Hacking the Company
Risks with carbon based lifeforms using vulnerable systems
$ whoami

Curious Hacker (e.g. I like to break things apart and rebuild them!)
Maker (e.g. I like to make things)
RC-Geek (e.g. I like to fly radio-controlled devices)
Chief Security Officer @Crosskey Banking Solutions
Social Media Twitter: @khalavak, G+: Kim Halavakoski,
G+ communities: Security De-Obfuscated, PCI Jedis...
"An enthusiastic and skilled computer programmer or user"

Hacker as defined in RFC 1392:
   A person who delights in having an intimate understanding of the
   internal workings of a system, computers and computer networks in
   particular. The term is often misused in a pejorative context,
   where "cracker" would be the correct term. See also: cracker.
How?
Vulnerabilities
Young padawan, don't forget:
Lack of focus leads to sloppiness,
sloppiness leads to misconfiguration and bugs,
and misconfiguration and bugs lead to compromise.
Vulnerabilities
Vulnerabilities & 0-days
0-days
Top 10 vulnerable vendors
Who uses these vulnerable vendors anyway?

We all keep our systems patched? All the time? Almost? Sometimes?
Example of vulnerable vendors: Microsoft, Apple, Oracle, Sun Microsystems, Cisco, Mozilla, Linux,
Hewlett Packard, Adobe...

Ever used any of these vendors?
Top 10 vulnerable products
Who uses these vulnerable products anyway?

We all keep our software products patched? All the time? Almost? Sometimes?
Example of vulnerable software: Linux, Firefox, Mac OS X, Google Chrome, Internet Explorer, Seamonkey,
Solaris, Thunderbird

Ever used any of this software?
Browser market shares

According to the previous statistics on vulnerabilities in Internet Explorer, Firefox and Chrome,
it seems that 92.61% of the browsers used on the Internet are vulnerable.
46 vulnerabilities in 2012
48 vulnerabilities in 2013 (and it's only March!)
of which 26 vulnerabilities with CVSS score 10.0 in 2013 until now
http://java-0day.com
http://istherejava0day.com
Patching is Critical
Security is as strong as the weakest link.

If you take security seriously then making sure everything is
up to date is more important than ever.
Social Engineering
There is no patch for human stupidity
Social engineering works.
People are easily tricked. Really.
It taps into psychological factors that are part of human nature
and abuses the trust frameworks we are used to in real life.
"Could I have the root password, please?"
A good presentation needs a cat picture to soften the audience.

On a side-note, cybercriminals know that we like cute and funny pictures and videos,
so they are using our eagerness to click on cute things to hack your computer...

So even if it is super cute, think before you click!
How easily are you tricked?
Would you fall for this?
Are you sure it is Paypal?
Problems with your Visa card?
Salaries! Confidential! Dare to open that PDF document?
What did I order again?
Who?
Cybercriminals
Oleg Nikolaenko
24-year-old hacker who ran the Mega-D botnet back in 2010
Mega-D was sending 30-40% of the spam on the Internet
Vladimir Tsastsin
Vladimir ran Estdomains and later Rove Digital, which ran "Operation Ghost Click",
the operation behind the infamous DNSChanger malware that caused havoc all over the world.
Hacktivists
Governments and Nation states
Why?
Cybercrime market value: $114 billion
Where?

IP address counts:

World:            10437
FI,SE,NO,DK,AX:    4447
FI:                2829

Top 10 cities    num   %
Helsinki         411   14.528%
Tampere          406   14.351%
Hämeenlinna      176   6.221%
Jyväskylä        117   4.136%
Turku            87    3.075%
Vanda            85    3.004%
Espoo            71    2.51%
Pirkkala         63    2.227%
Lahti            63    2.227%
Oulu             59    2.086%

Selected cities  num   %
Helsinki         411   14.528%
Turku            87    3.075%
Vanda            85    3.004%
Espoo            71    2.51%
Pirkkala         63    2.227%
Lahti            63    2.227%

Helsinki:           411
From the 2829 IP addresses in Finland I did a quick statistical analysis of the whois and DNS data and found:

most of the IPs are end-customers with ADSL or GPRS connections from Sonera, DNA, Nebula, local telephone companies, etc.
59 whois records that look like companies
37 DNS records that look like companies
...some small, some bigger, some of them even "security" companies, and some in
public services and even government use...
RSA -> Lockheed Martin
  RSA was hacked, allegedly in order to get into Lockheed Martin
Twitter
  Twitter was hacked using recent Java-vulnerabilities
Facebook
  Facebook was hacked using recent Java-vulnerabilities through a third-party site iphonedevsdk.com
Microsoft
  Microsoft was hacked using recent Java-vulnerabilities through a third-party site iphonedevsdk.com
Apple
  Apple was hacked using recent Java-vulnerabilities through a third-party site iphonedevsdk.com
US National Vulnerability Database hacked
Malware planted on 2 webservers...
Undiscovered for 2 months...

"Hacking the NVD and planting malware on the very place where we get our vulnerability information,
that is just pure evil!"
Ocean's Eleven?
Matt Honan – Senior Editor at Wired Gadget Labs
Security flaws in Apple and Amazon customer service systems led to hackers gaining control over his accounts and deleting the files on his Mac.
How?
Metasploit
Penetration testing tool.
Developed by HD Moore back in 2003.
Bought by Rapid7 in 2009.
Open-source version still available.
Social Engineer Toolkit
Great tool for performing social engineering attacks:
phishing, web attacks, malware-infected USB sticks, etc.
Developed by Dave Kennedy & Co.
Demo

Fictitious company with the following network setup:
firewall, mail server, web server, DNS server, internal Windows 7 workstation...
Conclusion
Carbon based lifeforms
Humans are the weakest link
Using age-old social frameworks in a modern connected world
Easily tricked into clicking, opening links, attachments and programs
Make errors, repeatedly

Computer software
Are programmed by humans
Have bugs
Used by humans

Hacking tools
Readily available
Easy to use
Developed by professionals

Cybercriminals
Cybercriminals
Hacktivists
Nation States & Governments
Questions?
