
Post on 29-Jan-2015

Slide 1

The Ultimate Defence: Think Like a Hacker

Peter Wood, Chief Executive Officer

First•Base Technologies

An Ethical Hacker’s View of Corporate Security

Slide 2 © First Base Technologies 2010

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First•Base in 1989 (one of the first ethical hacking firms)

CEO, First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’
Chair of Advisory Board at CSA UK & Ireland
Vice Chair of BCS Information Risk Management and Audit Group
Vice President UK/EU, Global Institute for Cyber Security + Research
Member of ISACA Security Advisory Group
Corporate Executive Programme Expert
Knowthenet.org.uk Expert
IISP Interviewer

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa

Slide 3

Thinking like a hacker

• Hacking is a way of thinking

“A hacker is someone who thinks outside the box. It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them.” [Bruce Schneier]

• Hacking applies to all aspects of life, not just computers

Slide 4

Traditional thinking

• Firewalls & perimeter defences

• Anti-virus

• SSL VPNs

• Desktop lock down (GPOs)

• Intrusion Detection / Prevention

• Password complexity rules

• HID (proximity) cards

• Secure server rooms

• Visitor IDs

Slide 5

Think like a hacker

Attack the building

Slide 6

Impersonating an employee

Slide 7

Cloning HID cards

http://rfidiot.org/

Slide 8

Impersonating a supplier

Slide 9

Do-it-yourself ID cards

Slide 10

Impersonate a cleaner

• No vetting
• Out-of-hours access
• Cleans the desks
• Takes out large black sacks

Slide 11

Think like a hacker

Attack the building contents

Slide 12

Data theft by keylogger

Slide 13

Data theft by USB

• USB key
• iPod
• CD
• USB hard drive

Slide 14

On-site bugging

Colour CCD camera with sound and a set of buttons to match clothing

£146.88

Slide 15

Bypass Windows security

“Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.”

Slide 16

Become Local Administrator

Ophcrack is a free Windows password cracker based on rainbow tables by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.
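An added illustration (not from the slides) of why a rainbow-table tool such as Ophcrack works against Windows password hashes: precomputation only pays off when the hash is unsalted, so the same password yields the same digest on every account and every machine, and a password that satisfies complexity rules is still found if it is in the table. SHA-256 over the UTF-16LE password stands in for the unsalted NTLM hash (an assumption made to keep the script dependency-free), and a constructed five-word list stands in for a real table.

```python
import hashlib
import os

# Constructed word list standing in for a rainbow table's precomputed
# password space (a real table covers billions of candidates via chains).
WORDLIST = ["Password1", "Summer2010!", "Welcome1", "letmein", "Qwerty123"]


def unsalted_hash(password: str) -> str:
    # Stand-in for the unsalted Windows hash: no per-user salt, so one
    # precomputed table applies to every account that uses this password.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # With a random per-user salt the digest differs per account, so an
    # attacker would need a fresh table for every salt value.
    return hashlib.sha256(salt + password.encode("utf-16-le")).hexdigest()


def build_table(words):
    # "Rainbow table" in miniature: digest -> plaintext, computed once.
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    # Recovery is a dictionary lookup, not a brute-force search.
    return table.get(digest)


def demo():
    table = build_table(WORDLIST)
    # Meets typical complexity rules (upper, lower, digit, symbol), yet is
    # in the table, so it is recovered instantly from the unsalted hash.
    cracked = lookup(table, unsalted_hash("Summer2010!"))
    # Same password, but salted: the precomputed table no longer matches.
    not_cracked = lookup(table, salted_hash("Summer2010!", os.urandom(16)))
    return cracked, not_cracked


if __name__ == "__main__":
    print(demo())  # ('Summer2010!', None)
```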

Slide 17

Think like a hacker

An alternative to attacking head office

Slide 18

Home wireless & public WiFi

• No encryption (or WEP)

• Plain text traffic (email, unencrypted sites)

• SSL VPNs

• False sense of security

Slide 19

Eavesdropping

Packet sniffing unprotected WiFi can reveal:

• logons and passwords for unencrypted sites

• all plain-text traffic (e-mails, web browsing, file transfers, etc.)

Slide 20

Active attacks

Once connected to the network an attacker can:

• conduct man-in-the-middle attacks (including SSL and TLS)

• redirect traffic

• spoof legitimate machines

• hijack PDAs, iPhones, etc

Slide 21

Think like a hacker

Let’s find the soft spots before they do!

Slide 22

Pragmatic security reviews

Slide 23

Peter Wood, Chief Executive Officer

First•Base Technologies LLP

[email protected]

Twitter: peterwoodx

Blog: fpws.blogspot.com

http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com

Need more information?