
The Hacker's Guide to NOT Getting Hacked


This is a light talk I did for CryptoAUS event.
See the bonus material: http://goo.gl/BSZ4mN



  1. The Hacker’s Guide to NOT Getting Hacked (Jakub Kaluzny)
  2. About Me
     ▪ Sucked at games, started hacking
     ▪ Maths & Algo background
     ▪ Dev at European Space Agency
     ▪ Security Consultant in EU and AU
     ▪ Sometimes I have interesting projects:
       ▪ Printers, ATMs
       ▪ FOREX trading software
       ▪ Online banking systems
       ▪ Voice biometrics
     ▪ Published research at BlackHat, HackInTheBox, OWASP AppSec, Zeronights, AusCERT, BSides
  3. Threat Modelling
     Attack surface – WHERE:   Using phone in cafes
     Threat modelling – WHAT:  Phone theft
     Threat actors – WHO:      Opportunistic pickpocket
     Attack vectors – HOW:     Pick it up when you go to the toilet
     MITIGATION:               KEEP THE PHONE WITH YOU
  4. Your assets
     ▪ Devices:
       ▪ Phone
       ▪ Computer
       ▪ IoT
       ▪ Home router
     ▪ Accounts:
       ▪ SIM card
       ▪ Mail
       ▪ Social Media
       ▪ Bank
     ▪ Finances:
       ▪ Bank
       ▪ Paypal / similar
       ▪ SIM credit line
       ▪ Amazon/Uber/Netflix/any service
     ▪ Information / Identity:
       ▪ Documents, scans
       ▪ Private data / nudes
  5. Most threats are OPPORTUNISTIC
  6. Level of paranoia
     99% people
     ▪ Log in to their bank account on a public computer
     ▪ Have one password
     ▪ Travel to China, use public wi-fi
     ▪ Leave phone & wallet on the beach, enjoy a swim
     Security conscious
     ▪ Log in to their bank only on phone / their own computer
     ▪ Use password manager
     ▪ Keep their phone with them all the time
     ▪ Take only one card and use a phone cheap enough to not cry when you lose it
     Security paranoid
     ▪ Use 2-FA, distribute money between multiple accounts
     ▪ Use 30-char passwords
     ▪ Take a burner phone, destroy it afterwards
     ▪ Don’t go further than 5 seconds from the bag
  7. Your assets (the list from slide 4 again, with one addition)
     ▪ Devices, Accounts, Finances, Information / Identity: as on slide 4
     ▪ OTHER:
       ▪ Your brain
  8-20. General scams/hacks (slides 8 to 20 all carry the same list; each slide illustrates one entry)
     ▪ Buying crypto wallets on eBay
     ▪ SMS, phone call
     ▪ Fake anti-virus scam
     ▪ Fake ads on ATM
     ▪ Gumtree
     ▪ Fake hacked webcam
     ▪ Fake FB/Tinder nudes
     ▪ Premium line call back
     ▪ Facebook - friends asking for money
     ▪ eBay hijacked accounts
     ▪ FBI / police locking your computer
     ▪ “Top Google ad” scam
     ▪ Lost phone scam - check location (added on slides 14 and 20)
  21. PHONE threats
  22. PHONE threats
     ▪ THROW AWAY OLD PHONES
     ▪ DO NOT GIVE IT TO YOUR GRANDMA
  23. PHONE threats
  24. PHONE threats
     ▪ NEVER INSTALL APPS FROM UNKNOWN SOURCES
  25. PHONE threats
     ▪ If you do, check the permissions
  26. Malware sources
  27. PHONE threats
     ▪ DO NOT CONNECT TO PUBLIC WIFIS
  28. PHONE threats
     This is NOT a Tesla hack:
     ▪ Tricked Android 4.4 user to connect to fake McD Wi-Fi
     ▪ Redirected him to a fake website
     ▪ Tricked him into installing malicious app from unknown sources
     ▪ The app used a public exploit toolbox (Kingroot) to root Android 4.4 device
  29. PHONE threats
     ▪ USE VPN
  30. PHONE threats
     ▪ Enable backups
     ▪ Enable screenlock!
     ▪ Enable encryption!!
  31. COMPUTER threats (“My other computer is your computer”)
  32. COMPUTER threats
     ▪ Keep it up-to-date
     ▪ Use AV
  33. COMPUTER threats
     ▪ Never install dodgy programs
     ▪ If unsure, use VirusTotal.com
  34. COMPUTER threats
     ▪ Don’t connect to public Wi-Fis
     ▪ Never ignore security warnings
     ▪ Use VPN
  35. COMPUTER threats
     ▪ Have backups
     ▪ Use full-disk encryption
     ▪ Lock workstation
     ▪ Have a strong password
  36. COMPUTER threats
     ▪ Never plug in dodgy USB sticks
  37. IoT THREATS (“Why would anyone need a smart…”)
  38. IoT threats
     ▪ Just don’t
  39. ROUTER threats
     ▪ Keep it up-to-date
     ▪ Choose WPA2 for Wi-Fi security
     ▪ Don’t share passwords
  40. ACCOUNTS THREATS
     “Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life” – @thegrugq
  41. ACCOUNTS threats
     ▪ Make a list of all your important accounts
     ▪ USE A PASSWORD MANAGER
     The top 10 passwords on the 2017 list:
     1. 123456 (Unchanged)
     2. Password (Unchanged)
     3. 12345678 (Up 1)
     4. qwerty (Up 2)
     5. 12345 (Down 2)
     6. 123456789 (New)
     7. letmein (New)
     8. 1234567 (Unchanged)
     9. football (Down 4)
     10. iloveyou (New)
  42. ACCOUNTS threats
  43. ACCOUNTS threats
     ▪ Do not reuse passwords
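Slides 41 and 43 give three rules: no password from the top-10 list, a long password, and no reuse across accounts. The script below is an added example (not from the talk or its author) that runs those rules over a password-manager export. The vault entries, the account names and the 16-character floor are constructed for the demonstration; the top-10 list is the one quoted on slide 41.

```python
import secrets
import string
from collections import defaultdict

# The top-10 list exactly as quoted on slide 41 (the 2017 list), lowercased.
TOP10_2017 = {"123456", "password", "12345678", "qwerty", "12345",
              "123456789", "letmein", "1234567", "football", "iloveyou"}

# Assumed threshold for this example: slide 6 mentions 30-char passwords for the
# "paranoid" tier; 16 is used here as the floor for manager-generated passwords.
MIN_LENGTH = 16


def audit_vault(entries):
    """entries: iterable of (account, password) pairs as exported from a password manager.

    Returns a sorted list of (account, finding) tuples covering the three slide rules:
    no top-10 passwords, no short passwords, no reuse across accounts."""
    findings = []
    accounts_by_password = defaultdict(list)
    for account, password in entries:
        accounts_by_password[password].append(account)
        if password.lower() in TOP10_2017:
            findings.append((account, "on the top-10 list"))
        if len(password) < MIN_LENGTH:
            findings.append((account, f"shorter than {MIN_LENGTH} characters"))
    # Reuse is only visible once all entries have been grouped by password.
    for password, accounts in accounts_by_password.items():
        if len(accounts) > 1:
            shared = ", ".join(sorted(accounts))
            for account in accounts:
                findings.append((account, f"reused across {shared}"))
    return sorted(findings)


def generate_password(length=MIN_LENGTH):
    """Replacement password from the OS CSPRNG, which is what a password manager does."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample vault for the demonstration (account names are placeholders).
SAMPLE_VAULT = [
    ("mail", "Football"),
    ("bank", "Football"),
    ("shop", "correct-horse-battery-staple-2017"),
    ("forum", "letmein"),
]

if __name__ == "__main__":
    for account, finding in audit_vault(SAMPLE_VAULT):
        print(f"{account:6} {finding}")
    print("example replacement:", generate_password())
```

The sample vault yields eight findings: "mail" and "bank" share a top-10 password that is also too short, and "forum" uses another top-10 entry; "shop" passes all three rules.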
  44. ACCOUNTS threats
     ▪ USE 2-FA
  45. ACCOUNTS threats
     ▪ USE 2-FA
  46. ACCOUNTS threats: how each 2-FA method holds up against each threat
     | Threat                 | Hardware token | SMS  | Push      | U2F       | Biometrics | No 2-FA  |
     | Password guess / theft | OK             | OK   | OK        | OK        | OK         | NO       |
     | Phishing               | ~NO            | ~NO  | OK        | ~OK       | ~OK        | NO       |
     | PC Malware             | NO             | ~OK  | ~OK       | ~NO       | ~NO        | NO       |
     | Phone Malware          | OK             | NO   | ~NO       | OK        | ~NO        | NO       |
     | SIM hijacking          | OK             | NO   | ~OK       | OK        | ~OK        | OK       |
     | Overall                | OK             | GOOD | VERY GOOD | VERY GOOD | ~OK        | NOT GOOD |
  47. ACCOUNTS threats
     ▪ For financial accounts: device with a screen - mobile push notifications (very good) or SMS (good)
     ▪ For all other: U2F (very good), SMS (good)
  48. ACCOUNTS threats
     ▪ If you are redirected to log in screen, check domain
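Slide 48 says to check the domain when a redirect lands you on a login screen; slide 34 adds "never ignore security warnings". The following added example (not code from the talk) shows why "does the bank's name appear in the URL" is not the right check: it compares the host the browser actually connects to against the expected domain and requires HTTPS. `bank.example` and `attacker.example` are placeholder domains, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Placeholder for the domain you actually bank with; substitute your own.
EXPECTED_DOMAIN = "bank.example"


def login_host(url):
    """The host the browser will really connect to (what the address bar shows), lowercased."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_expected_login(url, expected=EXPECTED_DOMAIN):
    """True only for HTTPS on the expected domain or one of its subdomains."""
    parts = urlsplit(url)
    host = login_host(url)
    if parts.scheme != "https" or not host:
        return False
    return host == expected or host.endswith("." + expected)


def naive_check(url, expected=EXPECTED_DOMAIN):
    """The eyeball test: does the bank's name appear somewhere in the URL?"""
    return expected in url.lower()


# Constructed sample of redirect targets; only the first one is genuine.
SAMPLE_URLS = [
    "https://login.bank.example/auth",               # real subdomain over HTTPS
    "http://bank.example/login",                     # right host, plain HTTP
    "https://bank.example.attacker.example/login",   # bank name as a subdomain of another host
    "https://bank.example@attacker.example/login",   # bank name in the userinfo part
    "https://attacker.example/bank.example/login",   # bank name in the path
    "https://bank-example.example/login",            # lookalike spelling
]


def classify(urls=SAMPLE_URLS):
    """Map each URL to (naive verdict, strict verdict) so the two checks can be compared."""
    return {url: (naive_check(url), is_expected_login(url)) for url in urls}


if __name__ == "__main__":
    for url, (naive, strict) in classify().items():
        print(f"naive={naive!s:5} strict={strict!s:5} host={login_host(url):30} {url}")
```

The naive substring test passes five of the six URLs; the host comparison passes only the first. The userinfo case is the one worth remembering: everything before `@` is not the host, whatever it looks like.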
  49. ACCOUNTS threats
     ▪ Hack yourself: regularly go through forgotten password functionality
  50. SIM card (“The system is as weak as its weakest link”)
  51. SIM card threats
     ▪ Set additional security features
     ▪ Do not use and disable insecure features – sending and receiving messages via web
     ▪ Understand that sender (and caller) ID may be spoofed
  52. SIM card threats
     ▪ Set SIM card PIN (stolen phone)
     ▪ Enable limits
     ▪ Disable premium services
  53. MAIL threats (“With great power comes great responsibility”)
  54. MAIL threats
     ▪ Usually e-mail access is enough to recover passwords to other services
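Slides 49, 50 and 54 make one point between them: walk through every "forgot password" flow you own, because the account that can reset the others is the weakest link, and that is usually e-mail or the SIM behind its SMS code. The added example below (not from the talk) models those recovery paths as a graph and computes, for each asset, everything that falls with it. The accounts and their recovery channels are a constructed sample, not anyone's real setup.

```python
from collections import deque

# Constructed sample: for each account, the channels whose compromise ALONE lets
# someone walk through "forgot password" and take that account over.
RECOVERY_PATHS = {
    "sim":    [],                 # only the carrier can reissue it
    "mail":   ["sim"],            # reset code arrives by SMS
    "social": ["mail"],
    "shop":   ["mail"],
    "bank":   ["mail"],           # reset link by e-mail, nothing else asked
    "paypal": ["mail", "sim"],    # either channel resets it
}


def resets_from(paths):
    """Invert the map: channel -> accounts that channel can reset."""
    resets = {}
    for account, channels in paths.items():
        for channel in channels:
            resets.setdefault(channel, []).append(account)
    return resets


def reachable_from(start, paths=RECOVERY_PATHS):
    """Every account that falls, directly or transitively, once `start` is compromised."""
    resets = resets_from(paths)
    fallen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for account in resets.get(node, []):
            if account not in fallen:
                fallen.add(account)
                queue.append(account)
    return fallen


def blast_radius(paths=RECOVERY_PATHS):
    """Assets ranked by how much else their compromise exposes; the top entry is the weakest link."""
    return sorted(((len(reachable_from(asset, paths)), asset) for asset in paths), reverse=True)


# Hardened variant: mail recovery no longer goes through SMS (for example, a
# hardware key is required), so the SIM stops being a path into everything else.
HARDENED_PATHS = dict(RECOVERY_PATHS, mail=[])

if __name__ == "__main__":
    for label, paths in (("current", RECOVERY_PATHS), ("hardened", HARDENED_PATHS)):
        print(label)
        for count, asset in blast_radius(paths):
            print(f"  {asset:7} exposes {count}: {sorted(reachable_from(asset, paths))}")
```

In the sample, losing the SIM exposes five accounts and losing the mailbox four; removing the single SMS edge into mail drops the SIM's reach to one account. The ranking is what to review after each pass through the recovery flows.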
  55. Mail threats
  56. Mail threats
     ▪ Confirm actions via second channel
  57. Social media threats
     ▪ Don’t allow dodgy games / apps access your data
     ▪ Don’t publish pictures of your credit card
     ▪ Don’t trust strangers
  58. Bank account threats: ALWAYS CHECK AMOUNT AND BENEFICIARY NUMBER
  59. Bank account threats
     ▪ Enable alerts
     ▪ Check balance regularly
     ▪ Check access via other channels
     ▪ Keep bigger money on a separate account
  60. Bank account threats
     ▪ Set limits – for transactions, credit card, mobile payments
     ▪ Change credit card regularly
     ▪ Prefer to pay in cash, especially overseas
     ▪ Never let the waitress go away with your card
  61. Bank account threats
     ▪ Online shopping: use a separate card – a pre-paid with limits
     ▪ There is chargeback
     ▪ Pay via trusted gateways – e.g. paypal, rather than directly
     ▪ Do not enter your banking password on any website (POLi, Trustly) other than the bank itself
  62. Bank account threats
     ▪ Consider 3rd parties for alerting and monitoring… Nah
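Slides 58 to 60 combine into a small rule set: a per-transaction limit, a daily limit, an alert on every payment to a beneficiary you have not paid before, and confirmation on a second channel. The added example below (not from the talk) runs those rules over one day's payments the way a bank's own alerting would. The limit values, the beneficiary numbers and the transactions are all constructed placeholders.

```python
# Constructed limits in the spirit of slide 60, and the beneficiaries already
# paid before (placeholder account numbers) for the slide 58 check.
LIMITS = {"per_transaction": 500.0, "per_day": 1000.0}
KNOWN_BENEFICIARIES = {"AU-000-111", "AU-000-222"}

# Constructed sample of one day's outgoing payments: (id, beneficiary, amount, channel)
TRANSACTIONS = [
    ("t1", "AU-000-111", 120.0, "card"),
    ("t2", "AU-999-777", 450.0, "transfer"),  # beneficiary never paid before
    ("t3", "AU-000-222", 600.0, "transfer"),  # above the per-transaction limit
    ("t4", "AU-000-111", 480.0, "mobile"),    # would push the day over its limit
]


def check_transactions(txns, limits=LIMITS, known=KNOWN_BENEFICIARIES):
    """Run the slide's rules over a day's payments.

    Returns (alerts, spent_today): alerts is a list of (txn id, message);
    payments that are blocked do not count toward the daily total."""
    alerts = []
    spent_today = 0.0
    for tid, beneficiary, amount, channel in txns:
        # Slide 58 / 56: a beneficiary you have never paid gets flagged and confirmed elsewhere.
        if beneficiary not in known:
            alerts.append((tid, f"new beneficiary {beneficiary} via {channel}: confirm on a second channel"))
        # Slide 60: hard per-transaction cap.
        if amount > limits["per_transaction"]:
            alerts.append((tid, f"blocked: {amount:.2f} exceeds per-transaction limit {limits['per_transaction']:.2f}"))
            continue
        # Slide 60: daily cap, checked before the amount is counted.
        if spent_today + amount > limits["per_day"]:
            alerts.append((tid, f"blocked: daily limit {limits['per_day']:.2f} would be exceeded"))
            continue
        spent_today += amount
    return alerts, spent_today


if __name__ == "__main__":
    alerts, total = check_transactions(TRANSACTIONS)
    for tid, message in alerts:
        print(f"{tid}: {message}")
    print(f"allowed today: {total:.2f}")
```

On the sample day, t1 goes through silently, t2 is allowed but raises the new-beneficiary alert, t3 is blocked by the per-transaction cap, and t4 is blocked because it would take the day past its limit; 570.00 is spent in total.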
  63. Other services threats
     ▪ Netflix / Amazon / Uber etc. – keep track of those
     ▪ Change cards regularly
  64. Identity threats
     ▪ Watermark scans
     ▪ Upload via webform, do not send via e-mail
     ▪ Paranoid: change ID regularly
  65. Identity threats
     ▪ Do not keep scans, sensitive documents, nudes etc. online
     ▪ Encrypt them
  66. Travel security (“Travel safe AND secure”)
  67. Travel security
     ▪ Do not use public chargers
     ▪ Consider a polarizing screen
     ▪ Cover your keyboard when typing passwords
  68. Summary
     ▪ Define attack surface
     ▪ Model threats
     ▪ Define level of paranoia
     ▪ Apply changes
     ▪ Review regularly
  69. BONUS: http://goo.gl/BSZ4mN
  70. Thank you. Twitter: @j_kaluzny
