Tag: infosec

  • SC Congress – Day 1 – 3:30pm – “Keynote: How hackers operate”

    Day 1 – Tues June 11 2013:
    3:30pm – “Keynote: How hackers operate: Live demonstrations of current methods of breaching networks and stealing information”, by Derrick Webber, penetration testing and digital forensics team lead, CGI

    Derrick demonstrated some practical applications of the Social Engineering Toolkit (SET), including a credential-harvesting phishing attack that captures user logins for banking, Google and other sites. In a nutshell, here were the steps:

    1. Use SET to build a clone of a production website (the site looks identical, only it is served from a different, lookalike URL – wwwgoogle.com.cn, for example);
    2. Use SET to send a phishing email to your target, hoping that they will click the link to your clone website;
    3. The target goes to the clone website and attempts to log in. At that point the clone captures the submitted credentials and redirects the user to the legitimate website;
    4. The user then logs in to the legitimate website, usually none the wiser that they just handed their credentials to the bad guys.
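    The two tells in the steps above are the lookalike host and the fact that a SET clone posts the login form back to itself before redirecting. The following is an added example, not code from the talk or from SET: given a page URL and its HTML (from a mail gateway, a sandbox, or a manual fetch), it flags a host that imitates the brand's domain, a password form that posts anywhere other than that domain, and a password form that posts over plain HTTP. The sample pages and the `google.com` allow-list are constructed for the demo.

```python
"""Spot a credential-harvesting clone of a login page (added example, not SET code)."""
import difflib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Record every <form> action and whether the form contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}   # valueless attributes arrive as None
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_under_domain(host, legit_domain):
    """True when host is legit_domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == legit_domain or host.endswith("." + legit_domain)


def is_lookalike(host, legit_domain, threshold=0.8):
    """True when host imitates legit_domain (brand name embedded, or near-identical once
    dots and hyphens are stripped) without actually being under it."""
    if not host or is_under_domain(host, legit_domain):
        return False
    brand = legit_domain.split(".")[0]                 # "google" for google.com
    flat_host = host.lower().replace(".", "").replace("-", "")
    flat_legit = legit_domain.replace(".", "")
    if brand in flat_host:
        return True
    return difflib.SequenceMatcher(None, flat_host, flat_legit).ratio() >= threshold


def analyze_login_page(page_url, html, legit_domain):
    """Return human-readable findings; an empty list means nothing looked off."""
    page_host = urlparse(page_url).hostname or ""
    findings = []
    if is_lookalike(page_host, legit_domain):
        findings.append(f"page host {page_host} imitates {legit_domain}")
    collector = _FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])      # a relative action posts to the clone itself
        parsed = urlparse(target)
        if parsed.scheme != "https":
            findings.append(f"password form posts over {parsed.scheme} to {target}")
        if not is_under_domain(parsed.hostname or "", legit_domain):
            findings.append(f"password form posts to {parsed.hostname}, not {legit_domain}")
    return findings


# Constructed samples: a SET-style clone served from a lookalike host, and the real thing.
CLONE_URL = "http://wwwgoogle.com.cn/"
CLONE_HTML = """<html><body><form method="post" action="/">
<input name="Email"><input type="password" name="Passwd"><button>Sign in</button>
</form></body></html>"""
LEGIT_URL = "https://accounts.google.com/signin"
LEGIT_HTML = """<html><body><form method="post" action="https://accounts.google.com/signin">
<input name="Email"><input type="password" name="Passwd"><button>Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    for url, html in ((CLONE_URL, CLONE_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url, "->", analyze_login_page(url, html, "google.com") or ["no findings"])
```

Run as-is it reports three findings for the clone and none for the genuine page. The brand-in-host rule is deliberately crude: it will also fire on a legitimate third party that embeds the brand name in its hostname, so treat a hit as a lead for a human, not a verdict.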

    Derrick mentioned using the Google Hacking Database (GHDB) to identify data that Google has crawled and that would be useful in an attack. It really is unbelievable how much publicly available content is out there – and Google has done a great job of indexing it and sharing it if you know how to search for it. For example:

    • inurl:”/root/etc/passwd” intext:”home/*:” – this identifies publicly accessible copies of Unix password files;
    • filetype:ini “This is the default settings file for new PHP installations” – these exposed php.ini files contain configuration details that could help an attacker compromise a web server;
    • site*.*.*/webalizer intitle:”Usage Statistics” – exposed Webalizer reports; log files, anyone?

    Finally, Derrick demonstrated using Metasploit to build a trojan, obfuscate it, attach it to a legitimate exe file (think winword.exe, notepad.exe, etc.) and then deliver the combined file to an unsuspecting target.
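    A binary that has had a payload bolted onto it usually leaves two cheap traces: raw bytes after the end of the last section (an "overlay"), and a section that is mapped both writable and executable, which normal compiled code never needs. The following is an added example, not from the talk or from Metasploit: a stdlib-only PE section-table walker that reports both. The two "executables" are minimal PE32 images constructed in-code for the demo (headers and section table only, not loadable programs), and the appended "payload" is filler, not a real stager.

```python
"""Heuristic check for an .exe with a payload tacked on (added example, not Metasploit code)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
OPT_HEADER_SIZE = 224          # size of a PE32 optional header
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(sections, overlay=b""):
    """Build a bare PE32 image: DOS stub, PE signature, COFF + optional header, section
    table, raw section data, then any overlay. `sections` holds (name, raw_bytes, flags)."""
    headers_len = 64 + 4 + 20 + OPT_HEADER_SIZE + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    opt = b"\x0b\x01" + b"\0" * (OPT_HEADER_SIZE - 2)          # Magic = PE32, rest zeroed
    table, body, offset = b"", b"", headers_len
    for name, raw, chars in sections:
        table += struct.pack(SECTION_HDR, name, len(raw), offset, len(raw), offset, 0, 0, 0, 0, chars)
        body += raw
        offset += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body + overlay


def parse_sections(data):
    """Walk the section table and return name/raw offset/raw size/flags for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_off, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_off": raw_off, "raw_size": raw_size, "chars": chars})
    return sections


def overlay_size(data):
    """Bytes in the file beyond the end of the last section's raw data."""
    end = max((s["raw_off"] + s["raw_size"] for s in parse_sections(data)), default=0)
    return max(len(data) - end, 0)


def writable_executable_sections(data):
    """Names of sections mapped both writable and executable (normal code is read+execute only)."""
    return [s["name"] for s in parse_sections(data)
            if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE]


def assess(data):
    """Return findings for one PE image; an empty list means neither heuristic fired."""
    findings = []
    extra = overlay_size(data)
    if extra:
        findings.append(f"{extra} bytes of overlay data after the last section")
    for name in writable_executable_sections(data):
        findings.append(f"section {name} is writable and executable")
    return findings


# Constructed samples. Flags: 0x60000020 = code|exec|read, 0xC0000040 = data|read|write,
# 0xE0000020 = code|exec|read|write (the kind of section an injector or packer adds).
TEXT = (b".text", b"\xc3" * 64, 0x60000020)
DATA = (b".data", b"\x00" * 32, 0xC0000040)
CLEAN_EXE = build_sample_pe([TEXT, DATA])
PAYLOAD = b"\x90" * 16 + b"\xcc"           # filler standing in for an appended stager
BACKDOORED_EXE = build_sample_pe([TEXT, DATA, (b".mets", b"\x90" * 48, 0xE0000020)],
                                 overlay=PAYLOAD)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_EXE), ("backdoored", BACKDOORED_EXE)):
        print(label, "->", assess(image) or ["no findings"])
```

One caveat before acting on the overlay finding: an Authenticode signature also lives after the last section, and installers routinely carry their archive there, so overlay data alone is a reason to look closer (verify the signature, hash the overlay), not proof of tampering.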

    Derrick shared a great slide on preventing attackers from exfiltrating data. It suggested using proxies, blocking ports, etc. I haven’t seen the slides online yet, but if I find them, I will link to them from here.

    Overall, this was an awesome presentation!

  • SC Congress – Day 1 – 12:55pm – “Keynote: Changing landscape of risk”

    Day 1 – Tues June 11 2013:
    12:55pm – “Keynote: Changing landscape of risk”

    This presentation offered a high-level survey of the changing risk landscape. I didn’t take many notes at this session. There was plenty of good discussion, but nothing noteworthy.

  • SC Congress – Day 1 – 11:45am – “Big Data”

    Day 1 – Tues June 11 2013:
    11:45am – “Big Data”

    This presentation was a panel discussion on big data.

    I didn’t take many notes at this session. There was plenty of good discussion, but nothing noteworthy.

    One funny quote from the session: “NSA’s Prism = the best data backup program ever.”

  • SC Congress – Day 1 – 10:55am – “Information security adaptation: Survival in an evolving threat landscape”

    Day 1 – Tues June 11 2013:
    10:55am – “Information security adaptation: Survival in an evolving threat landscape”, Carl Herberger, VP of security solutions, Radware

    This presentation (I couldn’t find his exact slides, but I found an alternate copy from another location) provided a great overview of the current threat landscape. It offered great statistics on brands that have been hit by outages over the last 18 months, including Best Buy, Apple, Walmart, AT&T, KPMG and numerous other large global brands. Carl’s key message: nobody is immune.

    Carl also shared some stories pertaining to threats, including a story about Anonymous intervening in a property dispute in Philadelphia.

    Common cloud targets right now include:

    • DNS
    • ISPs
    • CDNs
    • CA/CRL (certificate authorities and their revocation-list infrastructure)

    If you look at the “security trinity” (the CIA triad):

    1. Confidentiality
    2. Integrity
    3. Availability

    Of the three, availability is the toughest to deal with right now, as it is the avenue being exploited by many attackers today.

    ddoswarriors.com (aka security.radware.com) offers some great insight and tutorials in this area.

    Carl highlighted some of the weaknesses that DoS attacks target right now, which he labelled “Gartner Sep 2012: Anti-DoS “BlindSpot””. I couldn’t find the Gartner reference online anywhere, but the slides were compelling: they mapped defensive tools (firewalls, CDNs, etc.) against the attack types vectored at each of them (vulnerability exploits, network floods, etc.). Very informative summary!

    Carl ended with a very compelling (and creative) way of viewing today’s threat landscape: the Zombie House. The house has thick concrete walls that completely envelop it in the event of a zombie attack. Carl pointed out that we wouldn’t be happy if the concrete only closed 80% of the way, as that would still leave the occupants vulnerable. Similarly, we can’t be satisfied with 80% protection from current threats; otherwise, we remain open to attack.

    Overall, this was a fantastic presentation with plenty of great material.

  • SC Congress – Day 1 – 9:50am – The Honey Stick Project

    Day 1 – Tues June 11 2013:
    9:50am – “The Honey Stick Project: Opportunistic threats and human vulnerabilities”, Scott Wright, @streetsec, security coach and consultant, Security Perspectives

    Scott’s presentation was one of my favourites at SC Congress 2013. Here’s a summary of Scott’s presentation:
    In 2011, an experiment was conducted in which “lost” smartphones were left for members of the public to pick up, in order to gather data about the human threat to the data accessible on those devices. What were the results?

    What a fantastic experiment! Scott shared some statistics from his experiment. Of all the people who “found” the phones:

    • 50% of people offered to return the phone;
    • 89% of people accessed personal data;
    • 83% of people accessed business data;

    I was interested to hear how Scott’s work was funded by Symantec. This is a great example of industry funding some great independent research.

    Scott also talked about the need to limit the collection of personal data during his research. In a project like this, the potential to capture photos, location info and behavioural information from those who took the phones could lead to embarrassing or otherwise awkward disclosures of data. Scott did a good job of avoiding the collection of personal info by stating up front which info he would and would not collect during his research.

    Scott left me with a parting thought that still resonates: “We still need more innovation in human studies. People pay attention to stories about other people.”

    And, Scott also left me wondering, “what will Scott work on next?”! I look forward to hearing about future projects.