hacking the company : risks with carbon-based lifeforms using vulnerable systems


Upload: khalavak

Post on 13-Jul-2015


Hacking the Company: Risks with carbon-based lifeforms using vulnerable systems

$ whoami

Curious Hacker (e.g. I like to break things apart and rebuild them!)
Maker (e.g. I like to make things)
RC-Geek (e.g. I like to fly radio-controlled devices)
Chief Security Officer @ Crosskey Banking Solutions
Social Media: Twitter: @khalavak, G+: Kim Halavakoski, G+ communities: Security De-Obfuscated, PCI Jedis...

"An enthusiastic and skilled computer programmer or user"

Hacker as defined in RFC 1392: A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where "cracker" would be the correct term. See also: cracker.

How?

Vulnerabilities

Young padawan, don't forget: lack of focus leads to sloppiness, sloppiness leads to misconfiguration and bugs, and misconfiguration and bugs lead to compromise.

Vulnerabilities

Vulnerabilities & 0-days

0-days

Top 10 vulnerable vendors

Who uses these vulnerable vendors anyway?

We all keep our systems patched? All the time? Almost? Sometimes?

Examples of vulnerable vendors: Microsoft, Apple, Oracle, Sun Microsystems, Cisco, Mozilla, Linux, Hewlett Packard, Adobe...

Ever used any of these vendors?

Top 10 vulnerable products

Who uses these vulnerable products anyway?

We all keep our software products patched? All the time? Almost? Sometimes?

Examples of vulnerable software: Linux, Firefox, Mac OS X, Google Chrome, Internet Explorer, SeaMonkey, Solaris, Thunderbird

Ever used any of this software?

Browser market shares

According to the previous statistics on vulnerabilities in Internet Explorer, Firefox and Chrome, it seems that 92.61% of the browsers used on the Internet are vulnerable.

Java:
46 vulnerabilities in 2012
48 vulnerabilities in 2013 (and it's only March!)
of which 26 vulnerabilities with CVSS score 10.0 in 2013 so far

http://java-0day.com

http://istherejava0day.com

Patching is Critical

Security is as strong as the weakest link.

If you take security seriously then making sure everything is up to date is more important than ever.

Social Engineering

There is no patch for human stupidity.

Social engineering works. People are easily tricked. Really.
It taps into psychological factors that are part of human nature.
It abuses the trust frameworks that we are used to in real life.

"Could I have the root password, please?"

A good presentation needs a cat picture to soften the audience.

On a side note, cybercriminals know that we like cute and funny pictures and videos, so they use our eagerness to click on cute things to hack your computer...

So even if supercute, think before you click!

How easily are you tricked?

Would you fall for this?

Are you sure it is Paypal?

Problems with your Visa card?

Salaries! Confidential! Dare to open that PDF document?

What did I order again?

Who?

Cybercriminals

Oleg Nikolaenko
24-year-old hacker who ran the Mega-D botnet back in 2010.
Mega-D was sending 30-40% of the spam on the Internet.

Vladimir Tsastsin
Vladimir ran Estdomains and later Rove Digital, which ran "Operation Ghost Click", which was behind the infamous DNSChanger malware that caused havoc all over the world.

Hacktivists

Governments and Nation states

Why?

Cybercrime market value: $114 billion

Where?

World: 10437

FI, SE, NO, DK, AX: 4447

FI: 2829

Top 10 cities in Finland (number of IPs and share of the 2829 Finnish addresses):

City          num   %
Helsinki      411   14.528%
Tampere       406   14.351%
Hämeenlinna   176   6.221%
Jyväskylä     117   4.136%
Turku          87   3.075%
Vanda          85   3.004%
Espoo          71   2.51%
Pirkkala       63   2.227%
Lahti          63   2.227%
Oulu           59   2.086%

Helsinki: 411

From the 2829 IP addresses in Finland I did a quick statistical analysis of the whois and DNS data and found:

most of the IPs are end customers with ADSL or GPRS connections from Sonera, DNA, Nebula, local telephone companies, etc.
59 whois records that look like companies
37 DNS records that look like companies

...some small, some bigger, some of them even "security" companies, and some in public services and even government use...
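The kind of quick whois/DNS triage described above, as an added example that is not part of the original talk: it classifies each address as a residential subscriber or a company from its whois organisation and reverse-DNS name, then builds the per-city top-N table with percentages of the total. The sample records, the ISP name list and the reverse-DNS label patterns are constructed assumptions for this example, not the speaker's real data set or method.

```python
import re
from collections import Counter

# Constructed sample records (ip, city, whois organisation, reverse-DNS name).
# The addresses are documentation-range IPs and the names are made up.
SAMPLE_RECORDS = [
    ("192.0.2.10", "Helsinki", "TeliaSonera Finland Oyj", "dsl-hkibrasgw1-fe50.dhcp.inet.fi"),
    ("192.0.2.11", "Helsinki", "DNA Oy", "87-93-1-2.bb.dnainternet.fi"),
    ("192.0.2.12", "Tampere", "Example Security Ltd", "mail.example-security.fi"),
    ("192.0.2.13", "Tampere", "DNA Oy", "dyn-88.bb.dnainternet.fi"),
    ("192.0.2.14", "Turku", "Nebula Oy", "cust-10.nebula.fi"),
    ("192.0.2.15", "Helsinki", "City of Example Public Services", ""),
    ("192.0.2.16", "Oulu", "", ""),
]

# Heuristics (assumptions for this example): consumer ISP names in whois and
# dynamic-pool style labels in reverse DNS mark a record as a residential line.
RESIDENTIAL_ORG = re.compile(r"\b(sonera|dna|elisa|nebula|saunalahti)\b", re.IGNORECASE)
RESIDENTIAL_RDNS = re.compile(r"(dsl|dhcp|dyn|pool|gprs|mobile|cust|\bbb\b)", re.IGNORECASE)


def classify(org, rdns):
    """Return 'residential', 'company' or 'unknown' for one whois/DNS record."""
    if RESIDENTIAL_ORG.search(org) or RESIDENTIAL_RDNS.search(rdns):
        return "residential"
    if org or rdns:
        # Anything with a real organisation or a static host name is treated
        # as an organisation worth notifying directly.
        return "company"
    return "unknown"


def percent_table(counts, total, top=10):
    """Rank a {label: count} mapping and express each count as a share of total.

    Returns a list of (label, count, percent) rows, highest count first,
    ties broken alphabetically so the output is deterministic.
    """
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]
    return [(label, n, round(100.0 * n / total, 3)) for label, n in ranked]


def summarize(records, top=10):
    """Classify every record and build the per-city top-N table."""
    total = len(records)
    kinds = Counter(classify(org, rdns) for _, _, org, rdns in records)
    cities = Counter(city for _, city, _, _ in records)
    return {
        "total": total,
        "kinds": dict(kinds),
        "top_cities": percent_table(cities, total, top),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_RECORDS)
    print(f"{result['total']} addresses: {result['kinds']}")
    for city, n, pct in result["top_cities"]:
        print(f"{city:14} {n:5d} {pct:7.3f}%")
```

Feeding `percent_table` the city counts from the slide with a total of 2829 reproduces the percentages shown in the table (Helsinki 411 gives 14.528%), so the same function serves both the constructed sample and real whois output once it has been parsed into (city, organisation, reverse-DNS) tuples.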

RSA -> Lockheed Martin: RSA was hacked, allegedly in order to get into Lockheed Martin.
Twitter: Twitter was hacked using recent Java vulnerabilities.
Facebook: Facebook was hacked using recent Java vulnerabilities through a third-party site, iphonedevsdk.com.
Microsoft: Microsoft was hacked using recent Java vulnerabilities through a third-party site, iphonedevsdk.com.
Apple: Apple was hacked using recent Java vulnerabilities through a third-party site, iphonedevsdk.com.

US National Vulnerability Database hacked
Malware planted on 2 web servers...
Undiscovered for 2 months...

"Hacking the NVD and planting malware on the very place where we get our vulnerability information, that is just pure evil!"

Ocean's Eleven?

Matt Honan, Senior Editor at Wired Gadget Lab
Security flaws in Apple and Amazon customer service systems led to hackers gaining control over his account and deleting files on his Mac.

How?

Metasploit
Penetration testing tool.
Developed by HD Moore back in 2003.
Bought by Rapid7 in 2009.
Open-source version still available.

Social-Engineer Toolkit
Great tool for performing social engineering attacks: phishing, web attacks, malware-infected USB sticks, etc.
Developed by Dave Kennedy & Co.

Demo

Fictitious company with the following network setup: firewall, mail server, web server, DNS server, internal Windows 7 workstation...

Conclusion

Carbon-based lifeforms
Humans are the weakest link
Using age-old social frameworks in a modern connected world
Easily tricked into clicking, opening links, attachments and programs
Make errors, repeatedly

Computer software
Is programmed by humans
Has bugs
Is used by humans

Hacking tools
Readily available
Easy to use
Developed by professionals

Cybercriminals
Cybercriminals
Hacktivists
Nation states & governments

Questions?