Don’t be blinded by The Light

Jason Hart CISSP CISM
SVP CRYPTOCard
E Crime Mid Year Meeting London

  1. Don’t be blinded by The Light
     Jason Hart CISSP CISM, SVP CRYPTOCard
  2. About Me
  3. Legal Disclaimer
     ALWAYS GET PERMISSION IN WRITING.
     – Performing “scans” against networked systems without permission is illegal. Password cracking too.
     – You are responsible for your own actions!
     – If you go to jail because of this material it’s not my fault, although I would appreciate it if you dropped me a postcard.
     – This presentation references tools and URLs - use them at your own risk!
  4. Accepted Security Principles
     • Confidentiality
     • Integrity
     • Availability
     • Accountability
     • Auditability
     HOW DO I ACHIEVE THIS IN A CLOUDY WORLD?
  5. Welcome to the 3rd Age of Hacking (It’s Easier)
     • 1st Age: Servers
       • Servers
       • FTP, Telnet, Mail, Web.
       • These were the things that consumed bytes from a bad guy
       • The hack left a footprint
     • 2nd Age: Browsers
       • Javascript, ActiveX, Java, Image Formats, DOMs
       • These are the things that are getting locked down
         – Slowly
         – Incompletely
     • 3rd Age: Passwords – Simplest and getting easier
       • Gaining someone's password is the skeleton key to their life and your business
       • Totally invisible – no trace
  6. Cyber Crime – Cloud Attack
     Welcome to the Future of Hacking
     • Channels: web, mail, open services
     • Targeted attacks on premium resources
     • Carpet bombing for most attacks
     • Secondary infections through controlled outposts
  7. Authentication Mechanisms
     • HTTP Authentication
       – Basic Authentication
       – Digest Authentication
     • Integrated Windows (NTLM) Authentication
     • Certificate-Based Authentication
     • Forms-based Authentication
  8. Password Surfing ☺
     "login: *" "password: *" filetype:xls
     • This returns xls files containing login names and passwords.
  9. Auto Meta Data Mining
     • Automated doc search via Google/Bing
     • Specify domains to target
     • Automated download and analysis of docs
  10. The Weapons
     Key loggers both software and hardware
     So easy
     And many more
  11. ToR
     • ToR is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet and is being used by Governments worldwide
  12. 100 Government & Embassy Passwords
     I uncovered last year on a hacking forum – reported to Hi Tech Crime Unit
  13. LIVE
     e-
  14. Next Generation Social Engineering
     • http://twitter.com/#search?q=New%20Job%20Role
     • http://twitter.com/#search?q=Hacked%20Password
  15. Simple iPhone User Attack ….
     (Diagram labels: User, www, Hacker)
  16. What is the Solution?
  17. What’s the solution
     Some options are more secure than others
     • Create a password policy
     • Improve your password security
     • Implement Two-Factor Authentication
  18. Solving the password problem
     User productivity requires simple, flexible, continuous and secure access to information
     (Diagram labels: Users and their workspaces – Internal people, Branch Offices, PDA Users, Remote Users, 3rd Party Access; Password; Your Cloud – Business processes, applications and company assets)
     Solution to password problem: Two-factor authentication – a unique identity for every user, every time they log in, using: something they know + something they have
  19. Jason Hart CISSP CISM
     Blog: www.twofactor.blogspot.com
     Jason.Hart@CRYPTOCard.com
     Thank you
