Hacking the Company
Risks with carbon based lifeforms using vulnerable systems
$ whoami

Curious Hacker (eg. I like to break things apart and rebuild them!)
Maker (eg. I like to make things)
RC-Geek (eg. I like to fly radio-controlled devices)
Chief Security Officer @Crosskey Banking Solutions
Social Media Twitter: @khalavak, G+: Kim Halavakoski,
G+ communities: Security De-Obfuscated, PCI Jedis...
"An enthusiastic and skilled computer programmer or user" (original in Finnish: "Innostunut ja taitava tietokoneen ohjelmoija tai käyttäjä")

hacker as defined in RFC1392:
   A person who delights in having an intimate understanding of the
   internal workings of a system, computers and computer networks in
   particular. The term is often misused in a pejorative context,
   where "cracker" would be the correct term. See also: cracker.
How?
Vulnerabilities
Young padawan, don't forget:
Lack of focus leads to sloppiness,
sloppiness leads to misconfiguration and bugs,
and misconfiguration and bugs lead to compromise.
Vulnerabilities
Vulnerabilities & 0-days
0-days
Top 10 vulnerable vendors
Who uses these vulnerable vendors anyway?

We all keep our systems patched? All the time? Almost? Sometimes?
Example of vulnerable vendors: Microsoft, Apple, Oracle, Sun Microsystems, Cisco, Mozilla, Linux,
Hewlett Packard, Adobe...

Ever used any of these vendors?
Top 10 vulnerable products
Who uses these vulnerable products anyway?

We all keep our software products patched? All the time? Almost? Sometimes?
Example of vulnerable software: Linux, Firefox, Mac OS X, Google Chrome, Internet Explorer, Seamonkey,
Solaris, Thunderbird

Ever used any of these products?
Browser market shares

Combining the vulnerability statistics above for Internet Explorer, Firefox and Chrome with their market shares,
it seems that 92.61% of the browsers used on the Internet are vulnerable.
46 vulnerabilities in 2012
48 vulnerabilities in 2013 (and it's only March!)
of which 26 vulnerabilities with CVSS score 10.0 in 2013 until now
http://java-0day.com
http://istherejava0day.com
Patching is Critical
Security is as strong as the weakest link.

If you take security seriously then making sure everything is
up to date is more important than ever.
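The deck makes the point that patching is only as good as its coverage: one host that is behind is the weak link. As an added example (not part of the original slides), the script below compares an asset inventory against a fixed-version baseline and lists what is still exposed, ordered by CVSS score so the 10.0-rated gaps surface first. Both the inventory and the baseline are constructed sample data; the version numbers and CVSS scores are illustrative, not vendor advisories, and the product names are assumptions for the example.

```python
import re


def parse_version(text):
    """'1.7.0_17' -> (1, 7, 0, 17); '10.8' -> (10, 8).

    Comparing the integer tuple avoids the string trap where '1.9' > '1.10'.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_lt(installed, required):
    """True when `installed` is strictly older than `required`.

    Shorter tuples are padded with zeros so '1.7' and '1.7.0' compare equal.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed baseline (illustrative values, not real advisories):
# product -> (first version that carries the fix, highest CVSS among the issues it fixes)
BASELINE = {
    "java": ("1.7.0_17", 10.0),
    "firefox": ("19.0.2", 9.3),
    "chrome": ("25.0.1364.152", 7.5),
    "adobe-reader": ("11.0.02", 10.0),
}

# Constructed inventory, shaped like an export from an asset-management tool.
INVENTORY = [
    {"host": "ws-01", "java": "1.7.0_17", "firefox": "19.0.2"},
    {"host": "ws-02", "java": "1.6.0_31", "firefox": "18.0", "adobe-reader": "10.1.4"},
    {"host": "ws-03", "chrome": "25.0.1364.152", "adobe-reader": "11.0.02"},
    {"host": "srv-mail", "java": "1.7.0_10"},
]


def unpatched(inventory, baseline):
    """Return {host: [(product, installed, required, cvss), ...]} for every host
    that is behind the baseline; each host's gaps are sorted by CVSS, highest first."""
    report = {}
    for asset in inventory:
        gaps = []
        for product, installed in asset.items():
            if product == "host" or product not in baseline:
                continue
            required, cvss = baseline[product]
            if version_lt(installed, required):
                gaps.append((product, installed, required, cvss))
        if gaps:
            gaps.sort(key=lambda gap: gap[3], reverse=True)
            report[asset["host"]] = gaps
    return report


def exposed_fraction(inventory, baseline):
    """Share of hosts with at least one unpatched product: the 'weakest link' figure."""
    return len(unpatched(inventory, baseline)) / len(inventory)


if __name__ == "__main__":
    for host, gaps in unpatched(INVENTORY, BASELINE).items():
        for product, installed, required, cvss in gaps:
            print(f"{host}: {product} {installed} < {required} (CVSS {cvss})")
    print(f"exposed hosts: {exposed_fraction(INVENTORY, BASELINE):.0%}")
```

On the sample data two of the four hosts are behind the baseline, so the "everything patched?" answer is no for half the estate even though the other half is fully current. The numeric version comparison matters in practice: naive string comparison would rank a Java "1.7.0_9" build as newer than "1.7.0_17".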
Social Engineering
There is no patch for human stupidity
Social engineering works.
People are easily tricked. Really.
Taps into psychological factors that are part of human nature.
Abuses the trust frameworks that we are used to in real life.
"Could I have the root password, please?"
A good presentation needs a cat picture to soften the audience.

On a side note, cybercriminals know that we like cute and funny pictures and videos,
so they use our eagerness to click on cute things to hack our computers...

So even if supercute, think before you click!
How easily are you tricked?
Would you fall for this?
Are you sure it is Paypal?
Problems with your Visa card?
Salaries! Confidential! Dare to open that PDF document?
What did I order again?
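The lures above (a PayPal look-alike, a Visa card problem, a salary PDF, an order confirmation) share a few mechanical tells that a mail gateway or a user-facing warning can check before anyone clicks. As an added example (not part of the original slides, and not any vendor's filter), the script below parses a raw message and reports the indicators the deck's examples rely on: a brand name in the display name that does not match the sending domain, a Reply-To that diverts replies elsewhere, a visible link that names one host while the href points to another, and attachments with executable extensions. Both messages embedded in it are constructed samples with `.example` domains, and the brand list is an assumption.

```python
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing mail): display name says PayPal, the
# sending domain does not, Reply-To goes elsewhere, and the visible link text
# names a host different from the real href.
SAMPLE_EMAIL = b"""From: "PayPal Service" <service@paypa1-secure.example>
Reply-To: support@mail-relay.example
To: victim@company.example
Subject: Problems with your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your account within 24 hours.</p>
<a href="http://login.paypa1-secure.example/verify">https://www.paypal.com/signin</a>
</body></html>
"""

# Constructed benign sample: link text and href agree, no Reply-To diversion.
BENIGN_EMAIL = b"""From: "Acme Orders" <orders@acme.example>
To: victim@company.example
Subject: Your order
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://shop.acme.example/orders">https://shop.acme.example/orders</a>
</body></html>
"""

RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".jar")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw, trusted_brands=("paypal",)):
    """Return a list of human-readable indicators found in the raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_domain = sender.domain.lower() if sender else ""

    # 1. Brand impersonation: display name claims a brand the sending domain lacks.
    if sender:
        for brand in trusted_brands:
            if brand in sender.display_name.lower() and brand not in sender_domain:
                findings.append(f"display name mentions '{brand}' but sender domain is {sender_domain}")

    # 2. Reply diversion: replies go to a different domain than the apparent sender.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    # 3. Link text / href mismatch: only checked when the visible text looks like a URL.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if "://" in text or text.lower().startswith("www."):
                shown = _host(text if "://" in text else "http://" + text)
                if shown != _host(href):
                    findings.append(f"link text shows {shown} but points to {_host(href)}")

    # 4. Executable attachments (document formats such as PDF need content inspection instead).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {name} has an executable/script extension")
    return findings


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("indicator:", line)
```

None of these checks proves a message is malicious on its own, and none of them catches a well-made lure that uses a registered look-alike domain consistently throughout; they are cheap signals to surface to the user at the moment of the click, which is exactly where the slides say the decision gets made.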
Who?
Cybercriminals
Oleg Nikolaenko
24-year-old hacker who ran the Mega-D botnet back in 2010
Mega-D was sending 30-40% of the spam on the Internet
Vladimir Tsastsin
Vladimir ran Estdomains and later Rove Digital, which ran "Operation Ghost Click" and
was behind the infamous DNSChanger malware that caused havoc all over the world.
Hacktivists
Governments and Nation states
Why?
Cybercrime market value: $114 billion
Where?
IP addresses counted:

World:                10437
FI, SE, NO, DK, AX:    4447
FI:                    2829

Top 10 cities (share of the 2829 IP addresses in FI):

City           Count   Share
Helsinki       411     14.528%
Tampere        406     14.351%
Hämeenlinna    176     6.221%
Jyväskylä      117     4.136%
Turku          87      3.075%
Vanda          85      3.004%
Espoo          71      2.51%
Pirkkala       63      2.227%
Lahti          63      2.227%
Oulu           59      2.086%
From the 2829 IP addresses in Finland I did a quick statistical analysis of the whois and DNS data and found:

most of the IPs are end customers with ADSL or GPRS connections from Sonera, DNA, Nebula, local telephone companies, etc.
59 whois records that seem like companies
37 DNS records that look like companies
...some small, some bigger, some of them even "security" companies, and some in
public services and even government use...
RSA -> Lockheed Martin
  RSA was hacked, allegedly in order to get into Lockheed Martin
Twitter
  Twitter was hacked using recent Java vulnerabilities
Facebook
  Facebook was hacked using recent Java vulnerabilities through a third-party site, iphonedevsdk.com
Microsoft
  Microsoft was hacked using recent Java vulnerabilities through a third-party site, iphonedevsdk.com
Apple
  Apple was hacked using recent Java vulnerabilities through a third-party site, iphonedevsdk.com
US National Vulnerability Database hacked
Malware planted on 2 webservers...
Undiscovered for 2 months...

"Hacking the NVD and planting malware on the very place where we get our vulnerability information,
that is just pure evil!"
Ocean's Eleven?
Matt Honan – Senior Editor at Wired Gadget Labs
Security flaws in Apple and Amazon customer service systems led to hackers gaining control over his accounts and deleting the files on his Mac.
How?
Metasploit
Penetration testing tool.
Developed by HD Moore back in 2003.
Bought by Rapid 7 in 2009.
Open-source version still available.
Social Engineer Toolkit
Great tool for performing social engineering attacks:
phishing, web attacks, malware-infected USB sticks, etc.
Developed by Dave Kennedy & Co
Demo

Fictitious company with the following network setup:
firewall, mail server, web server, DNS server, internal Windows 7 workstation...
Conclusion
Carbon based lifeforms
Humans are the weakest link
Using age-old social frameworks in a modern connected world
Easily tricked into clicking, opening links, attachments and programs
Make errors, repeatedly

Computer software
Are programmed by humans
Have bugs
Used by humans

Hacking tools
Readily available
Easy to use
Developed by professionals

Cybercriminals
Cybercriminals
Hacktivists
Nation States & Governments
Questions?

More Related Content

What's hot

Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
Dinesh O Bareja
 
Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about securityAlison Gianotto
 
At Your Expense
At Your ExpenseAt Your Expense
At Your Expense
Dan Oblak
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
Salma Zafar
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
Felipe Prado
 
Cyber ethics
Cyber ethicsCyber ethics
Cyber ethics
Mohit Dholakiya
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
London School of Cyber Security
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
London School of Cyber Security
 
Enemies of the west
Enemies of the westEnemies of the west
Enemies of the west
Neil Lines
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and Forensics
London School of Cyber Security
 
Computer Security and Safety, Ethics & Privacy
Computer Security and Safety, Ethics & PrivacyComputer Security and Safety, Ethics & Privacy
Computer Security and Safety, Ethics & PrivacySamudin Kassan
 
SEC 573 Project 1 2.22.15
SEC 573 Project 1 2.22.15SEC 573 Project 1 2.22.15
SEC 573 Project 1 2.22.15haney888
 
Giarritano concept paper 4
Giarritano concept paper 4Giarritano concept paper 4
Giarritano concept paper 4leahg118
 
Sophos Security Threat Report 2014
Sophos Security Threat Report 2014Sophos Security Threat Report 2014
Sophos Security Threat Report 2014
- Mark - Fullbright
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.
Yury Chemerkin
 
Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)
Michele Chubirka
 
Cyberspace
CyberspaceCyberspace
Cyberspace
Utchi
 
Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508
Vishwan Aranha
 

What's hot (20)

Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
 
Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about security
 
At Your Expense
At Your ExpenseAt Your Expense
At Your Expense
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
 
eForensics_17_2013_KMOKER
eForensics_17_2013_KMOKEReForensics_17_2013_KMOKER
eForensics_17_2013_KMOKER
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
 
Cyber ethics
Cyber ethicsCyber ethics
Cyber ethics
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
Enemies of the west
Enemies of the westEnemies of the west
Enemies of the west
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and Forensics
 
Computer Security and Safety, Ethics & Privacy
Computer Security and Safety, Ethics & PrivacyComputer Security and Safety, Ethics & Privacy
Computer Security and Safety, Ethics & Privacy
 
SEC 573 Project 1 2.22.15
SEC 573 Project 1 2.22.15SEC 573 Project 1 2.22.15
SEC 573 Project 1 2.22.15
 
Giarritano concept paper 4
Giarritano concept paper 4Giarritano concept paper 4
Giarritano concept paper 4
 
Sophos Security Threat Report 2014
Sophos Security Threat Report 2014Sophos Security Threat Report 2014
Sophos Security Threat Report 2014
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.
 
Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)
 
Cyberspace
CyberspaceCyberspace
Cyberspace
 
Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508
 

Similar to Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems

Thane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentationThane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentation
Jeff Zahn
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities  A Silicon Valley VC PerspectiveSecurity Opportunities  A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
Positive Hack Days
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionService2Media
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its Prospects
Rwik Kumar Dutta
 
How We Got Here: A History of Computer Security And Its Design
How We Got Here: A History of Computer Security And Its DesignHow We Got Here: A History of Computer Security And Its Design
How We Got Here: A History of Computer Security And Its Design
UXPALA
 
E security and payment 2013-1
E security  and payment 2013-1E security  and payment 2013-1
E security and payment 2013-1Abdelfatah hegazy
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
Neil Lines
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
parag101
 
Artificial Intelligence powered malware - A Smart virus
Artificial Intelligence powered malware - A Smart virusArtificial Intelligence powered malware - A Smart virus
Artificial Intelligence powered malware - A Smart virus
Stig-Arne Kristoffersen
 
It’s time to boost VoIP network security
It’s time to boost VoIP network securityIt’s time to boost VoIP network security
It’s time to boost VoIP network securityBev Robb
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
Cyber Security Alliance
 
Information Security - A Discussion
Information Security  - A DiscussionInformation Security  - A Discussion
Information Security - A Discussion
Kaushik Patra
 
Service Design Days 2017 - Keynote Jon Rogers (University of Dundee)
Service Design Days 2017 - Keynote Jon Rogers (University of Dundee)Service Design Days 2017 - Keynote Jon Rogers (University of Dundee)
Service Design Days 2017 - Keynote Jon Rogers (University of Dundee)
SERVICE DESIGN DAYS
 
How to Avoid IoTageddon
How to Avoid IoTageddon How to Avoid IoTageddon
How to Avoid IoTageddon
Bob Snyder
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
Andris Soroka
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on Security
Gianluca Varisco
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
Ethi mini - ethical hacking
Ethi mini - ethical hackingEthi mini - ethical hacking
Ethi mini - ethical hackingBeing Uniq Sonu
 

Similar to Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems (20)

Thane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentationThane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentation
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities  A Silicon Valley VC PerspectiveSecurity Opportunities  A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcription
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its Prospects
 
How We Got Here: A History of Computer Security And Its Design
How We Got Here: A History of Computer Security And Its DesignHow We Got Here: A History of Computer Security And Its Design
How We Got Here: A History of Computer Security And Its Design
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
E security and payment 2013-1
E security  and payment 2013-1E security  and payment 2013-1
E security and payment 2013-1
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
 
Artificial Intelligence powered malware - A Smart virus
Artificial Intelligence powered malware - A Smart virusArtificial Intelligence powered malware - A Smart virus
Artificial Intelligence powered malware - A Smart virus
 
It’s time to boost VoIP network security
It’s time to boost VoIP network securityIt’s time to boost VoIP network security
It’s time to boost VoIP network security
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Information Security - A Discussion
Information Security  - A DiscussionInformation Security  - A Discussion
Information Security - A Discussion
 
Service Design Days 2017 - Keynote Jon Rogers (University of Dundee)
Service Design Days 2017 - Keynote Jon Rogers (University of Dundee)Service Design Days 2017 - Keynote Jon Rogers (University of Dundee)
Service Design Days 2017 - Keynote Jon Rogers (University of Dundee)
 
How to Avoid IoTageddon
How to Avoid IoTageddon How to Avoid IoTageddon
How to Avoid IoTageddon
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on Security
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Ethi mini - ethical hacking
Ethi mini - ethical hackingEthi mini - ethical hacking
Ethi mini - ethical hacking
 

Recently uploaded

PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 

Recently uploaded (20)

PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 

Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems

  • 19. Patching is critical. Security is only as strong as the weakest link; if you take security seriously, then making sure everything is up to date is more important than ever.
  • 20. Social engineering: there is no patch for human stupidity.
  • 22. Social engineering works. People are easily tricked. Really. It taps into psychological factors that are part of human nature and abuses the trust frameworks we are used to in real life.
  • 23. "Could I have the root password, please?"
  • 24. A good presentation needs a cat picture to soften up the audience. On a side note, cybercriminals know that we like cute and funny pictures and videos, so they use our eagerness to click on cute things to hack our computers. So even if it is super cute, think before you click!
  • 25. How easily are you tricked?
  • 26. How easily are you tricked?
  • 27. Would you fall for this?
  • 28. Are you sure it is Paypal?
  • 29. Problems with your Visa card?
  • 30. Salaries! Confidential! Dare to open that PDF document?
  • 31. What did I order again?
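Added example, not from the talk: a small Python checker for the kind of lures shown on slides 28-31 ("Are you sure it is PayPal?", the confidential salaries PDF). It parses one message and reports the red flags a human should look for: a display name that claims a brand the sender domain does not belong to, a Reply-To that goes elsewhere, link text that shows one site while the href goes to another, and an attachment that is executable or hides a double extension. The two messages, the brand-to-domain table and the .example hostnames are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example (not from the slides): brands a display name may claim
# and the registered domain that legitimately sends mail for each.
BRAND_DOMAINS = {"paypal": "paypal.com", "visa": "visa.com"}
# Anchor text a reader would take for an address, e.g. "www.paypal.com/login".
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]|$)", re.I)
# Executables, and the "looks like a PDF" double-extension trick (salaries.pdf.exe).
DANGEROUS_EXT = re.compile(r"\.(?:exe|scr|js|vbs|bat|cmd|jar)$", re.I)
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?)\.[a-z0-9]{2,4}$", re.I)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.net/.org cases here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def address_domain(addr):
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the red flags found in one RFC 5322 message as readable strings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = address_domain(sender)
    # 1. The display name claims a brand, but the address is not that brand's domain.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain != legit:
            findings.append(f"display name claims {brand!r} but mail comes from {sender_domain}")
    # 2. Replies are routed to a different domain than the mail claims to be from.
    reply_domain = address_domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")
    for part in msg.walk():
        # 3. Link text that reads as one site while the href goes to another.
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for text, href in collector.links:
                if LOOKS_LIKE_URL.match(text):
                    shown, real = host_of(text), host_of(href)
                    if registered_domain(shown) != registered_domain(real):
                        findings.append(f"link shows {shown} but points to {real}")
        # 4. An attachment that is executable or hides its real extension.
        name = part.get_filename()
        if name and (DANGEROUS_EXT.search(name) or DOUBLE_EXT.search(name)):
            findings.append(f"suspicious attachment {name}")
    return findings


# Constructed sample lure: spoofed brand, foreign Reply-To, disguised link, fake PDF.
PHISH = """\
From: "PayPal Service" <service@paypa1-secure.example.net>
Reply-To: verify@mail-relay.example.org
Subject: Your account has been limited
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please visit <a href="http://login.paypa1-secure.example.net/verify">https://www.paypal.com/cgi-bin/webscr</a> to restore access.</p>
--b1
Content-Type: application/octet-stream; name="salaries.pdf.exe"
Content-Disposition: attachment; filename="salaries.pdf.exe"

MZ
--b1--
"""

# Constructed benign mail from the brand's own domain: no links, no attachment.
BENIGN = 'From: "PayPal" <service@paypal.com>\nSubject: Statement\n\nYour statement is ready.\n'

if __name__ == "__main__":
    print(*phishing_indicators(PHISH), sep="\n")
```

The domain comparison is deliberately on the registered domain, not the full host, so "login.paypal.com" linking to "www.paypal.com" is not flagged while "www.paypal.com" text linking to "login.paypa1-secure.example.net" is; for real deployments replace the two-label cut with a public-suffix list.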
  • 33. Who?
  • 35. Oleg Nikolaenko: 24-year-old hacker who ran the Mega-D botnet back in 2010. Mega-D was sending 30-40% of the spam on the Internet.
  • 36. Vladimir Tsastsin: Vladimir ran Estdomains and later Rove Digital, the company behind the infamous DNSChanger malware that caused havoc all over the world; Rove Digital was taken down in the FBI's "Operation Ghost Click".
  • 43. Why?
  • 44. Cybercrime market value: $114 billion
  • 52. FI: 2829 IP addresses, top 10 cities:
        City          num    %
        Helsinki      411    14.528%
        Tampere       406    14.351%
        Hämeenlinna   176    6.221%
        Jyväskylä     117    4.136%
        Turku          87    3.075%
        Vanda          85    3.004%
        Espoo          71    2.51%
        Pirkkala       63    2.227%
        Lahti          63    2.227%
        Oulu           59    2.086%
  • 53. Highlighted: Helsinki 411 (14.528%), Turku 87 (3.075%), Vanda 85 (3.004%), Espoo 71 (2.51%), Pirkkala 63 (2.227%), Lahti 63 (2.227%)
  • 55. From the 2829 IP addresses in Finland I did a quick statistical analysis of the whois and DNS data and found: most of the IPs are end customers with ADSL or GPRS connections from Sonera, DNA, Nebula, local telephone companies, etc.; 59 whois records that seem like companies; 37 DNS records that look like companies.
  • 56. ...some small, some bigger, some of them even "security" companies, and some in public services and even government use...
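Added example, not from the talk: one way to do the quick whois/DNS triage described above, in Python, over a constructed list of records. It takes (ip, city, whois netname, reverse name) tuples, separates consumer access pools (ADSL, GPRS, dynamic) from allocations that look like an organisation's own, using two independent signals, the whois netname and the reverse DNS name, and prints the top-cities table in the same form as the slide. The twelve records, the .example domains and the ISP domain set are constructed; the token list is a heuristic and will misfile hosted customers and ISP infrastructure either way (192.0.2.15 is counted as consumer by whois and as company by DNS, which is why the slide's two counts differ).

```python
import re
from collections import Counter

# Constructed sample records, not data from the talk: (ip, geolocated city,
# whois netname, reverse DNS name or "" when the IP has no PTR record).
# Addresses are from the 192.0.2.0/24 documentation range and the domains are
# invented; the netnames only echo the ISPs named on the slide.
RECORDS = [
    ("192.0.2.10", "Helsinki",    "SONERA-ADSL",      "dsl-hki-1.sonera.example"),
    ("192.0.2.11", "Helsinki",    "SONERA-ADSL",      "dsl-hki-2.sonera.example"),
    ("192.0.2.12", "Tampere",     "DNA-GPRS",         "gprs-tre-7.dna.example"),
    ("192.0.2.13", "Tampere",     "DNA-GPRS",         ""),
    ("192.0.2.14", "Helsinki",    "ACME-OY-NET",      "mail.acme-oy.example"),
    ("192.0.2.15", "Turku",       "NEBULA-CUSTOMERS", "www.turkufirm.example"),
    ("192.0.2.16", "Espoo",       "SECUREFIRM-NET",   ""),
    ("192.0.2.17", "Jyväskylä",   "SONERA-ADSL",      "dsl-jkl-3.sonera.example"),
    ("192.0.2.18", "Hämeenlinna", "LOCALTEL-DYNAMIC", "dyn-hml-9.localtel.example"),
    ("192.0.2.19", "Helsinki",    "CITY-OF-X-NET",    "fw1.city-x.example"),
    ("192.0.2.20", "Tampere",     "DNA-GPRS",         "gprs-tre-8.dna.example"),
    ("192.0.2.21", "Oulu",        "HOSTINGCO-NET",    "vps-42.hostingco.example"),
]

# Tokens ISPs put in netnames and reverse names for consumer access pools
# (heuristic; matched only as whole labels so "liverpool" is not "pool").
CONSUMER_RE = re.compile(
    r"(?:^|[-.])(?:a?dsl|gprs|3g|dyn(?:amic)?|pool|dhcp|cable|ppp|customers?)(?:$|[-.])", re.I)
# Reverse-DNS domains owned by the access providers themselves (assumed for the sample).
ISP_DOMAINS = {"sonera.example", "dna.example", "localtel.example"}


def parent_domain(ptr):
    """Last two labels of a reverse name: dsl-hki-1.sonera.example -> sonera.example."""
    return ".".join(ptr.lower().rstrip(".").split(".")[-2:])


def is_consumer(netname, ptr):
    """Either signal carries an access-pool token: an end customer's line."""
    return bool(CONSUMER_RE.search(netname) or (ptr and CONSUMER_RE.search(ptr)))


def whois_looks_like_company(netname):
    """Netname carries no access-pool token: likely an organisation's own allocation."""
    return not CONSUMER_RE.search(netname)


def dns_looks_like_company(ptr):
    """PTR exists, is not a pool name, and sits under a domain the ISPs do not own."""
    return bool(ptr) and not CONSUMER_RE.search(ptr) and parent_domain(ptr) not in ISP_DOMAINS


def city_table(records, top=10):
    """Top-N cities as (city, count, percent of all records), like the slide's table."""
    counts = Counter(city for _, city, _, _ in records)
    total = len(records)
    return [(city, n, round(100.0 * n / total, 3)) for city, n in counts.most_common(top)]


def summarize(records):
    """The three numbers the slide reports: total, consumer lines, and company-looking
    records by whois and by DNS (the last two are independent and may overlap)."""
    return {
        "total": len(records),
        "consumer": sum(is_consumer(net, ptr) for _, _, net, ptr in records),
        "whois_company": sum(whois_looks_like_company(net) for _, _, net, _ in records),
        "dns_company": sum(dns_looks_like_company(ptr) for _, _, _, ptr in records),
    }


if __name__ == "__main__":
    for city, n, pct in city_table(RECORDS):
        print(f"{city:<12} {n:>4} {pct:.3f}%")
    print(summarize(RECORDS))
```

On a real list the records would come from whois lookups and PTR queries; the functions above only consume the already-fetched strings, so the classification can be rerun offline and the token list tuned without re-querying anything.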
  • 58. RSA -> Lockheed Martin: RSA was hacked, allegedly in order to get into Lockheed Martin.
        Twitter: hacked using recent Java vulnerabilities.
        Facebook: hacked using recent Java vulnerabilities through a third-party site, iphonedevsdk.com.
        Microsoft: hacked using recent Java vulnerabilities through the same third-party site, iphonedevsdk.com.
        Apple: hacked using recent Java vulnerabilities through the same third-party site, iphonedevsdk.com.
  • 59. US National Vulnerability Database hacked: malware planted on two web servers, undiscovered for two months. "Hacking the NVD and planting malware on the very place where we get our vulnerability information, that is just pure evil!"
  • 63. Mat Honan, senior editor at Wired's Gadget Lab: security flaws in Apple and Amazon customer service systems let hackers gain control over his accounts and delete the files on his Mac.
  • 64. How?
  • 65. Metasploit: penetration testing framework. Developed by HD Moore back in 2003, bought by Rapid7 in 2009. An open-source version is still available.
  • 66. Social-Engineer Toolkit (SET): great tool for performing social engineering attacks: phishing, web attacks, malware-infected USB sticks, etc. Developed by Dave Kennedy & Co.
  • 68. Demo: fictitious company with the following network setup: firewall, mail server, web server, DNS server, internal Windows 7 workstation...
  • 71. Carbon-based lifeforms: humans are the weakest link; they use age-old social frameworks in a modern connected world; they are easily tricked into clicking, opening links, attachments and programs; and they make errors, repeatedly.
        Computer software: is programmed by humans, has bugs, and is used by humans.
        Hacking tools: readily available, easy to use, developed by professionals.
        Cybercriminals: cybercriminals, hacktivists, nation states & governments.