Uploaded by duongminh, posted 22-May-2018


Will you be hacked?

Daniel Weis

Dan Weis
Lead Penetration Tester
Head of Security
Kiandra IT

Lead Pen-tester and Head of Security at Kiandra IT

I get paid to break into company and government networks for a living

Major nerd

Been in IT since 1995 in various roles, both here and internationally

7 years in security consulting, 5+ years as a Pen-tester

1 of 10 people globally to become a Certified Ethical Hacker (CEH)

Trainer of upcoming CEHs

Have a couple of certs (23) & published resources

The content presented today contains tools, techniques and resources used for hacking and illegal activities

The content is for education purposes only

The underground sites presented today should not be visited and are monitored by federal authorities

Hacking is illegal. You MUST have written permission from the associated target/party(s)

I do not condone illegal hacking or malicious activities.

HEARD OF THESE BEFORE?

PHISHING: Dodgy emails enticing you to click a link or open an attachment

MALWARE: Malicious software designed to do something bad

SOCIAL ENGINEERING: The art of deception, tricking a target into doing something

IDENTITY THEFT: Harvesting personal details and applying for services as you

BOT/BOTNETS: A compromised workstation or 'zombie' machine

EXPLOIT: Code designed to exploit a vulnerability in a system

The technology space has moved so fast. The problem is that people still don't understand the fundamentals.

This is what kids used to do: they used to get fresh air.

The internet, what's that? Mobile phones: maybe 1 in 10 had one.


Because of this growth we now have a unique set of challenges.

Regardless of your job, age, race or country, we now all need to be "IT savvy".

And because of stats like this:

Chart (Source: TrendLabs annual report): Malicious URLs / phishing attacks (#3); botnet infections (#4)

Protect yourself in 8 easy steps

You can also find these steps on the Stay Smart Online website: https://www.staysmartonline.gov.au

SOCIAL MEDIA

Anything that is put online is there FOREVER.

Stop and think before you provide any photos or financial or personal information about yourself, your friends or your family.

• You should use secure passwords like ‘z#JFkj03%!’*E

• Let's face it, that's tough to remember!

• Why not use a passphrase? ‘I really hate passwords!’

• Now you have a pretty strong password: 24 characters, including spaces and punctuation, but easy to remember.

• Passphrases are hard to guess, as long as they are not a famous quote, lyric or saying that everyone knows!

• You could have a unique one for each site, like: “I really hate logging into gmail! Its crap!.”

• Drawback: some applications/websites impose character limits on passwords.

• In that case, use the initials of the phrase instead: "Irhligm!Ic!."

Avoid passwords containing:

• Your name

• Siblings'/spouse's/pets' names

• Days of the week (Monday, Tuesday, Wednesday etc.)

• Months of the year (January, Jan, February, Feb) and/or the current year (2016, 2017)

• Anything with the word Password or Welcome!!

• Keyboard combinations (qwerty, qazwsxedc, 1234567 etc.)

• Anything containing information on your workplace (company name, what it does, or functions) or your address

• Dictionary words with a number at the end!

• Use a password manager like LastPass or 1Password

• Do not use the same password for everything

• You should be using two-factor authentication (also called multi-factor authentication)

• To check if your accounts or details have turned up in a known breach, use: https://haveibeenpwned.com/

• Change passwords regularly, and immediately after any breach notification

• Passwords should be a minimum of 10 characters; best practice is 12-15

• Use uppercase, lowercase, special characters and numbers
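The password rules on the slides above (minimum length, character classes, no names, weekdays, months, years, "password"/"welcome", keyboard runs, workplace details, or dictionary word plus digits) can be turned into a checker. The following is an added example written for this page, not code from the talk or from Kiandra IT. The word lists are short constructed stand-ins for a real dictionary and for the user's own details, and the names check_password, keyboard_run and personal are assumptions. One thing it shows that the slides do not: the talk's own passphrase 'I really hate passwords!' trips the "no word password" rule, so the function reports which rules are broken rather than a bare pass/fail, leaving the policy owner to decide whether a 24-character phrase containing "password" is in the same class as "Password1".

```python
import re

# Added example for this page (not from the talk). Word lists are short,
# constructed stand-ins: a real checker would load a full dictionary and the
# user's own details (names, employer, address) from HR or directory data.

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday",
            "saturday", "sunday"]
MONTHS = ["january", "february", "march", "april", "june", "july",
          "august", "september", "october", "november", "december"]
# Short forms (and 'may') only count as standalone tokens, otherwise 'mar'
# would trip on 'marathon' and 'may' on 'maybe'.
MONTH_TOKENS = ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug",
                "sep", "oct", "nov", "dec"]
BANNED_WORDS = ["password", "welcome"]
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "qazwsxedc"]
DICTIONARY = {"summer", "dragon", "football", "sunshine", "monkey", "letmein"}

MIN_LEN = 10          # slide: minimum 10 characters
RECOMMENDED_LEN = 12  # slide: best practice 12-15 characters


def char_classes(pw):
    """Count how many of lower, upper, digit and symbol classes pw uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def keyboard_run(pw, run_len=4):
    """Return the first run of run_len adjacent keys (either direction)
    found in pw, or None."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_len + 1):
            seq = row[i:i + run_len]
            if seq in low or seq[::-1] in low:
                return seq
    return None


def check_password(pw, personal=()):
    """Return the list of slide rules that pw breaks (empty means it passes).

    personal: names, pets, employer, address etc. supplied by the caller.
    """
    low = pw.lower()
    problems = []

    if len(pw) < MIN_LEN:
        problems.append(f"shorter than the minimum {MIN_LEN} characters")
    elif len(pw) < RECOMMENDED_LEN:
        problems.append(f"shorter than the recommended {RECOMMENDED_LEN} characters")
    if char_classes(pw) < 3:
        problems.append("uses fewer than three character classes")

    for detail in personal:
        if len(detail) >= 3 and detail.lower() in low:
            problems.append(f"contains personal detail '{detail}'")

    for word in WEEKDAYS + MONTHS + BANNED_WORDS:
        if word in low:
            problems.append(f"contains '{word}'")
    for token in MONTH_TOKENS:
        if re.search(rf"(?<![a-z]){token}(?![a-z])", low):
            problems.append(f"contains month '{token}'")

    year = re.search(r"(?<!\d)(19[5-9]\d|20\d\d)(?!\d)", pw)
    if year:
        problems.append(f"contains year '{year.group(1)}'")

    run = keyboard_run(pw)
    if run:
        problems.append(f"contains keyboard sequence '{run}'")

    # The classic 'Summer2017': one dictionary word, digits tacked on the end,
    # optionally a symbol or two after that.
    m = re.fullmatch(r"([a-z]+)\d+[^a-z0-9]*", low)
    if m and m.group(1) in DICTIONARY:
        problems.append(f"dictionary word '{m.group(1)}' plus trailing digits")

    return problems


if __name__ == "__main__":
    for candidate in ["z#JFkj03%!", "I really hate passwords!",
                      "Irhligm!Ic!.", "Summer2017", "Welcome!!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Running it shows the random 10-character password passing every content rule but falling short of the recommended length, the initials form "Irhligm!Ic!." passing cleanly, and "Summer2017" failing on three counts at once (length, year, dictionary word plus digits), which is exactly the shape of password a cracking wordlist with rules tries first.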

TREAT WITH CAUTION

Treat any unexpected message with caution.

CONSIDER WHO AND WHY

When you receive an email, consider who is emailing you and what they are asking you to do.

CALL THE BUSINESS

Call the business a suspect message claims to be from, using contact details obtained from its website or another legitimate source.


More information and examples can be found at Scamwatch: https://www.scamwatch.gov.au

Signs of a scam email:

The bank will never email you to confirm anything; it only emails statements

PayPal will never email you and ask you to confirm anything

Look out for missing logos, spelling or grammar mistakes

If it's a delivery email, go direct to the courier's site and enter your tracking details instead of using the link

If it seems too good to be true, it most likely is

The sender is unknown!

Incentives, e.g. survey emails

Links whose visible text differs from the actual URL (hover over the link to see where it really goes)
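Several of the indicators above (a sender claiming to be a brand it does not send from, links that are not https, links to a bare IP address, and link text that shows one URL while the href points somewhere else) can be checked mechanically before a person ever reads the mail. The following is an added example written for this page, not code from the talk or from Kiandra IT. The message it scans is constructed: the sender domain and link hosts are invented, 203.0.113.5 is a documentation-only address, and the brand-to-domain allowlist BRAND_DOMAINS, the function names scan_email and scan_links, and the two-label "registrable domain" shortcut are all assumptions.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example for this page (not from the talk). The message below is
# constructed: the sender domain and link hosts are invented, and
# 203.0.113.5 is a documentation-only address.
SAMPLE_EMAIL = """\
From: "PayPal Customer Service" <security@paypal-verify.example>
To: victim@example.org
Subject: Please confirm your account details
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity. Please
<a href="http://203.0.113.5/login">confirm your account</a> within 24 hours.</p>
<p>Track your refund at
<a href="http://paypal.example.net/t">https://www.paypal.com/refunds</a></p>
<p>Or read our <a href="https://www.paypal.com/help">help centre</a>.</p>
</body></html>
"""

# Assumed allowlist of which domains a brand really sends from. A real
# deployment would keep a much larger list (or rely on SPF/DKIM/DMARC results).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable(host):
    """Crude 'registrable domain': the last two labels, or the literal IP.
    Assumption: no public-suffix list, so 'shop.example.co.uk' would be wrong."""
    host = host.lower().strip(".")
    if IPV4.fullmatch(host):
        return host
    return ".".join(host.split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def scan_links(html):
    """Return (kind, detail) findings for the links in an HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = urlparse(href)
        host = real.hostname or ""
        if real.scheme != "https":
            findings.append(("link-not-https", href))
        if IPV4.fullmatch(host):
            findings.append(("link-ip-host", href))
        # Visible text that looks like a URL must point where it says it does.
        shown = text.lower()
        if shown.startswith("www."):
            shown = "http://" + shown
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if registrable(shown_host) != registrable(host):
                findings.append(("link-text-mismatch", f"{text} -> {href}"))
    return findings


def scan_email(raw):
    """Apply the sender check and the link checks to a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = email.utils.parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and registrable(domain) not in domains:
            findings.append(("sender-brand-mismatch", f"{name} <{addr}>"))

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings.extend(scan_links(body.get_content()))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_email(SAMPLE_EMAIL):
        print(f"{kind:22} {detail}")
```

The genuine help-centre link produces no finding, which matters: a scanner that flags every link teaches people to ignore it. The text-versus-href comparison is the code form of "hover over the link before you click", and it compares registrable domains rather than full hostnames so that www.paypal.com and paypal.com are not reported as a mismatch.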

Minimise visits to unknown websites and avoid being enticed by the promise of sensational content through 'clickbait'.

Look for the padlock symbol and 'https' in the browser address bar when visiting sites, particularly when undertaking a transaction or entering personal information online. The padlock only tells you the connection is encrypted; it does not prove the site is the one you think it is, so still check the address itself.

Delete suspicious emails and leave websites that:

• Ask you to provide your banking details or personal information

• Promise you money

• Present hard-luck or exotic stories telling you that you can share in hidden millions of dollars

• Offer jobs where you need no qualifications but just ask for a bank account for money transfers

• Claim to be "looking for a friend" or husband


DEMO


The attacker only needs to get it right once.

You need to get it right all the time.

1. Install a firewall on your computer and make sure it is activated.

2. Never provide personal details via emails or links from emails. If you are unsure, double check by telephone with the company or institution.

3. Never follow the links in spam emails; these could lead to downloading unwanted viruses, spyware or malware.

4. Ensure that you have up-to-date anti-virus and anti-spyware software installed on your computer.

5. If it seems too good to be true, it probably is.

Deal primarily with trusted and reliable online retailers.

Access your bank's website by typing the address directly into your browser.

Keep your computer up to date with anti-virus/anti-malware, anti-spyware and firewall software.

Use the security measures (such as two-factor authentication) recommended by your bank.

Always log out of internet banking and close your browser when you have completed a session.

Research unknown retailers and their products and services. Google them!

http://www.resellerratings.com/

http://www.fairtrading.nsw.gov.au

https://www.sitejabber.com/

Only make online purchases from companies that have a clear privacy policy and secure payment pages.

Think before you fill out online forms. Ask yourself: how much information do I need to enter into this site?

Only share your primary email address with people you know.

Be careful when signing up to mailing lists; spammers use the unsubscribe button to validate addresses.

Use strong passwords and don't share them with anyone.

Check your billing and account records carefully to detect potential identity theft early.

Treat your personal information as you would treat your money: don't leave it lying around for others to take.

Set up a separate email address for shopping and newsgroups. If you need to, you can then change this address without disrupting online business activities.

Shred sensitive information and documents.

Keep a record of what information you have given to whom.

Be careful how much personal information you post or reveal online.

People who share personal information are more likely to be targeted.

Use privacy settings to control the amount and type of information you want to share on social media.

Think about what information you may have online that is spread across multiple sites. Identity thieves can piece together your identity from public information.

If you think your identity has been stolen:

Notify the relevant websites

Notify your financial institutions

Request a credit report from a reputable credit reference bureau

Change your passwords

Monitor your accounts and devices

Don't panic

Turn on the security features of your mobile devices

Set a password/phrase or PIN that must be entered to unlock the device

Install reputable security software

People are unaware of mobile security

Use the most up-to-date operating system and keep your phone updated!

Turn off unnecessary services when not in use: wireless, NFC, Bluetooth

Be careful of the apps you are installing

Internet cafés pose the same risks.

Anything you send over an open Wi-Fi network (or any network you do not control) can be captured by anyone in range unless the application itself encrypts it, with HTTPS or through a VPN.

Public/open/free Wi-Fi hotspots should not be used to access sensitive information unless you are using a VPN.

If you have to use an open Wi-Fi network, do not log into sensitive accounts like banking!

• Step 1: Think before you post

• Step 2: Rethink your passwords

• Step 3: Think before you click

• Step 4: Minimise your exposure

• Step 5: Use bank security measures & research first

• Step 6: Protect your identity

• Step 7: Protect your mobile device

• Step 8: Avoid free WiFi

But where does the stolen data end up?

Cyber Underground and Cybercrime

THE INTERNET

SURFACE WEB

• Anything that can be indexed by a typical search engine like Google, Bing or Yahoo

• The "visible web"

• 4 billion indexed web pages

• This is the web you know

DEEP WEB

• The deep web is anything that a search engine can't find

• Data behind firewalls, like corporate resources, business intranets, password-protected websites, infrastructure etc.

DARK WEB

• A small portion of the deep web that has been intentionally hidden and is inaccessible through standard web browsers

• Can only be accessed with special anonymising software designed to hide you (such as Tor)

• Contains darknet markets

• The anonymous marketplace ecosystem does in excess of $500,000 a day.

A VISIT TO THE UNDERGROUND

When they get shut down, they just come back again a short time later on a different provider.

Usually operate in countries where Western law enforcement has no jurisdiction, such as South America, Eastern Europe, South East Asia.

Use bulletproof hosting: mini ISPs (datacenters) that specialise in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies.

Sealand

Located six miles off the coast of Suffolk, England

Built during WW2 as an anti-aircraft gun platform

Declared an independent nation in 1967

Home to HavenCo, the world's first bulletproof hoster

"Its own nation, its own rules."

Pionen data centre, Stockholm

Former home of WikiLeaks

Inside the White Mountains of Stockholm

Located below 30 metres of granite and secured by a 40-centimetre-thick door

The data centre was built to withstand a hydrogen bomb attack.

Abandoned NATO bunker, Netherlands

Discarded by the Dutch military in 1994

Built to survive a 20-megaton nuclear attack

5 subterranean levels.

RESOURCES

Cyber for Parents

Cyber resources

As much as we may not like it, the internet is an integral part of young people's lives.

While the internet offers an exciting world of experiences for kids and teens, it's important to be mindful that they could:

Experience cyber bullying

Be exposed to inappropriate, illegal or harmful content

Be at risk from contact with unwanted strangers

Unknowingly or deliberately share personal information without realising the risks

Leave behind an online footprint that might not reflect well on them in the future.

Covering a number of key online safety issues, the Parent's Guide to Online Safety offers practical, issue-focused information and advice for parents of children of all ages.

Topics covered include:

• Cyberbullying

• Social networking

• Unwanted contact

• Sexting

• Inappropriate content; and

• Online safeguards

HELP & FURTHER INFORMATION

Office of the Children's eSafety Commissioner: https://www.esafety.gov.au

Stay Smart Online: https://www.staysmartonline.gov.au

ScamWatch: https://www.scamwatch.gov.au

Cybersmart: http://www.cybersmart.gov.au/

Digital Parenting: https://www.f-secure.com/en/web/home_global/digital-parenting

REPORT IT!

Online crimes: ACORN, http://report.acorn.gov.au

Cyberbullying: Children's eSafety Commissioner

Offensive or illegal content: Children's eSafety Commissioner

Scams: ScamWatch, https://www.scamwatch.gov.au

YOUTH HELP AND INFORMATION

Thinkuknow: https://www.thinkuknow.org.au

Headspace: https://headspace.org.au/

Children's eSafety Commissioner: https://www.esafety.gov.au

Reachout: http://au.reachout.com/

Kids Helpline: https://kidshelpline.com.au/ or 1800 551 800

QUESTIONS

THANKS FOR WATCHING

See you next time

https://au.linkedin.com/in/daweis

https://www.peerlyst.com/users/daniel-weis