The Ultimate Defence - Think Like a Hacker


  1. The Ultimate Defence: Think Like a Hacker
     An Ethical Hacker’s View of Corporate Security
     Peter Wood, Chief Executive Officer, First•Base Technologies
  2. Who is Peter Wood?
     • Worked in computers & electronics since 1969
     • Founded First•Base in 1989 (one of the first ethical hacking firms)
     • CEO, First Base Technologies LLP
     • Social engineer & penetration tester
     • Conference speaker and security ‘expert’
     • Chair of Advisory Board at CSA UK & Ireland
     • Vice Chair of BCS Information Risk Management and Audit Group
     • Vice President UK/EU, Global Institute for Cyber Security + Research
     • Member of ISACA Security Advisory Group
     • Corporate Executive Programme Expert
     • Knowthenet.org.uk Expert
     • IISP Interviewer
     • FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
     • Registered BCS Security Consultant
     • Member of ACM, ISACA, ISSA, Mensa
     © First Base Technologies 2010
  3. Thinking like a hacker
     • Hacking is a way of thinking: “A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them.” [Bruce Schneier]
     • Hacking applies to all aspects of life, not just computers
  4. Traditional thinking
     • Firewalls & perimeter defences
     • Anti-virus
     • SSL VPNs
     • Desktop lock down (GPOs)
     • Intrusion Detection / Prevention
     • Password complexity rules
     • HID (proximity) cards
     • Secure server rooms
     • Visitor IDs
  5. Think like a hacker: attack the building
  6. Impersonating an employee
  7. Cloning HID cards (http://rfidiot.org/)
  8. Impersonating a supplier
  9. Do-it-yourself ID cards
  10. Impersonate a cleaner
     • No vetting
     • Out-of-hours access
     • Cleans the desks
     • Takes out large black sacks
  11. Think like a hacker: attack the building contents
  12. Data theft by keylogger
  13. Data theft by USB
     • USB key
     • iPod
     • CD
     • USB hard drive
  14. On-site bugging: colour CCD camera with sound and a set of buttons to match clothing, £146.88
  15. Bypass Windows security
     “Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.”
  16. Become Local Administrator
     Ophcrack is a free Windows password cracker based on rainbow tables, by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.
  17. Think like a hacker: an alternative to attacking head office
  18. Home wireless & public WiFi
     • No encryption (or WEP)
     • Plain-text traffic (email, unencrypted sites)
     • SSL VPNs
     • False sense of security
  19. Eavesdropping
     Packet sniffing unprotected WiFi can reveal:
     • logons and passwords for unencrypted sites
     • all plain-text traffic (e-mails, web browsing, file transfers, etc.)
  20. Active attacks
     Once connected to the network an attacker can:
     • conduct man-in-the-middle attacks (including SSL and TLS)
     • redirect traffic
     • spoof legitimate machines
     • hijack PDAs, iPhones, etc.
  21. Think like a hacker: let’s find the soft spots before they do!
  22. Pragmatic security reviews
  23. Need more information?
     Peter Wood, Chief Executive Officer, First•Base Technologies LLP
     peterw@firstbase.co.uk
     Twitter: peterwoodx
     Blog: fpws.blogspot.com
     http://firstbase.co.uk
     http://white-hats.co.uk
     http://peterwood.com