> think like a hacker · > think like a hacker as ransomware grows attackers will be expanding once an industry is targeted variants are built to attack all major systems used by

> think like a hacker

https://goo.gl/Pwr2Uy



pope @blesstheInfoS

ec

james

dir. IT


pope @blesstheInfoS

ec

james partner


DC801/DC435

SAINTcon, BSidesSLC, BlackHat NATO tech, NATO CyberSecurity

degrees/certs

pope @blesstheInfoS

ec

james




lockpick


lockpick badge clone



bypass tools



bypass tools

35mm film?



bypass tools

35mm film?

lying


checks


checks

master keys


checks

master keys password

s


checks


s

badge makers


checks


s

badge makers

servers


checks


s

badge makers

servers

HR data



who, what, why?


why are these people attacking me?

Money, loot, cash, filthy lucre,

greed … get the idea? In fact, it can be money even when it’s not money”


secondary motive

“Many of the attacks discussed in this report have what we call a ‘secondary motive’, which we define as when the motive of the incident is to ‘aid in a different attack’. We filter these out of the report because it would overshadow everything else if we didn’t. One example is where the bad guy compromises a web server to repurpose it to his own uses (e.g., hosting malicious files or using it in a spam or DoS botnet). Even criminals need infrastructure. “It is a far, far better thing” that someone else manages it for free, rather than having to pay for it yourself.”


how does hacking really happen?

➢  i would phish you ➢  and/or walk in the front door (login), with your bad

passwords or known password from a breach ➢  i would attack your organization with your authentication,

local admin ➢  and/or ransomware your organization

❏  missing patches



phishing

phishing is a criminal activity using

social engineering techniques.

“Phishers” attempt to fraudulently acquire sensitive

information, such as passwords, personal information, military operations, and credit card/

financial details, by masquerading as a trustworthy

person or business in an electronic communication.


portals

links

credential harvesting

payloads

access to your browser

access to your system

admin?


portals

links

credential harvesting

payloads

access to your browser

access to your system

admin?


phishing > think like a hacker


https://internationalcinematechnologyassociation.com/about-icta/



https://ashraffayadh.com/8/index.html France Reply to: [email protected]



phishing





phishing questions?


passwords


hacking passwords

●  dictionary attack ●  brute forcing ●  entropy ●  random - flip a coin! ●  pattern guessing ●  cracking hashes


used to be now is

●  Contain at least eight alphanumeric characters.

●  Contain both upper and lower case letters. ●  Contain at least one number (e.g., 0-9). ●  Contain at least one special character

(e.g., !$%^&*()_+|~-=\`{}[]:";'<>?,/). ●  Cannot contain username ●  Cannot be used last XXX times ●  Must change every 90 days

●  not in a dictionary ●  not reuse from service/

system to service/system

●  length is preferred ●  two factor, two factor,

two factor

multifactor doesn't cut it - one compromised...


used to be now is

●  Contain at least eight alphanumeric characters.

●  Contain both upper and lower case letters. ●  Contain at least one number (e.g., 0-9). ●  Contain at least one special character

(e.g., !$%^&*()_+|~-=\`{}[]:";'<>?,/). ●  Cannot contain username ●  Cannot be used last XXX times ●  Must change every 90 days

●  not in a dictionary ●  not reuse from service/

system to service/system

●  length is preferred ●  two factor, two factor,

two factor

multifactor doesn't cut it - one compromised...


questions?


ransomware


money, money, money

FBI has stated that the use of ransomware has reached an all-time high. In the first three months of 2016 alone, cybercriminals have collected $209 million by extorting businesses and

institutions to unlock computer servers. Ransomware is estimated to have made over $1 billion in 2016, with total losses being even higher once related business costs are factored in.


● BTC/XMR/XVG/SUMO has allowed attackers to anonymously monetize their target ● attacks originate from other compromised systems which leads FBI/law enforcement with little to nothing to go off when tracking down good attackers ● ransomware in 2016 saw more attacks against businesses and more often than ever before. There is no indication that the trend will be reversing anytime soon ● ransomware has already targeted the following industries: health care, police, banking, education, transportation, hotel, government, and industrial control systems








● as ransomware grows attackers will be expanding ● once an industry is targeted variants are built to attack all major systems used by that industry ● ransomware netted very conservatively over a billion dollars in 2016 ● the number of ransomware variants grew by a factor of 30x in 2016 ● every 40 seconds, an organization gets hit with ransomware, up from every two minutes in 2016










why bother? what can happen?


“YOUR SERVERS, NETWORKING EQUIPMENT, AND FILES ARE ALL ENCRYPTED”

The decryption key is stored on a secret internet server and nobody

can decrypt your files until you pay and obtain the private key

2 BTC is due now per auditorium or 35 BTC is due now for an entire chain In 24 hours the price will double to 4 per auditorium and 70 per chain

To pay: download the Tor Browser from http://torproject.org In the Tor Browser go to https://cinemaransomware.onion

(Only available via Tor Browser)

Input this public key and follow the instructions on the server &&68-frankly-DEAR-damn-66&&

Once payment has been made the movie can be resumed in under 10 minutes

ransomware - who has paid?

education

K-12

charter

universities

hospitals

police departments

loads of businesses, nonprofits, home users, etc

what they encrypt

files

backups

shares

network drives

DropBox, OneDrive, Drive, Box, etc.

external USB drives, sticks, etc.


ransomware - who has paid?

education

K-12

charter

universities

hospitals

police departments

loads of businesses, nonprofits, home users, etc

what they encrypt

files

backups

shares

network drives

DropBox, OneDrive, Drive, Box, etc.

external USB drives, sticks, etc.



questions?

hacking goals; get local admin/domain admin/

system creds


you got phished or used a bad password

good news to me you are local admin!


you got phished or used a bad password

good news to me you are local admin!


with local admin i can ➔ disable/bypass AV ➔ install whatever i want ➔ disable/bypass UAC ➔ circumvent policies


but i want system


how hard is it to go from local admin to system privilege?



how do i take down your org from here?


i need highly privileged users


enumerate



i know what hosts i want but how do i get them?



grab passwords dump hashes



it’s not always that easy

sometimes it’s easier


angry puppy


angry puppy

death star


Backups Revision Control

Offsite backups Reduce access

No local admin Disable macros

Anti-exploit software Patch Ad blockers

Awareness training Don’t click on links

Don’t open attachments Remove software (flash/java/etc)


AV w/behavioral real time scanning

SFP / DKIM









SFP / DKIM









SFP / DKIM









SFP / DKIM



Questions?

http://www.blackroomsec.com/updated-hacking-challenge-site-links/

70 sites which offer free challenges for hackers to

practice their skills.


https://goo.gl/Pwr2Uy


https://goo.gl/dqrm66


One Cinema's struggle to take it easy

Documents

> think like a hacker · > think like a hacker as ransomware grows attackers will be expanding once an industry is targeted variants are built to attack all major systems used by