The Hacker’s Guide to NOT Getting Hacked
Jakub Kaluzny
About Me
▪ Sucked at games, started hacking
▪ Maths & Algo background
▪ Dev at European Space Agency
▪ Security Consultant in EU and AU
▪ Sometimes I have interesting projects:
  ▪ Printers, ATMs
  ▪ FOREX trading software
  ▪ Online banking systems
  ▪ Voice biometrics
▪ Published research at BlackHat, HackInTheBox, OWASP AppSec, Zeronights, AusCERT, BSides
Threat Modelling
Attack surface – WHERE: Using phone in cafes
Threat modelling – WHAT: Phone theft
Threat actors – WHO: Opportunistic pickpocket
Attack vectors – HOW: Pick it up when you go to the toilet
MITIGATION: KEEP THE PHONE WITH YOU
Your assets
▪ Devices:
  ▪ Phone
  ▪ Computer
  ▪ IoT
  ▪ Home router
▪ Accounts:
  ▪ SIM card
  ▪ Mail
  ▪ Social Media
  ▪ Bank
▪ Finances:
  ▪ Bank
  ▪ Paypal / similar
  ▪ SIM credit line
  ▪ Amazon/Uber/Netflix/any service
▪ Information / Identity:
  ▪ Documents, scans
  ▪ Private data / nudes
Most threats are OPPORTUNISTIC
Level of paranoia
99% of people:
▪ Log in to their bank account on a public computer
▪ Have one password
▪ Travel to China, use public wi-fi
▪ Leave phone & wallet on the beach, enjoy a swim
Security conscious:
▪ Log in to their bank only on phone / their own computer
▪ Use password manager
▪ Keep their phone with them all the time
▪ Take only one card and use a phone cheap enough to not cry when you lose it
Security paranoid:
▪ Use 2-FA, distribute money between multiple accounts
▪ Use 30-char passwords
▪ Take a burner phone, destroy it afterwards
▪ Don’t go further than 5 seconds from the bag
Your assets
▪ Devices:
  ▪ Phone
  ▪ Computer
  ▪ IoT
  ▪ Home router
▪ Accounts:
  ▪ SIM card
  ▪ Mail
  ▪ Social Media
  ▪ Bank
▪ Finances:
  ▪ Bank
  ▪ Paypal / similar
  ▪ SIM credit line
  ▪ Amazon/Uber/Netflix/any service
▪ Information / Identity:
  ▪ Documents, scans
  ▪ Private data / nudes
▪ OTHER:
  ▪ Your brain
General scams/hacks
▪ Buying crypto wallets on ebay
▪ SMS, phone call
▪ Fake anti-virus scam
▪ Fake ads on ATM
▪ Gumtree
▪ Fake hacked webcam
▪ Fake FB/Tinder nudes
▪ Premium line call back
▪ Facebook - friends asking for money
▪ Ebay hijacked accounts
▪ FBI / police locking your computer
▪ “Top Google ad” scam
▪ lost phone scam - check location
PHONE threats
▪ THROW AWAY OLD PHONES
▪ DO NOT GIVE IT TO YOUR GRANDMA
▪ NEVER INSTALL APPS FROM UNKNOWN SOURCES
▪ If you do, check the permissions
Malware sources
▪ DO NOT CONNECT TO PUBLIC WIFIS
This is NOT a Tesla hack:
▪ Tricked Android 4.4 user to connect to fake McD Wi-Fi
▪ Redirected him to a fake website
▪ Tricked him into installing malicious app from unknown sources
▪ The app used a public exploit toolbox (Kingroot) to root Android 4.4 device
▪ USE VPN
▪ Enable backups
▪ Enable screenlock!
▪ Enable encryption!!
My other computer is your computer
COMPUTER threats
▪ Keep it up-to-date
▪ Use AV
▪ Never install dodgy programs
▪ If unsure, use VirusTotal.com
▪ Don’t connect to public Wi-Fis
▪ Never ignore security warnings
▪ Use VPN
▪ Have backups
▪ Use full-disk encryption
▪ Lock workstation
▪ Have a strong password
▪ Never plug in dodgy USB sticks
IoT threats
Why would anyone need a smart…
▪ Just don’t
ROUTER threats
▪ Keep it up-to-date
▪ Choose WPA2 for Wi-Fi security
▪ Don’t share passwords
ACCOUNTS THREATS
“Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life” – @thegrugq
ACCOUNTS threats
▪ Make a list of all your important accounts
▪ USE A PASSWORD MANAGER
The top 10 passwords on the 2017 list:
▪ 1. 123456 (Unchanged)
▪ 2. Password (Unchanged)
▪ 3. 12345678 (Up 1)
▪ 4. qwerty (Up 2)
▪ 5. 12345 (Down 2)
▪ 6. 123456789 (New)
▪ 7. letmein (New)
▪ 8. 1234567 (Unchanged)
▪ 9. football (Down 4)
▪ 10. iloveyou (New)
ACCOUNTS threats
▪ Do not reuse passwords
▪ USE 2-FA
2-FA methods against common attacks (OK = protects against the attack, ~ = partially, NO = does not):

Attack                 | Hardware token | SMS  | Push      | U2F       | Biometrics | No 2-FA
Password guess / theft | OK             | OK   | OK        | OK        | OK         | NO
Phishing               | ~NO            | ~NO  | OK        | ~OK       | ~OK        | NO
PC malware             | NO             | ~OK  | ~OK       | ~NO       | ~NO        | NO
Phone malware          | OK             | NO   | ~NO       | OK        | ~NO        | NO
SIM hijacking          | OK             | NO   | ~OK       | OK        | ~OK        | OK
Overall                | OK             | GOOD | VERY GOOD | VERY GOOD | ~OK        | NOT GOOD
ACCOUNTS threats
▪ For financial accounts: a device with a screen – mobile push notifications (very good) or SMS (good)
▪ For all other accounts: U2F (very good), SMS (good)
▪ If you are redirected to a login screen, check the domain
▪ Hack yourself: regularly go through the forgotten-password functionality
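The “check the domain” advice above is easy to get wrong at a glance, so here is an added example (written for this page, not code from the talk) that checks a login URL against the hosts where you actually expect to type a password; the `bank.example` hosts and sample URLs are constructed.

```python
"""Check whether a login URL really points at the site you expect.

Added example for the "check domain" advice; it is not code from the talk.
The expected hosts and sample URLs below are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Only plain ASCII labels: letters, digits, hyphens, dots. Anything else
# (percent-encoding, Unicode look-alike characters) is treated as untrusted.
_ASCII_HOST = re.compile(r"^[a-z0-9.-]+$")


def login_domain_check(url: str, expected_hosts: set[str]) -> tuple[bool, str]:
    """Return (trusted, reason) for a URL you are about to type a password into.

    trusted is True only if the URL is https and its host is exactly one of
    expected_hosts or a subdomain of one. Each rejection reason names the
    disguise that would otherwise fool a quick look at the address bar.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if parts.username is not None:
        # https://bank.example@evil.example/ shows bank.example first but
        # connects to evil.example; the part before '@' is only a username.
        return False, "URL carries user@ info before the real host"
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    if not host:
        return False, "no host in URL"
    if not _ASCII_HOST.match(host):
        return False, f"host {host!r} has non-ASCII or encoded characters"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"host {host!r} uses an internationalized (punycode) label"
    # Suffix match on a dot boundary: login.bank.example passes,
    # bank.example.evil.example and notbank.example do not.
    if not any(host == h or host.endswith("." + h) for h in expected_hosts):
        return False, f"host {host!r} is not the expected site"
    return True, "ok"


def check_all(urls: list[str], expected_hosts: set[str]) -> dict[str, tuple[bool, str]]:
    """Run the check over a batch of URLs; returns {url: (trusted, reason)}."""
    return {u: login_domain_check(u, expected_hosts) for u in urls}


if __name__ == "__main__":
    # Constructed sample: the only place this fictional bank asks for a password.
    expected = {"bank.example"}
    samples = [
        "https://login.bank.example/auth?next=/accounts",  # genuine
        "https://bank.example.evil.example/login",         # expected name as a prefix
        "https://evil.example/bank.example/login",         # expected name in the path
        "https://bank.example@evil.example/login",         # user@ disguise
        "http://login.bank.example/",                      # no TLS
        "https://xn--bank-abc.example/",                   # constructed punycode label
        "https://notbank.example/login",                   # shares a suffix, not a dot boundary
    ]
    for url, (ok, why) in check_all(samples, expected).items():
        print(f"{'TRUSTED ' if ok else 'REJECTED'} {url}  ({why})")
```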
The system is as weak as its weakest link
SIM card threats
▪ Set additional security features
▪ Do not use, and disable, insecure features – sending and receiving messages via web
▪ Understand that sender (and caller) ID may be spoofed
▪ Set SIM card PIN (stolen phone)
▪ Enable limits
▪ Disable premium services
With great power comes great responsibility
MAIL threats
▪ Usually e-mail access is enough to recover passwords to other services
▪ Confirm actions via a second channel
Social media threats
▪ Don’t allow dodgy games / apps to access your data
▪ Don’t publish pictures of your credit card
▪ Don’t trust strangers
ALWAYS CHECK AMOUNT AND BENEFICIARY NUMBER
Bank account threats
▪ Enable alerts
▪ Check balance regularly
▪ Check access via other channels
▪ Keep bigger money on a separate account
▪ Set limits – for transactions, credit card, mobile payments
▪ Change credit card regularly
▪ Prefer to pay in cash, especially overseas
▪ Never let the waitress go away with your card
▪ Online shopping: use a separate card – a pre-paid one with limits
▪ There is chargeback
▪ Pay via trusted gateways – e.g. PayPal – rather than directly
▪ Do not enter your banking password on any website (POLi, Trustly) other than the bank itself
▪ Consider 3rd parties for alerting and monitoring… Nah
Other services threats
▪ Netflix / Amazon / Uber etc. – keep track of those
▪ Change cards regularly
Identity threats
▪ Watermark scans
▪ Upload via webform, do not send via e-mail
▪ Paranoid: change ID regularly
▪ Do not keep scans, sensitive documents, nudes etc. online
▪ Encrypt them
Travel safe AND secure
Travel security
▪ Do not use public chargers
▪ Consider a polarizing screen
▪ Cover your keyboard when typing passwords
Summary
▪ Define attack surface
▪ Model threats
▪ Define level of paranoia
▪ Apply changes
▪ Review regularly
BONUS
http://goo.gl/BSZ4mN
Thank you
Twitter: @j_kaluzny
