title text box Other Security Concerns ATM Skimming Still Happens

119 Other security threats ATM Skimming can be obvious

120 ATM Scams Skimming Device placed over the card reader Camera set to monitor pin

121 ATM Scams Criminals continue to adapt Video

122 122

123 ATM Scams What to watch for? Does it pay out? f it fails to pay, this might be a fake. Does the card reader seem too big? Skimmers generally are clunky. s it bolted down? f you can move it, move on.

124 n The End t s All About Managing Risk

125 n the end Every organization must deal with Governance, Risk and Compliance (GRC) f you have not properly defined the risk in your organization, it is impossible ibl to understand d the controls required to protect your most valuable assets f you're not continually updating and redefining the risks as your organization changes, you will fail at managing your security Without a centralized solution, maintaining all aspects of the GRC program is unlikely to be successful

126 n the end You can t prevent every security risk You can educate others to be suspicious Remember that you can spend hundreds of thousands on security yproducts and it just takes one human mistake to bypass it all

127 Test your employees!

128 GRC Simplified - Need a self-contained solution that integrates all functional areas necessary to manage an on-going risk-based information security program Risk Policy Vulnerability Training Vendor Audit Compliance ncident Response Business mpact tanalysis Business Continuity Planning Process Reporting

129 TraceSecurity nc. Comprehensive Security Assessments Risk Assessments Penetration Testing T Audits Vendor Management Comprehensive Regulation Compliance Review Online Banking Application Testing Remote and Onsite Social Engineering Policy Development and Review Training (Onsite / Online) Employee & Customer twitter.com/jimstickley twitter.com/tracesecurity

130 130