Get documents about "PPT - Security Science
Document Sample
Hackers are here…
…where are you?
Arnel C. Reyes
Chief Technology Officer
Global Content & Research Ltd.
September 8, 2010
Hacking Defense
You may watch this video clip at:
http://www.security-science.com/internet-security-science-community/99-
securityexpert/videos/video/97-Victims+Hacked+Companies
Download complete [rar file] presentation with video at:
http://www.security-science.com/learn-security/internet-security-science-
presentations
The Only Way to Stop a
Hacker Is to Think Like One
Hacking, What’s so Ethical
About It?
You may watch this video clip at:
http://www.security-science.com/internet-security-science-community/99-
securityexpert/videos/video/91-Hackers+Outlaws+and+Angels
Download complete [rar file] presentation with video at:
http://www.security-science.com/learn-security/internet-security-science-
presentations
“The Biggest Military Computer
Hack of all Time”
Gary McKinnon, a systems administrator
gained illegal access and made
unauthorized modifications to 97 computers
belonging to the US government, including
computers from the DoD, NASA and the
National Security Agency over 12 months
The US government
said McKinnon's
hacking caused
downtime and Lethal Weapons -
personnel costs of software available freely
around $1m (£0.6m)
over the internet were
used to gain access
to computer networks
used by the US Army,
Navy & Air Force
Common Attacks
• Backdoor Replay attack
• Bacteria Script kiddies
• Buffer overflow/overrun Security audit tools
• Compromised system utilities Shell escapes
• E-mail forgery Shoulder surfing
• E-mail relay Smurfing
• IP spoofing Social engineering
• Keystroke monitoring SYN flooding
• Logic bomb Traffic analysis
• Mail bombing Trapdoor
• Man in the middle Trojan horse
• Masquerade van Eck attack
• Network scanning Virus
• Packet sniffing War dialing
• Password cracking Worm
• Ping flooding
Is your security skills or talent pool
on the cutting edge of security
practices?
• A recent study identified the following as probable
reasons behind a hack attack. Predominantly, the cause
seemed to be personnel related:
• High turnover of administrators and technical staff in the
IT departments
• Gap in position
• Lack of proper training : How Do We Train Them?
• Poor direction
Normal instances and why you
should be concerned! - 1
Does this sound familiar?
• “We have a good firewall, an anti-virus and know the people
we work with.”
A good firewall can be mis-configured and turn out to be
the best thing a hacker can use against you.
The anti-virus may not be updated and your system can
be compromised.
The mail from your friend can turn your machine into a
zombie for further attacks.
You could be held responsible for the attack by the law
enforcement agencies!
Normal instances and why you
should be concerned! - 2
Does this sound familiar?
• “We don’t transact on the Internet, so why would anybody
hack our systems over the Internet?”
Your web server can be used as a “warez” house, even
though you don’t transact? You could be hosting illegal
files of questionable moral content.
A poll of more than 150 CIOs by IDG's CIO Magazine
found that two-thirds felt that information about a hacker
attack would adversely affect their company's
valuation.
Normal instances and why you
should be concerned! - 3
Does this sound familiar?
• “Our employees are so well connected that we work in real-
time.”
Ever heard of spoofing? Information can be stolen in
real-time and sold even before you can blink and
click?
How sure can you be that the access point you have
logged onto is not a rogue access point? - FAKE
ACCESS TO STEAL USER NAME/PASSWORDS.
Are you really sure that you have not let a hacker take
advantage of your lack of awareness and
compromised your network?
Normal instances and why you
should be concerned! - 4
Does this sound familiar?
• “I just browse and check my mail… I don’t see why or how I
can be hacked.”
You can be hacked while simply browsing – you don’t
have to click or open anything!
A poll of more than 150 CIOs by IDG's CIO Magazine
found that 64 percent of senior technology executives are
worried about hackers stealing their e-mail and
personal identity.
Identity theft can even drive you bankrupt!
I.T Audits and Security Policy
Do you SEE what the
Hacker Sees?
Are you aware of your
security posture?
Why Cyber Attacks?
• The principal motives behind using the Internet for digital attacks include:
Creating political tension
Registering protest and digital warfare
Carrying out espionage, surveillance and reconnaissance
Causing destruction of competitive advantage or share price
Outlet for disgruntled or misdirected workforce issues
Symbolizing anti-globalization and anti-capitalism protest
Hacktivism: environmental and animal rights activism
Boredom: intellectual challenge and recreational hacking
Most Popular: financial gain
Most Critical: LOSS of HUMAN LIFE
Think about it
• Attackers can potentially:
Shut off the electricity of a city
Shut down the phone lines in a given neighborhood
Cause a dam to release the water it is holding
Cause two trains to crash into each other
Many government experts assume that militant operatives will actually
launch a cyber-attack in conjunction with a more conventional attack.
For instance, terrorists could blow up a building and then disable the
phone system in the surrounding area in order to prevent law
enforcement, medical, and emergency officials from responding to the
attack.
Why Terrorists use the Internet
Anonymity - The Internet makes it easier for them to communicate covertly,
preach to the public, and solicit funds.
Location Independence - They can use it to plan and coordinate their
attacks. The launch pad is no longer a runway, but a computer – the
attacker, no longer a combat pilot, but a computer hacker bent on
destruction.
Lesser tangible armory required as well as lesser skill levels; as tools are
available on the Internet. Example: John, a citizen, cannot go out and buy
an F1-17 or Tornado fighter plane or an attack submarine. But with a
relatively simple computer capability, individuals can do things via the
cyberspace environment that can impact on the national security interests of
actual nation states.
Ease of availing and transferring funds
Extensive Reach of the medium
EC-Council’s Security Track
• Defense (Defend your Network)
– Network Security Course
• Hacking (Penetration Testing)
– Ethical Hacking and Countermeasures
• Incident Handling (Forensics)
– Computer Hacking Forensics Investigator
• Prosecute (Legal indictment)
– Cyber Law
“SHIP” Approach
Secure your Network Hack Your Network
1 2
Security
4 3
Prosecute (Legal) Investigate (Forensics)
Can you be hacked?
Hacking DEMO
Ingenuity of Trojans
• Lycos had recently announced the screensaver as a means
to combat spammers.
• John had recently installed the Lycos anti-spam screensaver.
He had received it over mail as an attachment titled "Lycos
screensaver to fight spam.zip."
What John did not know was that - ever since he double clicked on the
attachment, all his keystrokes were being captured unknown to him. Somebody
was stealing his usernames, passwords, credit card details and e-mail
addresses. His system was Trojaned!!
Trojans are malicious code that are executed when the user unwittingly
executes a seemingly benign software / link / mail attachment. They install a
backdoor to the machine and the attacker can have complete access or
“ownership” of information assets or system resources unknown to the user.
Scenario
Robin is working as a sales executive with a
Drug manufacturing firm. Despite achieving the
set target he fails to get the remuneration he
desires.
He feels his loyalty and commitment is not
valued by his superiors. A frustrated Robin
approaches the rival company for the post of
Associate Manager (Sales) that was posted on a
job site he had visited.
The Manager of a rival company agrees to offer
him the job if he could pass them the patent
information related to a particular drug.
Robin agrees to the condition.
MergeStreams Attack
• Robin , a computer savvy goes back to his
firm and searches for the required
document and stores it in a MS Excel file.
• Since use of storage media is restricted in
his office premises the use of disks was
not possible to transfer the file.
• He uses a tool “MergeStreams” to send
the file across through email
Tool: MergeStreams
• Steps to use the tool:
1. Launch the tool.
2. Select the respective MS Word file/MS Excel file that needs to be
merged.Click the browse button to select the respective files
Tool: MergeStreams
3. Click “Merge” button to merge the files.
Tool: MergeStreams
• Open the MS Word document. The original content in
the file would be displayed.
• Try opening the merged MS Word document with MS
Excel and find the difference.
Implications
• Confidential information is at risk !
• Can lead to huge losses if critical business
information is passed on
• A covert attack that can destabilized the
victim firm/individual
Scenario
John is working as a Personal Assistant to his Sales Manager. He is
very eager to know the confidential files stored in his Manager’s
computer.
One day the Manager leaves John unattended on his laptop. John
takes advantage of the opportunity and installs a hardware keylogger
without the knowledge of his superior.
After few days similar situation arises and John removes the
hardware keylogger that was installed via keyboard. He goes home
and gets to know the username and password of his superior's official
and personal account.
What do you think John can do?
Classification: Hardware
keyloggers
• KeyGhost keylogger KeyKatcher keylogger
KeyGhost
• The device can be installed even when the target computer is logged out,
has a password, is locked or switched off
• The device can be unplugged and the keystrokes retrieved on another
computer
• Over 500,000 keystrokes can be stored with STRONG 128-bit encryption in
non-volatile flash memory (same as in smart cards) that doesn't need
batteries to retain storage
• The device works on any desktop PC & all PC operating systems, including
Windows 3.1, 95, 98, NT, 2000, Linux, OS/2, DOS, Sun Solaris and BeOS
• No software installation is needed at all to record or retrieve keystrokes.
Recorded keystrokes can be played back into any text editor using
proprietary 'keystroke ghosting' technique
• The device plugs into computers with a small PS/2 keyboard plug or a large
DIN plug
• Unlike software keystroke recorders, KeyGhost records every keystroke,
even those used to modify the BIOS before boot up
• It is impossible to detect or disable using software
Keyboard cable with Keyboard cable with
KeyKatcher installed
KeyGhost installed
Password information
Password information is recorded in the way presented
below (user keystrokes are in bold):
User activity Screen information
User types <ctr-alt-del> <ON><PWR>
User types login <PWR><ctrl-alt-del>
password Wnt24~L4r
A site URL www.americanexpress.c
User types a user ID om
User types a password JohnDoe
9ltrscr_T
The Social Engineering Attack
“The art and science of getting people to comply to your wishes”
Aspects
• Social engineering has many aspects
Face to face
Telephone & email
Eaves dropping
Trashing
Web site surfing
Part 1
Social Engineering in Action
You may watch this video clip at:
http://www.security-science.com/internet-security-science-community/99-
securityexpert/videos/video/95-Hacking+Social+Engineering+In+Action+1
Download complete [rar file] presentation with video at:
http://www.security-science.com/learn-security/internet-security-science-
presentations
Commentary
• Social Engineering:
It’s easy
It’s inexpensive
It’s successful
It can happen today, to your organization, for a thousand different reasons
Common Faults
Keys to Access Classified Information
You may watch this video clip at:
http://www.security-science.com/internet-security-science-community/99-
securityexpert/videos/video/94-Information+Security+Dumpster+Diving
Download complete [rar file] presentation with video at:
http://www.security-science.com/learn-security/internet-security-science-
presentations
Part 2
Social Engineering in Action
You may watch this video clip at:
http://www.security-science.com/internet-security-science-community/99-
securityexpert/videos/video/96-Hacking+Social+Engineering+In+Action+2
Download complete [rar file] presentation with video at:
http://www.security-science.com/learn-security/internet-security-science-
presentations
Myths of Social Engineering
Myths
• Myth #1 – Social engineering is tricking
people into giving up information
• Myth #2 -Social engineering is just
telling the victim a bunch of lies
• Myth #3 – Social engineering only works
against the ignorant/uninformed
Realities of Social Engineering
Realities
• Social engineering IS a threat
• Most companies ignore the possibility
• Result: Easy entry and a wealth of
information
Prevention
and
Mitigation
Prevention
[ A-C-T ]
Awareness
Comprehension
Training/Testing
Mitigation
Keep an “I” ON your network
Inform
Observe
Notify
Wrap Up
• Different organizations have different
security problems
• To prevent security problems, you
must A-C-T, not react
• To mitigate security problems, keep
an “I” “ON” your network
• Take A-C-T-I-O-N to secure your data
The Only Way to Stop a
Hacker Is to Think Like One
THANK YOU FOR YOUR ATTENTION!!!
Hope you find this informative…
LEARN HACKING DEFENSE & COUNTERMEASURES
WWW.SECURITY-SCIENCE.COM
