Igor was talking about latest biggest hacks and security threats, and about Human Security Interaction. Get ready to hear real-life stories about reasons why human factor is so important in security nowadays. OWASP Ukraine 2017 Security Conference https://www.facebook.com/events/914991308665427/

1. Incident Busters. Human Security Interaction
Igor Beliaiev| 2017
*Cybersecurity is a team sport, being alone you will lose

2. whoami
Security Engineer
OWASP Lviv Chapter Leader
The Conference Organizer 
Igor Beliaiev

3. What people think hackers do?
#before

4. What hackers actually do?
#before

5. things have changed

6. things have changed
#after

7. How was 2017? WannaCry About NotPetya?
The Shadow Brokers
Medoc, CCleaner, ..?
WannaCry
BadRabbit
NotPetya

8. Shadow Brockers
© Sean Brian Townsendinformnapalm.org/41245-kazus-kasperskogo-i-kibershpionazh-kak-rossiya-otkryla-yashhik-pandory

9. WannaCry
Vulnerability MS17-010 in SMBv1
Jan 2017 – Shadow Brokers said that there is 0-day in SMB
14 Mar 2017 – patch released for update
14May 2017
240.000 computers in 150+ countries got infected
240.000 have only made 19 bitcoin
6Jun 2017
520.000 computers, 200.000 IPs
320 users paid 50.91735344 BTC

10. NotPetya

11. NotPetya

12. https://www.facebook.com/cyberpoliceua/posts/540958002695034
Cyberpolice

13. The Nyetya attack was a destructive ransomware variant that affected many
organizations inside of Ukraine and multinational corporations with operations
in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos
identified several key aspects of the attack. The investigation found a supply
chain-focused attack at M.E.Doc software that delivered a destructive payload
disguised as ransomware. By utilizing stolen credentials, the actor was able to
manipulate the update server for M.E.Doc to proxy connections to an actor-
controlled server. Based on the findings, Talos remains confident that the attack
was destructive in nature. The effects were broad reaching, with Ukraine Cyber
police confirming over 2000 affected companies in Ukraine alone.“
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
NotPetia/Nyetya

14. Money is not always the answer

15. ??.2015
New Black Energy was used to infect victims

16. 11.2015. Elections date
Black Energy infection => media. StarLightMedia

17. 12.2015
Black Energy infection => power plants, energy sector

18. Beginning of 2016
Black Energy => Kyiv Boryspil international airport

19. У грудні 2016 року спеціалісти ESET опублікували два докладні
матеріали про руйнівні атаки, проведені групою, яку дослідники
ESET назвали TeleBots, зокрема про атаку на фінансові установи
та Linux-версію загрози KillDisk, яку використовувала ця група.
TeleBots організовує кібератаки на різні комп'ютерні системи в
Україні, які можна віднести до об’єктів критичної
інфраструктури. Крім того, група TeleBots має зв'язки з групою
BlackEnergy, причетною до відключення електроенергії в грудні
2015 року в Україні.
TeleBots

20. https://eset.ua/download_files/news/Supply-Chain_attacks_ukr.pdf
2017

22. CredRaptor (викрадач паролів) •
Plainpwd (модифікований Mimikatz,
який використовувався для вилучення
облікових даних Windows з пам'яті)
SysInternals PsExec використовувався
для розповсюдження)

23. What’s next? >> IoT

24. More IoT!

25. BadRabbit

26. Why it’s so important?
Same Mistakes
Social Engineering
Human errors
Predictable behavior

27. Hacking is hard?

28. Some stories

29. Airport security

30. Airport security

31. #fuckups. Ukraine. Autumn 2017
#FuckResponsibleDisclosure © Ukrainian Cyber Alliance

33. #fuckup Судова влада України. Open FTP

34. #fuckup Херсонська обласна рада
Open network disk
r/w access
confidential data
#SambaCry
and … ZverCD, Zillya, DS-sharing

35. #fuckup Херсонська обласна рада

36. #fuckup Державна служба фінансового моніторингу України
…monitoring since 2008 ©

37. #fuckup Міністерство внутрішніх справ
Just some scans

38. #fuckup Національна академія внутрішніх справ
windows share
sql.db:
- all intranet machines
- site db+passwords
- students + officers db
#SambaCry

39. #fuckup CERT-UA

40. CERT-UA

41. #fuckup Lvivvodokanal

42. Ok, it's enough

43. Social Engineering Works

45. Social Engineering Works - @Ukraine

46. One of US biggest product adv/marketing company
17 target email
addresses for Social
Engineering
2 people out of
office
17-2 = 15 targets
Test duration -
3days
10 users clicked on
malicious url in
mailbox
47% of target
employees entered
password (7 from
15)
Attacker get VPN
access
IT registered
incident
Attackers tracked
down
Attacker access
monitored
Jan Jan
Jan ??
Started: Jan 27
… senior(security) admin

47. Magic of Statistic
35%
24%
29%
12%
Total
tried to log in on malicious site
just clicked on malicious url
did nothing
out of office

48. Consequences of SE
Sensitive client’s data (2000 accounts)
jira/confluence admin access
Nexpose, Appspider, etc

49. IT company
Technological risks:
Malware/viruses/intrusions
Cyber attacks
Service provider failure
Physical security (f.e. loss of devices)
Data related vulnerabilities
Phishing
Human risks:
Human error/mistakes
Insider sabotage/theft
Lack of skills
Lack of knowledge
Lack of guidance

50. IT company @UA
The weakest part in security?
The most valuable information in company?
PEOPLEMONEY CLIENTS
Choosing targets
Finance
IT(backups, access, data)
Accounting
Infrastructure Legal
The security level of the system is determined
by its most insecure element

52. Ask to use your USB flash

53. Acting like IT Support

54. Change in mindset needed

56. going inside…SoftServe

57. igor@beliaiev.com
skype: ghost-bel
/sechole
owasp-lviv.blogspot.com