Under the Black Hat
Daniel Nelson, C|EH, CIPP/US
August 27, 2014
© 2013 Armstrong Teasdale LLP


How Bad is the Hacking Threat?
• “Hackers” write sophisticated computer code to invade computer networks
• Hackers do this to target personal information, which is then used for identity theft
• “Hacking” is the digital equivalent of robbing a bank: hackers break into a system, rob it, and make their get-away
• Hacking leaves digital fingerprints that can be traced back to catch the thief

What’s the Real Story?

Who’s The Hacker?
• Adrian Lamo
• Kevin Poulsen
• Mercedes Haefer
• John “Captain Crunch” Draper
• Robert Morris
• Berkeley Blue & Oaf Tobark

They Hack for Profit
Sometimes, but also for:
• Revenge
• Information
• “A Cause”
• Street Cred
• Boredom
• “Because It’s There”

They Are After Our Personal Information
Says who?
-- Brian Krebs, KrebsOnSecurity.com

Hackers Are Computer “Black Belts”

Everything A Hacker Needs
Over 100 Hacking Tools Pre-installed

Tools such as:
• John the Ripper (password cracking)
• Angry IP Scanner (scanning)
• THC Hydra (password cracking)
• Cain & Abel (anything you can imagine on a Windows system)
• Burp Suite (web apps)
• Social Engineering Toolkit (“SET”)
• Wireshark (packet sniffer)

One of the biggest challenges is to choose from among a plethora of tools

Nessus
How Bad for You/Good for Me
Vulnerability Name: So I Can Find It Easily

Trespassing At Will?....Priceless
Kali Linux: FREE
The Included Tools: FREE
Nessus: FREE

But the Two Most Powerful Hacking Tools?

Google
Pre-hack Reconnaissance on Target:
• System configurations
• Usernames
• Passwords
• Email Addresses
• Reporting Relationships
The Answer to Any “How Do I” Question You Could Ever Ask

YouTube
FUD: Fully Undetectable
Remote Administration Terminal (a Trojan)

True Hackers…
Love to Share
• Know-how
• Exploits
• Data
• Updates

Hacking Is Easily Detected

Hacking Leaves Digital Tracks

Quick Overview of Hacking
• Basic (but still dangerous) hacking requires access to YouTube and a willingness to learn
• Hackers have many different targets
• Good hackers may lurk in a system for months
• Hacking is extremely difficult to detect

What Can Be Done
Combat Social Engineering
• Understand the Threat
• Train
Engage With Security
• Understand what “IT” really means
• Take Charge
Understand Current Legal Requirements
Avoid The Compliance Trap
Be Your Own CISO

Social Engineering
“Hacking the Wetware”
• The most direct, efficient and effective form of attack
• One simple goal: generate an emotional response
• Takes many forms:
  • Phishing/Spearphishing
  • Physical Intrusion
  • Remote
• Odds are strongly in the hacker’s favor

Phishing/Spearphishing
Phishing: Impersonal “blast” email
Spearphishing: Uses personal information about the “sender” or recipient to encourage the recipient to trust the email
• Vacation plans
• Recent promotions
• Company events
• Hobbies
This information is all too easy to find:

Spearphishing Takes Many Forms

There’s An App For That

Phishing With SET

Physical Intrusion
First Rule of Hacking: If you can touch it, you will own it.

Social Engineering Countermeasures
Build Awareness
• Every Employee is Part of Your Security Plan
Train
• Recognize the Common Attack Vectors
• Appreciate the Dangers

Engage With Security
Understanding “IT”
• The field is highly specialized
  − Network
  − Desktop
  − Database
  − Programming
  − Website
Security is 10% IT, and 90% Everybody Else
• Physical Security
• Mobile Device Security
• Anti-Phishing

The Biggest Mistake
Ignoring Counsel’s Essential Role in Data Security
What You Give Up:
• Privilege
• Participation in decisions when it matters most
• Independent analysis

Protecting Privilege

Attorney-client privilege can be invoked between the victim company’s outside legal counsel and hired third-party forensic firms that perform a review of the system during a breach. Invoked privilege allows the forensic company to report breach results directly to the law firm.

http://www.secretservice.gov/ECTF_best_practices.pdf

Being There When It Matters Most
Data Security incidents often have legal consequences
• Regulators
• Insurance coverage issues
• Lawsuits
IT won’t be representing the company!
You can be there when decisions are made, or you can be there when the die has been cast.

Independent Eyes
Why do we have outside auditors? The same principle holds true for data forensics: often outside eyes see more clearly
• Independent evaluation of what went right, and what went wrong
• May well be more qualified for forensic work
• Better expert witnesses
• Detect the “inside job”

The Second Biggest Mistake
Failure to have a plan
Data Incidents take many forms, and involve complicated questions that demand real-time answers
Regulators (and underwriters) are increasingly looking to whether you had a plan

What’s the Next Step?
Front Desk Security calls: There are two FBI Agents in the Lobby asking to speak to the head of Information Security.
• Do you meet with them?
• Do you allow them access to your network?
• What is your company’s policy with respect to cooperation with law enforcement?

What’s the Next Step (Part II)
Your CEO receives an email containing the private financial information of ten of your customers. The sender informs you that they have all 10,000 such records, and intend to release them unless your company pays a ransom within 12 hours.
• What is your company’s policy for this?
• Do you involve law enforcement?
• What is your media strategy?
• Does your cyber policy cover this?
• How do you evaluate whether the threat is real?

Understand the Legal Requirements
Fast Changing Landscape: The “Law” Simply Can’t Keep Up
• FTC “Common Law” on Security
• HIPAA
• State Data Security Laws
Long on Recommendations, but Short on Specifics

Recent FTC Enforcement Actions
Cbr Systems, Inc.
• Cbr’s privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service
• After unencrypted data contained on storage media and a laptop were stolen from a Cbr employee’s car, the FTC charged Cbr with deceptive trade practices because Cbr failed to keep its security promises. In particular, the FTC focused on Cbr’s failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need

Enforcement Actions
TRENDnet
• SecurView cameras for home monitoring
• Software issue allowed anyone with a camera's web address to view the live feed
FTC charged:
• Failure to utilize reasonable measures to test security;
• Unencrypted transmission of user credentials, and unencrypted mobile storage of login information.

Massachusetts Data Security Laws
Requires a “Comprehensive” data security program that includes:
• Designated responsible employee(s)
• Identification & assessment of risks
• Employee security policies
• Oversight of service providers (including requiring such providers, by contract, to maintain appropriate security measures)
• Encryption of data that will “travel across public networks” or that will be “transmitted wirelessly”

Encryption
Growing body of regulations and enforcement actions requiring some form of encryption
Encryption may come in many forms:
• Encryption in transmission (e.g. PCI Rules, TLS/SSL, PGP Email)
• File level Encryption
• Full disk Encryption

The Compliance Trap

Compliance can be Security’s Worst Enemy

“Check the Box” is not the same as “Secure”

Compliance: Do you have a home alarm?

Security: Do you actually turn it on?


Be Your Own CISO
Update & Patch
• Very little “Zero Day” Malware
• Significant Amount of Malware is Reverse Engineered from the Patch
Password Security
• Wrc$5oo93=T
• Longer is Better
• PollyWants1Cracker
Secure Physical Access
Change Default Passwords
• Computers/Wireless Access Points
• Home Alarms
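As an added illustration of the “Longer is Better” point (example code written for this transcript, not from the slides), the block below estimates the brute-force search space of the two sample passwords on the slide. It assumes an attacker who knows which character classes a password uses and has to try every combination; the guess rate is a constructed figure, not a measured one.

```python
import math
import string

# Character classes a brute-force guesser must cover once one member of the
# class appears in the password. Assumption: the attacker knows which classes
# are in use, so this is an upper bound on the work an exhaustive search needs.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must draw from."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space, charset_size ** len(password)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for an offline cracker at the assumed rate (constructed figure)."""
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def stronger(a: str, b: str) -> str:
    """Return whichever password has the larger brute-force search space."""
    return a if search_space_bits(a) >= search_space_bits(b) else b


if __name__ == "__main__":
    # The two passwords from the slide: short-and-complex vs. long-and-memorable.
    for pw in ("Wrc$5oo93=T", "PollyWants1Cracker"):
        print(f"{pw:20} {len(pw):2d} chars  {charset_size(pw):3d}-symbol alphabet  "
              f"{search_space_bits(pw):6.1f} bits  ~{years_to_exhaust(pw):.2g} years")
```

Because the estimate counts characters rather than words, it overstates the space an attacker who guesses by dictionary words and phrases has to cover; the longer passphrase still wins, but by a smaller margin than the raw bit count suggests.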

Questions?
Dan Nelson, C|EH, CIPP/US, Partner
314.552.6650
[email protected]
http://twitter.com/DanNelsonEsq
www.linkedin.com/in/danielcnelson