What You Don’t Know About Cybersecurity CAN Hurt You Phillip D. Shade

Upload: global-knowledge-training

Post on 27-May-2015


Category: Technology



DESCRIPTION

http://ow.ly/D1Gro The bad guys just keep getting better! No matter how much patching and tweaking we do, the bad guys' constantly changing tactics and techniques continue harming our networks, stealing and damaging data, and just generally screwing things up. What motivates someone to do such terrible things in the first place? How have these hackers changed and improved? What kinds of attacks are popular now and why? In this hour-long webinar, security expert, former hacker and Global Knowledge instructor Phillip D. Shade will provide insight into the latest hacking techniques, what the current threat landscape looks like, and suggested countermeasures to mitigate threats. He will include specific examples from the current threat landscape, including data mining, social engineering, cyber threat terminology, man-in-the-middle attacks and Denial of Service (DoS) attacks.

ABOUT THE AUTHOR

Global Knowledge instructor Phill Shade, CNX-E, CWNA, PASTech, WNAX-Forensics, is the founder of Merlion's Keep Consulting, a professional services company specializing in network and forensics analysis. An internationally recognized network security and forensics expert with more than 30 years of experience, Phillip is a member of FBI InfraGard, Computer Security Institute and the IEEE, and he is a volunteer at the Cyber Warfare Forum Initiative.

TRANSCRIPT

Page 1: What You Don't Know About Cybersecurity CAN Hurt You

What You Don’t Know About Cybersecurity

CAN Hurt You

Phillip D. Shade

Page 2: What You Don't Know About Cybersecurity CAN Hurt You

© 2014 Global Knowledge Training LLC. All rights reserved. 04/12/2023 Page 2

Phill [email protected]

Certified instructor and internationally recognized network security and forensics expert with more than 30 years of experience

US Navy Retired and the founder of Merlion’s Keep Consulting, a professional services company specializing in network and forensics analysis

A member of the Global Cyber Response Team (GCRT), FBI InfraGard, Computer Security Institute, and the IEEE and volunteer at Cyber Warfare Forum Initiative

Holds numerous certifications, including Certified Network Expert (CNX)-Ethernet, CCNA, Certified Wireless Network Administrator (CWNA), and WildPackets Certified Network Forensics Analysis Expert (WNAX)

Page 3: What You Don't Know About Cybersecurity CAN Hurt You


Thank You for Joining Us Today

Page 4: What You Don't Know About Cybersecurity CAN Hurt You

You Are Not Alone. From the Headlines…

Inquiries begin into nude celebrity photo leaks (By Associated Press)

Updated: 16:39 EST, 1 September 2014

Page 5: What You Don't Know About Cybersecurity CAN Hurt You

Today’s Agenda

1. What is a Hacker? An introduction to the dark side of the Internet

2. Meet the Hacker’s Best Friend – You: Social Engineering 101

3. Current Threat Landscape: What's old is new again; the return of some old favorites (Man-in-the-Middle, Phishing, Drive-by Downloads) and other things best forgotten

4. Cyber Survival 101: Forget preventing them; how do I best defend against and mitigate things once the damage has been done?

Page 6: What You Don't Know About Cybersecurity CAN Hurt You

Some Sobering Statistics

After several years of a decreasing number of incidents, note the increase in the number of threats facing mobile devices and cloud-based architectures and the increasing number of financial fraud reports.

Page 7: What You Don't Know About Cybersecurity CAN Hurt You


And the News Gets Even Better

Page 8: What You Don't Know About Cybersecurity CAN Hurt You


Black, White, or Grey Hat

So What Is a Hacker? There are Competing Definitions:*

Computer Programming: A software designer and programmer who builds elegant, beautiful programs and systems. A hacker can also be a programmer who hacks or reaches a goal by employing a series of modifications to exploit or extend existing code or resources.

Computer Security: A person who specializes in work with the security mechanisms for computer and network systems. It more often is used to refer to those who seek access despite them.

Other Technical Fields: A person who makes things work beyond perceived limits through their own technical skill, such as a hardware or reality hacker.

*Wikipedia: http://en.wikipedia.org/wiki/Hacker

Page 9: What You Don't Know About Cybersecurity CAN Hurt You

Then We Have the “Classic” Public Profile

>80%: Former Employee or Student / 18–35 years old / Intelligent / Creative / Loner

Highly Motivated: Economic gain / Bragging rights / Revenge / Curiosity / Pride

>60% from 5 Major Regions: China / North Korea / Russia / Eastern Europe (RU, CZ, HU, RO, TR) / South America (BR)

[Chart] Elite 1% / Professionals 9% (Financially Motivated) / Script-Kiddies a.k.a. Amateurs 90%; motivations shown: Experimentation & Bragging Rights / Personal Ideology

Page 10: What You Don't Know About Cybersecurity CAN Hurt You


Meet the Opposition

Page 11: What You Don't Know About Cybersecurity CAN Hurt You


Time to Meet the Hacker’s Best Friend: YOU

An introduction to social engineering, or how I trick you into letting me into your network

Page 12: What You Don't Know About Cybersecurity CAN Hurt You


Welcome to Social Engineering 101

Page 13: What You Don't Know About Cybersecurity CAN Hurt You


Example from the Inbox: Peter Pan

“Peter Pan” virus threatens hundreds of thousands of computers

Page 14: What You Don't Know About Cybersecurity CAN Hurt You


Just How Difficult Is It to Start?

A simple search revealed a multitude of sites willing to provide any training the user could desire.

Page 15: What You Don't Know About Cybersecurity CAN Hurt You

Case Study 1: Phishing and Spearphishing

Page 16: What You Don't Know About Cybersecurity CAN Hurt You


Which One Is Legitimate?

Page 17: What You Don't Know About Cybersecurity CAN Hurt You


Let’s Take a Closer Look

Page 18: What You Don't Know About Cybersecurity CAN Hurt You

From the Headlines: China Gmail Hack

Google executives received an email containing a PDF with an embedded link saying “Corporate Information – Google Management”. Clicking the link took them to a web page in Chinese: http://www.google.com/corporate/execs.html. The site purports to list Google’s executives, including Eric Schmidt, Sergey Brin, and Larry Page.

The site executed a “Drive-by” exploit that installed Trojan spyware on the victims’ computers. Compromised information included identities of numerous human rights activists using Gmail to evade Chinese security agencies.

Cost not publicly released, but numerous dissidents have reportedly “disappeared”.

Page 19: What You Don't Know About Cybersecurity CAN Hurt You


What They Saw

Page 20: What You Don't Know About Cybersecurity CAN Hurt You

Case Study 2: Man-in-the-Middle

Page 21: What You Don't Know About Cybersecurity CAN Hurt You

Anatomy of a Man-in-the-Middle Attack

Attacker attempts to “insert” himself or herself into a key location within the network. Favorite of industrial espionage and banking attackers. Originated within the early Ethernet community, returned with the advent of wide-spread Wi-Fi networking.

It will then launch a diversionary attack such as the classic “ARP-poison” to trick the targeted systems into accepting it as the “true” server, gateway, router, client, etc.

The targeted devices will now send their traffic to the intruder. Intruder can copy/reinsert/manipulate the traffic.

Page 22: What You Don't Know About Cybersecurity CAN Hurt You


Real World Event: Software Vendor

A major network analysis vendor had been working on a key project for two years

One week prior to product launch, a competitor suddenly trademarked the primary and secondary names for the product

Company was forced to research, develop, and produce an entirely new marketing campaign, literature, and product documentation

A forensics investigation aided by the company’s data recorders revealed that the software company had been “Man-in-the-Middle” victimized

Cost to company was in excess of $14 million (USD)

Page 23: What You Don't Know About Cybersecurity CAN Hurt You


ARP Poison in Progress

The device AmbitMic_aa:af:80 is attempting to trick the Internet gateway (Runtop_d9:0d:db) into thinking it is the client while making the client (AmbitMic_aa:af:01) think it is the Internet gateway.
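The defender's view of this capture and of the attack anatomy on slide 21, as an added example that is not part of the deck: a Python checker run over constructed ARP replies in which one device, like AmbitMic_aa:af:80 above, answers as both the gateway and the client. All MAC and IP addresses are made up.

```python
from collections import defaultdict

# Constructed ARP replies modelled on the slide's capture: the attacker
# (suffix aa:af:80) tells the client it is the gateway and tells the
# gateway it is the client. All addresses are hypothetical.
GATEWAY_MAC = "00:d0:59:d9:0d:db"
CLIENT_MAC = "00:d0:59:aa:af:01"
ATTACKER_MAC = "00:d0:59:aa:af:80"
# (sender_mac, sender_ip, target_mac, target_ip)
ARP_REPLIES = [
    (GATEWAY_MAC, "192.168.1.1", CLIENT_MAC, "192.168.1.50"),    # genuine
    (CLIENT_MAC, "192.168.1.50", GATEWAY_MAC, "192.168.1.1"),    # genuine
    (ATTACKER_MAC, "192.168.1.1", CLIENT_MAC, "192.168.1.50"),   # "I am the gateway"
    (ATTACKER_MAC, "192.168.1.50", GATEWAY_MAC, "192.168.1.1"),  # "I am the client"
]


def detect_arp_poison(replies):
    """Return (indicator, mac, detail) alerts for two signs of poisoning.

    "mac-change": an IP's advertised MAC differs from the one first
      learned, which is what the victim's ARP cache experiences. Alone it
      can be a legitimate DHCP re-assignment, so it is a weak signal.
    "multi-ip": one MAC advertising more than one IP, which a
      man-in-the-middle must do to sit between two hosts.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for sender_mac, sender_ip, _target_mac, target_ip in replies:
        known = ip_to_macs[sender_ip]
        if known and sender_mac not in known:
            alerts.append(("mac-change", sender_mac,
                           f"{sender_ip} was {sorted(known)}, reply sent to {target_ip}"))
        known.add(sender_mac)
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1:
            alerts.append(("multi-ip", sender_mac, str(sorted(mac_to_ips[sender_mac]))))
    return alerts


def suspected_poisoners(replies):
    """MACs for which both indicators fired: the strong signal."""
    by_mac = defaultdict(set)
    for indicator, mac, _detail in detect_arp_poison(replies):
        by_mac[mac].add(indicator)
    return {mac for mac, kinds in by_mac.items() if kinds == {"mac-change", "multi-ip"}}


if __name__ == "__main__":
    for alert in detect_arp_poison(ARP_REPLIES):
        print(*alert)
    print("suspected poisoners:", suspected_poisoners(ARP_REPLIES))
```

On the constructed input the third and fourth replies each raise a mac-change alert and the fourth also raises multi-ip, so only the attacker's MAC is reported as a suspected poisoner.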

Page 24: What You Don't Know About Cybersecurity CAN Hurt You

Case Study 3: Application-Based Attacks/Exploits

Page 25: What You Don't Know About Cybersecurity CAN Hurt You


Example from the Headlines

Recent revelations that the Healthcare.gov website had an ongoing hack estimated to have persisted for at least six months

Page 26: What You Don't Know About Cybersecurity CAN Hurt You


Examples of Drive-By Exploits

Page 27: What You Don't Know About Cybersecurity CAN Hurt You


What is Really Happening

How It Works:

Malicious Code Encoded:

Page 28: What You Don't Know About Cybersecurity CAN Hurt You

Password Attacks

An attacker has found a machine and now is trying to break in. An automated script is run that tries username/password combinations.

When the list of passwords comes from a list, it is called a dictionary attack. Example: Password, pa$$word, passw0rd, Spring2004, corvette, Elizabeth, etc.

When the list of passwords is generated by a program, it is called a brute force attack. It usually follows a pattern: “aaaa”, “aaab”, “aaac”. Brute force attacks across a WAN will take considerable time, because the number of combinations for even a small (five-character) password is considerable:

Just lowercase: 26^5 = 11,881,376
Upper and lowercase: 52^5 = 380,204,032
Upper, lower, and standard symbols: 70^5 = 1,680,700,000

Page 29: What You Don't Know About Cybersecurity CAN Hurt You

Simple Truth: Hackers use protocol analyzers just like we do

A simple filter for the words USER or PASS at the beginning (bytes 54–59) of a packet will often find other protocols using clear-text passwords.

Hackers observe users of these protocols and rapidly gain users’ passwords, which makes impersonating servers using these protocols much easier (i.e., Man-in-the-Middle).

The following protocols send passwords in clear-text (How many of these do you use?)

Internet: HTTP / NNTP / IRC / Yahoo / AIM / MSN / Skype Chat
File transfer: FTP / TFTP / Most Peer-to-Peer Sharing Software
Email: POP3 / IMAP / SMTP
Network Monitoring: SNMP / RMON / Telnet
VoIP: Signaling Set Up (SIP, Megaco, SCCP, H.323, and Others?)

Page 30: What You Don't Know About Cybersecurity CAN Hurt You

The 2013 Most Common Passwords Are…

United States
1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123

UK
1. 123 (3.784‰)
2. password (3.780‰)
3. liverpool (1.82‰)
4. letmein (1.76‰)
5. 123456 (1.63‰)
6. qwerty (1.41‰)
7. charlie (1.39‰)
8. monkey (1.33‰)
9. arsenal (1.11‰)
10. thomas (0.99‰)

Singapore
1. Password
2. Admin / Administrator
3. SingPass
4. Singapore
5. raffles
6. merlion
7. 123456
8. zachary
9. qwerty
10. dvork

Is yours here?

Page 31: What You Don't Know About Cybersecurity CAN Hurt You

Sample Packet Capture File

This example shows a brute-force password attack against an FTP server.
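Added example, not from the deck, covering the USER/PASS filter on slide 29 and the FTP brute-force capture on this slide: constructed Ethernet/IPv4/TCP frames are parsed in Python, credentials are picked out at the TCP payload offset (byte 54 only when there are no options, so the offset is computed from the headers), and a source issuing many PASS commands is flagged. Hosts, MACs and the legitimate password are made up; the guesses are the dictionary examples from slide 28.

```python
import struct
from collections import Counter


def build_frame(src_ip, dst_ip, sport, dport, payload, tcp_opts=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing).
    MAC addresses are hypothetical."""
    eth = bytes.fromhex("00d059aaaf01") + bytes.fromhex("00d059d90ddb") + b"\x08\x00"
    total_len = 20 + 20 + len(tcp_opts) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    data_offset = (5 + len(tcp_opts) // 4) << 4   # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, 0x18, 8192, 0, 0)
    return eth + ip + tcp + tcp_opts + payload


def tcp_payload(frame):
    """Locate the payload from IHL and the TCP data offset instead of assuming
    byte 54, so IP or TCP options do not defeat the filter (a VLAN tag would
    still shift everything by 4 bytes; untagged frames are assumed here)."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    tcp_len = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + tcp_len:]


def find_cleartext_creds(frames):
    """(src_ip, command) for every frame whose TCP payload starts with USER or PASS."""
    hits = []
    for frame in frames:
        payload = tcp_payload(frame)
        if payload[:5] in (b"USER ", b"PASS "):
            src_ip = ".".join(str(b) for b in frame[26:30])   # IPv4 source address field
            hits.append((src_ip, payload.rstrip(b"\r\n").decode("ascii", "replace")))
    return hits


def brute_force_sources(frames, threshold=5):
    """Sources sending more than `threshold` PASS commands: a scripted guessing run."""
    counts = Counter(src for src, cmd in find_cleartext_creds(frames) if cmd.startswith("PASS "))
    return {src: n for src, n in counts.items() if n > threshold}


# Constructed capture: one legitimate login, then a dictionary run with the
# slide's example passwords, each guess on a fresh connection.
GUESSES = ["Password", "pa$$word", "passw0rd", "Spring2004", "corvette", "Elizabeth"]
FRAMES = [build_frame("10.0.0.7", "10.0.0.21", 51000, 21, b"USER alice\r\n"),
          build_frame("10.0.0.7", "10.0.0.21", 51000, 21, b"PASS correct-horse\r\n"),
          build_frame("10.0.0.21", "10.0.0.7", 21, 51000, b"230 Login successful.\r\n")]
for i, guess in enumerate(GUESSES):
    # four NOP TCP options push this payload to byte 58, where a fixed "byte 54" filter misses it
    FRAMES.append(build_frame("10.0.0.99", "10.0.0.21", 40000 + i, 21, b"USER admin\r\n", b"\x01" * 4))
    FRAMES.append(build_frame("10.0.0.99", "10.0.0.21", 40000 + i, 21, f"PASS {guess}\r\n".encode()))
```

Running `find_cleartext_creds(FRAMES)` lists every clear-text USER/PASS command with its source, and `brute_force_sources(FRAMES)` singles out 10.0.0.99 with six guesses while the single legitimate login stays below the threshold.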

Page 32: What You Don't Know About Cybersecurity CAN Hurt You

Cyber Survival 101: Forget preventing them; how do I mitigate things once the damage is done?

Page 33: What You Don't Know About Cybersecurity CAN Hurt You

My Network Is Safe, Right?

I have the classic Trilogy of Defense: DMZ + Firewall + Intrusion Detection System (IDS)

Ye Olde DMZ / Ye Olde Firewall / Ye Olde IDS

We must accept a simple, unpleasant fact: If intruders want in, it is not a question of CAN they get in, it is only a question of WHEN!

Page 34: What You Don't Know About Cybersecurity CAN Hurt You

We Have to Change the Way We Think

Given the ever-increasing flood of public headlines, the traditional methods, while still useful, are insufficient to prevent successful intrusions. Attackers are always learning, and their techniques are becoming increasingly sophisticated.

True security is and always will be a “moving target” requiring constant investment. We must actively explore new techniques and methodologies to survive.

Page 35: What You Don't Know About Cybersecurity CAN Hurt You

An Unfortunate Truth: Things We Are Doing Wrong

User education and reporting is perhaps the most overlooked, yet most effective, security measure. If you know what is normal, it is much easier to recognize something “abnormal.” Teach users to report abnormalities: “If you see something strange, tell someone.”

Information sharing within the security community is the other area where we are failing; no one wants to admit they got hacked. Unfortunately this plays into the hackers’ hands.

Proactive security is another area we should be paying attention to. This technique requires in-depth knowledge of our networks and is closely related to the first point discussed under user training: If you know what is normal, it is much easier to recognize something “abnormal.”

Page 36: What You Don't Know About Cybersecurity CAN Hurt You


I’ve Been Hacked: Key Network Forensics Questions to Ask

1. What damage has been done?

2. Who was the intruder, and how did they penetrate the existing security precautions?

3. What did they do? Did the intruder leave anything, such as a new user account, a Trojan horse, or perhaps some new type of worm or bot software, behind?

4. Is there sufficient data to analyze and reproduce the attack and verify the fix will work?

Page 37: What You Don't Know About Cybersecurity CAN Hurt You

A Recent Network Forensics Example

A casino experienced an intrusion aided by social engineering in which the hacker gained a Sys Admin’s credentials.

A routine audit of the access logs showed that the user had logged into the network Friday evening and stayed in until Monday morning.

Unfortunately, the individual in question was on a cruise ship in the North Atlantic and had no Internet access.

Due to the severity of the crime, a government response team was called in to investigate.

Traditional, log-based forensics could only show the suspect logging into the system and disabling the logging function.

Fortunately, the casino had recently implemented data recorder technology that kept a continuous 90-day record of all traffic.

Network forensics evaluation of the packet captures showed the real story: after disabling logging, the suspect built multiple root-level accounts, uploaded several types of malware, and moved on to each system to repeat the process.

Page 38: What You Don't Know About Cybersecurity CAN Hurt You


A Final Example…

Page 39: What You Don't Know About Cybersecurity CAN Hurt You

Instructor Contact Information

Phill Shade: [email protected]

Merlion’s Keep Consulting: [email protected]

International: [email protected]

Page 40: What You Don't Know About Cybersecurity CAN Hurt You

Learn More

Recommended Global Knowledge Courses: Cybersecurity Foundations / CEH v8 / ECSA v8 / CASP Prep Course / Security+ Prep Course / Fundamentals of Information Systems Security

Request an On-Site Delivery: We can tailor our courses to meet your needs. We can deliver them in a private setting.

Visit Our Knowledge Center: Assessments / Blog / Case Studies / Demos / Lab Topologies / Special Reports / Twitter / Videos / Webinars / White Papers

Page 41: What You Don't Know About Cybersecurity CAN Hurt You

Questions?

Page 42: What You Don't Know About Cybersecurity CAN Hurt You

Thank You for Attending

For more information contact us at: www.globalknowledge.com | 1-800-COURSES | [email protected]