WCC 2012: General security introduction for non-security studentsJoel Cardella
The document provides information about IT security and the internet. It begins with the author's background and then covers topics such as how the internet works, domain name system address translation, what is needed to make the internet work, threats to security, and steps individuals can take to help improve security. It notes that hacking is common and attackers are financially motivated to steal personal and corporate data, which is then sold on black markets. The document emphasizes being aware of security risks and taking steps like using antivirus software and strong passwords.
Marketing strategies. Wondering how to raise your profile, drive more people to your items and increase your sales? Here's a few ideas to help you along the
This document discusses the history and techniques of phishing and spam. It begins by explaining how phishing originated in 1995 targeting AOL customers to open accounts using stolen credit cards. It then describes how phishing evolved to target online payment systems starting in 2001. The document outlines common phishing techniques like creating a sense of urgency, using legitimate-looking email addresses and links, and attaching files. It also provides statistics on potential rewards from phishing and discusses spear phishing and cross-site scripting attacks. Lastly, it offers tips to protect against phishing like using separate email addresses, not responding to spam, keeping software updated, and verifying website security.
This document discusses best practices for using email professionally and avoiding potential issues. It provides tips on choosing an appropriate email address, how email is transmitted over the internet, and privacy considerations when using employer-provided technology. The key recommendations are to use caution when sending sensitive information over email, avoid strongly emotional or inappropriate content, and consider calling instead of emailing for sensitive discussions to allow for proper tone and context.
2FA, WTF? - Phil Nash - Codemotion Amsterdam 2016Codemotion
Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be! Don't worry, I'm not trying to scare you (that much). We have plenty of safeguards against attempts on our applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA? We'll take a look into generating one time passwords, implementing 2FA in web applications and the only real life compelling use case for QR codes. Together, we'll make the web a more secure place.
To create an Apple ID, you need a computer with internet access. You go to appleid.apple.com, click "Create an Apple ID", and fill out a form with your primary email and other information. After submitting the form, you verify your email address by clicking a link Apple sends you via email.
WCC 2012: General security introduction for non-security studentsJoel Cardella
The document provides information about IT security and the internet. It begins with the author's background and then covers topics such as how the internet works, domain name system address translation, what is needed to make the internet work, threats to security, and steps individuals can take to help improve security. It notes that hacking is common and attackers are financially motivated to steal personal and corporate data, which is then sold on black markets. The document emphasizes being aware of security risks and taking steps like using antivirus software and strong passwords.
Marketing strategies. Wondering how to raise your profile, drive more people to your items and increase your sales? Here's a few ideas to help you along the
This document discusses the history and techniques of phishing and spam. It begins by explaining how phishing originated in 1995 targeting AOL customers to open accounts using stolen credit cards. It then describes how phishing evolved to target online payment systems starting in 2001. The document outlines common phishing techniques like creating a sense of urgency, using legitimate-looking email addresses and links, and attaching files. It also provides statistics on potential rewards from phishing and discusses spear phishing and cross-site scripting attacks. Lastly, it offers tips to protect against phishing like using separate email addresses, not responding to spam, keeping software updated, and verifying website security.
This document discusses best practices for using email professionally and avoiding potential issues. It provides tips on choosing an appropriate email address, how email is transmitted over the internet, and privacy considerations when using employer-provided technology. The key recommendations are to use caution when sending sensitive information over email, avoid strongly emotional or inappropriate content, and consider calling instead of emailing for sensitive discussions to allow for proper tone and context.
2FA, WTF? - Phil Nash - Codemotion Amsterdam 2016Codemotion
Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be! Don't worry, I'm not trying to scare you (that much). We have plenty of safeguards against attempts on our applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA? We'll take a look into generating one time passwords, implementing 2FA in web applications and the only real life compelling use case for QR codes. Together, we'll make the web a more secure place.
To create an Apple ID, you need a computer with internet access. You go to appleid.apple.com, click "Create an Apple ID", and fill out a form with your primary email and other information. After submitting the form, you verify your email address by clicking a link Apple sends you via email.
How i stole someone's identity scientific americanCheck People
The document describes how the author was able to access a friend's online banking account by using publicly available personal information about her from blogs and other online sources. Through a series of steps, including recovering passwords for her college and Gmail accounts, the author was eventually able to gain access to her bank account by answering security questions with details found online. The document warns that oversharing personal details publicly makes online accounts vulnerable and emphasizes the importance of security and privacy.
I was hacked and lost my IG account. A very disappointing experience and I see it happen to so many friends. So here is how I was hacked and some ways you can learn from my mistakes.
Einar worked to identify and help victims of online abuse and hacking from 2012-2014. This included tracking down an iCloud hacker who stole private photos of girls in Norway by setting up a honeypot. He was eventually able to identify the hacker and provide evidence to police, though it took them over 6 months to act. Einar then started working at VG.no in 2014 where he continued investigating online criminal networks, including those spreading child abuse materials. Through analyzing download logs from hacked sites totaling over 36 million entries, he helped identify around 300 individuals in Norway downloading such content.
This document discusses social engineering and phishing scams. It defines social engineering as manipulation to gain information through deception. Phishing involves using fake websites, emails or SMS to steal personal information. Various types of phishing are covered, including email, website, IM and those using URL shorteners. The document warns about how social engineers may try to get computer access through exploits or malicious Java apps embedded in phishing pages. It provides tips on verifying sender information and advises not sharing personal details unless the caller is known.
This document provides a guide to improving security on Facebook. It discusses protecting your Facebook account by using strong passwords and logging out of your account when not in use. It also covers how to avoid common scammers on Facebook like phishers, account thieves, and malware distributors. The document recommends using advanced Facebook security settings such as secure browsing and login approvals to enhance protection of your account and information.
Phishing attacks are on the rise globally. In the first half of 2012, attacks rose 19% worldwide with estimated losses of $687 million. Canada saw a significant 400% increase in phishing attacks in Q1 2012. The number of new phishing sites detected per month peaked in 2012 at over 300,000. Common tactics used in phishing include spoofed emails appearing to come from banks or online retailers that try to steal personal information like credit card numbers and passwords. While technical measures can help reduce risk, user awareness of how phishing works and what to watch out for is also important in avoiding falling victim to these scams.
This document provides a guide to securing one's Facebook account. It discusses how to create strong passwords, use advanced security settings, log out of Facebook when not in use, and avoid common scams. Specific scams addressed include phishing scams, account theft attempts, malware distribution, gaming app scams, vanity scams, and clickjacking. The guide emphasizes being cautious of any unsolicited messages or links and thinking before clicking in order to protect one's privacy and security on Facebook.
Here are 10 predictions for 2014, all cyber attacks using social engineering to penetrate the network. Have fun reading, and I will try to report back in 12 months which ones came out as real.
The document discusses social engineering and phishing scams. It defines social engineering as manipulation to gain information through deception. Phishing involves using fake websites, emails or SMS to steal personal information. Common phishing techniques include email phishing, website spoofing, IM links to phishing sites, URL shorteners used to disguise malicious links, exploiting Java apps or browser flaws to gain full access to a target's computer, and caller ID spoofing to pose as legitimate companies. The document provides examples of these techniques and advises on how to protect yourself from social engineering attacks.
This document provides information on various types of phishing scams and security best practices. It discusses email, spear, smishing, search result, social media, QR code, vishing scams and how criminals target individuals. It also outlines recommendations for strong passwords, multi-factor authentication, firewall use, avoiding public WiFi, recognizing ransomware and wire fraud, and safely using USB devices. The overall message is to be wary of unsolicited requests, verify unknown contacts, and enable extra account protections.
If you are looking for free security awareness training presentation look no further - we have you covered! :) Not only is this a great PowerPoint presentation, it's also short and to the point with only 25 slides including the cover and summary slides. But don't let this security awareness training example for employees fool you - it includes all the security awareness basics plus a bit more.
The document discusses internet scams and provides information to help avoid becoming a victim. It outlines why scammers find the internet attractive due to anonymity, low cost, and a large user base. The top 5 scams are discussed as auction fraud, phishing, Nigerian letters, reshipping scams, and prize notifications. Tips to avoid scams include using common sense, paying with credit cards, taking safety precautions, being skeptical, and being careful on auction sites. Scams related to the Haiti earthquake are also warned about. The document emphasizes following tips like not responding to unsolicited emails and not paying in advance.
To set up an Apple ID using a school email address, follow these steps: create an Apple ID using your school email and choose a password, verify the Apple ID by clicking the link in the verification email, and sign in to iTunes and App Store with the new Apple ID and password. Be sure to download the Pages, Keynote, Numbers, iMovie, GarageBand, and iPhoto apps from the App Store.
We believe its more important than ever to keep your personal information as private and as secure as possible these days, so we developed this great guide to help keep you safe and secure against phishing attempts and scammers on the internet.
GRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not LearnedJoel Cardella
17 years after the Challenger disaster, NASA suffered another loss of life when Columbia burned up on re-entry. Compounding this tragedy was the fact that all the failures of Challenger were repeated. This talk looks at some of those reasons and how to learn the lessons so they won't be repeated.
BSIDES DETROIT 2015: Data breaches cost of doing businessJoel Cardella
Joel Cardella has over 20 years of experience in IT, including infrastructure operations, data centers, sales support, network operations, and security. He provides his email and Twitter contact information. The document discusses using a risk-based approach to cybersecurity and focusing on reducing risks to the business using positive return on investment. It provides examples of security strategies and a layered security model.
This talk is a summarized view of the various other talks in my profile. It was given to TACOM HQ LCMC as part of the "Our Shared Responsibility" initiative.
This is a good topical overview with some technical information.
GRRCON 2013: Imparting security awareness to all levels of usersJoel Cardella
My GRRCON 2013 talk on imparting security awareness. This is based on a highly successful and well received awareness program I created and rolled out for both blue collar and white collar users.
How i stole someone's identity scientific americanCheck People
The document describes how the author was able to access a friend's online banking account by using publicly available personal information about her from blogs and other online sources. Through a series of steps, including recovering passwords for her college and Gmail accounts, the author was eventually able to gain access to her bank account by answering security questions with details found online. The document warns that oversharing personal details publicly makes online accounts vulnerable and emphasizes the importance of security and privacy.
I was hacked and lost my IG account. A very disappointing experience and I see it happen to so many friends. So here is how I was hacked and some ways you can learn from my mistakes.
Einar worked to identify and help victims of online abuse and hacking from 2012-2014. This included tracking down an iCloud hacker who stole private photos of girls in Norway by setting up a honeypot. He was eventually able to identify the hacker and provide evidence to police, though it took them over 6 months to act. Einar then started working at VG.no in 2014 where he continued investigating online criminal networks, including those spreading child abuse materials. Through analyzing download logs from hacked sites totaling over 36 million entries, he helped identify around 300 individuals in Norway downloading such content.
This document discusses social engineering and phishing scams. It defines social engineering as manipulation to gain information through deception. Phishing involves using fake websites, emails or SMS to steal personal information. Various types of phishing are covered, including email, website, IM and those using URL shorteners. The document warns about how social engineers may try to get computer access through exploits or malicious Java apps embedded in phishing pages. It provides tips on verifying sender information and advises not sharing personal details unless the caller is known.
This document provides a guide to improving security on Facebook. It discusses protecting your Facebook account by using strong passwords and logging out of your account when not in use. It also covers how to avoid common scammers on Facebook like phishers, account thieves, and malware distributors. The document recommends using advanced Facebook security settings such as secure browsing and login approvals to enhance protection of your account and information.
Phishing attacks are on the rise globally. In the first half of 2012, attacks rose 19% worldwide with estimated losses of $687 million. Canada saw a significant 400% increase in phishing attacks in Q1 2012. The number of new phishing sites detected per month peaked in 2012 at over 300,000. Common tactics used in phishing include spoofed emails appearing to come from banks or online retailers that try to steal personal information like credit card numbers and passwords. While technical measures can help reduce risk, user awareness of how phishing works and what to watch out for is also important in avoiding falling victim to these scams.
This document provides a guide to securing one's Facebook account. It discusses how to create strong passwords, use advanced security settings, log out of Facebook when not in use, and avoid common scams. Specific scams addressed include phishing scams, account theft attempts, malware distribution, gaming app scams, vanity scams, and clickjacking. The guide emphasizes being cautious of any unsolicited messages or links and thinking before clicking in order to protect one's privacy and security on Facebook.
Here are 10 predictions for 2014, all cyber attacks using social engineering to penetrate the network. Have fun reading, and I will try to report back in 12 months which ones came out as real.
The document discusses social engineering and phishing scams. It defines social engineering as manipulation to gain information through deception. Phishing involves using fake websites, emails or SMS to steal personal information. Common phishing techniques include email phishing, website spoofing, IM links to phishing sites, URL shorteners used to disguise malicious links, exploiting Java apps or browser flaws to gain full access to a target's computer, and caller ID spoofing to pose as legitimate companies. The document provides examples of these techniques and advises on how to protect yourself from social engineering attacks.
This document provides information on various types of phishing scams and security best practices. It discusses email, spear, smishing, search result, social media, QR code, vishing scams and how criminals target individuals. It also outlines recommendations for strong passwords, multi-factor authentication, firewall use, avoiding public WiFi, recognizing ransomware and wire fraud, and safely using USB devices. The overall message is to be wary of unsolicited requests, verify unknown contacts, and enable extra account protections.
If you are looking for free security awareness training presentation look no further - we have you covered! :) Not only is this a great PowerPoint presentation, it's also short and to the point with only 25 slides including the cover and summary slides. But don't let this security awareness training example for employees fool you - it includes all the security awareness basics plus a bit more.
The document discusses internet scams and provides information to help avoid becoming a victim. It outlines why scammers find the internet attractive due to anonymity, low cost, and a large user base. The top 5 scams are discussed as auction fraud, phishing, Nigerian letters, reshipping scams, and prize notifications. Tips to avoid scams include using common sense, paying with credit cards, taking safety precautions, being skeptical, and being careful on auction sites. Scams related to the Haiti earthquake are also warned about. The document emphasizes following tips like not responding to unsolicited emails and not paying in advance.
To set up an Apple ID using a school email address, follow these steps: create an Apple ID using your school email and choose a password, verify the Apple ID by clicking the link in the verification email, and sign in to iTunes and App Store with the new Apple ID and password. Be sure to download the Pages, Keynote, Numbers, iMovie, GarageBand, and iPhoto apps from the App Store.
We believe its more important than ever to keep your personal information as private and as secure as possible these days, so we developed this great guide to help keep you safe and secure against phishing attempts and scammers on the internet.
Similar to 2nd FACTOR: The Story of Mat Honan (14)
GRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not LearnedJoel Cardella
17 years after the Challenger disaster, NASA suffered another loss of life when Columbia burned up on re-entry. Compounding this tragedy was the fact that all the failures of Challenger were repeated. This talk looks at some of those reasons and how to learn the lessons so they won't be repeated.
BSIDES DETROIT 2015: Data breaches cost of doing businessJoel Cardella
Joel Cardella has over 20 years of experience in IT, including infrastructure operations, data centers, sales support, network operations, and security. He provides his email and Twitter contact information. The document discusses using a risk-based approach to cybersecurity and focusing on reducing risks to the business using positive return on investment. It provides examples of security strategies and a layered security model.
This talk is a summarized view of the various other talks in my profile. It was given to TACOM HQ LCMC as part of the "Our Shared Responsibility" initiative.
This is a good topical overview with some technical information.
GRRCON 2013: Imparting security awareness to all levels of usersJoel Cardella
My GRRCON 2013 talk on imparting security awareness. This is based on a highly successful and well received awareness program I created and rolled out for both blue collar and white collar users.
INFRAGARD 2014: Back to basics securityJoel Cardella
This talk focuses on getting Back To Basics with security controls. Too many enterprises are focusing on the wrong threats and spending money in the wrong places. Often overlooked are our basic security controls that require care and feeding, and regular review. This talk focuses on a few of those areas.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
4. “I realized something was wrong at about 5 p.m. on Friday. I
was playing with my daughter when my iPhone suddenly
powered down. I was expecting a call, so I went to plug it back
in.”
“It then rebooted to the setup screen. This was irritating, but I
wasn’t concerned. I assumed it was a software glitch. And, my
phone automatically backs up every night. I just assumed it
would be a pain in the ass, and nothing more. I entered my
iCloud login to restore, and it wasn’t accepted. Again, I was
irritated, but not alarmed. ”
THE SYMPTOMS APPEAR
5. “I went to connect the iPhone to my computer and restore from
that backup — which I had just happened to do the other day.
When I opened my laptop, an iCal message popped up telling me
that my Gmail account information was wrong. Then the screen
went gray, and asked for a four-digit PIN.”
“I didn’t have a four-digit PIN.”
“By now, I knew something was very, very wrong. For the first
time it occurred to me that I was being hacked. Unsure of exactly
what was happening, I unplugged my router and cable modem,
turned off the Mac Mini we use as an entertainment center,
grabbed my wife’s phone, and called AppleCare, the company’s
tech support service, and spoke with a rep for the next hour and
a half.”
FROM BAD TO WORSE
6. His first call was to AppleCare – but according to them it was
not his first time calling!
Someone had called at 4:33 claiming to be Mat, saying he
could not get to his Me.Com email
In response, Apple issued a temporary password. It did this
despite the caller’s inability to answer security questions Mat
had set up. And it did this after the hacker supplied only two
pieces of information that anyone with an internet connection
and a phone can discover.
WHITHER GOES MAT?
7. It turns out, a billing address and the last four digits of a
credit card number are the only two pieces of information
anyone needs to get into your iCloud account. Once supplied,
Apple will issue a temporary password, and that password
grants access to iCloud.
Once someone has access to iCloud, they have access to your
AppleID
A hacker, going by the name Phobia, was able to track down
this information easily
WHAT HAD HAPPENED
8. “After coming across my account, the hackers did some
background research. My Twitter account linked to my personal
website, where they found my Gmail address. Guessing that this
was also the e-mail address I used for Twitter, Phobia went to
Google’s account recovery page. He didn’t even have to actually
attempt a recovery. This was just a recon mission.
Phobia could view the alternate e-mail Mat had set up for
account recovery. Google partially obscures that information,
starring out many characters, but there were enough characters
available, m••••n@me.com. Jackpot.
This was how the hack progressed. If I had some other account
aside from an Apple e-mail address, or had used two-factor
authentication for Gmail, everything would have stopped here.
But using that Apple-run me.com e-mail account as a backup told
the hacker I had an AppleID account, which meant I was
vulnerable to being hacked.”
THE HACK
9. All you need to access someone’s AppleID is
the associated e-mail address,
a credit card number,
the billing address,
and the last four digits of a credit card on file
Phobia had gone to Google and requested a password
recovery
Google had shown him that it was using a @me.com email
Phobia knows Mat has an AppleID and now needs access
So Phobia knew part of the email address – how did he get
the other pieces?
IT’S ALL YOU NEED!
10. He got the billing address by doing a whois search on Mat’s
personal web domain. If someone doesn’t have a domain, you
can also look up his or her information on Spokeo,
WhitePages, and PeopleSmart.
First you call Amazon and tell them you are the account
holder, and want to add a credit card number to the account.
All you need is the
name on the account,
an associated e-mail address,
and the billing address.
Amazon then allows you to input a new credit card. (Wired
used a bogus credit card number from a website that
generates fake card numbers that conform with the industry’s
published self-check algorithm.) Then you hang up.
AMAZIN AMAZON
11. Next you call back, and tell Amazon that you’ve lost access to
your account.
Upon providing a name, billing address, and the new credit
card number you gave the company on the prior call, Amazon
will allow you to add a new e-mail address to the account.
From here, you go to the Amazon website, and send a
password reset to the new e-mail account. This allows you to
see all the credit cards on file for the account — not the
complete numbers, just the last four digits.
But, as we know, Apple only needs those last four digits!
MORE DATA THAN YOU CAN EAT
12. Any waiter or waitress in a restaurant where you paid for your
meal
Any cashier at any store who took your credit card as payment
Any 16-year old kid working anywhere that accepts credit cards,
with enough sense to memorize 4 digits and a last name –
especially an easy one
So Phobia calls AppleCare and gives them his name
“Mat Honan”
His billing address
Found using internet search tools
Last 4 of the credit card
Found from the email from Amazon
And now Apple resets Mat’s iCloud account, giving Phobia access
WHO ELSE HAS THE LAST 4 OF YOUR
CREDIT CARD?
13. Phobia accesses Mat’s account, gets access to his @me.com
password- then a race ensues
4:50 p.m., a password reset confirmation arrived in my @me.com
inbox. They then were able to follow the link in that e-mail to
permanently reset my AppleID password.
4:52 p.m., a Gmail password recovery e-mail arrived in my me.com
mailbox. Two minutes later, another e-mail arrived notifying me that
my Google account password had changed.
5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone.
5:02 p.m., they reset my Twitter password.
5:05 they remotely wiped my MacBook. Around this same time, they
deleted my Google account.
5:10, I placed the call to AppleCare.
5:12 the attackers posted a message to my account on Twitter taking
credit for the hack.
PWNED
15. Mat says:
They could have used my e-mail accounts to gain access to my
online banking, or financial services.
They could have used them to contact other people, and
socially engineer them as well.
As Ed Bott pointed out on TWiT.tv, my years as a technology
journalist have put some very influential people in my address
book. They could have been victimized too.
COULDA BEEN WORSE!
16. Why did it happen?
What was the reason he got hacked, his personal info erased,
moments from his life gone forever?
What was the reason?
He had a 3 character Twitter user name, and they thought it
was cool and wanted it
WHY?
17. Mat was able to get some data back
He sent his machine to a firm called DriveSavers, who have
custom hardware and software which can recover data from
hard drives (even SSDs)
They recovered about 75% of the data, including most of his
digital pictures
The cost: $1,690
HE GOT SOME DATA BACK
18. 2 factor authentication means you need 2 things to prove who
you are
Something you know [a password]
Something you have [a cell phone]
If Mat had enabled Google’s 2nd factor authentication, this
would not have happened
Duo Security makes a product which can be used for free –
you can get SMS, iPhone push, phone call, software token
generation
2 FACTOR AUTHENTICATION