Cybersecurity Symposium

1. Privacy, the Dark Web, &
Hacker Devices
Brian Pichman
Twitter: @Bpichman

2. • 9:00
The Dark Side: Privacy, Dark Web & Hacker Devices
Brian Pichman, Director, Strategic Innovation, Evolve Program
Pichman walks through the tools that help provide anonymity and
some ways to help mitigate the ease of being tracked. He goes
beyond private VPNs and Tor Browsing to provide other tips and
tricks. He gives an overview of some of the common devices, either
hardware- or software-based, that are used by the Dark Side, and
some easy-to-use defenses that you and your users can employ to
protect yourselves from these attack vectors. Think of it as a Defense
Against the Dark Arts class! And bring your device to actually try it
out!

3. Disclaimer
• Technology is inherently neutral.
• It can be used by bad people to bad things
• It can be used by good people to do good things.
• This presentation is provided for informational and technical training
purposes only.
• It is intended to familiarize you with some of the methods, tools, and
services used to provide Internet anonymity.
• It may, at times, “pull back the veil” and offer a look at the other side
of the Internet.
• We do not encourage or support using the information presented in
this session for illegal or unethical purposes.

5. Why do People Attack?
• Financial Gain
• Stocks
• Getting Paid
• Selling of information
• Data Theft
• For a single person
• For a bundle of people
• Just Because
• Malicious

6. How to navigate and prevent wrong turns
• Who are the people we’re
trying to void?
Hacker Groups
• Lizard Squad. ...
• Anonymous. ...
• LulzSec. ...
• Syrian Electronic Army. ...
• Chaos Computer Club (CCC) ...
• Iran's Tarh Andishan. ...
• The Level Seven Crew. ...
• globalHell.

7. Tools For Anonymity
Making yourself more “invisible”

8. Onion Routing, Tor Browsing
• Technique for anonymous communication to take place over a network.
The encryption takes place at three different times:
• Entry Node
• Relay Node
• Exit Node
• Tor is made up of volunteers running relay servers. No single router knows
the entire network (only its to and from).
• Tor can bypass internet content filtering, restricted government networks
(like China) or allow people to be anonymous whistle blowers.
• Tor allows you to gain access to “.onion” websites that are not accessible
via a normal web browser.
• Communication on the Dark Web happens, via Web, Telnet, IRC, and other
means of communication being developed daily.

9. Some History
• Originally grew with help from the U.S.
Military as a way to communicate without
detection.
• In 1995 the concept of “onion routing” was
born.
• The Deep Web was coined in 2001 by
BrightPlanet which specializes in locating
content within the dark web.
• In 2004 the U.S. Naval Research Lab
released the Tor code to the public, and in
2006 it was retooled as the Tor Project.

10. Cloak of Invisibility
Anonymous Browsing tools like the Tor Project

11. Cloak of Invisibility
Top reasons why people want to hide their IP address:
1. Hide their geographical location
2. Prevent Web tracking
3. Avoid leaving a digital footprint
4. Bypass any bans or blacklisting of their IP address
5. Perform illegal acts without being detected

12. Cloak of Invisibility
How do you Hide an 800lb Gorilla?
• Use Free Wifi (To Hide your location)
• Use a Secure Web Browser
• Use a Private VPN
• Go back to Dial-up
• Setup RF Data Transfer over CB Radio
Waves
• Use Kali linux to hack someone else’s
Wifi Encryption.
• Setup long-range Wireless Antennas

13. Cloak of Invisibility
• How to hide yourself?
• Private VPN
• You want a TOTALLY anonymous service.
• Look for one that keeps no log history (Verify via reviews)
• Look at Bandwidth & Available Servers
• Recommendations:
• Private Internet Access (PIA)
• TorGuard VPN
• Pure VPN
• Opera Web Browser
• Avast AntiVirus (SecureLine)
• Worst Case: Free WIFI

14. Using a VPN Client

15. Normal Users and How They Appear:

16. VPN Protected Users

17. Cloak of Invisibility
• How Tor anonymizes – “You”.
• How VPN keeps ”You” protected.

18. Dial Up?
• Use an ISPs like NetZero that can be registered with fictitious personal
information, and to which you can connect with caller ID disabled
• Makes it a bit more difficult to identity “you”

19. Free WiFi
• Sometimes a good alternative if
you need to do something
anonymously
• Nothing is ever 100% anonymous
• Some public wifi does track
websites you access, what you
do, etc.
• Make sure your computer name
you are using doesn’t include your
actual name

20. Hacked WiFi – Cain and Abel

21. Best Tips and Practices
Do
• Use a device that you’ve never
signed into anything ”personal
on”.
• Pro Tip: buy a computer from a
Pawn Shop or Garage Sale
• If using public WiFi; don’t make
purchases with a credit card.
Don’t
• While on a VPN or any other
anonymous tool; don’t sign into
personal accounts (banks, social
media, etc).
• If posting, don’t use anything
that could be associated to you

22. Q and A

23. Tools to become a hacker
Explore tools hackers use to exploit companies and us

24. How do you Hide an 800lb Gorilla?
• TorBrowser
• Mainstream browser that helps gain
access to a private collection of
websites and servers. This runs on a
separate, “Parallel Universe” on the
Internet.
• Telnet to a BBS
• Bulletin Board Systems never died.
They just got modernized!
• Kodi
• Leverage tools for your
entertainment.

25. Tools to become a hacker
• Get a router that allows for VPN at the router
• Install a second VPN Client on the PC
• Use Tor Browser for Browsing
• Access Kodi
• Use other tools form this point
• Keeps everything anonymized

26. Tools to become a hacker
• The Basics.
• Social Engineering
• Get a Voice that’s not behind a computer.
• Write a Batch File
• Odd, but Windows still has DOS hidden underneath

27. Top Hacker Tools
• #1 Metasploit.
• #2 Nmap.
• #3 Acunetix WVS.
• #4 Wireshark.
• #5 oclHashcat. ...
• #6 Nessus Vulnerability Scanner. ...
• #7 Maltego. ...
• #8 Social-Engineer Toolkit.

29. BackTrack can get you ALOT
• BackTrack was a Linux distribution that focused on security based on
the Knoppix Linux distribution aimed at digital forensics and
penetration testing use. In March 2013, the Offensive Security team
rebuilt BackTrack around the Debian distribution and released it
under the name Kali Linux.
https://en.wikipedia.org/wiki/BackTrack

31. Attacks
• Man in the Middle
• Sitting between a conversation and either listening or altering the data as its sent
across.
• DNS Spoofing (https://null-byte.wonderhowto.com/how-to/hack-like-pro-spoof-dns-
lan-redirect-traffic-your-fake-website-0151620/) set up a fake website and let people
login to it.
• D/DoS Attack (Distributed/Denial of Service Attack)
• Directing a large amount of traffic to disrupt service to a particular box or an entire
network.
• Could be done via sending bad traffic or data
• That device can be brought down to an unrecoverable state to disrupt business
operations.
• Sniffing Attacks
• Monitoring of data and traffic to determine what people are doing.

32. More Sources
• https://www.reddit.com/r/deepweb/
• DuckDuckGo.Com doesn’t track searches
• Also lets you search of .onion sites when using TorBrowser to access.

33. Other tricks
• 10 Minute Email
• https://10minutemail.com/10MinuteMail/index.html
• Temporarily get an email box that’s anonymous and disappears after 10
minutes
• Dr Cleaner (Mac) or Eraser (Win) can overwrite files on your
computer with “blank” data to make file recovery near impossible.
• Tools like Recuva is free softwares to allow you to restore deleted files.

34. Your Library
• Administrative Accounts are easy to figure out if they
are something like “administrator” ”root” or “power
users”. At the same time, no employee should have
their account as a full admin.
• Instead, give them their own username for admin access (like
brian.admin)
• Change the default “login” pages for sites to something
that’s not www.mysitename.com/login. Bots look for
this and attack.
• My Drupal Site login page is www.evolveproject.org/catpower
• User Awareness is key to any secure organization. Teach
users how to identify potential threats and how to
respond quickly.
• Avoid shared accounts. One account should only be
used by one person.

35. You
• Sites to protect yourself all the time (not free)
• IdentiyGuard.com
• LifeLock.com
• Sites to monitor when breached data gets related (this is free)
• Haveibeenpwned.com
• Password Management Sites (like lastpass.com)
• Don’t have the same password for all your sites.
• Don’t write your passwords down on a post-it-note and leave it at your desk

37. Google Isn’t Always Your Friend

38. Dual Factor Authentication
• After logging in; verify login via Email, SMS, or an app with a code.

39. Credit Card Tools for Online Shopping
• Check out Privacy.Com
• https://privacy.com/join/4
73XB shameless plug

40. Q and A

43. • 10:00 Attacks & Responses
• Brian Pichman, Director, Strategic Innovation, Evolve Program
• Includes a look at social media privacy: how do we keep the
advantages of social media participation? What are the differences
between institutional versus personal social media practices and
privacy? Bring your own issues to share with participants and
speakers.

44. Evolution of Hacking
• Hacking has evolved because of
Social Media
• Core values haven’t changed
• But Social websites have pushed
this Hacktivism to the
mainstream.
• The news keeps covering to drive
more awareness.

45. Hacking
• With Social Media & a new found Cause, “Hacktivism”
• Born in the era of the Internet
• Rooted in Hacker Culture/Ethics with ties related to Free Speech, Human
Rights, and Freedom of Information.
• Cyber attacks ensue
• Most with a purpose
• Some for fun
• Minimal for Personal Gain

46. Digital Identity
• Everyone (institution or personal) uses Social Media to define their
online identity
• Many children actually have a digital identity before they are born
(Ultrasound pictures)
• Digital Identities are just another target for access into:
• A business / personal information
• Reputation Management

47. Basic Tips
• Accept only people you know to personal and professional accounts
• Never click on links from people you don’t know.
• Especially if they are using a url shortner: bit.ly, tinyurl.com, etc
• https://www.urlvoid.com/ - test the website to see if its safe
• https://snapito.com/ gets a screenshot of what will load on the site
• If there are people claiming to be you on social media, it’s best to get
your account “verified” on those social media platforms
• This lets users distinguish that you’re the actual official account
• Dual factor authenticate all of your social media logins

50. Myths
• I’m not worth being attacked.
• Hackers won’t guess my password.
• I have anti-virus software.
• I’ll know if I been compromised.

51. Understanding Breaches and Hacks
• A hack involves a person or group to gain authorized access to a
protected computer or network
• A breach typically indicates a release of confidential data (including
those done by accident)
• Both of these require different responses if breaches/hacks occur.

52. Examples of Hacks/Breaches
• An employee/family member allows a hacker to access their machine
through:
• Email Attachments
• Social Engineering
• Walking away from their computer unattended
• An employee/family member sends information to someone thinking
they are someone else
• “Hi, I’m the CFO assistant, he needs me to collect all the W2s”
• Or more intrusive –
• There is an attack on a database or server that then allowed a hacker in (SQL
Injection)
• There is a brute force attack or someone guessed the password on a key admin
account, on servers/networks, etc.

54. The Costs Of Breaches
• This year’s study found the average consolidated total cost of a data breach grew
from $3.8 million to $4 million. The study also reports that the average cost
incurred for each lost or stolen record containing sensitive and confidential
information increased from $154 to $158
[IBM 2016
http://www-03.ibm.com/security/data-breach/]
• Data Breached Companies Experience…
• People loose faith in your brand
• Loss in patrons
• Financial Costs
• Government Requirements,
Penalties, Fees, etc.
• Sending of Notifications
• Payment of Identity Protection or
repercussions.
https://betanews.com/2016/02/10/the-economic-cost-of-being-hacked/

55. Responses
• If someone (SPAM) constantly tags your social brand, you need to
report that account as SPAM
• Sometimes may need to submit a ticket with the social media provider
• Send out communications
• If your account gets hacked, you need to share with your users what occurred
and what you’re doing to resolve the issue.

57. cyber-insurance
• Policies can be purchased from most major insurance carriers for
between $5,000 and $10,000 per $1 million in protection.
• Policies will generally cover:
• Legal Fees
• Forensic Fees
• Costs for providing customer credit monitoring for those impacted
• Any court costs related to civil litigation and class actions.
• Some policies include access to portals/support so if and when an attack
occurs, you can get guidance and support on what to do.

59. • Evolve Project
• https://www.linkedin.com/in/bpichman
• Twitter: @bpichman
Brian Pichman
Contact