3. $ whoami
Curious Hacker (e.g. I like to break things apart and rebuild them!)
Maker (e.g. I like to make things)
RC-Geek (e.g. I like to fly radio-controlled devices)
Chief Security Officer @Crosskey Banking Solutions
Social Media Twitter: @khalavak, G+: Kim Halavakoski,
G+ communities: Security De-Obfuscated, PCI Jedis...
4. "An enthusiastic and skilled computer programmer or user"
hacker as defined in RFC 1392:
A person who delights in having an intimate understanding of the
internal workings of a system, computers and computer networks in
particular. The term is often misused in a pejorative context,
where "cracker" would be the correct term. See also: cracker.
7. Vulnerabilities
Young padawan, don't forget:
Lack of focus leads to sloppiness,
sloppiness leads to misconfiguration and bugs,
and misconfiguration and bugs lead to compromise.
12. Who uses these vulnerable vendors anyway?
Do we all keep our systems patched? All the time? Almost? Sometimes?
Examples of vulnerable vendors: Microsoft, Apple, Oracle, Sun Microsystems, Cisco, Mozilla, Linux,
Hewlett-Packard, Adobe...
Ever used anything from these vendors?
14. Who uses these vulnerable products anyway?
Do we all keep our software products patched? All the time? Almost? Sometimes?
Examples of vulnerable software: Linux, Firefox, Mac OS X, Google Chrome, Internet Explorer, SeaMonkey,
Solaris, Thunderbird
Ever used any of this software?
15. Browser market shares
Put the vulnerability statistics above next to browser market share: Internet Explorer, Firefox and Chrome
together make up 92.61% of the browsers in use, so it seems that 92.61% of the browsers on the Internet are vulnerable.
16. 46 vulnerabilities in 2012,
48 vulnerabilities in 2013 (and it's only March!),
of which 26 have a CVSS score of 10.0 in 2013 so far.
19. Patching is Critical
Security is only as strong as its weakest link.
If you take security seriously, then making sure everything is
up to date is more important than ever.
22. Social engineering works.
People are easily tricked. Really.
It taps into psychological factors that are part of human nature
and abuses the trust frameworks we are used to in real life.
24. A good presentation needs a cat picture to soften the audience.
On a side note, cybercriminals know that we like cute and funny pictures and videos,
so they use our eagerness to click on cute things to compromise our computers...
So even if it is super cute, think before you click!
35. Oleg Nikolaenko
24-year-old hacker who ran the Mega-D botnet until 2010
Mega-D was sending 30-40% of the spam on the Internet
36. Vladimir Tsastsin
Vladimir ran Estdomains and later Rove Digital, the company behind the infamous DNSChanger malware
that caused havoc all over the world; the FBI's "Operation Ghost Click" took the operation down.
55. From the 2829 IP-addresses in Finland I did a quick statistical analysis of the whois and DNS data and found:
most of the IPs are end customers on ADSL or GPRS connections from Sonera, DNA, Nebula, local telephone companies, etc.
59 whois records that look like companies
37 DNS records that look like companies
56. ...some small, some bigger and some of them even "security" companies and some in
public services and even government use...
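The whois and reverse-DNS triage described above, as an added example in Python that is not part of the talk: it takes records of (IP, reverse DNS name, whois netname), labels each record from both data sources with simple heuristics, and reports the whois-based and DNS-based company counts separately, because the two sources disagree whenever a company sits inside a telco's customer block or an address has no PTR record. The sample records, the regular expressions and all names are constructed for illustration; the 2829 real Finnish addresses are not included.

```python
import re
from collections import Counter

# Constructed sample records: (ip, reverse DNS name or None, whois netname).
# IPs come from the RFC 5737 documentation ranges and every name is invented;
# this is NOT the data behind the talk's 2829 Finnish addresses.
SAMPLE = [
    ("192.0.2.10",   "dsl-hkibrasgw1-fe8bdc00-10.dhcp.inet.fi", "SONERA-DSL"),
    ("192.0.2.11",   "dyn-gprs-12.dnainternet.fi",              "DNA-MOBILE-CUSTOMERS"),
    ("192.0.2.12",   None,                                      "NEBULA-DYNAMIC-POOL"),
    ("198.51.100.5", "mail.example-bank.fi",                    "EXAMPLE-BANK-NET"),
    ("198.51.100.6", "fw01.example-security.fi",                "EXAMPLE-SECURITY-OY"),
    ("198.51.100.7", None,                                      "EXAMPLE-CITY-NET"),
    ("203.0.113.9",  "cust-113-9.localtelco.fi",                "LOCALTELCO-CUSTOMERS"),
    ("203.0.113.10", "gw.example-agency.fi",                    "LOCALTELCO-CUSTOMERS"),
]

# Heuristics (assumptions, not an authoritative list): reverse-DNS names of
# consumer access lines usually embed the access technology or a pool marker,
# and ISP whois netnames for customer blocks usually say so in the name.
CONSUMER_RDNS_RE = re.compile(r"(dsl|gprs|dhcp|dyn|pool|cust|cable|mobile)", re.I)
CONSUMER_NETNAME_RE = re.compile(r"(DSL|GPRS|MOBILE|DYNAMIC|POOL|CUSTOMERS|BROADBAND)", re.I)


def classify_whois(netname):
    """Label a whois netname as 'consumer' (ISP customer pool) or 'company'."""
    return "consumer" if CONSUMER_NETNAME_RE.search(netname) else "company"


def classify_dns(rdns):
    """Label a reverse-DNS name; None (no PTR record) is 'unknown'."""
    if rdns is None:
        return "unknown"
    return "consumer" if CONSUMER_RDNS_RE.search(rdns) else "company"


def summarise(records):
    """Count how whois and DNS classify the records, separately and together.

    Returns (counts, disagreements). The two views are counted independently:
    a company hosted in a telco's customer block is a company in DNS but a
    consumer in whois, and an address without a PTR record can only be judged
    from whois. Records where both sources are known but differ are returned
    for manual review.
    """
    counts = Counter()
    disagreements = []
    for ip, rdns, netname in records:
        w, d = classify_whois(netname), classify_dns(rdns)
        counts["total"] += 1
        counts["whois_company"] += int(w == "company")
        counts["dns_company"] += int(d == "company")
        counts["both_company"] += int(w == "company" and d == "company")
        counts["no_company_signal"] += int(w != "company" and d != "company")
        if "unknown" not in (w, d) and w != d:
            disagreements.append((ip, w, d))
    return counts, disagreements


if __name__ == "__main__":
    counts, disagreements = summarise(SAMPLE)
    for key in ("total", "whois_company", "dns_company", "both_company", "no_company_signal"):
        print(f"{key:18s} {counts[key]}")
    for ip, w, d in disagreements:
        print(f"check by hand: {ip} whois={w} dns={d}")
```

On the constructed sample, whois and DNS each flag three records as companies, but only two records are flagged by both, which is exactly why the talk reports the two counts side by side rather than as one number.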
58. RSA -> Lockheed Martin
RSA was hacked, allegedly in order to get into Lockheed Martin
Twitter
Twitter was hacked using recent Java vulnerabilities
Facebook
Facebook was hacked using recent Java vulnerabilities through the third-party site iphonedevsdk.com
Microsoft
Microsoft was hacked using recent Java vulnerabilities through the third-party site iphonedevsdk.com
Apple
Apple was hacked using recent Java vulnerabilities through the third-party site iphonedevsdk.com
59. US National Vulnerability Database hacked
Malware planted on two web servers...
Undiscovered for two months...
"Hacking the NVD and planting malware on the very place where we get our vulnerability information,
that is just pure evil!"
63. Mat Honan – Senior Editor at Wired Gadget Lab
Security flaws in Apple and Amazon customer service systems led to hackers gaining control of his accounts and remotely wiping his Mac.
66. Social Engineer Toolkit
Great tool for performing social engineering attacks:
phishing, web attacks, malware-infected USB sticks, etc.
Developed by Dave Kennedy & Co.
68. Demo
Fictitious company with the following network setup:
firewall, mail server, web server, DNS server, internal Windows 7 workstation...
71. Carbon-based lifeforms
Humans are the weakest link
Using age-old social frameworks in a modern connected world
Easily tricked into clicking, opening links, attachments and programs
Make errors, repeatedly
Computer software
Is programmed by humans
Has bugs
Is used by humans
Hacking tools
Readily available
Easy to use
Developed by professionals
Cybercriminals
Cybercriminals
Hacktivists
Nation states & governments