Hacking the Company
Risks with carbon based lifeforms using vulnerable systems
$ whoami

Curious Hacker (eg. I like to break things apart and rebuild them!)
Maker (eg. I like to make things)
RC-Geek (eg. I like to fly radiocontrolled devices)
Chief Security Officer @Crosskey Banking Solutions
Social Media Twitter: @khalavak, G+: Kim Halavakoski,
G+ communities: Security De-Obfuscated, PCI Jedis...
"An enthusiastic and skilled computer programmer or user" (translated from Finnish)

hacker as defined in RFC1392:
   A person who delights in having an intimate understanding of the
   internal workings of a system, computers and computer networks in
   particular. The term is often misused in a pejorative context,
   where "cracker" would be the correct term. See also: cracker.
How?
Vulnerabilities
Young padawan, don't forget:
Lack of focus leads to sloppiness,
sloppiness leads to misconfiguration and bugs,
and misconfiguration and bugs leads to compromise.
Vulnerabilities & 0-days
Top 10 vulnerable vendors
Who uses these vulnerable vendors anyway?

We all keep our systems patched? All the time? Almost? Sometimes?
Example of vulnerable vendors: Microsoft, Apple, Oracle, Sun Microsystems, Cisco, Mozilla, Linux,
Hewlett Packard, Adobe...

Ever used any of these vendors?
Top 10 vulnerable products
Who uses these vulnerable products anyway?

We all keep our software products patched? All the time? Almost? Sometimes?
Example of vulnerable software: Linux, Firefox, Mac OS X, Google Chrome, Internet Explorer, Seamonkey,
Solaris, Thunderbird

Ever used any of this software?
Browser market shares

Combining the vulnerability statistics above for Internet Explorer, Firefox and Chrome with their market shares,
it seems that 92.61% of the browsers used on the Internet are vulnerable.
46 vulnerabilities in 2012
48 vulnerabilities in 2013 (and it's only March!)
of which 26 vulnerabilities with CVSS score 10.0 in 2013 until now
http://java-0day.com
http://istherejava0day.com
Patching is Critical
Security is as strong as the weakest link.

If you take security seriously then making sure everything is
up to date is more important than ever.
Social Engineering
There is no patch for human stupidity
Social engineering works.
People are easily tricked. Really.
Tap into psychological factors that are part of human nature
Abuses trust frameworks that we are used to in real life.
"Could I have the root password, please?"
A good presentation needs a cat picture to soften the audience.

On a side note, cybercriminals know that we like cute and funny pictures and videos,
so they use our eagerness to click on cute things to hack our computers...

So even if supercute, think before you click!
How easily are you tricked?
Would you fall for this?
Are you sure it is Paypal?
Problems with your Visa card?
Salaries! Confidential! Dare to open that PDF document?
What did I order again?
Who?
Cybercriminals
Oleg Nikolaenko
24-year-old hacker who ran the Mega-D botnet back in 2010
Mega-D was sending 30-40% of the spam on the Internet
Vladimir Tsastsin
Vladimir ran Estdomains and later Rove Digital, which ran "Operation Ghost Click", the operation
behind the infamous DNSChanger malware that caused havoc all over the world.
Hacktivists
Governments and Nation states
Why?
Cybercrime market value: $114 billion
Where?
IP addresses by region:

World:            10437
FI,SE,NO,DK,AX:   4447
FI:               2829

Top 10 cities in Finland:

City            num     %
Helsinki        411     14.528%
Tampere         406     14.351%
Hämeenlinna     176     6.221%
Jyväskylä       117     4.136%
Turku           87      3.075%
Vanda           85      3.004%
Espoo           71      2.51%
Pirkkala        63      2.227%
Lahti           63      2.227%
Oulu            59      2.086%
From the 2829 IP addresses in Finland I did a quick statistical analysis of the whois and DNS data and found:

most of the IPs are end-customers with ADSL or GPRS connections from Sonera, DNA, Nebula, local telephone companies, etc.
59 whois records that seem like companies
37 DNS records that look like companies
...some small, some bigger and some of them even "security" companies and some in
public services and even government use...
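The kind of quick whois/reverse-DNS triage the slides describe, reconstructed as an added example (not the author's own script, which is not shown): it buckets each address as an end-customer access line or as a company visible via whois or via DNS, and builds the per-city table with percentages. The sample records, hostnames, netnames and the `ACCESS_LINE_RE`/`ORG_RE` heuristics are constructed assumptions; a real run would feed it the output of whois and PTR lookups.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IpRecord:
    ip: str
    ptr: str       # reverse DNS name, "" when no PTR record exists
    netname: str   # whois NETNAME / organisation field
    city: str      # city taken from the whois record


# Constructed sample records (hypothetical names, RFC 5737 test addresses);
# they stand in for the real whois/DNS data the slides summarise.
SAMPLE = [
    IpRecord("192.0.2.10", "dsl-hkibrasgw1-50dcc5-10.dhcp.inet.fi", "SONERA-DSL", "Helsinki"),
    IpRecord("192.0.2.11", "a88-112-1-2.elisa-laajakaista.fi", "ELISA-BROADBAND", "Tampere"),
    IpRecord("192.0.2.12", "gprs-client-3.dna.example", "DNA-MOBILE", "Turku"),
    IpRecord("192.0.2.13", "mail.example-firm.fi", "EXAMPLE-FIRM-OY", "Helsinki"),
    IpRecord("192.0.2.14", "", "NEBULA-CUSTOMER-NET", "Helsinki"),
    IpRecord("192.0.2.15", "fw1.city-services.example", "CITY-OF-EXAMPLE", "Espoo"),
    IpRecord("192.0.2.16", "", "SECURITY-CONSULTING-AB", "Tampere"),
]

# Hostname fragments that usually mark dynamic end-customer access lines
# (ADSL, cable, GPRS/3G, DHCP pools); "laajakaista" is Finnish for broadband.
ACCESS_LINE_RE = re.compile(r"(dsl|gprs|3g|dhcp|dyn|pool|cable|laajakaista|mobile)", re.I)
# Hints in a whois netname that the block is allocated to a named organisation
# (assumed heuristics, tuned to the constructed sample).
ORG_RE = re.compile(r"(\bOY\b|\bAB\b|\bLTD\b|\bINC\b|CITY|GOV|UNIV|FIRM|CONSULTING)", re.I)


def classify(rec):
    """Bucket one record the way the slides do: end-customer line,
    company visible via whois, company visible via DNS, or unknown."""
    if rec.ptr and ACCESS_LINE_RE.search(rec.ptr):
        return {"end-customer"}
    tags = set()
    if ORG_RE.search(rec.netname):
        tags.add("company-whois")
    if rec.ptr:  # a static, named host usually belongs to an organisation
        tags.add("company-dns")
    return tags or {"unknown"}


def summarise(records, top=10):
    """Return bucket counts plus a top-N city list with percentages,
    rounded to three decimals like the table on the slide."""
    buckets = Counter()
    for rec in records:
        buckets.update(classify(rec))
    cities = Counter(rec.city for rec in records)
    total = len(records)
    top_cities = [(city, n, round(100.0 * n / total, 3))
                  for city, n in cities.most_common(top)]
    return {"total": total, "buckets": dict(buckets), "top_cities": top_cities}


if __name__ == "__main__":
    s = summarise(SAMPLE)
    print(f"{s['total']} addresses: {s['buckets']}")
    print(f"{'City':<13} {'num':<5} %")
    for city, n, pct in s["top_cities"]:
        print(f"{city:<13} {n:<5} {pct}%")
```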
RSA -> Lockheed Martin
  RSA was hacked, allegedly in order to get into Lockheed Martin
Twitter
  Twitter was hacked using recent Java-vulnerabilities
Facebook
  Facebook was hacked using recent Java-vulnerabilities through a third-party site iphonedevsdk.com
Microsoft
  Microsoft was hacked using recent Java-vulnerabilities through a third-party site iphonedevsdk.com
Apple
  Apple was hacked using recent Java-vulnerabilities through a third-party site iphonedevsdk.com
US National Vulnerability Database hacked
Malware planted on 2 webservers...
Undiscovered for 2 months...

"Hacking the NVD and planting malware on the very place where we get our vulnerability information,
that is just pure evil!"
Ocean's Eleven?
Matt Honan – Senior Editor at Wired Gadget Labs
Security flaws in Apple and Amazon customer service systems led to hackers gaining control over his accounts and deleting the files on his Mac.
How?
Metasploit
Penetration testing tool.
Developed by HD Moore back in 2003.
Bought by Rapid 7 in 2009.
Open-source version still available.
Social Engineer Toolkit
Great tool for performing social engineering attacks:
phishing, web attacks, malware-infected USB sticks, etc.
Developed by Dave Kennedy & Co
Demo

Fictitious company with the following network setup:
firewall, mailserver, webserver, DNS-server, Internal Windows 7 workstation...
Conclusion
Carbon based lifeforms
Humans are the weakest link
Using age-old social frameworks in a modern connected world
Easily tricked into clicking, opening links, attachments and programs
Make errors, repeatedly

Computer software
Are programmed by humans
Have bugs
Used by humans

Hacking tools
Readily available
Easy to use
Developed by professionals

Cybercriminals
Cybercriminals
Hacktivists
Nation States & Governments
Questions?
