{"id":833,"date":"2009-06-11T14:10:49","date_gmt":"2009-06-11T21:10:49","guid":{"rendered":"http:\/\/www.talesfromthe.net\/jon\/?p=833"},"modified":"2009-06-11T14:10:49","modified_gmt":"2009-06-11T21:10:49","slug":"pyr0-on-the-art-of-espionage-at-shakacon","status":"publish","type":"post","link":"https:\/\/2024.thenexus.today\/index.php\/2009\/06\/11\/pyr0-on-the-art-of-espionage-at-shakacon\/","title":{"rendered":"Pyr0 on “the art of espionage” at Shakacon"},"content":{"rendered":"

\"\"Sarah Blankinship and I are presented Securing with the Enemy: Social strategy and team of rivals <\/em>at Shakacon<\/a> today.\u00c2\u00a0 More about our talk later; this post has notes from the keynote presentation on The Art of Espionage<\/strong>, by Luke McOmie (aka Pyr0) of British Telecom.<\/p>\n

Luke’s consulting includes “real world risk assessments”, which sometimes involves breaking into his clients’ companies to test their security.\u00c2\u00a0 So it’s a great opportunity to hear about the kinds of techniques the real bad guys use.\u00c2\u00a0 Fascinating stuff!<\/p>\n

<\/p>\n

Goal for talk: help develop the mindset<\/strong> needed to underatnd and implement strong security in real world<\/em> environments.\u00c2\u00a0 “A lot of people take templates and manipulate them to fit their environment … but that’s just putting yourself in a box!”<\/p>\n

How frequently do people planning and implemeting corporate security systems\u00c2\u00a0 interact with the rest of the company?\u00c2\u00a0 Too often it’s a monthly meeting, involving CSO\/CFO\/CIO etc … but the threats happen all month long.\u00c2\u00a0 Average cost of “major incident” up to $480K (from $168K in 2006).\u00c2\u00a0 Several small and medium companies have gone out of business as a result.<\/p>\n

People focus almost purely on the technology, and then write processes — almost no attention to the people.\u00c2\u00a0 Better: more balanced, make sure people are adequately trained against the threats: physical, electronic, malfunction\/inherent, social engineering, blended threat.<\/p>\n

Example electronic threat: RFID capture\/spoofing\/replay — Zac Franken et al last year rigged something up at Black Hat which read your card when you walked on it and took a picture of a webcam; Chinese companies like DealExtreme<\/a> and YoPool<\/a> are selling spoofers.<\/p>\n

Another: an attack on a US electronic gaming company, traced down to a coordinated team in Turkey — for example, redirecting people who wanted to buy weapons in the game with credit cards to the attackers web site which mirrored the same site.\u00c2\u00a0 It turned out to be a company trying to get the distribution rights in Turkey.\u00c2\u00a0 Cost of attack: $15-$30K, including 14-32 people red team; cost to gaming company: $945K.<\/p>\n

Example social engineering attack: fake email from the VP of HR saying “everybody needs to visit this site to ensure we’re FIPS compliant”, redirecting people to a spoofed site which looks like the corporate site but instead actually harvests information — including network credentials.\u00c2\u00a0 “Typically when I send this to 50 people, at least 30 to 40 fall for it.”<\/p>\n

Another example: printed 12 CDs with the company logo and wrote “Payroll” on them, and dropped them in the mailroom, bathroom, and other public areas.\u00c2\u00a0 (Recommend using Metasploit’s MSFPayload in this situation.)\u00c2\u00a0 Within two hours, we had access to 8 machines … by the next day, 20 — including people’s home machines.\u00c2\u00a0 Some people were well-trained, and turned it in to accounting; accounting said “I don’t kno what this is”, so put in the CD to check … and boom, we were on the private financial network.\u00c2\u00a0 [They shouldn’t have been connected to the<\/p>\n

Spoofapp\/spoofcard: free download, for $10 you can have a different number show up from your cellphone calls for 60 minutes.\u00c2\u00a0 Example: a call from my phone looks like it comes from the US Secret Service.\u00c2\u00a0 Can change your voice from mail to female, record your calls.\u00c2\u00a0 [Don’t use it for illegal purposes — if they get hit with a subpena, they’ll cooperate.\u00c2\u00a0 For that, you need your own asterix sever.]<\/p>\n

____<\/p>\n

Try this at home (your office): information gathering, vulnerability analysis (it’s not just the computers!), target selection, planning, execution.\u00c2\u00a0 For vulnerability analysis and potential targets, look at internal, external, hired (e.g. cleaning crews), personal.\u00c2\u00a0 Keys to executing the attack: get what you need, don’t get greedy, and get out cleanly.<\/p>\n

For remote info gathering, Maltego<\/a> (formerly Paterva) lets you take a phone number, name, or email address and get all kinds of information.\u00c2\u00a0 “The tool’s amazing”.\u00c2\u00a0 Spokeo<\/a> allows you to harvest and mine social network sites.\u00c2\u00a0 “You can sign up for free — you don’t even need to give them a real info…. after I’ve used Maltego to get information about, say, the head of IT, I’ll use Spokeo to find out information like their hobbies etc.”\u00c2\u00a0 Also Google hacking, Hoovers (the #1 business intelligence site on the internet), public records, google maps.\u00c2\u00a0 “Google is the single largest data mining project on this earth.<\/p>\n

Preparing you for the attack: your brain is the most important tool you have.\u00c2\u00a0 Law enforcement uses a stop light metaphor.\u00c2\u00a0 Most people are in the “green” stage: comfortable, unaware of threats.\u00c2\u00a0 Yellow: alert, aware of your surroundings, attentive, watchful — most security people are in this state.\u00c2\u00a0 Red: heightened awareness, waiting for something to go wrong, prepared for the worst … and so able to react instantly.\u00c2\u00a0 “If you’re challenged, you need to reply instantly. ‘Who are you?’ ‘uh .. uh .. uh’\u00c2\u00a0 They won’t believe anything you say.”<\/p>\n

Physical preparation: get a business card printed — with your name on it so it matches your identification.\u00c2\u00a0 TO get a company shirt, visit local thrift cords.\u00c2\u00a0 Bring a change of clothes … and electrical tools to bypass locks.<\/p>\n

USB switchblade: plug it into a machine, within a minute it gets all the account, network information, etc.<\/p>\n","protected":false},"excerpt":{"rendered":"

Sarah Blankinship and I are presented Securing with the Enemy: Social strategy and team of rivals at Shakacon today.\u00c2\u00a0 More about our talk later; this post has notes from the keynote presentation on The Art of Espionage, by Luke McOmie (aka Pyr0) of British Telecom. Luke’s consulting includes “real world risk assessments”, which sometimes involves […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,5,9,16,1],"tags":[313,314],"class_list":["post-833","post","type-post","status-publish","format-standard","hentry","category-entertainment","category-meta","category-professional","category-tales-from-the-net","category-uncategorized","tag-security","tag-security-as-a-social-science"],"_links":{"self":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/833","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/comments?post=833"}],"version-history":[{"count":0,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/833\/revisions"}],"wp:attachment":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/media?parent=833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/categories?post=833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/tags?post=833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}