CIO Synergy – Kevin Mitnick
February 5, 2015 – CIO Synergy Keynote Presentation
One of the highlights of today was an opportunity to hear Kevin Mitnick speak. Kevin became fairly famous as a hacker whom the FBI put in prison for a number of years, which he deserved. Since his release, his company has worked with other companies to test their security and their operations, and to help make improvements. Kevin is a fascinating speaker who uses real-life experience and real-life scenarios to make his points. And yet he pulls no punches in letting us know that he was wrong, and how easy it is to fool people even today. The following are just my quick notes from his presentation – Todd.
The Art of Deception
How Hackers and Con Artists Manipulate You and What You Can Do About It
Why Attackers Use Social Engineering?
Easier than hacking a system
Evades all Intrusion Detection Systems
Free or low cost tools
Low risk for attacker
Works on every O/S platform
No logs (audit trail)
Nearly 99.5% effective
Assume Users can be Negligent:
7/10 office workers at London’s Waterloo Station gave away their password for a chocolate easter egg.
Collectively, small nuggets of seemingly useless information can be joined to form valuable information.
Leveraging social networks to identify business and personal relationships
FOCA Pro is a tool that automates analyzing Metadata:
FOCA will analyze Metadata from Microsoft Office Documents, PDF files, and even EXIF Metadata out of images.
Enumerate usernames, installed software, email addresses, printers
Link discrete items together to build a network map
Easy to use: just choose options, point to domain, and let it go!
Tip: Strip out all of your metadata before you post a file
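To make the tip above concrete, here is an added example (not from the talk or from FOCA) that audits and blanks the identifying properties stored in an Office Open XML file's `docProps` parts. The sample package, the user names in it and the `LEAKY` property list are constructed for illustration; PDF and EXIF metadata, comments and tracked changes are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PROP_PARTS = ("docProps/core.xml", "docProps/app.xml")
# Properties that name users and software (assumed list, extend as needed)
LEAKY = {"creator", "lastModifiedBy", "Application", "AppVersion", "Company", "Manager", "Template"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace

def audit(docx_bytes):
    """Return {property: value} for identifying metadata in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in PROP_PARTS:
            if part in z.namelist():
                for el in ET.fromstring(z.read(part)).iter():
                    if local(el.tag) in LEAKY and (el.text or "").strip():
                        found[local(el.tag)] = el.text.strip()
    return found

def strip(docx_bytes):
    """Return a copy of the package with those properties blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in PROP_PARTS:
                root = ET.fromstring(data)
                for el in root.iter():
                    if local(el.tag) in LEAKY:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()

def sample_docx():
    """Constructed sample: minimal package parts, not a full Word document."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            ' xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>CORP\\adoe</cp:lastModifiedBy></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Application>Microsoft Office Word</Application><Company>Example Corp</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app), ("word/document.xml", "<doc/>")):
            z.writestr(name, xml)
    return buf.getvalue()
```

Running `audit()` on a file before publishing and again on the output of `strip()` shows what would have been exposed and confirms it is gone.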
Dumpster Diving: “Digging for Gold”
Project names and plans, and internal correspondence
Employee names, internal e-mail addresses, phone directories, company manuals, system manuals and calendars
Discarded media (hard drives or removable media)
Even user lists that include passwords
Printouts of sensitive data
Incredibly, dumpster diving is NOT illegal unless a “no trespassing sign” is posted and the trash is located on private property
Social Engineering Attack Methods:
Auto-executing malicious programs
Does malicious code ever serve a good purpose?
Leveraging USB firmware to inject keystrokes that may install malicious code
How to find target’s Antivirus protection
List Yourself trick
Stealing passwords by embedding UNC links (e.g. Word)
If one of your employees found a USB stick, would they plug it in?
USB Drive – auto-insert / launch code. Mitigation: can turn off auto-run or auto-play
USB Drive – firmware issues can be used to turn your computer into a trojan that automatically connects to a server somewhere else.
Antivirus – call enterprise sales for the AV companies and ask to add 1,000 licenses. AV company releases the information to the attackers.
Word file – Can be checked with AV, nothing found. When opening the file, it starts communicating with an external server. Windows account name and password hash can be easily pulled from it. Can help mitigate by blocking NetBIOS ports outbound at the firewall.
Old School Phishing Attack
Click on this link to check something.
Skype Phishing Attack
Click on this link to update/fix a problem. Nope. Actually causing a problem.
Evolving Phishing Attacks – IVR
Call into your PBX, record the entire tree, and then set up a shadow tree with open source software
Social Engineering Attack Methods:
Pocket Phisherman & Pineapple
Attacking the victim's browser, document readers, and media players, Java, etc.
How safe is that PDF file in your inbox?
How safe is that Java Applet?
Hackers don't even need to gain access to a target's computers. They could social engineer the target into disclosing the information.
Pretexting: The Confidence Game
Establish identity and role
Develop plausible…. Get more details:
Managing the Risk of Social Engineering:
FOCA Inoculate your users by attacking and testing them (www.KnowBe4.com)
Demonstrate personal vulnerability (role-play to demonstrate SE techniques); suggest a method to resist/protect against it.
Force users to go through an application proxy
Establish Social Engineering Incident Response Program
Educate your employees about what information at your organization is considered sensitive and under what circumstances it can be disclosed. Educate users about cooperating with strangers to perform action items that may lead to a system compromise
Modify organization politeness norms – it's OK to say NO!
Building the Human Firewall:
Implement the KISS method – easy to understand security protocols targeting types of common mistakes that often lead to a security incident
Develop interactive SE resistance training!
Perform social engineering pen-tests
Discovering the weak links
Don’t forget periodic dumpster diving
Use Google's Quick View or Docs to open untrusted attachments
Use technology whenever possible to take decision making out of your employee’s hands.
Don’t forget to test your security at your company.
Kevin demonstrated how to capture data from a PROX card, from up to two feet away, and then write it to a new card that is completely identical to the original. They also have devices that can go directly to the reader and capture enough information to break the encryption code.
Kevin Mitnick Security Awareness Training
Free training course:
http://www.mitnicksecurity.com/free Promo code CIO2015