How I'd hack into your business and how you can stop me!
How I’d hack into your business,
and how you can stop me!
Michael McKinnon, Security Advisor
firstname.lastname@example.org | @bigmac
What are we looking at today?
What sort of
We are all
here to prosper
• Who is AVG?
• What data are you protecting in your business?
Common hack tactics
• Phishing, Wireless Networks, Website
• Malicious links, Mobile devices, Automated scans
Security, it’s a way of thinking
• Protect, Detect and Correct
• Staying in the “know” when it comes to security.
Top line statistics in Australia
• 5.4 million Australians fell victim to cyber crime
• Estimated cost to the economy $1.65 billion
• 250 Businesses surveyed found 1 in 5 were victims
• No mandatory disclosure laws means the problem
may well be much bigger
Business - How vulnerable are you?
Is your business MORE or LESS vulnerable than the
business next door?
victims were targets of opportunity
attacks were not highly difficult
took two-weeks or more to discover
Source: Verizon Data Breach Investigations Report 2012
The solutions are NOT expensive
Tonight is all about the easy wins
Motive & opportunity
The ability for anyone to attack your business is always
based on two factors:
• How much they want to (their motive)
• How easy it would be to do (their opportunity)
When your business is connected to the Internet:
• Motivations are magnified by currency exchange rates in
poorer countries – something you don‟t value is worth
• Opportunity is provided through instant electronic
connectivity anywhere in the world. Can be so tempting,
that motivation sometimes is hard to identify!
Motives - Follow the money
• Cybercriminals tend to “follow the money”
• So, the types of attack are often predictable
Credit card data
Private customer information
Refund / returns policy
• Think about the money leaving
Example – Stealing POS transaction data
• Lots of examples in the news…
Motives – Using your reputation
• When money isn‟t available, you are the stepping stone
• You could be related to the “real” target
• So, the types of attack change slightly
Installing links on your website to snare visitors
Private Customer Information
Phishing attacks using your e-mail
Passing themselves off as your business
• The damage to your reputation could last a life time
Common types of attack
How many involve the incorrect use of passwords? 5 out of 10
* Source: Verizon Data Breach Investigations Report 2012
Malware / Trojans
• Common varieties that cause general havoc
(Fake antivirus, ransomware)
• Retail / POS specific – “RAM Scrapers”
(Designed to exflitrate transaction data)
• Remote Control Trojan or Rootkit
(Designed to remain hidden for future access)
• When combined with custom written malware, this is
highly-targeted and designed to avoid detection and
remain in place for a long time.
• In 2011, Verizon reported that 81% of incidents utilised
some form of hacking.
#1. Default passwords
1. The user manual says:
“Step 1. Change the default password”
2. Far too common that these are not changed, or they‟re
changed to someone else‟s “default” password (which
is widely known)
Passwords – Back to basics!
What should we aim for in a password?
Should be easy for you to remember
Should be hard for someone else to guess (and
Can someone guess your password?
• Favourite football team?
• Pet‟s name?
• Family members?
Rank these passwords in order of strength…
Why? Anatomy of a good password
The password: aaaaaAAAAA#####43
It is 17 characters in length
Contains upper and lowercase letters
Contains the „#‟ symbol
How many combinations?
72 combinations, 17 combinations long is 72^17
That‟s 37 thousand billion billion billion combinations!
Make new passwords for different accounts you access…
Start with your “base” password (aaaaaAAAAA#####43)
“Facebook” – you could take the letters “f” and “b” from
Facebook and create a new password:
“Twitter” – you could take the letters “t” and “r” from Twitter
and create another password:
Mix it up! Be creative! And don‟t use these examples!
The golden rules of passwords
Never, never, ever give your password to someone else!
Absolute minimum of 15 characters
Use a combination of different characters
Upper and lowercase (a – z, A – Z)
At least one numeral ( 0 – 9 )
At least one symbol ( !@#$%^&*()_+= )
Password length is always better than randomness
Must be easy for you to remember
#2. Your vulnerable website
Websites are being compromised too frequently, especially:
Wordpress, Joomla and others
Is your website password also used elsewhere?
Examples of impact to your business could be:
Theft of credit card details if you have a shopping cart
Stolen credentials can be used to access other systems
Visitors to your website can be infected/snared into other scams
Your website could be implicated in spam or phishing attacks
Get your website updated or tested.
#3. Insecure wireless networks
Wireless networks are convenient
But poorly configured they represent a huge security risk!
Data packets can be “sniffed” by nearby attackers
Secure your wireless networks
Amazing how many are insecure – including my GP!
Never use “WEP”, always use “WPA” or “WPA2”
Wireless password should be very long and NOT easy to
remember (okay to write it down somewhere safe)
When using public WiFi networks, it‟s always better to use
password protected ones rather than “open” wireless
networks – easy for criminals to “sniff” the traffic
#4. Incorrect internet banking
Many businesses I speak with are using “Consumer” grade
Not secured with two-factor authentication
Sharing logins with bookkeepers etc. (no ability to separate
permissions – i.e. who can transfer money?)
General security when accessing Internet banking
SOLUTION: Talk to your bank!
Never from an unprotected computer – keyloggers etc.
Always bookmark the Bank URL with https://…
Internet banking – Two-factor authentication
Insist on “Two-factor” authentication for business Internet
banking; either a security token (preferred) or an SMS
Contact your bank ASAP if you find anything unusual
#5. Phishing, spear phishing & whaling
“Click here to see the details of your order”
–> (login page)
Sending of specially crafted e-mails to trick users into
divulging sensitive information
Does your e-mail use anti-spam to stop these?
What about the ones that it won‟t stop?
Scams – Fake Facebook emails
* Received by AVG on 7 August 2012
Social engineering – Getting you to click
Big events – London 2012 games on YouTube
Mobile security – Rogue apps
Malicious functionality can communicate with remote
servers, install additional malware, botnet functions
Trojan-infected version of „Angry Birds Space‟ appeared in
Only download from official app stores
“Microsoft” acam – How the call starts
…a Partner of Microsoft and Microsoft R&D, given information
by your ISP that you are infected…
…viruses being tracked back to your IP number…
…Microsoft had told them of the failure and that your system
was in danger of crashing…
…My ID Number is XXX. We have been notified that your
system is infected…
…have been commissioned by Microsoft to help people
remove malware from infected systems…
Mobile security - What are the risks?
Physical loss of the device, still the biggest risk
Infection from malware and possible fraud
Mobile security – Physical risks
Can you locate your lost/stolen phone?
PIN numbers and/or passwords
“Find My iPhone/iPad”
Android solutions as well
Mobile Security - Protecting Mobile Data
What data do you have on your devices?
Do an audit to find out!
Classify your data and think about the consequences
Does it need to be mobile?
Device encryption available in latest mobile devices
Mobile security - Preventing mobile malware
Use anti-malware on your mobile
Don‟t install apps from outside trusted marketplaces
When installing apps always check permissions
Never, ever hack your phone
i.e. iPhone/iPad “Jailbreak” or Android “root”
Limit/consider implications of clicking on links on a mobile
device, especially via social networking sites
Adopting a security mindset
Identify and classify your data
Top secret (if obtained could shut your business down)
Consider classifying all the data in your business into
Your strategies around protecting your information will
be much easier.
Classified (if obtained would cause embarrassment)
Unclassified (everything else, brochures, publicly
Use strong two-factor authentication whenever you can.
If you didn’t ask for it, don’t click the link. But if you
do, make sure you‟ve got software to detect and correct.
Change default passwords, and use strong and long
passwords, and separate them.
And communicate this advice to your colleagues and staff
and even customers! You‟re only as secure as your weakest
Always update your computers and mobile devices (use
auto-update where possible).
For more information please visit our website:
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.