James Crossman (http://jamescrossman.com) has led an interesting life. His discussion on security and social engineering might just blow your mind. He knows more than most people should about hacking, penetration testing and information theft.
James shares valuable stories and experiences in social engineering and how to keep your company's privacy in check.
Learn more about the awesome SchipulCon 2011 speakers here: http://www.schipulcon.com/speakers
So we'll just consider this an informal
fireside chat
and in fact that will work well too because that means that
As we go along feel free to go ahead and interrupt me if you have any questions, just stop me
And I'll try to answer them
And that way you'll go ahead and keep me from getting into long drawn-out war stories
Or any of the other things that can happen if I stay
Too wrapped up in all this on my own
Okay, Dale Carnegie once said that
Before you can speak about anything there are two things you have to establish: one is
what it is you're going to say and
secondly
why it is that you're capable of speaking on this subject
essentially establishing your credentials.
Which is why we're going to fly right to that section
So I'm going to talk about ideas. I'm not going to talk about tools
This is not a discussion about how to secure your server
to protect against the latest
WordPress attack, this is not about any specific tool. There's a piece of wisdom
I received once a long time ago that said that masters are concerned about the work and apprentices are concerned about their tools
So since someday I'd like to be a master of these things
I'm going to go ahead and stay focused on the work itself and on the ideas
The first idea that I really want to bring home is that social media is vital to profitability. I know that
I'm speaking to the choir here, but in a lot of cases there may not be
Enough information to bring back to your companies. I know a lot of other people are going to be speaking with
Charts, tables and all sorts of information to arm yourselves, so that you can go back and talk about that
But I'm going to try to focus instead on the idea of information space
That is that around each person and around each business and around each entity whether it be a corporation or anything else
there's this information space that surrounds it
And in part social media is the current tool that we use
to let us share and expose our information space to one another, so that we can work with each other.
As a result
Because we're sharing this information
We're also increasing risk to the organization, to the individual.
Lots and lots of horror stories. I won't go into a lot of them. Some of them I've lived
And I may touch on those, no war stories
But the idea that we have to share information in order to be functional as people and as businesses
But the very act of doing so increases
The innate risk that we carry, so we have to find ways to either reduce that risk
Or learn to accept it, or learn how to work within it
So knowing these things are going to help us a lot
And then finally I'm going to talk a little bit, because this is the profitability section, I'll try to speak on
Things that we can do, things that you can take away
To protect your business. Now, there's not going to be a lot of new stuff here. I want to talk if I can basically
Vigilance and education - these are your defenses.
Nothing new there. I am hoping though that with some of the ideas I want to talk about
To maybe reframe how you look at these ideas for vigilance and defense.
Now as for myself, I can speak on these things because I have a very deep and very thorough background in deception.
At 15 years old I needed money, my dad said get a job
I went to the mall. I couldn't get a job, but there was a carnival there
and I made a lot of money and I decided to stay with the carnival and
Probably should have let my parents know, but I came home about a week later, and we had a lot of fun getting back together
And I met law enforcement for the first time, who I got to work with many times later in my career
Later using the background of some of the things that I had done as a hobby when I was younger
As well as some of the things that I learned in the carnival
because the carnival was full of wonderful lessons like
I can take this guy
for over a hundred dollars if I let this little girl beat him
and give her two twenty dollars worth of stuff off my walls
Because I could get him engaged in it. One of the first things I was taught in the carnival was piss them off
Get them angry at you, and then take that anger and transfer it to those three little milk bottles that they just can't knock down
You know they wouldn't have a problem if they were just good enough, strong enough
virile enough to knock down those milk bottles
So coming back and leveraging that background, and those early lessons in deception
I went ahead and became a professional magician working in the old Playboy Club in the French Quarter
Also at 15, and I did so because I lied
I told them I was 23. I knew people would lie about 18 and 21, but I figured no one would lie about being 23
And as a result I was never asked for an ID,
I was never asked for any identification
And I got my first start working as a magician, and magic is
one definition of magic that I really enjoy is it's the
principles and
practices of deception
for the purposes of entertainment
And as it turns out, I got to leverage a lot of this background in other projects. When I started defending
Nuclear weapons facilities
I used my background in deception. If you try to do anything logical in that environment
And you break in we'll catch you because everything's a little backwards
if you've ever seen the movie Sneakers
With Robert Redford, I like to tell my clients. I'm a lot like Robert Redford with just more girth
I used to lead a team, and I used to work in the business of
Penetration assessments. That is to say that I would break into businesses at their request, and then document how we broke in
so that we could train their employees better
I did that in part over the web through applications and through internet based attacks
And I did that in part through social engineering
I would actually walk in and talk my way into my own office behind the firewall
connect and see what I could steal, or I would go through and just lie and walk through a business
and try to gain information from specific systems or targets
I know that in fact it was this background specifically that's why I'm here and getting a chance to share this with you
Apparently some of the stories I've told over beers have gotten around
My business cards say that I'm a technologist, a photographer, a naturalist and a thinker
And that's because somehow I've got to be both James Crossman
I've got to deal with all these different parts of myself, but specifically in the technologist area
This is what I can talk to. I know a lot of people here
Have known me as just a fellow geek at NetSquared, or at the geek gatherings, or have seen my photography
But my primary background has been a technologist
I actually walked into a computer store needing a job in 1981, so 30 years ago
And I've been working with computers ever since then. I started connecting people together
back in 1983 when the ARCNET chip set first came together
And I became fascinated by the fact that I could do something in this room on my computer
And you could see it on your screen over there
And a lot of what I've seen develop and a lot of the ideas I've started there
We now call social media. A lot of times it started back then beforehand
But we didn't quite use those names. I have designed secured networks for a variety of corporations
for law enforcement agencies, and even a couple of department of energy nuclear facilities
In 1996 I switched over and started working in information security specifically because those were the days when it was fun.
And it was profitable. I could walk into anyone's business
I could say let me show you something and sit down at their browser
And in a couple seconds I could say this is the root of your web server. These are all your files, watch
what happens when I change this file and
Then I could get business and it was great
but then in 2001 came the US Chinese hacking war and then later 9/11
And somewhere in the middle of this we had started a company called Bear Center
Which later became the hosting provider for FBI.gov, NASA.gov and I was the information security officer
So I went ahead and got my CISSP back in 2001
As a result of operating these type of systems, I was what's called a blue team leader
I worked on the blue team, so in war games over information security with hackers
there's usually a red team and a blue team if you're in the military
A blue team is the one the sneaker teams come after, the red teams are also called sneaker teams
So I'm used to having navy seals climbing through my ventilation duct work at my facility
Trying to break into my data center while I'm trying to catch them
Or trying to pin down where they are
It was a lot of fun
But it also gave me a chance to work with some of the best hackers in the world
When they would try to attack the systems that we hosted
So one of the things I got used to doing was throwing a computer out there that was defenseless
So they would promptly take it over and use it as a place to stage their attacks from and they put all their good
Brand new special hacking tools on it. So after a day or so of the war games, depending on how long we'd go
I'd just go and unplug it and take the computer away, and that's how I built my library of hacking tools
When I left this business, I went ahead and became a red team leader
So that's when I started working on the penetration assessment side. I started breaking into companies
over the internet
And then one day I was called and was told our social engineer wasn't there
Could I please go ahead and do a social engineering gig. It was okay if I got caught
Because in this particular case
We had failed the client a year earlier and the client had spent the entire year
practicing
Learning how to defend themselves against social engineering
So it was expected that I would get caught
by 1:30 in the afternoon, I had my own office
I had my own connection to
their network behind the firewall, and I had my own pass card to get me into the different floors of the building
so
At that point I tended to get a lot more assessments.
I was also the former chair for a while. InfraGard is a joint operation between
commercial entities and the FBI, and for a while I used to lead the incident response team
for the Houston area until the FBI decided that there was just too much liability
involved and they didn't want to be in that game anymore
Within social media I've been active since the 1980s
I met the mother of my children in the 80s online
I dated my first murderess
online in the 80s
Those two stories are actually connected, but they're not the same person. I sort of broke up with the murderess
over the phone in order to go out with the woman I later married
And then she murdered the guy she dated right after me so, that she met online
The murderess, not my ex-wife
So yeah, my ex-wife. Yes, we broke up in person
I was a CompuServe sysop in order to establish some geek cred. I don't even know if people recognize that name anymore
And I started working in the virtual teaming space in 1993 and had IBM underwrite my home laboratory for a while because I led the
virtual team of network professionals for the NPA before it died
In addition
In my personal experience, I went through Hurricane Ike in social media
And I got to hear on the radio about all these people who are alone and afraid when I finally got bored and turned on
the radio
and I didn't have that experience because I was connected with everyone else via Twitter
And a lot of people don't realize it, but the fact that Twitter's based on text messaging or SMS communications
That is much more reliable in the event of an emergency than telephones, so throughout the entire Ike incident
We were able to stay connected with who had electricity, who needed situations
I had people contacting me via Twitter to check on my neighbors who were their family, who found me via Twitter
In addition my daughter
I met her mom online. I wanted her raised to take advantage of this new social endeavor, and so in her playpen
she had a 122 key keyboard opposite her busy box
I thought it was just wonderful that when she was nine years old I found my HTML reference books in her room
Then I started finding books like Hacking Exposed, How to Hack Windows, How to Hack in Linux
Showing up in her room as well
And it led to a lot of red team vs blue team in the house
But in her case, she actually also ended up running away into Houston, fifth largest city in the United States at the time
through Twitter, Facebook and
other social media outlets people would stop her almost every day and say are you Victoria?
You should call your dad, he loves you
Then finally, and she is back. She's three years sober, and I'm going to be a grandfather soon
So this is a very happy ending, and then finally
For a while with my last company, I decided to see whether or not I could sell mattresses online via Twitter
And I was successful enough that that company, who was a mattress reseller, ended up creating an online store to capitalize on it
I'm also the guy who thinks that this is brilliant
There was a joke Facebook site not long ago that had
the storyline of someone saying, or as a screenshot of
someone's Facebook account that said I just survived my first earthquake
They're going to evacuate the building now
So this was someone that before they evacuated they had to update their Facebook
Now, for a while I was responsible for human lives as well as information security
So I think this is great. I know that the person who took this photograph told me he thought it was a joke
But, if you don't have a sign like this get one, because this is the kind of thing that people will look at
laugh at
And then if there's a fire, they'll remember it
so
Enough about me. Social Media
Let's talk about the noosphere. This is an idea that I came across in the 80s
It was originally written about by de Chardin, and he was for a long time the de facto
Patron Saint of the Internet before the Catholic church got together and found a proper Patron Saint of the internet
De Chardin was a geologist. He was a paleontologist
He was a philosopher and a Jesuit priest. A lot of his writings are still under wraps and have not been released
At one point the church decided to censor him a little further and so they said we're just going to send you away
Where you won't be a problem anymore. Go to China. You won't be a problem in China
So he was at ground zero when the Peking man was found and that continued a lot of his research, but Chardin
Thought that the noosphere was the next part of evolution, that
Planets start with the geosphere. There's a planet, a rock
After that the biosphere begins to develop around it, life develops
and then finally the noosphere - this idea that we have a
region of collective human thought
invention and
spiritual seeking, and that this forms natively
Around us as we develop, as we mature, and as we evolve and that
Chardin went ahead and predicted that this would continue to get organized and that we would be better at it
And how we shared our experiences, how we shared our thoughts
And how we shared our spiritual seeking, and if this doesn't sound like the description of what
Social media has become,
I don't know what is.
The idea of the noosphere was that it came about and it's been evolving all along with us
That would make social media just the latest tool for how we interact with the noosphere, how we are part of it
Some very interesting ideas
Similar to the noosphere is this idea of information space around it
I'll probably slip and call it infospace a few times. I try not to because that's now a company
And a commercial entity, but it's still just the idea that around all of us is this information area
Information about myself, information about my business, what it is I'm doing, my secrets, where I'm going, what business
I'm after, what I'm going to bid for this proposal
And if that information is communicated incorrectly, then I'm at risk
The other thing that we need to be aware of is that
Several years ago a document was published called The Cluetrain Manifesto
And I don't know how many of you all are familiar with it or not
It was revolutionary at the time, and I don't hear a lot talked about it much anymore
So I borrowed parts of it for this because this is the second idea to help you understand
Social Media
This is from the preamble, and it is that a powerful global conversation has begun
Through the internet people are discovering and inventing new ways
to share relevant knowledge with blinding speed. As a direct result
markets are getting smarter and
They're getting smarter faster than most companies
Now this is the area and this is the purview of social media because the first three theses
of The Cluetrain Manifesto are that markets are conversations
And conversations are how noospherical entities or people or organizations communicate
That the markets consist of human beings and not demographic sectors
That conversations among human beings sound human
They're conducted in a human voice. It's not marketing speak. It's not happy speak. It's not corporate speak
The summary of The Cluetrain Manifesto is that
Every organization has only two choices
One is either to lock yourself behind
facile corporate words and happy talk brochures
And the other is to join the conversation
Now there's going to be a lot of advice on how you can join the conversation
But if you think of the conversation as taking place where these two forces are interacting, this is not
a new technology
This is a natural evolutionary force
Driving us to interact more with each other
And it's been interesting because I've tried to carry The Cluetrain Manifesto into corporate America, into the companies that I've worked for
And it doesn't work because it is diametrically opposed to traditional marketing, market thinking
Look how many
Twitter accounts are in the names of companies
Rather than in the names of the individuals, I don't want to talk to IBM. I'd rather talk to Jeff at IBM
Even if he's a peon because chances are he knows something or he can get something done
Social Media is being rapidly adopted and there's a very real lack of understanding within our organizations about it
Some of the threats of social media - and some of these are just catch-alls
common password usage
How many people here have a Twitter account?
How many of us have Flickr or Script, how many of us use the same passwords?
That's good. It's very good. I use it because I actually have a tiered approach of passwords
Depending on the security level the password gets it, when it gets to banks or my website
Or anything like that those passwords are never shared between anything else. That keeps it simple
We love stories
We like to tell stories. We like to receive the attention that comes from stories
Your rapt attention, the fact that y'all are hanging on my every word, this is good stuff
And we like to hear stories. We tend to simplify things in our lives such as passwords. If you've looked at
HC's attack against Twitter, that entire attack went down, and I'll go into a little more depth - it went down because
Users use the same passwords within the ecosystem of the web from one social media entity to another
to another, they use the same passwords
In this case
a gmail account
Privacy and confidentiality is part of our threats. In
information security we learned that the idea of information security is
three separate items, also referred to as CIA. It is the confidentiality of the information, it is the integrity of the information, and it is the
availability of the information, and if those three things are
compromised then we have a
breach of information security. Protecting those things is important
Confidentiality of our information space is what we also consider privacy
I saw a neat poster the other day that has a picture of a person in a shower with a webcam
Pointed at it, and it says privacy helps us keep our dignity
That was rather clever, and our integrity is at risk if our privacy is compromised, if our information space is violated
But social media also lets us tell our own stories
So we get a chance to say what we do. We get to share what our
Organizations are doing better than anybody else, and these stories get to be told by people who know the stories better than anyone else
Who are uniquely qualified to tell them
I remember when internet email was a big thing, and companies fought it. What a waste of time, but we don't think of any organization
today as being very viable unless they have some sort of
internet email, any ability to communicate with other organizations - and social media is that new
ability to communicate with other organizations. A lot of companies tried to prohibit internet email when it first came out
Just like a lot of companies are trying to prohibit social media. The idea isn't
Prohibit, the idea is learn how to manage it
Then social media connects the information spaces between ourselves, our organizations, and those within our organization
Now social engineering, on the other hand, uses that same idea - social, the same need to connect with each other
But we engineer it to take advantage of people, to leverage deception and so on
to attack
One of the big
Movements in social engineering right now is this concept of spear phishing. I know a lot of you all have seen the eBay
Notices that say your password's changed
Or from PayPal, please log in and update your password, and that's a standard phishing attack
When we bought a hosting facility that was operated by a very large manufacturer here in Texas earlier
We had a problem because their facility had been designed improperly, and as a result when we bought it
There were two rival
Organized crime entities that were using it as bases to attack
phishing attacks from, and then they would raid each other servers to steal all the credit cards that the other organization had stolen
And it was a nightmare to try to solve and get through it
Another part of what's happening with social engineering is that we have this ecosystem of the web, but when the web was originally created
Trust was built into it. It was inherent in it
There's a de facto
Trust relationship between entities in the environment
Almost everything within the current ecosystem uses identity because, after all, the basic rule of security is who do you trust?
To establish who you are, almost everyone uses two things - an email address and a password
How many people have multiple email addresses they also use to manage their security?
Personally I started it to stop spam and I'm having trouble remembering sometimes so now I get two emails from everybody
The one I created just for them to manage spam and when I use my main email later
sure
I think there's I think there's value and I think there's risk. You're putting all your eggs in one basket.
So how well are you managing it, or how well are they managing your information because
You're putting the keys
Do you trust these people to the keys to your home?
Well, and there's a variety of services like it. There's even within corporations
We deal with single sign-on solutions on a regular basis. It's all about managing
Who are you? Now what is nice is it breaks down this whole idea of
Common passwords, but if I can get to it, well, now I've opened up everything
And then of course part of the current Ecosystem is all of these sites have a mechanism to allow us to remember who we are
going back to that attack by HC against Twitter
The Mechanism he used was specifically
Gmail's
I forgot my password
In that case when you said I forgot my password, when he got someone's ID and had their email
It came back and said oh, I've sent a copy of your password to
First initial blank at H blank.com so he thought oh, I wonder if he means Hotmail
And he's a Gmail user, then chances are he's abandoned his Hotmail account, and Hotmail actually purges their mail accounts on a regular basis
so he went over and registered a
Hotmail account in that guy's name, and he went and did it again, and he got the Gmail account
of this particular user emailed to his new
falsely created Hotmail account, and he started going through his Gmail and in one of the emails he found a
Thank you for signing up for our new service, your id is x your password is y
And it was the same as his Gmail
So here's another example of someone simplifying their password use, so Hacker Croll used that
To break into, to start his attack in Twitter
That's how he gained access within Twitter for those users and was able to get access to the 130 some odd
sensitive twitter.com
Documents that he was then passing around on the internet because he was angry at them
and so within an attack there tends to be
A few specific phases, the phases that I use and go through a lot
And that most people do. You can usually see a reconnaissance phase, the development of the attack, and then the actual execution of the attack
Under reconnaissance there's search engines. I don't need to tell you who's probably best for this
But there's a fascinating book out there called Google Hacking
because what this one gentleman did was he went out and discovered that you could type in that Google tends to
create error messages, and
Specifically, Google will often stumble across vulnerable systems
so he discovered that if you put in error messages that it would pop, bring up a list of
Systems that were there. In fact there are some very nice tools that, let me go ahead and say I'm targeting this domain
run every known Google attack against it
And it'll pull every one of these queries in Google targeted against that domain
So that I can see oh, they've got a vulnerable sequential, oh I can probably get in through a SQL injection attack
Because search engines are part of who manages and carries our information space today - all the information being cached,
All of our old historical records. I was very surprised when in the later years of the company after we were hosting
fbi.gov and nasa.gov
That someone found in an email that I had written to a forum where I said oh, we found a way
To manage our farms of web servers and look for evidence of compromise
By using the database of all the files that we backed up
Because some of the worms
created specific files, so I mentioned the U.S. Chinese hacking war. That's notable because
The Code Red worm actually came out of that war, and Code Red version 2 specifically
And Code Red version 2 left a specific artifact that we could then search for
And we could identify all the servers where the people who were supposed to be running them didn't patch their servers and had become compromised
This led to a write up about how we were so insecure
We were having compromised systems, but in most cases if there's a tool that looks for something
Chances are that organization doesn't have it
We were impacted less by worms, by viruses, by other attacks than almost any other
Competitor of ours because we had these tools, but also because that we became later
This evidence was used against us in an attack against our credibility and they went out and found old forum postings of mine
Social media - looking for the blogs of the people who are involved
Right now Google has talked about a
targeted series of attacks against U.S. and South Korean
senior government officials going on by China
Where they're doing specific spear phishing attacks
Because they're learning about who these people are and then they're posing as themselves, and we'll go into spear phishing in just a minute
But again the idea of
Leveraging social media outlets, blogs, and so on to find out about people because if I want to pose as your friend I need to
Know about what's going on. If I want to break into your company, I need to know something about who works there, what y'all do
especially if you're a branch office, and you have a headquarter somewhere else because
Obviously headquarters has given me the crap job of coming out to your site having to inspect your security
Did you go ahead and log on to that server please so that I know that it works?
I need to video tape it for evidence. I can take it back and show those jerks back at headquarters
type slowly
there's actually a famous attack that used that approach they whip through and
posed as a film crew
From the local university doing an expose on security and as they walk through the business
they just kept their cameras on and they'd sweep over desks and
Then later go back frame by frame and look for papers left on the desks and then
videotape that. They'd ask people to log in the systems for
them while they videotape them
Then you need to develop the attack
People are always the weakest link within an organization. I can build a technical control that will stop everybody who tries this approach
None of those things will help if someone will open the door for me
When I did social engineering Penetration assessments part of our rules of engagement were I won't pick a lock
If a door is locked, I won't go through it
unless I can have someone open it for me
Or have them open it for themselves walk off
And then I'll just stick my foot in the door wait till they leave the area and then I'll walk through it
I usually will build a profile of anyone that I'm going to target
I need to know who they are, I need to know what their roles are within the organization
What email addresses do they use, where are they coming from, what city and state do they live in?
Where else do they tend to travel and work from?
What are their interests?
After all
You know that guy that you've been arguing with online for the past year in that other forum?
It's me
I'm that guy, remember when I said this? See, now you know it's me
So finally you go out and you actually execute the attack against the organization, or against the individual
Spear phishing - I already mentioned the use from China
against Gmail accounts for the U.S. and South Korean officials
This is a fairly recent development, but it's not uncommon
Once they can get this information, see phishing didn't work as a broadband attack because it became spam
All of us know, I hope, that if you get an email
From PayPal saying would you please log in and take a look at this?
You know not to
But there was a compromise recently
again by a Chinese hacker against a
member of the Defense department
And in this case it was an email saying hey, Bob
How was fishing last weekend? By the way
Here's a list of all the spare military surplus stuff that we're looking for, do you have any of this that we can buy?
And it had a spreadsheet attached, so Bob went ahead and clicked on the spreadsheet
Spreadsheet launched a macro, he executed the macro, the macro compromised the system, and they were in
That's spear phishing because it was targeted against a specific
Individual and one email was sent to that one individual, unlike a traditional phishing attack
There was no spam filter, there was nothing that raised everyone's awareness that this particular attack was going on
This wasn't a broad let me see how many credit cards I could get. This was a specific I know this person
I know what they like. I know what they do. I know who they are online
I'm going to go ahead and see what I can get out of them
Of course I also like phone calls
one
One of my
Favorite best most successful, whatever word would apply the best attack I used against a different bank was
Part of the target list I received were, these are all of our top tellers
Go ahead, see who you can get information from
So these are the people with the most seniority, these are people with the most training
And I figured these are people that were the problem, the people that would probably work the hardest
So I called them
Hi, my name is
Whatever, Paul Alexander
And I'm from the Cross Mage human resources consulting group and
we were contacted by the bank to see whether or not we would conduct a
Survey to see whether or not there's interest in a flex time
Approach, and I found this great flex time survey - it asked all sorts of questions like did you take any time off this past year
because of burnout?
what do you think of your commute every day? Do you like traffic?
And there were these great conversation starters in these questions, and I'd sit there for 30 minutes with each person and go through this survey
And then when I was done, I'd say you know here at Cross Mage human resources, we
We believe that security is important, and we want to protect your privacy
So if we want to talk to you about this later
Could we get an ID and a password that we could use so that we could verify it's you before we talk about these
things?
Now I had an 80% result
From that survey eighty percent of those tellers when I sat back down and got into an internal system
I could use that ID and that password and I had full access to the system
Now this is nothing new. Mitnick used this attack years ago. In fact, that's where I originally read about it. He went dumpster diving
Pulled up a corporate phone list that had home addresses on it. So he sent out cards and said Hi
You have won this wonderful vacation
Please send an ID and a password and your information so that we can make sure it's you
And that's how he got in
I don't know
His technical skills weren't great, but he was a brilliant, brilliant
social engineer
Kevin Mitnick was, or is.
Oddly enough he also had a background in magic and being a magician
we talked about targeted emails
And the value there because they're not broadband. They're not going out to multiple people
There's no chance of them triggering a spam filter or anything like that
I would also make friends
I can't tell you how many times I'd go through a
Debriefing after a successful attack against an organization, and I would hear things like but he was so polite
He was so nice
And in fact, it was funny
There was a university where that was IT's response - they said when have we ever hired polite and nice people?
That should have been the very first thing that tipped you off
So I would make friends in companies
If I had to break into a company right now with no warning or anything else
I'm going to go see if I can get to one of the restrooms on one of their floors
I'm gonna go sit in a stall and I'm going to wait
until someone else comes in
Then I'm going to time leaving the stall at the same time so that we're washing our hands next to each other and start talking
About the game last night
We'll just chat each other up and make new friends
so we walk down the hallway, and I'll see whether or not he opens the door for me
A lot of times he will
if not, I
walk past the door
I let him go in and then I run back and stick my foot in the door, and wait till he leaves
It was actually funny. I had a client send me a video of me actually doing that
That they found
months after the assessment where they were going through their footage in one of the hallway video cameras
And there's me walking past the guy as he goes in the secure door, and then there's me running back after the doors. It's shutting
Sliding in to get my foot in right before it closed
Spear phishing
always comes from a trusted source
The attack against the Department of Defense
individual worked because his job specifically was
working with surplus within the Defense Department and moving it out of the company, so it was a
perfectly
normal trusted communication that someone say this is what we want to buy, any tanks for sale?
It'll come from family, it'll come from a co-worker, it'll come from friends
I don't know if any of y'all have received an email
This is not spear phishing, because it tends to be broad-spectrum, but have any of you received the email that says Hi
I'm your friend, family member, or co-worker and
I'm stuck out of the country. I just got robbed. I don't have my passport. Can you please wire me some money?
Yeah
Yeah, so
If you are an organization and you've got sensitive data, that attack works just fine. In fact, if you disguise it a little bit
So you actually use proper English, don't sound Nigerian, you know, it has a much higher success rate
Spear phishing tends to directly ask you questions. It'll ask you to either send information
It'll ask you to click on the link, it'll ask you to check out Hey, is this you in this video?
So let's talk about your businesses
Policies are a
Natural evil, and I spent a lot of my time writing policies for businesses now. I do a lot of ISO 27000 consulting
So, there's really only three options for businesses today.
We can either deny everything, sorry you're not allowed to use any social media outlet whatsoever
This doesn't work, and it doesn't make sense because that first premise - social media is vital to your business
We can allow everything, allow everyone to do anything they want to online. That tends to not work either because of
If everybody loses a half hour per day
People actually can keep track of that, tell you exactly how much that costs
I had an employee
Who left actually on time from work from one company, and I was called in to explain that either
I was not making them clean their desk
Or I was allowing them to stop working five minutes early to clean their desks before they left
It was the only way they could leave on time and, what it would cost if everybody in the company
left early, five minutes, stopped working early to clean their desks. So trust me, people can calculate this
Or you can allow it and monitor the access
And see what they do and give them guidance, give them education
You can keep track of your own information space. What do you keep in your conference rooms?
I love conference rooms, if I break into a company, I'm looking for your conference room
Why? Because it's where strangers go and look like they belong
I've been known to take out my little Elf camera
Take pictures of things in the conference room
and then when someone walks in, hold it against my ear like it's a cell phone and
Yell at the person that I'm on a private call, get the hell out. And that won't work anywhere else
but a conference room. And people leave things in conference rooms - there are network jacks in conference rooms,
There are corporate directories in conference rooms. What do you leave there?
Yes, it is
What do you keep on the website?
I actually had a college that I, or university that I penetrated, and
I had one very sharp individual call human resources and report me
did not trust me at all, no matter how charming I was
Because they actually had all their new hire paperwork online
I had actually had it all printed out, and so I was able to prove to HR - Look, I mean
I'm a new employee. Here's all my paperwork. I meant to bring this to you. By the way
I need to install a new virus update on your computer while I'm here. Can I do that?
The planning and event time frames. This is, the idea here is
When you say I'm going on a trip, when do you say that? Do you say that weeks in advance so that people know you're gone?
I like to say that, the last day of my trip, say I'm coming home
Security
Is essentially the people, the processes, and the technology. I'm trying to get through the rest of this. The idea of
Security is that we're free from danger
Who do you trust - we've already talked about that
Bring your own devices
This is a big thing in
The industry right now. This is where
People want to use their own new latest generation phone, their latest tablet, and so on to work within the system
And it's usually driven by management
So when we do this, if we're going to work on these policies we need to be able to retain the right
To seize this equipment if there's ever a lawsuit or legal action, and then give it to them. Consider creating a corporate app store for them
I'm working backwards
Let's talk about advanced persistent threats for just a moment
All Detection systems work if there are x number of events over y amount of time, I can detect you
If you're a government entity or an organized crime
group, then chances are you've got the time and the ability to go very slow
And be hard to detect
There's a thesis out by a group in Australia that says that if you manage any kind of natural resource
Oil, gas, water, anything, then odds are you are already the target of an advanced persistent threat
Best practices - I talked about ISO 27000
This is actual best practice
That you can use in your organization. It's been tried, it's true. It works, there are free government resources
Check NIST
Great resource. If anyone's interested in ISO 27000, it's 300 Swiss dollars if you want to buy it
From them, or if you want a different title page
you can get it for thirty bucks from
From another group that I can tell you later
The defense - I already covered this. It's education. It's vigilance
the takeaways
Never give your credentials to anyone. Don't send them an email, don't give them to someone else, don't let someone
Kind and charming borrow your access card for just a few minutes
Don't access sensitive information from an unmanaged system, should be an unpatched PC, or another server
Keep your tools up to date. It could be your software, could be a website, could be a skill set
Have processes in place for the execution
Of data. If I want you to, if I want a friend of mine to click on an ecard
My friends usually know or I will tell them hey I sent you an ecard. I'll send them a text
I'll send them something else to say that it's done
Use different passwords or email identities. Check your privacy settings and your tools. I'm rushing through this because they're saying stop back there
Check where you send information
No, we recovered that. Think before you post, and again, what stories do you tell? Think about that when you live online
And when in doubt, change your password
Thank y'all very much