Dayton Microcomputer Association (DMA):
April 2020 - Online Meeting
Date: April 28, 2020
Topic: Stupid Cyber Criminal Tricks and How to Combat Them
Speaker: Matt Scheurer
This talk covers various techniques used by cyber criminals, and how to spot them. This is the accompanying slide deck for a presentation that covers live demos. Who does not love a good cyber-crime story?
DMA - Stupid Cyber Criminal Tricks
1. DMA April 2020 Meeting
- Matt Scheurer
Dayton Microcomputer Association
April 28, 2020
Stupid Cyber Criminal Tricks and How to Combat Them
@c3rkah | https://www.linkedin.com/in/mattscheurer/
https://www.slideshare.net/cerkah/
2. About Me...
I work for a big well-known business...
As an Information Security (InfoSec) Engineer, performing Digital Forensics & Incident Response (DFIR) on a Computer Security Incident Response Team (CSIRT)
I serve as Chair for the
I am also an Ambassador & Security Researcher for
3. Disclaimer # 1 / 2
Yes, I have a day job. However…
Opinions expressed are based solely on my own independent security research and do not express or reflect the views or opinions of my employer.
4. Disclaimer # 2 / 2
The informational material presented is for educational purposes only. The presenter is not responsible for its use or misuse. No warranties or guarantees, implied or otherwise, are in effect. Use of these tools, techniques and technologies is at your own risk!
5. Cyber Criminals?
I work here: As a Sr. Systems Security Engineer
● Are NOT “Hackers”!
– Call them:
  ● Threat Actors
  ● Malicious Threat Actors
  ● Cyber Criminals
  ● Or simply just “Criminals”
6. Nothing worth taking?
https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
7. Operational Security Essentials
● Run up-to-date software and keep it patched
– Only use supported systems / devices & OS’es
● Harden / Secure your network equipment
– Especially anything Internet facing
● Change default usernames (where possible) and passwords
8. OpSec Basics
● Anti-Virus
– Immunet (https://www.immunet.com/)
  ● Enterprise-grade next-generation AV for free
  ● Nice complement to Windows Defender
● Firewall / HIDS / HIPS
– Search online for a Windows Firewall tutorial
– Or buy something better
9. Credential Safeguarding
● Strong Passwords
– Long passphrases
– Avoid re-use
● Password Safes
– KeePass (On-premises)
– LastPass (Cloud / Mobile)
● Have I been pwned?
– https://haveibeenpwned.com/
● Multi-factor authentication
– Dual-factor or MFA
● VPN for wireless / mobile
– Commercial Solutions
– https://cloudatcost.com/cloud-vpn
– PfSense (at home)
– Home Router
– L2TP/IPSEC if supported
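The "Have I been pwned?" bullet above is the one check on this slide that can be scripted. The following is an added example written for this page, not code from the talk: it shows the k-anonymity scheme the Pwned Passwords range API uses (only the first five hex characters of the SHA-1 hash are sent; the rest of the hash is compared locally) together with the slide's "long passphrases" rule. The range response and the breach counts in it are constructed sample data, and `fetch_range` is an offline stand-in for the real HTTP call.

```python
"""Passphrase checks from the Credential Safeguarding slide: length and a breach lookup.

Added example, not code from the talk. Demonstrates the k-anonymity scheme behind the
Have I Been Pwned "Pwned Passwords" range API: only the first 5 hex characters of the
SHA-1 hash are sent, and the 35-character suffix is compared locally against the
returned list. The range response below is constructed sample data, not a real reply.
"""
from __future__ import annotations

import hashlib

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# Each line is "<35-char SHA-1 suffix>:<times seen in breaches>". Real responses
# return hundreds of suffixes per prefix; the counts below are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix for "password"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]),
}


def sha1_prefix_suffix(secret: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a mapping; tolerates blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP call; swap in a real request to use the live API."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(secret: str, fetch=fetch_range) -> int:
    """How many times the secret appears in the breach corpus (0 = not found).
    Only the prefix is handed to `fetch`; the suffix match happens here."""
    prefix, suffix = sha1_prefix_suffix(secret)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def passphrase_report(secret: str, min_length: int = 16) -> dict:
    """Combine the slide's two rules: long passphrases, and nothing already breached."""
    hits = breach_count(secret)
    return {
        "length_ok": len(secret) >= min_length,
        "breach_count": hits,
        "acceptable": len(secret) >= min_length and hits == 0,
    }


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple for DMA 2020"):
        print(candidate, passphrase_report(candidate))
```

The `min_length` of 16 is an assumption chosen for the example; the slide only says "long passphrases". Because the full hash is never transmitted, this check is safe to run against real credentials, which is exactly why the site offers the range endpoint.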
10. Scams: Be skeptical!
● Go to sites yourself
– Instead of using links
● Vendors & the IRS don’t ask for gift cards
● Call back directly to verify
● https://www.bbb.org/scamtracker/
“I roll to disbelieve!”
12. Phishing
● Social engineering attacks using email
● Most common attack method
– Leveraged by the most inexperienced script kiddies
– Used by nation-states
– And every type of threat actor in-between
13. Compromised Email
https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
14. What is an email message really?
● A single text file in logical parts
– Headers
– Message body (source)
● Attachments
– Base64 Encoded Text
– May contain hyperlinks
  ● In the message body, or in the attachment
15. Obtaining the message source
● Will vary by email client and platform
– https://mxtoolbox.com/Public/Content/EmailHeaders/
16. Checking Attachments
● VirusTotal
– https://www.virustotal.com/
CAUTION: Do not upload potentially sensitive files to VirusTotal or any other public web sites!
17. Checking Hyperlinks
● urlscan.io
– https://urlscan.io/
● VirusTotal
– https://www.virustotal.com/
18. Beware of Gotchas...
● Obfuscation by a URL Shortener
● Evasion Code / DGA
● iFrames
● Redirects and Forwards
● Encoded content
● Relying too heavily on your defenses / tools...
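Slides 14 through 18 describe the message as one text file (headers, body, base64-encoded attachments) and the places malicious content hides in it. The following is an added example written for this page, not code from the talk, that walks one constructed raw message the way the live demo does: it pulls the Reply-To / From domains and the Received hops from the headers, flags an anchor whose visible text shows one site while its href points at another, decodes the base64 attachment and searches it for URLs, and records a SHA-256 per attachment so it can be looked up on VirusTotal by hash rather than uploaded, which keeps the CAUTION on slide 16. All addresses, hosts and the attachment content are constructed sample data.

```python
"""Triage of one raw email: headers, hyperlinks, attachments (slides 14 to 18).

Added example written for this page, not code from the talk. RAW_EMAIL is a
constructed sample. Shows the message as one text file (headers, body, base64
attachment) and the defender checks the slides call for.
"""
from __future__ import annotations

import base64
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed attachment body; a real one would be the decoded document.
ATTACHMENT_TEXT = b"Open http://pay.example.net/now to settle the balance.\n"

RAW_TEMPLATE = b"""\
Return-Path: <billing@invoice-portal.example>
Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.org; Tue, 28 Apr 2020 10:00:00 -0400
Received: from [198.51.100.7] (unknown [198.51.100.7]) by mx.example.net; Tue, 28 Apr 2020 09:59:58 -0400
From: "Accounts Payable" <ap@example.com>
Reply-To: billing@invoice-portal.example
Subject: Invoice overdue - action required
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your account at
<a href="http://login.example.net/verify">https://www.example.com/login</a></p></body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.txt"
Content-Disposition: attachment; filename="invoice.txt"
Content-Transfer-Encoding: base64

ATTACHMENT_B64
--BOUNDARY--
"""
# Base64-encode the attachment into the template, as a mail client would.
RAW_EMAIL = RAW_TEMPLATE.replace(b"ATTACHMENT_B64", base64.b64encode(ATTACHMENT_TEXT))

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def header_summary(msg: EmailMessage) -> dict:
    from_domain = _domain(str(msg.get("From", "")))
    reply_to = str(msg.get("Reply-To", ""))
    reply_to_domain = _domain(reply_to) if reply_to else from_domain
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        # A Reply-To on a different domain than From is a common lure for replies.
        "reply_to_mismatch": reply_to_domain != from_domain,
        # Each relay prepends a Received header, so the last one is closest to the origin.
        "received_hops": [str(h) for h in msg.get_all("Received", [])],
    }


def find_links_in_html(html: str) -> list[dict]:
    links = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        shown_host = urlparse(shown).netloc.lower() if shown.startswith(("http://", "https://")) else ""
        links.append({
            "href": href,
            "text": shown,
            # Visible URL text on a different host than the real href: classic phishing.
            "mismatch": bool(shown_host) and shown_host != urlparse(href).netloc.lower(),
        })
    return links


def find_urls_in_text(text: str) -> list[str]:
    return URL_RE.findall(text)


def attachments(msg: EmailMessage) -> list[dict]:
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""  # undoes the base64 transfer encoding
        found.append({
            "filename": part.get_filename(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # search this hash; do not upload the file
            "urls": find_urls_in_text(data.decode("utf-8", errors="replace")),
        })
    return found


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    links: list[dict] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_content_disposition() != "attachment":
            links.extend(find_links_in_html(part.get_content()))
    return {"headers": header_summary(msg), "links": links, "attachments": attachments(msg)}
```

Run `triage(RAW_EMAIL)` to get the summary as a dictionary; on the constructed message it reports the Reply-To domain mismatch, two Received hops, one display-text/href mismatch in the body, and one attachment with a URL inside it. The same function applies to a real `.eml` file read as bytes, and the hash lookup in `attachments` is the step that lets you consult VirusTotal without handing over the file itself.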
19. Phishing email live demos
● We’ll cover looking at email message source
– Potential malicious content may exist
  ● In attachments
  ● In hyperlinks potentially going to phishing sites
20. Script Kiddies
Script kiddies may be low-skilled, but they are a real threat...
Some offensive security tools have become so user-friendly and simple that the barrier to compromising vulnerable systems has become trivial. We will use Kali Linux, SPARTA (Legion), OWASP ZAP, and Armitage to demonstrate just how easy exploiting some vulnerabilities has become. The takeaways will be on vulnerability scanning systems in your environment and proving those findings with a Proof-of-Concept, to help improve your overall security posture by eliminating the low-hanging fruit of vulnerabilities.
21. Kali Linux
● All of the tools demonstrated here are included in Kali Linux
● Free to download and use
● https://www.kali.org/
22. OWASP ZAP
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
23. OWASP ZAP Demo
● In this live demo, I will use OWASP ZAP to find hidden files on the web
● OWASP ZAP will uncover accidental exposure
● Sensitive data exposure is #3 on the latest OWASP Top 10 list
24. SPARTA (Legion)
SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analyzing results.
https://sparta.secforce.com/
25. SPARTA (Legion) Demo
● In this live demo, I will use SPARTA to scan a network
● This should reveal hosts and the services running on them
● It will also check discovered services for vulnerabilities
● Also collecting screen shots of web services
26. Metasploit & Armitage
● Metasploit is the world's most used penetration testing software. Uncover weaknesses in your defenses, focus on the right risks, and improve security.
● Armitage - Cyber Attack Management for Metasploit. Armitage makes penetration testing easy by adding a GUI to the Metasploit framework
https://www.rapid7.com/products/metasploit/
http://www.fastandeasyhacking.com/
27. Metasploit & Armitage Demo
● In this live demo, I will use Armitage in an attempt to find and exploit vulnerabilities on another host
● Our goal is to establish a remote shell with root level privileges
28. Leveling Up
● Check out the Metasploit Unleashed Free Ethical Hacking Course
– https://www.offensive-security.com/metasploit-unleashed/
29. Conclusions
● Powerful vulnerability exploitation tools are readily available for free to tech defenders and malicious threat actors alike
● The barrier to entry for unskilled attackers is very low
30. Provocative Questions
Are you actively scanning your web sites and cloud storage for sensitive data exposure?
Are you checking for credentials susceptible to simple dictionary and brute force attacks?
Are your systems and network devices vulnerable to simple exploit kit attacks?
33. Considerations
Malicious threat actors are probably already doing these things against us...
Who would you rather have discover exposed data, weak credentials, or easily exploitable vulnerabilities first?
35. Shameless Plugs
● Next CiNPA Security SIG meeting (Threat Roundup)
– Thursday, May 21, 2020 6:30 PM to 9:00 PM
– https://www.meetup.com/TechLife-Cincinnati/events/njkqnpybchbcc/
● I am speaking at Circle City Con
– Topic “Lend me your IR’s!”
– June 12 – 14 (Online Virtual Conference)
– https://circlecitycon.com/
37. Thank you for attending!
- Matt Scheurer
Dayton Microcomputer Association
April 28, 2020
Stupid Cyber Criminal Tricks and How to Combat Them
@c3rkah | https://www.linkedin.com/in/mattscheurer/
https://www.slideshare.net/cerkah/