Give Me Your Data!
Published in: Technology
Transcript

  • 1. Give Me Your Data! Pilfering Data without Breaking In Dave Chronister CISSP, MCSE, C|HFI Founder / Managing Technical Partner Parameter Security
  • 2. About Me • Security Practitioner • Ethical Hacker • Forensic Investigator • (MO PI Lic#2012039253) • Instructor • Founder Parameter Security • We Find, Not Fix Issues
  • 3. Data is not Secured
  • 4. Could I Obtain Sensitive Data? Without Breaching Any Access Controls?
  • 5. Determine Sources of Data Purchase Old Hardware Social Media Sites FTP Sites
  • 6. WARNING This is a demonstration, not an instruction manual for criminal behavior. Obfuscation of sensitive data was done by me. When possible, the data owner was notified of insecure information. The identity of the owners has been hidden to protect the Security Impaired.
  • 7. Old Hardware 1. Create Forensic Image 2. Data Carve Files 3. Profit??
  • 8. Old Hardware eBay – 2 iPhones / 9 Hard Drives; Targeted Individuals Selling Equipment (IT Employees Offloading Equipment); 2 Rounds of Purchases, 2nd Round Included Hardware Resellers; Total Cost – $50 iPhones, $120 Hard Drives
  • 9. Results: iPhones – Forensically Clean; Drives Re-Partitioned w/ Artifacts; 5 – “Floor Models” (Only OS); Hard Drives Zero’d Out; University of ######## Drive – Term Papers, Porn, and Malware; Office Equipment Service company in PA – Service Logs, Time Off Requests (counts shown on slide: 2 1 7)
  • 10. Drive 9
  • 11. Drive 9
  • 12. Drive 9
  • 13. Drive 9
  • 14. Drive 9 Purchased from Re-Seller
  • 15. Drive 9
  • 16. Drive 9
  • 17. Drive 9 • Purchased from Re-Seller • Drive was not Formatted • Partitions were not Deleted • Drive belonged to Re-Seller Owner Conclusion – Promising but could be Expensive How do you handle EoL Media??
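The three steps on slide 7 (forensic image, data carve, profit) explain why Drive 9 leaked even though its partitions were deleted: signature carving reads the raw device and never consults the partition table or filesystem, so only overwriting the data (the “Zero’d Out” drives) defeats it. The carver below is an added illustration, not code from the talk; it assumes an in-memory image and carves only JPEG and PNG by header/footer, run over a constructed image whose first sector (the partition table) has been wiped.

```python
from typing import List, Tuple

# Header/footer signatures for the two file types carved here. Real carvers
# (foremost, scalpel, photorec) ship hundreds; two are enough to show why
# deleting partitions leaves the files recoverable.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[Tuple[str, int, bytes]]:
    """Scan raw bytes for header/footer pairs and return (kind, offset, data).

    The partition table and filesystem are never consulted: the scan runs over
    the raw device, so a deleted partition or quick format changes nothing.
    Caveat: a JPEG carrying an EXIF thumbnail stops at the thumbnail's footer
    with this naive approach; production carvers parse the JPEG segments.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:          # header without footer: truncated, skip it
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])

def build_sample_image() -> bytes:
    """Constructed stand-in for a re-partitioned drive: sector 0 zeroed, file bodies intact."""
    sector0 = b"\x00" * 512                      # partition table wiped
    slack = b"\x00" * 100
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-body-constructed" + b"IEND\xae\x42\x60\x82"
    return sector0 + slack + jpeg + slack + png + slack

def zeroed(image: bytes) -> bytes:
    """What an overwritten ('Zero'd Out') drive looks like to the carver: nothing to find."""
    return b"\x00" * len(image)

if __name__ == "__main__":
    img = build_sample_image()
    for kind, offset, data in carve(img):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
    print("after zeroing:", carve(zeroed(img)))
```

Running the same carver over a drive after a verified overwrite is a cheap way to check an EoL media process before hardware leaves the building.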
  • 18. Photo Sharing Sites Photobucket Recent Uploads
  • 19. Photo Sharing Sites Recent Uploads – Open Buckets App allows phones to upload pics automatically
  • 20. Photo Sharing Sites Before you ask, yes I found that
  • 21. Photo Sharing Sites Before you ask, yes I found that
  • 22. Photo Sharing Sites Before you start browsing…warning
  • 23. Photo Sharing Sites Before you ask, yes I found that
  • 24. Photo Sharing Sites Before you ask, yes I found that
  • 25. Photo Sharing Sites Before you ask, yes I found that
  • 26. Photo Sharing Sites Before you ask, yes I found that
  • 27. Photo Sharing Sites Before you ask, yes I found that
  • 28. Photo Sharing Sites But I Also Found…
  • 29. Photo Sharing Sites Credit Cards
  • 30. Photo Sharing Sites Address Information
  • 31. Photo Sharing Sites International Cards
  • 32. Photo Sharing Sites International Cards
  • 33. Photo Sharing Sites Vendor’s Notes
  • 34. Photo Sharing Sites Checks
  • 35. Photo Sharing Sites Lots of Checks
  • 36. Photo Sharing Sites Identity
  • 37. Photo Sharing Sites Identity
  • 38. Photo Sharing Sites Family Relationships
  • 39. Photo Sharing Sites With Their Info
  • 40. Photo Sharing Sites My Favorite
  • 41. Photo Sharing Sites Target #1
  • 42. Photo Sharing Sites Target #1
  • 43. Photo Sharing Sites Target #2
  • 44. Photo Sharing Sites Target #2
  • 45. Results: Credit Card Numbers; Login Information; Social Security Numbers; Also, Personal Info and Business Trade Secrets (counts shown on slide: 10 15 30). Conclusion – Very Easy, No Cost, No way to Automate…. Yet…. Total Time Spent – Approx. 8 hours. How could you control “pix leakage?”
  • 46. FTP Sites Used Metasploit Framework – FTP Anon Scanner; Could also use Nmap
  • 47. FTP Servers Typical Finding
  • 48. FTP Servers Typical Finding
  • 49. FTP Servers Started Getting Good
  • 50. FTP Servers WTF?!?
  • 51. FTP Servers Trends Forming – Anonymous READ (banner: 220 Welcome to ASUS RT-AC66U FTP Service.) – Default config creates an external FTP Site
  • 52. FTP Servers Trends Forming
  • 53. FTP Servers What Did We Find? • Financial Information • Unencrypted Backups • Medical Records (PHI) • Intellectual Property • Passwords Galore (Including System Passwords to Global Companies) • Voter Information / Political Parties Info – In a Nutshell: Everything!
  • 54. FTP Servers ASUS Is Not Alone • At least 3 more vendors have the same issue • Currently contacting vendors • Will release when patched or after 3 months
  • 55. FTP Servers Anything Else Interesting? Read/Write Access – PCI / Safe Harbor Violations
  • 56. FTP Servers Results: • IPs Scanned – ½ Class A • Anonymous FTP Servers – 3000+ • “Legitimate” Servers – >100 Conclusion – THE Path of Least Resistance
  • 57. Questions? www.ShowMeCon.com Dave<dot>Chronister<at>ParameterSecurity<dot>com @Bagomojo