The Ultimate Defence: Think Like a Hacker

An Ethical Hacker’s View of Corporate Security

Peter Wood
Chief Executive Officer
First•Base Technologies
Who is Peter Wood?

  Worked in computers & electronics since 1969
  Founded First•Base in 1989 (one of the first ethical hacking firms)

  CEO First Base Technologies LLP
  Social engineer & penetration tester
  Conference speaker and security ‘expert’
  Chair of Advisory Board at CSA UK & Ireland
  Vice Chair of BCS Information Risk Management and Audit Group
  Vice President UK/EU Global Institute for Cyber Security + Research
  Member of ISACA Security Advisory Group
  Corporate Executive Programme Expert
  Knowthenet.org.uk Expert
  IISP Interviewer

  FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
  Registered BCS Security Consultant
  Member of ACM, ISACA, ISSA, Mensa
Slide 2                                                         © First Base Technologies 2010
Thinking like a hacker

• Hacking is a way of thinking
  A hacker is someone who thinks outside the box. It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them. [Bruce Schneier]

• Hacking applies to all aspects of life - not just computers

Traditional thinking

• Firewalls & perimeter defences
• Anti-virus
• SSL VPNs
• Desktop lock down (GPOs)
• Intrusion Detection / Prevention
• Password complexity rules
• HID (proximity) cards
• Secure server rooms
• Visitor IDs

Think like a hacker

Attack the building

Impersonating an employee




Cloning HID cards

http://rfidiot.org/

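The reason a 125 kHz HID Proximity card can be cloned is that it carries no secret: it broadcasts a fixed bit pattern, and the common 26-bit format (H10301) protects that pattern with nothing more than two parity bits. The following is an added example written for this page, not code from the slides or from RFIDIOt; the facility code and card number values are constructed for illustration. It encodes and decodes the 26-bit word and shows that re-encoding a read credential reproduces the original bits exactly, which is all a clone has to do.

```python
"""Encode and decode the 26-bit HID Proximity "H10301" Wiegand format.

Layout of the 26-bit word (bit 25 is transmitted first):
  bit 25      even parity over bits 24..13
  bits 24..17 facility code (8 bits)
  bits 16..1  card number (16 bits)
  bit 0       odd parity over bits 12..1
There is no key, challenge or signature: the reader trusts whatever bits
arrive, so a captured credential can be replayed or written to a blank card.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def _parity(value: int) -> int:
    """1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def encode_h10301(cred: Credential) -> int:
    """Return the 26-bit word a card with this credential transmits."""
    if not 0 <= cred.facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= cred.card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (cred.facility_code << 16) | cred.card_number  # 24 payload bits
    even = _parity(data >> 12)        # leading bit makes the first 12 bits even
    odd = 1 - _parity(data & 0xFFF)   # trailing bit makes the last 12 bits odd
    return (even << 25) | (data << 1) | odd


def decode_h10301(bits: int) -> Credential:
    """Parse a 26-bit word read from a card; reject bad length or parity."""
    if bits < 0 or bits >> 26:
        raise ValueError("expected a 26-bit word")
    even, data, odd = (bits >> 25) & 1, (bits >> 1) & 0xFFFFFF, bits & 1
    if even != _parity(data >> 12):
        raise ValueError("even parity check failed")
    if odd != 1 - _parity(data & 0xFFF):
        raise ValueError("odd parity check failed")
    return Credential(facility_code=data >> 16, card_number=data & 0xFFFF)


def clone(bits: int) -> int:
    """What a cloner does: read the bits, decode them, write the same word to a blank."""
    return encode_h10301(decode_h10301(bits))


def as_bitstring(bits: int) -> str:
    """The word as the reader would see it, most significant bit first."""
    return format(bits, "026b")


if __name__ == "__main__":
    # Constructed example credential, not a real site's card.
    card = Credential(facility_code=200, card_number=54321)
    word = encode_h10301(card)
    print(as_bitstring(word), hex(word), decode_h10301(word))
    assert clone(word) == word
```

Decoding also tells the attacker the facility code shared by every badge on the site, so one read is enough to know the format and the site; the parity checks only catch a corrupted read, never a forged one.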
Impersonating a supplier




Do-it-yourself ID cards




Impersonate a cleaner

• No vetting
• Out-of-hours access
• Cleans the desks
• Takes out large black sacks

Think like a hacker

Attack the building contents

Data theft by keylogger




Data theft by USB

• USB key
• iPod
• CD
• USB hard drive

On-site bugging

Colour CCD camera with sound and a set of buttons to match clothing: £146.88

Bypass Windows security

“Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.”

Become Local Administrator

Ophcrack is a free Windows password cracker based on rainbow tables by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.

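Ophcrack works because Windows stores its LM and NT password hashes without a salt: the same password always gives the same hash, so hashing the keyspace is done once, compressed into rainbow tables, and reused against every machine. The example below is added here and is not Ophcrack's code; it reproduces the idea at toy scale with SHA-256 over four-digit PINs (the chain length, table size and reduction function are my own choices, and SHA-256 stands in for the LM/NT hash). It builds a table, recovers a PIN from its bare hash, and shows that the salted hash of the same PIN is not found, which is why salting would have defeated this attack.

```python
"""Toy rainbow table: precompute once, invert unsalted hashes many times."""
import hashlib

PIN_LEN = 4
KEYSPACE = 10 ** PIN_LEN   # PINs "0000" .. "9999"
CHAIN_LEN = 50             # hash/reduce steps per chain


def hash_pin(pin: str, salt: str = "") -> bytes:
    """SHA-256 stands in for the unsalted LM/NT hash; the salt is only for contrast."""
    return hashlib.sha256((salt + pin).encode()).digest()


def reduce_to_pin(digest: bytes, column: int) -> str:
    """Map a digest back into the PIN keyspace. Mixing in the column index is
    what makes this a rainbow table rather than a plain Hellman table: chains
    that collide in different columns do not merge."""
    n = (int.from_bytes(digest[:8], "big") + column) % KEYSPACE
    return f"{n:0{PIN_LEN}d}"


def build_table(n_chains: int) -> dict:
    """Return {chain endpoint: chain start}. Only the two ends of each chain
    are stored; everything in between is recomputed on demand. That is the
    time/memory trade-off that keeps a real table to gigabytes."""
    table = {}
    for i in range(n_chains):
        start = f"{(i * 7919) % KEYSPACE:0{PIN_LEN}d}"  # spread the starts out
        pin = start
        for column in range(CHAIN_LEN):
            pin = reduce_to_pin(hash_pin(pin), column)
        table.setdefault(pin, start)  # if two chains share an endpoint, keep the first
    return table


def lookup(table: dict, target: bytes):
    """Recover the PIN whose hash is `target`, or None if the table does not cover it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: `target` sits in this column. Walk forward to the endpoint.
        pin = reduce_to_pin(target, column)
        for c in range(column + 1, CHAIN_LEN):
            pin = reduce_to_pin(hash_pin(pin), c)
        start = table.get(pin)
        if start is None:
            continue
        # Endpoint matched: rebuild that chain from its start and look for the hash.
        pin = start
        for c in range(CHAIN_LEN):
            if hash_pin(pin) == target:
                return pin
            pin = reduce_to_pin(hash_pin(pin), c)
        # False alarm (a different chain ended at the same point); try the next column.
    return None


if __name__ == "__main__":
    table = build_table(600)   # 600 chains x 50 steps reach most of the 10,000 PINs
    print(lookup(table, hash_pin("0000")))                # 0000
    print(lookup(table, hash_pin("0000", salt="s4lt")))   # None: the salt moves it off the table
```

Chains that happen to merge waste table space and produce false alarms, which is why real tables are generated with many chains and checked for coverage; the lookup above simply tries the next column when a match does not pan out. The salted case fails not because the hash is stronger but because the precomputation no longer applies to it.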
Think like a hacker

An alternative to attacking head office

Home wireless & public WiFi

• No encryption (or WEP)
• Plain text traffic (email, unencrypted sites)
• SSL VPNs
• False sense of security

Eavesdropping

Packet sniffing unprotected WiFi can reveal:
• logons and passwords for unencrypted sites
• all plain-text traffic (e-mails, web browsing, file transfers, etc)

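What packet sniffing on an unprotected network yields in practice is application-layer text, so the check is simply to read it. The following is an added example, not from the slides: it runs over a handful of constructed TCP payloads (the hosts, user names and passwords are invented) and pulls out an HTTP Basic Authorization header, a login form POST and a POP3 USER/PASS exchange, while the TLS flow on port 443 yields nothing, which is the contrast the slide draws between unencrypted and encrypted sites.

```python
"""Pull credentials out of captured plaintext application traffic."""
import base64
from urllib.parse import parse_qs

# Constructed sample capture: (src_ip, dst_ip, dst_port, TCP payload).
# No real hosts or accounts; the Basic header is built from an invented pair.
SAMPLE_FLOWS = [
    ("192.168.0.12", "203.0.113.5", 80,
     b"GET /intranet/ HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic " + base64.b64encode(b"alice:Passw0rd!") + b"\r\n\r\n"),
    ("192.168.0.12", "203.0.113.9", 80,
     b"POST /login HTTP/1.1\r\nHost: webmail.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 32\r\n\r\n"
     b"username=bob&password=Summer2010"),
    ("192.168.0.12", "203.0.113.20", 110, b"USER carol\r\nPASS letmein\r\n"),
    # Start of a TLS ClientHello: nothing readable without the session keys.
    ("192.168.0.12", "203.0.113.21", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

USER_FIELDS = ("username", "user", "login", "email", "uid")
PASS_FIELDS = ("password", "pass", "passwd", "pwd")


def _http_credentials(dst, text):
    """Basic auth headers and login-form bodies from one HTTP request."""
    head, _, body = text.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "authorization" and value.lower().startswith("basic "):
            try:
                user, _, password = base64.b64decode(value[6:]).decode("utf-8", "replace").partition(":")
            except ValueError:
                continue                         # malformed base64: not a credential
            found.append(("HTTP-Basic", dst, user, password))
    form = parse_qs(body)
    user = next((form[k][0] for k in USER_FIELDS if k in form), None)
    password = next((form[k][0] for k in PASS_FIELDS if k in form), None)
    if user is not None and password is not None:
        found.append(("HTTP-form", dst, user, password))
    return found


def _userpass_credentials(proto, dst, text):
    """USER/PASS pairs from line-oriented protocols such as POP3 and FTP."""
    user = password = None
    for line in text.splitlines():
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg
    return [(proto, dst, user, password)] if user and password else []


def extract_credentials(flows):
    """Return (protocol, server, user, password) for every credential sent in clear."""
    findings = []
    for _src, dst, port, payload in flows:
        text = payload.decode("latin-1")   # never fails, so binary flows are harmless
        if port in (80, 8080):
            findings.extend(_http_credentials(dst, text))
        elif port == 110:
            findings.extend(_userpass_credentials("POP3", dst, text))
        elif port == 21:
            findings.extend(_userpass_credentials("FTP", dst, text))
        # 443, 993, 995 and the like carry TLS: the bytes are there but say nothing.
    return findings


if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_FLOWS):
        print(hit)
```

Real sniffers reassemble TCP streams first, so one request may arrive in several segments; the parsing here assumes each payload is a whole request. The same logic, pointed at a live capture of an open hotspot, is exactly what makes the "False sense of security" bullet on the previous slide concrete.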
Active attacks

Once connected to the network an attacker can:
• conduct man-in-the-middle attacks
  (including SSL and TLS sessions, where the user clicks through a certificate warning or the site does not force HTTPS)
• redirect traffic
• spoof legitimate machines
• hijack PDAs, iPhones, etc

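Most of what this slide lists (man-in-the-middle, traffic redirection, spoofing legitimate machines) starts with ARP spoofing on the local network: the attacker answers for the gateway's IP address with its own MAC. The following is an added example, not from the slides, of the detection check a defender can run over ARP replies; the replies below are constructed and the gateway address and MACs are invented. It flags an IP whose MAC changes (rated HIGH when it is the gateway) and a single MAC that claims both the gateway and another host, which is the two-sided poisoning a full man-in-the-middle needs.

```python
"""Spot ARP spoofing from a stream of ARP replies."""
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"   # assumed: the router the victims rely on

# Constructed capture: (seconds, sender IP, sender MAC) taken from ARP replies.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.0.1", "00:11:22:aa:bb:01"),   # real gateway
    (0.5, "192.168.0.12", "00:11:22:aa:bb:12"),  # a laptop
    (1.0, "192.168.0.20", "00:11:22:aa:bb:20"),  # another laptop
    (5.0, "192.168.0.1", "DE:AD:BE:EF:00:01"),   # attacker claims the gateway
    (5.1, "192.168.0.12", "DE:AD:BE:EF:00:01"),  # and the laptop: both directions poisoned
    (6.0, "192.168.0.1", "00:11:22:aa:bb:01"),   # real gateway replies again: flapping
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Return a list of (time, severity, message) alerts, in capture order."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()                       # MACs compare case-insensitively
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((t, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac

        claimed_before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # Alert once per new address: one MAC answering for the gateway and a host.
        if len(mac_to_ips[mac]) > claimed_before > 0 and gateway_ip in mac_to_ips[mac]:
            others = ", ".join(sorted(mac_to_ips[mac] - {gateway_ip}))
            alerts.append((t, "HIGH", f"{mac} answers for gateway {gateway_ip} and {others}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A legitimate router that holds several addresses on one MAC, or a host whose NIC was replaced, will trip these rules too, so the output is a prompt to look, not a verdict; the flapping pattern (the real gateway re-asserting itself at 6.0 s) is the strongest single signal, because it only appears when two stations are contending for one address.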
Think like a hacker

Let’s find the soft spots before they do!

Pragmatic security reviews




Need more information?

Peter Wood
Chief Executive Officer
First•Base Technologies LLP

peterw@firstbase.co.uk
Twitter: peterwoodx
Blog: fpws.blogspot.com
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com

