1
00:00:00,060 --> 00:00:05,100
every how's it going hopefully your sink
2
00:00:02,399 --> 00:00:07,560
Khan's going good morning keynotes and
3
00:00:05,100 --> 00:00:13,650
lunch and if you're still just in this
4
00:00:07,560 --> 00:00:15,509
room for meat lunch feel free to stay my
5
00:00:13,650 --> 00:00:17,310
name is James Pope everybody just calls
6
00:00:15,509 --> 00:00:19,560
me Pope because they find that easier to
7
00:00:17,310 --> 00:00:21,990
say and it's not because I'm really into
8
00:00:19,560 --> 00:00:22,979
Catholicism or anything but she was born
9
00:00:21,990 --> 00:00:26,839
that I have been asked that question
10
00:00:22,980 --> 00:00:30,750
many a times and today I'm presenting a
11
00:00:26,840 --> 00:00:33,260
security 101 track on think like a
12
00:00:30,750 --> 00:00:39,719
hacker it's still just a little hot
13
00:00:33,260 --> 00:00:41,519
thank you this is you know generally you
14
00:00:39,719 --> 00:00:44,690
don't put in shady URLs but a lot of
15
00:00:41,520 --> 00:00:47,610
people keep asking me to give them the
16
00:00:44,690 --> 00:00:49,559
slide deck later it's not a lot of use
17
00:00:47,610 --> 00:00:50,879
for you but there's a link to the slide
18
00:00:49,559 --> 00:00:53,968
deck if you wanted to follow along in
19
00:00:50,879 --> 00:00:56,129
your phone or later if you you chose to
20
00:00:53,969 --> 00:01:00,180
and I can come back to that later if you
21
00:00:56,129 --> 00:01:01,800
want it so who my little intro here I'm
22
00:01:00,180 --> 00:01:04,409
a partner my own company is called Polk
23
00:01:01,800 --> 00:01:06,270
tech real original right we just put
24
00:01:04,409 --> 00:01:08,100
tech at the end of our name and then do
25
00:01:06,270 --> 00:01:11,610
lots of things technology and security
26
00:01:08,100 --> 00:01:14,130
so so I worked there and I actually
27
00:01:11,610 --> 00:01:15,750
still hold a job doing stuff for it's a
28
00:01:14,130 --> 00:01:18,750
theater chain based out of Los Angeles
29
00:01:15,750 --> 00:01:20,280
I've been in movie theaters since like
30
00:01:18,750 --> 00:01:22,020
the year 2000 so I've done a lot of
31
00:01:20,280 --> 00:01:26,159
stuff in the theater world
32
00:01:22,020 --> 00:01:28,199
I've a member of DC 801 and we're trying
33
00:01:26,159 --> 00:01:30,689
to start like a DC 4 3 5 I moved up to
34
00:01:28,200 --> 00:01:32,070
Logan so I'm working on that
35
00:01:30,689 --> 00:01:34,500
also I'm one of the committee members
36
00:01:32,070 --> 00:01:36,869
here at st. Kahne I also helped run
37
00:01:34,500 --> 00:01:39,240
b-sides and I like a team lead at
38
00:01:36,869 --> 00:01:41,040
blackhat knock every year and I sit on
39
00:01:39,240 --> 00:01:43,770
some associations for theaters
40
00:01:41,040 --> 00:01:45,119
cybersecurity stuff as well I do have
41
00:01:43,770 --> 00:01:47,360
some degrees inserts but that's not
42
00:01:45,119 --> 00:01:50,369
really fun to talk about
43
00:01:47,360 --> 00:01:52,500
so you're here to think like a hacker
44
00:01:50,369 --> 00:01:54,630
how to learn to be a hacker well you
45
00:01:52,500 --> 00:01:57,719
know you know what motivates them how do
46
00:01:54,630 --> 00:01:59,789
you get in that mindset and you know
47
00:01:57,719 --> 00:02:01,770
some of that is kind of simplistic and
48
00:01:59,790 --> 00:02:03,299
some of it's also very complicated so
49
00:02:01,770 --> 00:02:06,090
we're gonna touch on a few of them and
50
00:02:03,299 --> 00:02:09,479
the the way I know how to relate to this
51
00:02:06,090 --> 00:02:12,239
that is to tell you a story about how I
52
00:02:09,479 --> 00:02:14,660
came to think like a hacker and a lot of
53
00:02:12,239 --> 00:02:18,960
the stuff I do
54
00:02:14,660 --> 00:02:21,150
when I was young we got computers came
55
00:02:18,960 --> 00:02:24,120
to us from other family members their
56
00:02:21,150 --> 00:02:25,590
older computers and we had a screen that
57
00:02:24,120 --> 00:02:26,820
was very similar to this this one's a
58
00:02:25,590 --> 00:02:29,490
point of sale I couldn't find one
59
00:02:26,820 --> 00:02:31,829
exactly one of my uncle's he would
60
00:02:29,490 --> 00:02:34,830
provide it was an administrator to K
61
00:02:31,830 --> 00:02:36,840
through 12 and would lock him down so we
62
00:02:34,830 --> 00:02:39,360
saw these das menus that were completely
63
00:02:36,840 --> 00:02:41,580
locked down to what you could do like
64
00:02:39,360 --> 00:02:44,730
word processor and a few other stuff so
65
00:02:41,580 --> 00:02:46,230
we were all stuck in this of like what
66
00:02:44,730 --> 00:02:48,660
the ideal parent wants their kid to do
67
00:02:46,230 --> 00:02:54,329
right just sit there and like I don't
68
00:02:48,660 --> 00:02:55,859
write articles or something so what we
69
00:02:54,330 --> 00:02:58,770
did instead is we figured out how to
70
00:02:55,860 --> 00:03:00,270
make boot disks right and dot's boot
71
00:02:58,770 --> 00:03:02,040
disk and put them in before they boot up
72
00:03:00,270 --> 00:03:04,260
and get command prompt and we could do
73
00:03:02,040 --> 00:03:06,750
every one right we can load you know
74
00:03:04,260 --> 00:03:08,340
Commander Keen right so one of my
75
00:03:06,750 --> 00:03:11,040
biggest drivers in life was Commander
76
00:03:08,340 --> 00:03:12,510
Keen we would do that and monster bash
77
00:03:11,040 --> 00:03:14,549
over here that you just sit there and
78
00:03:12,510 --> 00:03:15,899
play these four hours parents leave play
79
00:03:14,550 --> 00:03:17,390
fact we only have accessed a word
80
00:03:15,900 --> 00:03:20,850
processor so that's what we do right
81
00:03:17,390 --> 00:03:23,130
until they leave reboot the Machine get
82
00:03:20,850 --> 00:03:24,660
admin on it essentially but the whole
83
00:03:23,130 --> 00:03:27,660
drive was to play video games and this
84
00:03:24,660 --> 00:03:31,920
is like aged 10 ish something in there
85
00:03:27,660 --> 00:03:33,510
and they came two more controls right so
86
00:03:31,920 --> 00:03:36,268
the computer suddenly had this like
87
00:03:33,510 --> 00:03:38,700
tumbler key lock on the thing and we
88
00:03:36,269 --> 00:03:40,830
couldn't turn it on right somehow we got
89
00:03:38,700 --> 00:03:42,030
ratted out found out that we're just
90
00:03:40,830 --> 00:03:43,709
sitting there playing Commander Keen all
91
00:03:42,030 --> 00:03:46,110
the time right so we have this physical
92
00:03:43,709 --> 00:03:48,390
walk and that did stop us for a bit
93
00:03:46,110 --> 00:03:49,980
we were just beating our head okay kind
94
00:03:48,390 --> 00:03:53,429
of play computer can't turn it on like
95
00:03:49,980 --> 00:03:56,130
how do you do anything here until one
96
00:03:53,430 --> 00:03:58,049
day I took it apart and jumped it right
97
00:03:56,130 --> 00:04:00,269
I remember staring at that switch for
98
00:03:58,049 --> 00:04:02,070
like two minutes like it's just two
99
00:04:00,269 --> 00:04:04,380
wires right like what does this thing
100
00:04:02,070 --> 00:04:06,269
actually do so we jumped it computer
101
00:04:04,380 --> 00:04:08,519
boots up hey put it back together play
102
00:04:06,269 --> 00:04:11,459
video games right this is the drive get
103
00:04:08,519 --> 00:04:13,110
it back together video games so jetpack
104
00:04:11,459 --> 00:04:15,269
I don't even play that was a big big
105
00:04:13,110 --> 00:04:16,560
favorite as well so just the whole drive
106
00:04:15,269 --> 00:04:18,750
was just sit there to play these video
107
00:04:16,560 --> 00:04:20,370
games we had him on discs labeled what
108
00:04:18,750 --> 00:04:21,930
they were we're copying on parents are
109
00:04:20,370 --> 00:04:24,780
breaking I'm destroying hiding him up in
110
00:04:21,930 --> 00:04:27,010
ceiling tiles right like the whole drive
111
00:04:24,780 --> 00:04:28,299
was it was not too
112
00:04:27,010 --> 00:04:30,039
anyway or just said like hey you should
113
00:04:28,300 --> 00:04:32,980
think like a hacker you should be a
114
00:04:30,040 --> 00:04:34,540
hacker you should as a cyber security or
115
00:04:32,980 --> 00:04:36,400
security controls or circumvent these
116
00:04:34,540 --> 00:04:39,820
things it was just a drive to play video
117
00:04:36,400 --> 00:04:41,169
games at the time right so really think
118
00:04:39,820 --> 00:04:43,030
like a hacker the primary motive there
119
00:04:41,170 --> 00:04:44,620
is just to think different about it it's
120
00:04:43,030 --> 00:04:46,869
it's just to come out something that
121
00:04:44,620 --> 00:04:48,160
you're not used to right depending what
122
00:04:46,870 --> 00:04:50,170
that is it could be completely different
123
00:04:48,160 --> 00:04:52,180
your mindset could already be geared for
124
00:04:50,170 --> 00:04:54,910
this it could also be geared of like I
125
00:04:52,180 --> 00:04:56,800
only do PCI compliance or I only do this
126
00:04:54,910 --> 00:04:58,360
framework and that's the only way
127
00:04:56,800 --> 00:05:01,240
somebody's gonna come at me is through
128
00:04:58,360 --> 00:05:03,250
that and what I'm asking you to do we're
129
00:05:01,240 --> 00:05:05,080
gonna go down a rabbit hole today of
130
00:05:03,250 --> 00:05:08,950
thinking like a hacker think just a
131
00:05:05,080 --> 00:05:10,479
little different about a situation so I
132
00:05:08,950 --> 00:05:12,490
did what anybody would do I want to
133
00:05:10,480 --> 00:05:14,800
become a hacker right so I go to wiki
134
00:05:12,490 --> 00:05:16,450
how like a like how do you become a
135
00:05:14,800 --> 00:05:18,100
hacker right and this is the article how
136
00:05:16,450 --> 00:05:20,020
to think like a big hacker so that's
137
00:05:18,100 --> 00:05:22,600
actually my bad that my presentation
138
00:05:20,020 --> 00:05:24,490
wasn't as cool as their topic they got
139
00:05:22,600 --> 00:05:26,590
big in there and they had these bullet
140
00:05:24,490 --> 00:05:28,000
points which is great and some of these
141
00:05:26,590 --> 00:05:29,080
are pretty interesting I just I thought
142
00:05:28,000 --> 00:05:31,720
I was did she I just want to share it
143
00:05:29,080 --> 00:05:33,190
identify possible exploits and their
144
00:05:31,720 --> 00:05:34,600
domain names gathering as much
145
00:05:33,190 --> 00:05:40,690
information as you can and create a
146
00:05:34,600 --> 00:05:42,430
footprint analysis really great but pay
147
00:05:40,690 --> 00:05:44,380
attention step to that step one there's
148
00:05:42,430 --> 00:05:47,500
only five steps you can in wikiHow you
149
00:05:44,380 --> 00:05:49,450
can become a big hacker five easy steps
150
00:05:47,500 --> 00:05:52,210
so by the time we're done here you guys
151
00:05:49,450 --> 00:05:54,250
are all gonna be you know sitting here
152
00:05:52,210 --> 00:05:56,370
like this this is you guys right you
153
00:05:54,250 --> 00:05:59,170
ready these five steps okay
154
00:05:56,370 --> 00:06:02,230
all right so step one step two pay
155
00:05:59,170 --> 00:06:02,920
attention to backdoor entry points so
156
00:06:02,230 --> 00:06:04,600
there you go
157
00:06:02,920 --> 00:06:07,990
just pay attention of those as step 2
158
00:06:04,600 --> 00:06:09,850
this tip 3 go ahead and just connect to
159
00:06:07,990 --> 00:06:12,430
all their ports their UDP and TCP ports
160
00:06:09,850 --> 00:06:13,740
and see what's running on this is
161
00:06:12,430 --> 00:06:16,390
actually not bad
162
00:06:13,740 --> 00:06:18,010
step 4 think about how you will gain
163
00:06:16,390 --> 00:06:20,200
access to the target once you've learned
164
00:06:18,010 --> 00:06:21,520
that information so you got these ports
165
00:06:20,200 --> 00:06:22,750
you know they got some ftp server on
166
00:06:21,520 --> 00:06:24,729
there and how you gonna gain access to
167
00:06:22,750 --> 00:06:25,690
that so we're really close now you're
168
00:06:24,730 --> 00:06:26,530
about ready to come a hacker you ready
169
00:06:25,690 --> 00:06:28,450
step 5
170
00:06:26,530 --> 00:06:32,859
take that username and password that you
171
00:06:28,450 --> 00:06:35,170
got Trojan it okay so here we go we all
172
00:06:32,860 --> 00:06:36,910
got our we got our hoods on and we're
173
00:06:35,170 --> 00:06:39,610
all hackers now right we passed wikiHow
174
00:06:36,910 --> 00:06:40,310
I saw this one it came on Twitter last
175
00:06:39,610 --> 00:06:42,380
night
176
00:06:40,310 --> 00:06:43,940
of a police agency you think it's in
177
00:06:42,380 --> 00:06:45,020
Australia that just posted this
178
00:06:43,940 --> 00:06:46,670
yesterday I'm not gonna read all this
179
00:06:45,020 --> 00:06:50,289
because it's really long but they
180
00:06:46,670 --> 00:06:52,340
essentially 14 steps to spot a hacker
181
00:06:50,290 --> 00:06:54,410
this is like last night on Twitter and
182
00:06:52,340 --> 00:06:56,989
and the the InfoSec world was pretty
183
00:06:54,410 --> 00:07:00,440
much just like killing this thing right
184
00:06:56,990 --> 00:07:02,720
but some of these are pretty funny and I
185
00:07:00,440 --> 00:07:04,400
think would probably classify everybody
186
00:07:02,720 --> 00:07:06,260
in this room probably has seven of these
187
00:07:04,400 --> 00:07:07,549
I would actually you know we could
188
00:07:06,260 --> 00:07:09,260
probably take a poll and I've got seven
189
00:07:07,550 --> 00:07:10,520
people you'd have seven of these traits
190
00:07:09,260 --> 00:07:12,620
almost every single person in this room
191
00:07:10,520 --> 00:07:15,620
right like spend more of your time on a
192
00:07:12,620 --> 00:07:18,890
computer than you do with people yeah I
193
00:07:15,620 --> 00:07:22,610
probably do that right use terms like
194
00:07:18,890 --> 00:07:25,090
DDoS and pwned yeah okay do you have
195
00:07:22,610 --> 00:07:27,700
multiple email addresses hacker right
196
00:07:25,090 --> 00:07:30,169
you're a hacker you cannot do that
197
00:07:27,700 --> 00:07:31,670
multiple social media profiles on one
198
00:07:30,170 --> 00:07:33,230
platform mmm
199
00:07:31,670 --> 00:07:35,720
you probably enumerated somebody on
200
00:07:33,230 --> 00:07:38,000
LinkedIn there right things like tor red
201
00:07:35,720 --> 00:07:39,530
flag can't do that selling computer
202
00:07:38,000 --> 00:07:42,380
games online cheats online you're a
203
00:07:39,530 --> 00:07:48,250
hacker your internet connection goes
204
00:07:42,380 --> 00:07:50,630
slow Yap hacker it's not Comcast hacker
205
00:07:48,250 --> 00:07:51,650
and it's long there's a bunch in there
206
00:07:50,630 --> 00:07:53,870
it's not worth right now but I was like
207
00:07:51,650 --> 00:07:56,000
you know I think if you do these 14
208
00:07:53,870 --> 00:07:58,850
things you're also hoodie on ready to go
209
00:07:56,000 --> 00:08:00,980
right and the interesting thing is you
210
00:07:58,850 --> 00:08:02,660
kind of are right like I was thinking
211
00:08:00,980 --> 00:08:03,770
like a hackers a little kid a little bit
212
00:08:02,660 --> 00:08:05,030
but that wasn't really the drive and
213
00:08:03,770 --> 00:08:08,060
that's probably not somebody you're
214
00:08:05,030 --> 00:08:09,830
trying to protect against now granite
215
00:08:08,060 --> 00:08:11,510
physical access is important and there
216
00:08:09,830 --> 00:08:13,190
are some controls and things that should
217
00:08:11,510 --> 00:08:15,800
be put in place but that maybe is not
218
00:08:13,190 --> 00:08:19,550
what you're against and it may be it's a
219
00:08:15,800 --> 00:08:20,810
little different so I did so I do a
220
00:08:19,550 --> 00:08:22,190
bunch of work and on those we do
221
00:08:20,810 --> 00:08:23,330
engagements and some of those have been
222
00:08:22,190 --> 00:08:24,530
straight at pen test and I did some for
223
00:08:23,330 --> 00:08:26,479
the state of Utah I worked at Union on
224
00:08:24,530 --> 00:08:30,950
helping going around a lot of K through
225
00:08:26,480 --> 00:08:32,810
12 but I also did dump some G's did some
226
00:08:30,950 --> 00:08:34,010
plenty of those afterwards and we do a
227
00:08:32,809 --> 00:08:36,530
lot of consulting and a lot of it's
228
00:08:34,010 --> 00:08:38,179
compliance driven and I like to break it
229
00:08:36,530 --> 00:08:40,339
down to like here's kind of the reality
230
00:08:38,179 --> 00:08:41,479
right you have things and security
231
00:08:40,340 --> 00:08:42,980
frameworks are great and I'm actually a
232
00:08:41,480 --> 00:08:45,320
big proponent of security frameworks
233
00:08:42,980 --> 00:08:47,510
when they're used for the right reasons
234
00:08:45,320 --> 00:08:50,390
when they're used to improve your
235
00:08:47,510 --> 00:08:53,300
security posture and not used for
236
00:08:50,390 --> 00:08:53,930
compliance over security and if you're
237
00:08:53,300 --> 00:08:55,699
doing compliance
238
00:08:53,930 --> 00:08:57,229
security I've legitimately done and
239
00:08:55,700 --> 00:08:59,570
Bennett orgs that have completely passed
240
00:08:57,230 --> 00:09:02,180
a PCI or whatever the compliance is and
241
00:08:59,570 --> 00:09:07,370
have completely failed at security right
242
00:09:02,180 --> 00:09:09,620
like do we have a IPS yes we do well
243
00:09:07,370 --> 00:09:10,940
it's not even on any applied correct so
244
00:09:09,620 --> 00:09:12,680
it's not in any of the zones that you
245
00:09:10,940 --> 00:09:13,779
actually have traffic on yeah but it
246
00:09:12,680 --> 00:09:16,310
asked if we had one
247
00:09:13,779 --> 00:09:18,649
it didn't say we implemented it
248
00:09:16,310 --> 00:09:20,089
correctly right and so that's where I
249
00:09:18,649 --> 00:09:21,560
have a hard time with and I actually
250
00:09:20,089 --> 00:09:22,940
always talked to customers our front
251
00:09:21,560 --> 00:09:23,449
like listen if you're trying to improve
252
00:09:22,940 --> 00:09:24,560
your posture
253
00:09:23,450 --> 00:09:26,149
I'll help work with you if you're
254
00:09:24,560 --> 00:09:27,380
literally just want to check box you
255
00:09:26,149 --> 00:09:28,250
should go somewhere else and there's
256
00:09:27,380 --> 00:09:31,730
plenty people who will do that
257
00:09:28,250 --> 00:09:32,870
unfortunately but there and in PC I had
258
00:09:31,730 --> 00:09:34,399
another racket right you Larry just
259
00:09:32,870 --> 00:09:36,200
hired another person if you get like a
260
00:09:34,399 --> 00:09:38,690
bad one I don't like that let me just
261
00:09:36,200 --> 00:09:40,130
hire another one right but so this is
262
00:09:38,690 --> 00:09:41,810
what I'm seeing like orgs generally
263
00:09:40,130 --> 00:09:43,490
getting taken down from and when we do
264
00:09:41,810 --> 00:09:45,979
engagements how easily take it down and
265
00:09:43,490 --> 00:09:47,000
so phishing is the top one and I kind of
266
00:09:45,980 --> 00:09:48,980
lump fishing together with some other
267
00:09:47,000 --> 00:09:51,320
social engineering but generally just
268
00:09:48,980 --> 00:09:54,760
phishing users and I don't want to beat
269
00:09:51,320 --> 00:09:57,800
up users but it's a reality in your work
270
00:09:54,760 --> 00:09:59,569
users and I have a big advocate of
271
00:09:57,800 --> 00:10:02,719
putting controls in to also mitigate
272
00:09:59,570 --> 00:10:04,670
some stuff that users do but phishing
273
00:10:02,720 --> 00:10:08,300
walking through the front door right
274
00:10:04,670 --> 00:10:09,680
we'll get to that show Ted I'm gonna put
275
00:10:08,300 --> 00:10:11,029
it in stone because I use it a lot and
276
00:10:09,680 --> 00:10:12,410
it's pretty amazing if you're doing a
277
00:10:11,029 --> 00:10:13,700
single target now that is amazing if
278
00:10:12,410 --> 00:10:15,020
you're just swath in the internet for
279
00:10:13,700 --> 00:10:16,700
things showdown is amazing and we'll
280
00:10:15,020 --> 00:10:18,410
touch on that for a second
281
00:10:16,700 --> 00:10:20,089
leveraging what you have once you get
282
00:10:18,410 --> 00:10:22,100
any type of foothold we'll go over that
283
00:10:20,089 --> 00:10:23,300
for a second and then of course you're
284
00:10:22,100 --> 00:10:25,279
just gonna ransomware it because why
285
00:10:23,300 --> 00:10:26,990
wouldn't you lease we're gonna talk
286
00:10:25,279 --> 00:10:28,220
about is missing patches that's not
287
00:10:26,990 --> 00:10:30,529
really fun to talk about but it's
288
00:10:28,220 --> 00:10:32,660
definitely legitimate it's out there and
289
00:10:30,529 --> 00:10:33,620
showdown does use some s will touch on
290
00:10:32,660 --> 00:10:37,400
it just for a bit
291
00:10:33,620 --> 00:10:39,650
so for fishing unfortunately in the
292
00:10:37,400 --> 00:10:41,060
world if you just take all the things
293
00:10:39,650 --> 00:10:43,939
you're trying to go after it is almost
294
00:10:41,060 --> 00:10:45,890
this easy in some scenarios like
295
00:10:43,940 --> 00:10:48,260
legitimately like you just have to try
296
00:10:45,890 --> 00:10:50,870
like a tool or a thing and here they go
297
00:10:48,260 --> 00:10:53,240
right like can you go get an open-source
298
00:10:50,870 --> 00:10:55,250
fishing program go fish or something and
299
00:10:53,240 --> 00:10:56,600
implement it and then tweak it on
300
00:10:55,250 --> 00:10:59,149
yourself until you eventually get it to
301
00:10:56,600 --> 00:11:01,399
pass their filters it is almost as easy
302
00:10:59,149 --> 00:11:03,020
it's just I don't need to throw down a
303
00:11:01,399 --> 00:11:06,260
rod and do one at a time I can just
304
00:11:03,020 --> 00:11:08,160
start picking up a bunch fishing a lot
305
00:11:06,260 --> 00:11:10,739
of times they're generally after a few
306
00:11:08,160 --> 00:11:13,170
portal's is a login page that they want
307
00:11:10,739 --> 00:11:15,600
you to put in some information when you
308
00:11:13,170 --> 00:11:17,429
do a pen test engagement it's generally
309
00:11:15,600 --> 00:11:19,679
the way they go a lot of people don't
310
00:11:17,429 --> 00:11:20,459
like you to drop payloads sometimes
311
00:11:19,679 --> 00:11:22,550
they're in scope and you can drop
312
00:11:20,459 --> 00:11:25,518
payloads but otherwise it's a link
313
00:11:22,550 --> 00:11:27,628
google authenticate authenticate here
314
00:11:25,519 --> 00:11:28,589
what I actually found that works the
315
00:11:27,629 --> 00:11:30,420
best if I were to say there's one
316
00:11:28,589 --> 00:11:32,399
fishing portal it works the best is a
317
00:11:30,420 --> 00:11:36,479
website that I own called like vote for
318
00:11:32,399 --> 00:11:38,670
site comm and it just legitimately lets
319
00:11:36,480 --> 00:11:40,259
you vote for a website like your company
320
00:11:38,670 --> 00:11:41,399
has a brand new website coming out pick
321
00:11:40,259 --> 00:11:44,249
out of these templates what do you want
322
00:11:41,399 --> 00:11:45,749
to pick and every loves to choose the
323
00:11:44,249 --> 00:11:48,480
direction of the look and feel of some
324
00:11:45,749 --> 00:11:49,439
CSS right there like that one and it
325
00:11:48,480 --> 00:11:51,600
actually tells them like thanks for
326
00:11:49,439 --> 00:11:52,949
information and and submits it it
327
00:11:51,600 --> 00:11:54,299
doesn't go to an air page and redirects
328
00:11:52,949 --> 00:11:56,549
them back to their home page and people
329
00:11:54,299 --> 00:11:58,739
just love to do that including like sis
330
00:11:56,549 --> 00:12:01,279
admins and domain admins which is nuts
331
00:11:58,739 --> 00:12:03,299
right but these portals they work
332
00:12:01,279 --> 00:12:05,850
because people don't stop and pay
333
00:12:03,299 --> 00:12:07,439
attention pay loads is generally
334
00:12:05,850 --> 00:12:08,759
something that they want to execute in
335
00:12:07,439 --> 00:12:11,998
your system this can absolutely be
336
00:12:08,759 --> 00:12:13,139
mitigated a lot of scenarios by IT you
337
00:12:11,999 --> 00:12:14,999
guys can run a lot of things to mitigate
338
00:12:13,139 --> 00:12:18,059
payloads however there are still things
339
00:12:14,999 --> 00:12:19,049
like beef and hooking browsers but
340
00:12:18,059 --> 00:12:21,029
payloads
341
00:12:19,049 --> 00:12:23,939
and do they have atom what can you
342
00:12:21,029 --> 00:12:25,679
leverage of their admin credential once
343
00:12:23,939 --> 00:12:27,629
you're on a system so we'll touch on
344
00:12:25,679 --> 00:12:29,129
those we've seen this basic one however
345
00:12:27,629 --> 00:12:30,569
I do want to touch on some of these so
346
00:12:29,129 --> 00:12:32,399
some of these if they're way under where
347
00:12:30,569 --> 00:12:34,709
you're at apologies but this is a one on
348
00:12:32,399 --> 00:12:36,689
one track so we're gonna touch on some
349
00:12:34,709 --> 00:12:38,849
of the basic stuff these are the basic
350
00:12:36,689 --> 00:12:41,309
validating where it comes from this is
351
00:12:38,850 --> 00:12:43,230
you know our things were dry are they
352
00:12:41,309 --> 00:12:44,699
looking weird are these URLs going to
353
00:12:43,230 --> 00:12:46,769
the wrong places and some of these are
354
00:12:44,699 --> 00:12:48,299
getting much and much harder as much as
355
00:12:46,769 --> 00:12:50,069
we know some of these like yeah let's
356
00:12:48,299 --> 00:12:52,829
hover over link and see that tell me how
357
00:12:50,069 --> 00:12:54,479
you do that on your cell phone well you
358
00:12:52,829 --> 00:12:55,888
can hold down on it for a while and then
359
00:12:54,480 --> 00:12:57,360
it pops up and maybe gives you some
360
00:12:55,889 --> 00:13:00,149
options on what you can do
361
00:12:57,360 --> 00:13:01,980
so things as we know more things are
362
00:13:00,149 --> 00:13:04,439
getting harder some of these URLs that
363
00:13:01,980 --> 00:13:06,869
off you skate where you go they
364
00:13:04,439 --> 00:13:09,269
intentionally make them long to go off
365
00:13:06,869 --> 00:13:10,739
of your cell phone right on a desktop it
366
00:13:09,269 --> 00:13:13,649
would like that look shady but on your
367
00:13:10,739 --> 00:13:14,999
mobile I don't know so some things are
368
00:13:13,649 --> 00:13:16,589
getting a little more complicated with
369
00:13:14,999 --> 00:13:20,220
some of that stuff and we've seen these
370
00:13:16,589 --> 00:13:21,340
generally with phishing away I advocate
371
00:13:20,220 --> 00:13:24,370
people is
372
00:13:21,340 --> 00:13:26,410
to validate at the source timing is
373
00:13:24,370 --> 00:13:28,360
always on your side you can always go
374
00:13:26,410 --> 00:13:30,670
validate at the source right you don't
375
00:13:28,360 --> 00:13:33,070
need to act on what they act if I show
376
00:13:30,670 --> 00:13:35,530
up with a Comcast shirt on and say hey
377
00:13:33,070 --> 00:13:37,450
is your internet running slow your
378
00:13:35,530 --> 00:13:38,740
answer is generally yes right and I'm
379
00:13:37,450 --> 00:13:40,720
here to fix it I need in your data
380
00:13:38,740 --> 00:13:43,360
center right the answer is generally yes
381
00:13:40,720 --> 00:13:45,250
but you should be able to validate that
382
00:13:43,360 --> 00:13:47,800
from the source and that source is not
383
00:13:45,250 --> 00:13:48,940
the business card I hand you with
384
00:13:47,800 --> 00:13:51,400
somebody sitting in a truck outside
385
00:13:48,940 --> 00:13:52,870
right that source is you go call Comcast
386
00:13:51,400 --> 00:13:55,120
you called some you call the vendor
387
00:13:52,870 --> 00:13:57,280
directly you validate at the source if
388
00:13:55,120 --> 00:13:59,890
you get and we always want to act on a
389
00:13:57,280 --> 00:14:01,030
position of something there you can get
390
00:13:59,890 --> 00:14:04,600
to much smarter people that will tell
391
00:14:01,030 --> 00:14:05,980
you the positions of fear and Clow and
392
00:14:04,600 --> 00:14:07,240
all these other reasons why your
393
00:14:05,980 --> 00:14:08,650
emotional triggers get you to act on
394
00:14:07,240 --> 00:14:10,360
some of this stuff but it's generally
395
00:14:08,650 --> 00:14:12,280
like they want you to do something now
396
00:14:10,360 --> 00:14:14,470
and timing is on your side it is in your
397
00:14:12,280 --> 00:14:16,930
best interest to not act on that email
398
00:14:14,470 --> 00:14:19,360
to think about it to go over to validate
399
00:14:16,930 --> 00:14:21,130
at the source right so things like this
400
00:14:19,360 --> 00:14:24,040
like hey your email counts gonna get
401
00:14:21,130 --> 00:14:25,450
shut down that actually could happen if
402
00:14:24,040 --> 00:14:27,189
somebody didn't pay a bill and that's
403
00:14:25,450 --> 00:14:28,750
scary and I got emails and you can't
404
00:14:27,190 --> 00:14:31,120
take away my emails or take my emails I
405
00:14:28,750 --> 00:14:33,040
can't work right or slack depending
406
00:14:31,120 --> 00:14:35,320
which work you're in but you can't take
407
00:14:33,040 --> 00:14:38,020
that away and this is a legit scenario
408
00:14:35,320 --> 00:14:40,210
you might be concerned about but you
409
00:14:38,020 --> 00:14:42,100
contact your IT team you contact your
410
00:14:40,210 --> 00:14:43,870
provider Microsoft Google you contact
411
00:14:42,100 --> 00:14:45,850
them you don't click this link and
412
00:14:43,870 --> 00:14:48,910
validate that right if chase says your
413
00:14:45,850 --> 00:14:50,650
credit card is expired or it's been
414
00:14:48,910 --> 00:14:53,290
declined or in this scenario like this
415
00:14:50,650 --> 00:14:55,329
right this is this would be interesting
416
00:14:53,290 --> 00:14:58,900
right email security later hey you just
417
00:14:55,330 --> 00:15:00,190
logged in from Russia well I'm a
418
00:14:58,900 --> 00:15:03,100
security person I'm shutting that down
419
00:15:00,190 --> 00:15:06,010
now right well that's actually what they
420
00:15:03,100 --> 00:15:09,040
want you to click here put in your
421
00:15:06,010 --> 00:15:12,550
password portal harvest credentials or
422
00:15:09,040 --> 00:15:15,040
payload drop a payload right so this
423
00:15:12,550 --> 00:15:16,959
one's just a position of like you've
424
00:15:15,040 --> 00:15:19,209
already been compromised like whoa right
425
00:15:16,960 --> 00:15:21,370
chase sends you an email out hey you've
426
00:15:19,210 --> 00:15:22,900
already been compromised click here to
427
00:15:21,370 --> 00:15:23,320
you know freeze your card or get a new
428
00:15:22,900 --> 00:15:24,790
one
429
00:15:23,320 --> 00:15:27,010
you might be freaking out about that
430
00:15:24,790 --> 00:15:29,020
validate at the source office validate
431
00:15:27,010 --> 00:15:30,790
at the source timing is on your side so
432
00:15:29,020 --> 00:15:32,710
these are getting better and better less
433
00:15:30,790 --> 00:15:33,819
is the language weird and there's still
434
00:15:32,710 --> 00:15:34,640
plenty of those that are out there but
435
00:15:33,820 --> 00:15:37,070
most of those are just
436
00:15:34,640 --> 00:15:38,180
Brayan and some people still do it but
437
00:15:37,070 --> 00:15:39,620
they're getting better and better this
438
00:15:38,180 --> 00:15:42,410
is a well-crafted email this is a
439
00:15:39,620 --> 00:15:43,460
well-crafted email there might be some a
440
00:15:42,410 --> 00:15:46,069
few things in there you can think about
441
00:15:43,460 --> 00:15:47,720
but overall these could happen which is
442
00:15:46,070 --> 00:15:49,360
why other triggers right somebody could
443
00:15:47,720 --> 00:15:51,680
log in your email account from Russia
444
00:15:49,360 --> 00:15:54,380
your provider might give you an alert
445
00:15:51,680 --> 00:15:55,790
for that that would be concerning unless
446
00:15:54,380 --> 00:15:56,870
you're in Russia maybe not so concerned
447
00:15:55,790 --> 00:16:02,329
but here in Utah
448
00:15:56,870 --> 00:16:05,390
that'd be red flag for me validate at
449
00:16:02,330 --> 00:16:07,430
that source right this one I've used
450
00:16:05,390 --> 00:16:09,380
this in a few presentations I've done
451
00:16:07,430 --> 00:16:10,849
and and let me let me be clear in a
452
00:16:09,380 --> 00:16:13,040
bunch these examples I don't pull these
453
00:16:10,850 --> 00:16:17,090
off the internet these are from things
454
00:16:13,040 --> 00:16:20,089
that worked this worked right somebody
455
00:16:17,090 --> 00:16:22,310
was like I gotta download this doc file
456
00:16:20,090 --> 00:16:23,000
or yeah this was a docx file send them
457
00:16:22,310 --> 00:16:24,770
to a doc file
458
00:16:23,000 --> 00:16:27,260
I gotta download this doc file and enable
459
00:16:24,770 --> 00:16:30,740
that macro right in this scenario what
460
00:16:27,260 --> 00:16:31,939
would you do to validate this I mean
461
00:16:30,740 --> 00:16:34,100
those who can't read in the back I know
462
00:16:31,940 --> 00:16:36,440
it's I try to make them big but it is a
463
00:16:34,100 --> 00:16:38,480
long room this is a divorce letter right
464
00:16:36,440 --> 00:16:41,480
from an attorney who's coming from
465
00:16:38,480 --> 00:16:44,650
something shady like Co dot slash
466
00:16:41,480 --> 00:16:47,660
divorce right if your attorney's there
467
00:16:44,650 --> 00:16:51,140
they shouldn't have that attorney but
468
00:16:47,660 --> 00:16:52,819
let alone and this could be a real thing
469
00:16:51,140 --> 00:16:54,230
I hope it's not in your life I hope your
470
00:16:52,820 --> 00:16:55,400
spouse hopefully you've had some
471
00:16:54,230 --> 00:16:58,160
conversations before would read
472
00:16:55,400 --> 00:16:59,750
something like this however even if it
473
00:16:58,160 --> 00:17:02,600
wasn't it shouldn't be immediate like
474
00:16:59,750 --> 00:17:03,770
screw them I'm gonna preemptive you know
475
00:17:02,600 --> 00:17:05,569
and click on these things like you
476
00:17:03,770 --> 00:17:06,619
should call your spouse probably right
477
00:17:05,569 --> 00:17:08,839
you're gonna have two other conversation
478
00:17:06,619 --> 00:17:10,099
at some point but it shouldn't be good
479
00:17:08,839 --> 00:17:14,839
either because this might be malicious
480
00:17:10,099 --> 00:17:16,819
right all right this this one is huge I
481
00:17:14,839 --> 00:17:17,929
don't know why this still works I'm just
482
00:17:16,819 --> 00:17:19,698
amazed how many people have not
483
00:17:17,930 --> 00:17:21,980
implemented or Microsoft directly has
484
00:17:19,699 --> 00:17:24,589
not just disabled this by default like
485
00:17:21,980 --> 00:17:28,790
GPO or group policies haven't just
486
00:17:24,589 --> 00:17:30,530
pushed like no macros Mac I'm not saying
487
00:17:28,790 --> 00:17:31,790
macros aren't a thing in some Excel
488
00:17:30,530 --> 00:17:33,950
documents I definitely see them still
489
00:17:31,790 --> 00:17:35,330
being a thing and they shouldn't be but
490
00:17:33,950 --> 00:17:37,790
I've never seen a legitimate Word macro
491
00:17:35,330 --> 00:17:39,980
I don't know they probably have a
492
00:17:37,790 --> 00:17:41,870
purpose but not anymore like I've never
493
00:17:39,980 --> 00:17:43,130
seen a legitimate Word macro you can
494
00:17:41,870 --> 00:17:44,899
absolutely create a policy that just
495
00:17:43,130 --> 00:17:46,730
says like that can't run in my org and
496
00:17:44,900 --> 00:17:48,090
you can do it on an individual computer
497
00:17:46,730 --> 00:17:50,240
or you can do it through group policy
498
00:17:48,090 --> 00:17:52,529
that should not read you should not run
499
00:17:50,240 --> 00:17:55,049
macros out of a Word document it makes
500
00:17:52,529 --> 00:17:57,990
no sense like the way to break it down
501
00:17:55,049 --> 00:17:59,400
to people what a macro is you're
502
00:17:57,990 --> 00:18:02,610
essentially saying I would like this
503
00:17:59,400 --> 00:18:04,380
script to run on my machine right so
504
00:18:02,610 --> 00:18:06,299
let's put into actually English I would
505
00:18:04,380 --> 00:18:08,070
like this malicious file maybe
506
00:18:06,299 --> 00:18:10,289
malicious maybe not I want this file to
507
00:18:08,070 --> 00:18:11,970
run on my machine not just view and
508
00:18:10,289 --> 00:18:15,419
invoice let alone an invoice shouldn't
509
00:18:11,970 --> 00:18:17,460
really be coming in a word file anyway
510
00:18:15,419 --> 00:18:18,960
let alone have a macro and the brand-new
511
00:18:17,460 --> 00:18:21,630
version of this that I just got like a
512
00:18:18,960 --> 00:18:23,880
week ago this one so this one's pretty
513
00:18:21,630 --> 00:18:25,919
hot right now and they're already
514
00:18:23,880 --> 00:18:28,919
starting to skin them with the office
515
00:18:25,919 --> 00:18:31,500
365 brand new ones or the 2019 version
516
00:18:28,919 --> 00:18:33,299
that just came out the same colors same
517
00:18:31,500 --> 00:18:35,880
feel they're gonna say things like this is
518
00:18:33,299 --> 00:18:37,470
compatibility mode and essentially what
519
00:18:35,880 --> 00:18:39,590
they say is two things enable editing
520
00:18:37,470 --> 00:18:42,840
enable content take me out of my sandbox
521
00:18:39,590 --> 00:18:45,750
run a script take me out of my sandbox run a
522
00:18:42,840 --> 00:18:48,408
script if you don't want that docx file
523
00:18:45,750 --> 00:18:50,520
to run a script on a machine enable
524
00:18:48,409 --> 00:18:53,820
content should be viewed the same as
525
00:18:50,520 --> 00:18:55,529
like let's run this exe well that makes
526
00:18:53,820 --> 00:18:56,939
your hair stick I don't want our exe but
527
00:18:55,529 --> 00:18:59,220
I do want to see the invoice that guy
528
00:18:56,940 --> 00:19:02,539
said that's delinquent right yeah I'm
529
00:18:59,220 --> 00:19:05,070
not a customer but I'm really curious
530
00:19:02,539 --> 00:19:08,158
again these are all shown because they
531
00:19:05,070 --> 00:19:09,360
work this works this is probably one
532
00:19:08,159 --> 00:19:10,140
rampant right now there's probably
533
00:19:09,360 --> 00:19:11,610
people doing it right now
534
00:19:10,140 --> 00:19:14,970
hopefully nobody in this room but this
535
00:19:11,610 --> 00:19:17,219
works you have these amazing things like
536
00:19:14,970 --> 00:19:19,169
hey check your password and see if it's
537
00:19:17,220 --> 00:19:22,350
a good password that's a terrible idea
538
00:19:19,169 --> 00:19:24,960
by the way because especially on this
539
00:19:22,350 --> 00:19:25,379
site right I don't know why the site
540
00:19:24,960 --> 00:19:27,929
saying
541
00:19:25,380 --> 00:19:29,669
however definitely had a user got
542
00:19:27,929 --> 00:19:31,380
reported to me how to deal with this
543
00:19:29,669 --> 00:19:33,360
this is a site they went to put in their
544
00:19:31,380 --> 00:19:39,510
password I just want to see if it was
545
00:19:33,360 --> 00:19:40,260
secure it might have been it's not
546
00:19:39,510 --> 00:19:42,270
anymore
547
00:19:40,260 --> 00:19:44,940
that password's gone you gotta get rid of
548
00:19:42,270 --> 00:19:47,039
that and then these things still work
549
00:19:44,940 --> 00:19:48,779
this was a this was actually few months
550
00:19:47,039 --> 00:19:50,760
back probably April-ish these things
551
00:19:48,779 --> 00:19:54,210
work you go to a site they have some
552
00:19:50,760 --> 00:19:55,440
shady ad and the ad renders this thing
553
00:19:54,210 --> 00:19:57,690
it takes over your whole screen right
554
00:19:55,440 --> 00:20:01,799
and people are like I don't know I'm
555
00:19:57,690 --> 00:20:03,869
just gonna click the blue things there
556
00:20:01,799 --> 00:20:05,668
what was that talk this morning I you
557
00:20:03,869 --> 00:20:07,499
know where to put you I and make you do
558
00:20:05,669 --> 00:20:09,179
the right choices I don't know this one
559
00:20:07,499 --> 00:20:11,309
I think by giving you two options both
560
00:20:09,179 --> 00:20:13,499
terrible we're more likely to pick one
561
00:20:11,309 --> 00:20:16,200
of them probably you really I guess
562
00:20:13,499 --> 00:20:17,669
install Flash Flash is a good thing
563
00:20:16,200 --> 00:20:20,639
in the security world right let's put Flash
564
00:20:17,669 --> 00:20:22,440
in there and then these ones this I had
565
00:20:20,639 --> 00:20:24,629
a helper friend with this he was an
566
00:20:22,440 --> 00:20:26,700
elderly gentleman and he gave them money
567
00:20:24,629 --> 00:20:27,869
right his screen got taken over and this
568
00:20:26,700 --> 00:20:30,360
one's really hard to see but it's like
569
00:20:27,869 --> 00:20:32,519
hey malicious pornographic spyware slash
570
00:20:30,360 --> 00:20:35,039
riskware detected let's just cover all
571
00:20:32,519 --> 00:20:36,899
the things it's either pornography or
572
00:20:35,039 --> 00:20:38,639
spyware or riskware like you know
573
00:20:36,899 --> 00:20:42,809
between that combination you'd in it
574
00:20:38,639 --> 00:20:45,119
right and you need to call us immediately do
575
00:20:42,809 --> 00:20:46,619
not do not ignore this and on mobile
576
00:20:45,119 --> 00:20:48,539
phones on someone they will take over
577
00:20:46,619 --> 00:20:50,129
the whole screen and people freaked out
578
00:20:48,539 --> 00:20:52,019
like reboot it shut it down like you can
579
00:20:50,129 --> 00:20:53,759
hit the back button right just hit the
580
00:20:52,019 --> 00:20:54,960
back button and sometimes depending how
581
00:20:53,759 --> 00:20:56,700
they coded it that back button will just
582
00:20:54,960 --> 00:20:59,159
load it again it again but you just open
583
00:20:56,700 --> 00:21:02,190
the app drawer and close it but people
584
00:20:59,159 --> 00:21:05,450
will just like stop and worse call them
585
00:21:02,190 --> 00:21:07,739
right Microsoft doesn't ever call you
586
00:21:05,450 --> 00:21:10,679
they don't they don't call you like hey
587
00:21:07,739 --> 00:21:12,989
I know you need support today right I've
588
00:21:10,679 --> 00:21:15,269
not seen that I've got hey we got an
589
00:21:12,989 --> 00:21:17,399
audit I've got that for Microsoft but I
590
00:21:15,269 --> 00:21:19,919
don't get a call hey let's help you with
591
00:21:17,399 --> 00:21:24,018
support today right but yet people pay
592
00:21:19,919 --> 00:21:24,019
them this stuff works
593
00:21:24,259 --> 00:21:29,580
any questions on the phishing this
594
00:21:28,289 --> 00:21:31,049
came around Facebook a while there's
595
00:21:29,580 --> 00:21:32,759
been years ago but this was around like
596
00:21:31,049 --> 00:21:34,019
this is so and so and I tweaked it and
597
00:21:32,759 --> 00:21:36,570
was like quit sharing all this crap on
598
00:21:34,019 --> 00:21:37,649
Facebook anyway who knew they'd be
599
00:21:36,570 --> 00:21:41,820
sharing with everybody in the world
600
00:21:37,649 --> 00:21:43,439
right all right we can I can chat with
601
00:21:41,820 --> 00:21:45,928
anybody after is there any questions or
602
00:21:43,440 --> 00:21:48,690
at the end of the talk too let's talk
603
00:21:45,929 --> 00:21:51,029
about creds passwords so I put in there
604
00:21:48,690 --> 00:21:53,009
just walk through the front door so a
605
00:21:51,029 --> 00:21:55,950
lot of times on the engagement whatever
606
00:21:53,009 --> 00:22:00,149
the client is I just take their domain
607
00:21:55,950 --> 00:22:02,669
name and just check that domain name for
608
00:22:00,149 --> 00:22:04,459
already known creds out there what are
609
00:22:02,669 --> 00:22:06,779
the chances they've changed them
610
00:22:04,460 --> 00:22:08,190
actually it's not bad most are changing
611
00:22:06,779 --> 00:22:10,980
I'd probably say 60 70 percent
612
00:22:08,190 --> 00:22:13,270
probably changed it but it's something
613
00:22:10,980 --> 00:22:19,500
like spring 2017 something
614
00:22:13,270 --> 00:22:22,420
oh let's try summer fall right the note
615
00:22:19,500 --> 00:22:26,050
so there there are you can absolutely go
616
00:22:22,420 --> 00:22:29,710
get dumps of these breaches be care oh
617
00:22:26,050 --> 00:22:32,350
where do you get probably how I've been
618
00:22:29,710 --> 00:22:34,090
part I should know better I do a V I'm
619
00:22:32,350 --> 00:22:37,060
supposed to repeat his question he asked
620
00:22:34,090 --> 00:22:38,949
where can he check to know that if his
621
00:22:37,060 --> 00:22:40,360
domain has been compromised right if
622
00:22:38,950 --> 00:22:42,550
there's known creds out there probably
623
00:22:40,360 --> 00:22:44,649
Troy Hunt's Have I Been Pwned is probably
624
00:22:42,550 --> 00:22:46,540
your safest place to do that you just
625
00:22:44,650 --> 00:22:48,340
put in your email address it validates
626
00:22:46,540 --> 00:22:50,500
you own it and it will send it to you
627
00:22:48,340 --> 00:22:53,379
the part I don't like about that is I
628
00:22:50,500 --> 00:22:55,270
wish he would tell me what he has I said
629
00:22:53,380 --> 00:22:57,460
he just says yes it was in there and it
630
00:22:55,270 --> 00:23:00,040
was a part of this breach and but it
631
00:22:57,460 --> 00:23:01,390
doesn't say they had your password and
632
00:23:00,040 --> 00:23:02,379
had this and this is your password and
633
00:23:01,390 --> 00:23:03,670
if you see this anywhere else you're
634
00:23:02,380 --> 00:23:06,010
still screwed right you didn't go change
635
00:23:03,670 --> 00:23:07,420
that I wish they would once you
636
00:23:06,010 --> 00:23:09,070
validated you own that domain I wish it
637
00:23:07,420 --> 00:23:10,930
would actually give you that data but
638
00:23:09,070 --> 00:23:12,460
what he's doing is a great service
639
00:23:10,930 --> 00:23:14,830
already and that data is already out
640
00:23:12,460 --> 00:23:16,990
there if you're more into more advanced
641
00:23:14,830 --> 00:23:18,970
stuff you can absolutely go in get these
642
00:23:16,990 --> 00:23:21,070
dumps the problem is is sometimes they
643
00:23:18,970 --> 00:23:24,430
are other malicious files so you needed
644
00:23:21,070 --> 00:23:25,960
to have really good sandboxing and a lot
645
00:23:24,430 --> 00:23:27,970
of times getting on Tor and getting
646
00:23:25,960 --> 00:23:29,620
validated on some form and you can get
647
00:23:27,970 --> 00:23:31,540
access to a lot of this stuff it's
648
00:23:29,620 --> 00:23:33,969
probably it's over 101 that's not 101
649
00:23:31,540 --> 00:23:35,260
101 go to haveibeenpwned.com put in
650
00:23:33,970 --> 00:23:36,970
your email address and see if you've
651
00:23:35,260 --> 00:23:38,710
been pwned right
652
00:23:36,970 --> 00:23:43,060
in fact this stat came from Troy Hunt's
653
00:23:38,710 --> 00:23:46,480
site 500 million creds different creds
654
00:23:43,060 --> 00:23:49,810
and of that I think he said 80% are
655
00:23:46,480 --> 00:23:51,160
terrible right so these are creds so the
656
00:23:49,810 --> 00:23:53,950
first thing you do is just go look at
657
00:23:51,160 --> 00:23:55,660
that and see if we must log in right
658
00:23:53,950 --> 00:23:57,250
hey you'll hope that username go check
659
00:23:55,660 --> 00:23:58,120
LinkedIn oh that guy's an IT guy
660
00:23:57,250 --> 00:24:01,570
perfect
661
00:23:58,120 --> 00:24:02,919
he's got privileged access right so the
662
00:24:01,570 --> 00:24:04,810
password guidelines are kind of changing
663
00:24:02,920 --> 00:24:07,690
I put this in here because people are
664
00:24:04,810 --> 00:24:09,550
still pushing for this hard the every
665
00:24:07,690 --> 00:24:13,120
rotated every 90 days and that
666
00:24:09,550 --> 00:24:15,129
absolutely has purposes for like IT and
667
00:24:13,120 --> 00:24:17,649
escalated people on people having
668
00:24:15,130 --> 00:24:19,600
persistent access and if you're using
669
00:24:17,650 --> 00:24:22,510
vault managers it can still work the
670
00:24:19,600 --> 00:24:24,280
reality is most people just make even
671
00:24:22,510 --> 00:24:25,870
worse passwords they use spring they use
672
00:24:24,280 --> 00:24:26,540
fall they use summer they use quarter
673
00:24:25,870 --> 00:24:28,939
one quarter two
674
00:24:26,540 --> 00:24:30,290
quarter three they use some variation they
675
00:24:28,940 --> 00:24:32,240
just keep adding a 1 an exclamation
676
00:24:30,290 --> 00:24:34,250
point you know to some extent until they
677
00:24:32,240 --> 00:24:37,250
get past whatever rule don't care one
678
00:24:34,250 --> 00:24:39,080
exclamation point right so what they've
679
00:24:37,250 --> 00:24:40,820
come out with NIST and all the other
680
00:24:39,080 --> 00:24:42,350
guidelines are essentially saying of all the
681
00:24:40,820 --> 00:24:43,669
studies of us telling people to rotate
682
00:24:42,350 --> 00:24:45,709
their passwords it's actually been
683
00:24:43,670 --> 00:24:48,140
counter it's been making passwords worse
684
00:24:45,710 --> 00:24:50,390
and so they just changed it to this is
685
00:24:48,140 --> 00:24:51,770
the new standard it's still being pushed
686
00:24:50,390 --> 00:24:54,130
out through different things but most
687
00:24:51,770 --> 00:24:56,270
have adopted it most compliance
688
00:24:54,130 --> 00:24:58,070
frameworks and compliance are on this
689
00:24:56,270 --> 00:25:00,440
but not in a dictionary so that's what
690
00:24:58,070 --> 00:25:02,870
we just talked about it cannot be on a
691
00:25:00,440 --> 00:25:04,430
known breach password if that your
692
00:25:02,870 --> 00:25:05,889
password is already compromised
693
00:25:04,430 --> 00:25:08,480
somewhere you put in a Russian portal
694
00:25:05,890 --> 00:25:09,920
it's gone you can't use it again that
695
00:25:08,480 --> 00:25:11,870
password is gone just assume it's gone
696
00:25:09,920 --> 00:25:14,420
that's a token that tokens expired you
697
00:25:11,870 --> 00:25:16,100
need a new token ok don't reuse them
698
00:25:14,420 --> 00:25:17,300
services system your business shouldn't
699
00:25:16,100 --> 00:25:18,379
take down your personal life your
700
00:25:17,300 --> 00:25:20,990
personal life shouldn't take down your
701
00:25:18,380 --> 00:25:22,370
business there are things and and some
702
00:25:20,990 --> 00:25:24,650
people take this to the the umpteenth
703
00:25:22,370 --> 00:25:27,409
degree and I would say just classify
704
00:25:24,650 --> 00:25:29,210
your life right if you have a Yelp
705
00:25:27,410 --> 00:25:31,340
account and you don't really care about
706
00:25:29,210 --> 00:25:33,530
your Yelp account who cares about your
707
00:25:31,340 --> 00:25:34,699
password to some extent right that can
708
00:25:33,530 --> 00:25:36,350
be something that you maybe share with
709
00:25:34,700 --> 00:25:38,450
something else however if you're like a
710
00:25:36,350 --> 00:25:40,760
buddy of mine who is an avid Yelp person
711
00:25:38,450 --> 00:25:42,950
who spends all their time there and has
712
00:25:40,760 --> 00:25:44,960
like hundreds if not thousands of things
713
00:25:42,950 --> 00:25:46,790
it's really important to him well maybe
714
00:25:44,960 --> 00:25:49,340
you want to segment segment that right
715
00:25:46,790 --> 00:25:50,720
your Netflix well they take over from it
716
00:25:49,340 --> 00:25:53,030
they might increase your account they
717
00:25:50,720 --> 00:25:54,020
might change something depending on your
718
00:25:53,030 --> 00:25:55,670
effort how much you care about that
719
00:25:54,020 --> 00:25:57,350
maybe that's a lower classification to
720
00:25:55,670 --> 00:26:00,410
you and you don't care as much but my
721
00:25:57,350 --> 00:26:01,939
banking my work email my personal email
722
00:26:00,410 --> 00:26:03,890
the things that I reset passwords to
723
00:26:01,940 --> 00:26:05,960
those are different they have to be
724
00:26:03,890 --> 00:26:07,700
different there's no way one should take
725
00:26:05,960 --> 00:26:10,310
down the other one you have to assume
726
00:26:07,700 --> 00:26:11,750
that website like this is the best
727
00:26:10,310 --> 00:26:13,340
example when I started in the
728
00:26:11,750 --> 00:26:16,010
information security or way actually
729
00:26:13,340 --> 00:26:17,570
before that I got I got this website was
730
00:26:16,010 --> 00:26:19,940
breached I was restoring this old truck
731
00:26:17,570 --> 00:26:21,260
called a it was for truck enthusiasts
732
00:26:19,940 --> 00:26:22,640
dot com I think it still exists
733
00:26:21,260 --> 00:26:23,990
I was restored in this old truck and I
734
00:26:22,640 --> 00:26:26,090
was posting photos to the world of how
735
00:26:23,990 --> 00:26:27,620
amazing my truck was right and it got
736
00:26:26,090 --> 00:26:29,149
breached and it like took out my email took
737
00:26:27,620 --> 00:26:31,969
out my banking and it took out and I was
738
00:26:29,150 --> 00:26:34,580
it's like what right I didn't know any
739
00:26:31,970 --> 00:26:36,860
better but for truck enthusiasts of your
740
00:26:34,580 --> 00:26:38,480
life should not take down your banking
741
00:26:36,860 --> 00:26:40,439
shouldn't take down your email shouldn't
742
00:26:38,480 --> 00:26:42,030
take down your org though should be
743
00:26:40,440 --> 00:26:43,530
broken out by service if you have
744
00:26:42,030 --> 00:26:45,480
something critical some database
745
00:26:43,530 --> 00:26:47,460
administrator password separate that
746
00:26:45,480 --> 00:26:49,490
make it something unique vault manager
747
00:26:47,460 --> 00:26:52,800
your friend we'll touch on that
748
00:26:49,490 --> 00:26:56,250
length is the preferred it's harder for
749
00:26:52,800 --> 00:26:57,659
cracking rigs right they don't say that
750
00:26:56,250 --> 00:26:58,800
in the compliance thing but length is
751
00:26:57,660 --> 00:27:00,840
preferred the longer your password the
752
00:26:58,800 --> 00:27:04,440
harder it is for computation to crack it
753
00:27:00,840 --> 00:27:06,959
and then two-factor is your friend but
754
00:27:04,440 --> 00:27:08,160
don't just rely on two-factor right the
755
00:27:06,960 --> 00:27:10,350
company I own we also have developers
756
00:27:08,160 --> 00:27:13,530
around dev shops we we take over a
757
00:27:10,350 --> 00:27:15,330
lot of bad code and two-factor's not
758
00:27:13,530 --> 00:27:16,889
always implemented properly if you're
759
00:27:15,330 --> 00:27:20,100
like I can use whatever crappy password
760
00:27:16,890 --> 00:27:22,080
I want like P@ssword one exclamation
761
00:27:20,100 --> 00:27:24,990
point because I have two-factor on I
762
00:27:22,080 --> 00:27:26,189
think you should elevate that a little
763
00:27:24,990 --> 00:27:28,230
bit right
764
00:27:26,190 --> 00:27:29,700
you should Security's always layers it
765
00:27:28,230 --> 00:27:32,130
shouldn't be assuming there's one thing
766
00:27:29,700 --> 00:27:34,220
that stops everything right multiple
767
00:27:32,130 --> 00:27:36,720
things two-factor is your friend I
768
00:27:34,220 --> 00:27:38,370
absolutely been on engagements where
769
00:27:36,720 --> 00:27:39,720
we've got their complete credentials
770
00:27:38,370 --> 00:27:42,060
through a portal through whatever other
771
00:27:39,720 --> 00:27:45,000
means we log in and it sends them an
772
00:27:42,060 --> 00:27:47,010
alert hey we're logging in and want to
773
00:27:45,000 --> 00:27:49,320
validate this is you and they're like no
774
00:27:47,010 --> 00:27:50,160
right you get shut down and they know
775
00:27:49,320 --> 00:27:52,230
you're doing it
776
00:27:50,160 --> 00:27:53,610
two-factor is your friend put it on all
777
00:27:52,230 --> 00:27:56,160
the important things in your life your
778
00:27:53,610 --> 00:27:58,290
email your banking of course switches
779
00:27:56,160 --> 00:28:02,190
routers firewalls put on the things that
780
00:27:58,290 --> 00:28:03,480
are important two-factor is actually
781
00:28:02,190 --> 00:28:05,250
one of those like I'm not gonna say
782
00:28:03,480 --> 00:28:07,380
silver bullet but it helps a lot of
783
00:28:05,250 --> 00:28:08,940
things it really mitigates a lot of
784
00:28:07,380 --> 00:28:11,480
things it's that extra layer of control
785
00:28:08,940 --> 00:28:13,320
behind a user making a terrible decision
786
00:28:11,480 --> 00:28:14,790
if you don't know what two-factor is
787
00:28:13,320 --> 00:28:16,350
google it and multi-factor doesn't count
788
00:28:14,790 --> 00:28:17,790
a lot of people are like that's two-factor I put
789
00:28:16,350 --> 00:28:20,490
a username password in and then another
790
00:28:17,790 --> 00:28:22,590
password might you need something
791
00:28:20,490 --> 00:28:24,510
separate that if you only have a key
792
00:28:22,590 --> 00:28:27,990
logger on machine a you will also have
793
00:28:24,510 --> 00:28:31,110
both of those things right vault
794
00:28:27,990 --> 00:28:32,640
managers are your friends depending on
795
00:28:31,110 --> 00:28:34,050
your level paranoia you can have
796
00:28:32,640 --> 00:28:36,300
anything from an online one that syncs
797
00:28:34,050 --> 00:28:38,190
everything for you to a local version
798
00:28:36,300 --> 00:28:40,290
that if your hard drive crashes you lose
799
00:28:38,190 --> 00:28:42,240
everything right somewhere in there is
800
00:28:40,290 --> 00:28:43,649
probably safe regardless it's still
801
00:28:42,240 --> 00:28:46,320
probably better than what you're doing
802
00:28:43,650 --> 00:28:48,570
without you can get into some errant
803
00:28:46,320 --> 00:28:50,639
toppings and stuff with password cards
804
00:28:48,570 --> 00:28:52,530
and stuff and and get really crazy and
805
00:28:50,640 --> 00:28:54,090
that guy's amazing it's all math and
806
00:28:52,530 --> 00:28:56,610
entropy and wizards
807
00:28:54,090 --> 00:28:57,840
but password vault manager's your friend
808
00:28:56,610 --> 00:28:59,939
people always ask me what do you
809
00:28:57,840 --> 00:29:01,320
recommend in vault managers the answer is
810
00:28:59,940 --> 00:29:03,360
whoever looks at a security
811
00:29:01,320 --> 00:29:04,770
vulnerability and mitigates it you can
812
00:29:03,360 --> 00:29:06,209
never say a code will be perfect from
813
00:29:04,770 --> 00:29:07,800
vulnerabilities but whoever's looking at
814
00:29:06,210 --> 00:29:09,770
and mitigating it there's probably two
815
00:29:07,800 --> 00:29:12,060
primary ones out there that you know of
816
00:29:09,770 --> 00:29:13,560
the small ones that nobody looks at the
817
00:29:12,060 --> 00:29:14,610
code it's like a WordPress plugin
818
00:29:13,560 --> 00:29:15,120
that's just been hanging out there for
819
00:29:14,610 --> 00:29:22,560
ten years
820
00:29:15,120 --> 00:29:23,820
treat it skeptical okay moving on yeah
821
00:29:22,560 --> 00:29:26,040
any questions on that yeah this just
822
00:29:23,820 --> 00:29:29,639
happened like yesterday Cisco just
823
00:29:26,040 --> 00:29:31,110
announced another hard-coded password in
824
00:29:29,640 --> 00:29:33,540
their program that's like the sixth one
825
00:29:31,110 --> 00:29:36,629
this year I'd pretty sure which is just
826
00:29:33,540 --> 00:29:37,560
crazy okay Shodan I bring this up and
827
00:29:36,630 --> 00:29:39,330
I'm actually gonna tell the story
828
00:29:37,560 --> 00:29:41,520
through somebody else there's this guy
829
00:29:39,330 --> 00:29:43,320
his name is vist on Twitter he's great
830
00:29:41,520 --> 00:29:44,460
he does a lot of things in Shodan I've
831
00:29:43,320 --> 00:29:46,620
done a lot of things in Shodan but
832
00:29:44,460 --> 00:29:48,840
his stuff is like extra but this story
833
00:29:46,620 --> 00:29:51,540
tells it perfectly Newegg got breached
834
00:29:48,840 --> 00:29:55,290
this whole Magecart thing price of
835
00:29:51,540 --> 00:29:57,210
their own and he essentially was telling
836
00:29:55,290 --> 00:29:58,860
the story about how this is probably
837
00:29:57,210 --> 00:29:59,250
worse than you think right so he posts
838
00:29:58,860 --> 00:30:01,350
up there
839
00:29:59,250 --> 00:30:03,570
Oh Newegg got compromised let's have a
840
00:30:01,350 --> 00:30:03,899
look oh yeah $5 says it's worse than you
841
00:30:03,570 --> 00:30:05,490
think
842
00:30:03,900 --> 00:30:07,170
and the reason I share that is because
843
00:30:05,490 --> 00:30:08,520
the four screenshots he attaches is
844
00:30:07,170 --> 00:30:10,830
better than any way I could teach how to
845
00:30:08,520 --> 00:30:12,420
use Shodan essentially he posts the
846
00:30:10,830 --> 00:30:15,929
terminal output of Shodan that just
847
00:30:12,420 --> 00:30:19,290
says here's the ports that are open from
848
00:30:15,930 --> 00:30:20,670
Newegg right then in there there's a
849
00:30:19,290 --> 00:30:22,170
prettier graphic interface that says
850
00:30:20,670 --> 00:30:23,370
here's the ports that are open and
851
00:30:22,170 --> 00:30:27,180
here's the services that have been
852
00:30:23,370 --> 00:30:29,699
enumerated on said ports now he has not
853
00:30:27,180 --> 00:30:31,830
ran a vulnerability scan against them he
854
00:30:29,700 --> 00:30:34,680
has not even touched them he's literally
855
00:30:31,830 --> 00:30:36,710
just logging in to Shodan and Shodan
856
00:30:34,680 --> 00:30:38,910
if you don't know is essentially a
857
00:30:36,710 --> 00:30:40,950
search engine for all the vulnerable
858
00:30:38,910 --> 00:30:43,200
things on the Internet it's probably the
859
00:30:40,950 --> 00:30:44,670
best way to describe it but in there
860
00:30:43,200 --> 00:30:45,900
you're seeing some things and if more
861
00:30:44,670 --> 00:30:49,040
security people might start seeing red
862
00:30:45,900 --> 00:30:51,900
flags like RDP is open on their server
863
00:30:49,040 --> 00:30:53,550
weird right to the world this is to the
864
00:30:51,900 --> 00:30:55,560
world is not behind a VPN is to the
865
00:30:53,550 --> 00:30:57,240
world okay so we already have a terminal
866
00:30:55,560 --> 00:30:58,470
output of ports you already have a
867
00:30:57,240 --> 00:31:00,210
graphical interface reports some
868
00:30:58,470 --> 00:31:02,220
enumeration already so you know that
869
00:31:00,210 --> 00:31:03,060
that wikiHow a little right but you
870
00:31:02,220 --> 00:31:04,770
don't even you have to go through that
871
00:31:03,060 --> 00:31:07,389
effort anymore no I just go to Shodan
872
00:31:04,770 --> 00:31:10,210
I look at that looks wide open
873
00:31:07,390 --> 00:31:12,610
next it even will take screenshots of
874
00:31:10,210 --> 00:31:14,560
the things shown and will try to hit a
875
00:31:12,610 --> 00:31:16,540
service like RDP and take a screenshot
876
00:31:14,560 --> 00:31:18,520
of it and just leave it in their portal
877
00:31:16,540 --> 00:31:20,920
so you don't even have to hit their
878
00:31:18,520 --> 00:31:23,350
server to know hey look we got a banner
879
00:31:20,920 --> 00:31:24,910
here that says IT this is an IT
880
00:31:23,350 --> 00:31:27,100
department server oh cool
881
00:31:24,910 --> 00:31:28,780
that might be useful right invite you to
882
00:31:27,100 --> 00:31:31,929
tell you exactly what server Edition
883
00:31:28,780 --> 00:31:33,250
they're running and this is newer on
884
00:31:31,930 --> 00:31:35,740
Shodan which is pretty cool but it
885
00:31:33,250 --> 00:31:37,570
actually will dump you the CVE for the
886
00:31:35,740 --> 00:31:40,120
vulnerabilities that it was able to
887
00:31:37,570 --> 00:31:42,070
enumerate off that server so some of this
888
00:31:40,120 --> 00:31:44,290
is pretty interesting kind of scary you
889
00:31:42,070 --> 00:31:45,700
can check it yourself it's always good
890
00:31:44,290 --> 00:31:46,899
to check yourself for that but if you're
891
00:31:45,700 --> 00:31:48,610
getting hit just a client first thing
892
00:31:46,900 --> 00:31:50,350
you do is just hit that a client on
893
00:31:48,610 --> 00:31:51,639
boards wants to look at their security I
894
00:31:50,350 --> 00:31:52,600
go put them in Shodan well what
895
00:31:51,640 --> 00:31:55,600
does the rest of world already know
896
00:31:52,600 --> 00:31:59,409
about you it's this you got some work to
897
00:31:55,600 --> 00:32:01,389
do right alright let's briefly touch on
898
00:31:59,410 --> 00:32:03,520
ransomware I mean I spent a ton of time
899
00:32:01,390 --> 00:32:06,610
on it but yeah it's definitely been
900
00:32:03,520 --> 00:32:09,400
aided by crypto coin it's definitely
901
00:32:06,610 --> 00:32:11,979
made it a lot of it was these developers
902
00:32:09,400 --> 00:32:13,870
are creating malware and that malware
903
00:32:11,980 --> 00:32:16,180
would then have to get sold to somebody
904
00:32:13,870 --> 00:32:18,010
to go implement or sometimes they would
905
00:32:16,180 --> 00:32:19,240
do that piece direct and a lot of this
906
00:32:18,010 --> 00:32:21,550
was around credit cards credit card
907
00:32:19,240 --> 00:32:22,240
fraud was going nuts right you write the
908
00:32:21,550 --> 00:32:24,220
shady malware
909
00:32:22,240 --> 00:32:25,930
somebody would buy it or you would do it
910
00:32:24,220 --> 00:32:28,420
you would find a way of vulnerability
911
00:32:25,930 --> 00:32:30,010
put it on a system then you would
912
00:32:28,420 --> 00:32:32,110
collect all the cards you'd have to send
913
00:32:30,010 --> 00:32:33,670
it to carders carders would duplicate
914
00:32:32,110 --> 00:32:35,830
it then people out there would buy them
915
00:32:33,670 --> 00:32:37,900
and use them right it's this operation
916
00:32:35,830 --> 00:32:39,909
go through a lot of steps and when
917
00:32:37,900 --> 00:32:40,870
crypto coin came out the same
918
00:32:39,910 --> 00:32:42,550
vulnerabilities that they're putting
919
00:32:40,870 --> 00:32:44,139
malware on a machine they're just like
920
00:32:42,550 --> 00:32:46,300
spirit may not even care about your
921
00:32:44,140 --> 00:32:47,560
credit cards anymore I'm just gonna put
922
00:32:46,300 --> 00:32:49,870
ransomware on all your point-of-sale
923
00:32:47,560 --> 00:32:51,700
systems and you're gonna pay me to get
924
00:32:49,870 --> 00:32:53,139
it back and it cut out all the middlemen
925
00:32:51,700 --> 00:32:54,550
carders are out all the other people
926
00:32:53,140 --> 00:32:57,550
out developers getting paid direct it's
927
00:32:54,550 --> 00:32:59,740
a win-win right crypto coin directly to
928
00:32:57,550 --> 00:33:01,480
me hey everybody else is out and it's
929
00:32:59,740 --> 00:33:03,520
just amazing that things like this you
930
00:33:01,480 --> 00:33:05,410
know WannaCry are still wrecking
931
00:33:03,520 --> 00:33:08,080
companies like do is aren't like two
932
00:33:05,410 --> 00:33:10,210
days ago just took down somebody this is
933
00:33:08,080 --> 00:33:12,490
just a known patch that hasn't been
934
00:33:10,210 --> 00:33:14,200
patched and let alone like SMBv1 go
935
00:33:12,490 --> 00:33:16,540
turn that off that shouldn't be in your
936
00:33:14,200 --> 00:33:18,190
org no need for that pretty much ever
937
00:33:16,540 --> 00:33:20,190
and if there is you need mitigation
938
00:33:18,190 --> 00:33:22,560
control but
939
00:33:20,190 --> 00:33:24,180
it's just amazing like these things are
940
00:33:22,560 --> 00:33:25,409
just coming around wrecking orgs in some
941
00:33:24,180 --> 00:33:28,380
of these one of these companies some
942
00:33:25,410 --> 00:33:29,670
shipping carrier like estimated hundreds
943
00:33:28,380 --> 00:33:32,190
and hundreds of millions of dollars to
944
00:33:29,670 --> 00:33:34,680
recover from it that's wild that's wild
945
00:33:32,190 --> 00:33:38,250
for something not patched or some
946
00:33:34,680 --> 00:33:40,560
mitigation between it right and one you
947
00:33:38,250 --> 00:33:42,810
know who's paid ransomware who hasn't
948
00:33:40,560 --> 00:33:43,980
paid ransomware right Atlanta make some
949
00:33:42,810 --> 00:33:46,620
news ransomware
950
00:33:43,980 --> 00:33:48,290
Idaho makes news ransomware I think I
951
00:33:46,620 --> 00:33:52,110
don't actually pay it as what I read
952
00:33:48,290 --> 00:33:54,060
that was exciting and I'm not gonna sit
953
00:33:52,110 --> 00:33:57,120
here and tell you to you you to never
954
00:33:54,060 --> 00:33:59,730
pay ransomware because like if you
955
00:33:57,120 --> 00:34:01,050
got your grandma's pictures encrypted
956
00:33:59,730 --> 00:34:02,760
and you had nothing else and that was
957
00:34:01,050 --> 00:34:05,250
super important to you that might make
958
00:34:02,760 --> 00:34:06,570
sense I would just advocate to put
959
00:34:05,250 --> 00:34:09,330
something in place where you wouldn't
960
00:34:06,570 --> 00:34:11,340
have to make that choice and what they
961
00:34:09,330 --> 00:34:13,230
encrypt is everything we've had people
962
00:34:11,340 --> 00:34:14,820
with their Box accounts and Dropbox
963
00:34:13,230 --> 00:34:16,260
accounts and Google Drive accounts
964
00:34:14,820 --> 00:34:17,850
some of those have other mitigation
965
00:34:16,260 --> 00:34:20,280
controls reversion history roll backs
966
00:34:17,850 --> 00:34:22,918
more enterprise of things you pay the
967
00:34:20,280 --> 00:34:24,000
more options you have but they
968
00:34:22,918 --> 00:34:26,279
definitely will try to encrypt
969
00:34:24,000 --> 00:34:28,440
everything you can write to there's a
970
00:34:26,280 --> 00:34:29,550
reason you should reduce access to just
971
00:34:28,440 --> 00:34:32,130
their jobs not because you don't trust
972
00:34:29,550 --> 00:34:36,980
them it's because they can just encrypt
973
00:34:32,130 --> 00:34:36,980
everything right just check in time here
974
00:34:38,510 --> 00:34:44,070
cryptojacking yeah so this is
975
00:34:41,969 --> 00:34:47,159
interesting so they're the rise of
976
00:34:44,070 --> 00:34:48,810
crypto coin ballooning last year around
977
00:34:47,159 --> 00:34:50,250
December going nuts everybody made a lot of
978
00:34:48,810 --> 00:34:52,650
money right everybody cashed out and
979
00:34:50,250 --> 00:34:54,630
December hopefully most people didn't
980
00:34:52,650 --> 00:34:58,110
most people lost a lot of money right
981
00:34:54,630 --> 00:34:59,700
but since then this is just this year
982
00:34:58,110 --> 00:35:02,460
alone and what this graph shows you from
983
00:34:59,700 --> 00:35:07,950
the back is the top 10 cryptocurrency
984
00:35:02,460 --> 00:35:10,560
hacks of 2018 and of that 854 million
985
00:35:07,950 --> 00:35:11,850
dollars which is astounding we're gonna
986
00:35:10,560 --> 00:35:14,970
hit a billion dollars this year guys
987
00:35:11,850 --> 00:35:16,860
installing crypto coin and what this is
988
00:35:14,970 --> 00:35:18,419
to me I'm just gonna simplify it and
989
00:35:16,860 --> 00:35:19,800
there's probably some crypto crypto coin
990
00:35:18,420 --> 00:35:21,390
person who's just gonna go nuts on me
991
00:35:19,800 --> 00:35:22,860
normally everybody just calls it crypto
992
00:35:21,390 --> 00:35:26,910
but in the InfoSec world you gotta say
993
00:35:22,860 --> 00:35:29,520
crypto coins people get mad but what
994
00:35:26,910 --> 00:35:31,560
this says is this is another software
995
00:35:29,520 --> 00:35:32,820
application or applications that exist
996
00:35:31,560 --> 00:35:33,940
that keep getting forked of each other
997
00:35:32,820 --> 00:35:36,000
with libraries
998
00:35:33,940 --> 00:35:38,700
that are vulnerable to something and
999
00:35:36,000 --> 00:35:41,619
these companies are suddenly worth
1000
00:35:38,700 --> 00:35:45,609
billions of dollars right either
1001
00:35:41,619 --> 00:35:46,210
exchanges or directly themselves the
1002
00:35:45,609 --> 00:35:47,589
ICOs
1003
00:35:46,210 --> 00:35:49,150
they're suddenly worth billions of
1004
00:35:47,589 --> 00:35:50,470
dollars and they don't have security
1005
00:35:49,150 --> 00:35:53,109
people or people who are looking at this
1006
00:35:50,470 --> 00:35:55,419
stuff and so criminals hackers are just
1007
00:35:53,109 --> 00:35:57,970
like this is literally like compromising
1008
00:35:55,420 --> 00:35:59,680
all this ransomware but I can just go
1009
00:35:57,970 --> 00:36:01,868
steal crypto coin and they can't even
1010
00:35:59,680 --> 00:36:04,210
track it so crypto coin's going nuts
1011
00:36:01,869 --> 00:36:05,680
people exploiting people I suspect we
1012
00:36:04,210 --> 00:36:08,470
will continue to hear in the news of
1013
00:36:05,680 --> 00:36:10,839
more ICOs more wallets more blockchain
1014
00:36:08,470 --> 00:36:13,328
vulnerabilities that will come out why
1015
00:36:10,839 --> 00:36:15,099
because there's incentive to do so
1016
00:36:13,329 --> 00:36:17,530
it's not that they're any more vulnerable
1017
00:36:15,099 --> 00:36:20,230
a lot of them moved faster than they
1018
00:36:17,530 --> 00:36:21,760
could structure for that didn't help but
1019
00:36:20,230 --> 00:36:23,530
yeah we're almost hitting a billion
1020
00:36:21,760 --> 00:36:24,789
dollars already by the end of this year I
1021
00:36:23,530 --> 00:36:26,530
think we're hit a billion dollars we can
1022
00:36:24,789 --> 00:36:28,119
maybe have a cake party right billion
1023
00:36:26,530 --> 00:36:29,710
dollars because we're all hackers we
1024
00:36:28,119 --> 00:36:32,289
think with a hacker mindset a billion dollars
1025
00:36:29,710 --> 00:36:33,700
is a lot of money so if you ever touch
1026
00:36:32,289 --> 00:36:36,339
in the crypto world assume that stuff is
1027
00:36:33,700 --> 00:36:38,788
vulnerable to some extent such as every
1028
00:36:36,339 --> 00:36:42,009
other software application that exists
1029
00:36:38,789 --> 00:36:44,230
any questions off the cusp on any
1030
00:36:42,010 --> 00:36:45,970
cryptocurrency and that I wanted to
1031
00:36:44,230 --> 00:36:49,510
touch on that just cuz it is booming it
1032
00:36:45,970 --> 00:36:51,368
was like credit card wave ransomware for
1033
00:36:49,510 --> 00:36:53,440
a while and now we're in the crypto
1034
00:36:51,369 --> 00:36:55,119
currency just because it's easy it's
1035
00:36:53,440 --> 00:36:56,500
lower hanging fruit I don't think we
1036
00:36:55,119 --> 00:36:58,599
even go in and encrypt your system I can
1037
00:36:56,500 --> 00:37:00,400
just take your money just take your
1038
00:36:58,599 --> 00:37:02,920
money I don't have to do anything put in
1039
00:37:00,400 --> 00:37:05,079
Monero flip it to Apple gift cards go on
1040
00:37:02,920 --> 00:37:09,279
KSL sell a bunch of MacBook Pros for
1041
00:37:05,079 --> 00:37:11,529
three grand right I do if we have to I
1042
00:37:09,279 --> 00:37:14,380
think we got a little bit of time I I've
1043
00:37:11,529 --> 00:37:15,490
shared this before but I think to make
1044
00:37:14,380 --> 00:37:17,440
you think like a hacker and teach you
1045
00:37:15,490 --> 00:37:20,288
I'm gonna walk through an actual
1046
00:37:17,440 --> 00:37:21,940
engagement right and the goal here is
1047
00:37:20,289 --> 00:37:23,770
we've now phished this person and gotten
1048
00:37:21,940 --> 00:37:25,359
their creds we've got some access
1049
00:37:23,770 --> 00:37:27,190
of their box of whatever access they had
1050
00:37:25,359 --> 00:37:29,650
and that's relatively easier than it
1051
00:37:27,190 --> 00:37:31,750
sounds in a lot of scenarios and so you
1052
00:37:29,650 --> 00:37:33,819
have some goal set out you want to get
1053
00:37:31,750 --> 00:37:35,619
local admin on that machine and we'll
1054
00:37:33,819 --> 00:37:37,089
talk why in a second and then you want to
1055
00:37:35,619 --> 00:37:40,049
get system access on that machine and
1056
00:37:37,089 --> 00:37:42,038
some of these will vary depending on how
1057
00:37:40,049 --> 00:37:44,049
hardened or kind of posture they have
1058
00:37:42,039 --> 00:37:45,700
and obviously if it's a this is a
1059
00:37:44,049 --> 00:37:47,290
Windows environment but I'd say this is
1060
00:37:45,700 --> 00:37:50,839
a typical environment right
1061
00:37:47,290 --> 00:37:53,450
and a lot of cases the user that you get
1062
00:37:50,840 --> 00:37:55,880
access to is a local admin which is like
1063
00:37:53,450 --> 00:37:57,819
amazing for a criminal or somebody doing
1064
00:37:55,880 --> 00:38:00,050
something malicious on your machine so
1065
00:37:57,820 --> 00:38:01,670
with that local admin they can do
1066
00:38:00,050 --> 00:38:05,300
whatever they want in that box right and
1067
00:38:01,670 --> 00:38:07,970
local admin means if somebody sends like
1068
00:38:05,300 --> 00:38:09,260
hey go go download this file and you
1069
00:38:07,970 --> 00:38:11,689
download it and you can install that
1070
00:38:09,260 --> 00:38:13,640
file 99 percent of time your local admin
1071
00:38:11,690 --> 00:38:15,890
Google Chrome has some weird tricks it
1072
00:38:13,640 --> 00:38:19,220
doesn't temporary profile but for the
1073
00:38:15,890 --> 00:38:21,049
most part local admin is that you can
1074
00:38:19,220 --> 00:38:22,970
install something and you can defeat and
1075
00:38:21,050 --> 00:38:25,040
turn off pretty much every other control
1076
00:38:22,970 --> 00:38:28,669
that is put into place
1077
00:38:25,040 --> 00:38:29,840
by anybody else but with local admin you
1078
00:38:28,670 --> 00:38:31,790
want system and the reason you want
1079
00:38:29,840 --> 00:38:35,540
system is because with system you can
1080
00:38:31,790 --> 00:38:37,040
read in memory so in a typical place a
1081
00:38:35,540 --> 00:38:39,200
typical environment if you have local
1082
00:38:37,040 --> 00:38:41,120
admin on machine how hard is it to go
1083
00:38:39,200 --> 00:38:45,950
from local admin to the system access
1084
00:38:41,120 --> 00:38:48,410
any thoughts very easy very hard
1085
00:38:45,950 --> 00:38:50,000
complicated it depends we've had things
1086
00:38:48,410 --> 00:38:51,799
that have blocked this but it is if you
1087
00:38:50,000 --> 00:38:53,750
run this wonderful tool you know if
1088
00:38:51,800 --> 00:38:55,820
anybody's ever used Metasploit in here
1089
00:38:53,750 --> 00:38:58,640
it's worth downloading and playing with
1090
00:38:55,820 --> 00:39:02,960
probably get a VM of that getting Kali
1091
00:38:58,640 --> 00:39:05,299
but it is type getsystem type get
1092
00:39:02,960 --> 00:39:09,650
system hit enter escalate to system and
1093
00:39:05,300 --> 00:39:11,390
with system you can type things like and
1094
00:39:09,650 --> 00:39:14,060
it will show your password in like clear
1095
00:39:11,390 --> 00:39:15,770
text here you go there's your clear text
1096
00:39:14,060 --> 00:39:17,450
you can read memory with memory your
1097
00:39:15,770 --> 00:39:19,910
password is sitting there and clear text
1098
00:39:17,450 --> 00:39:22,129
so with that you have one machine and
1099
00:39:19,910 --> 00:39:23,480
you want to take down more of that org
1100
00:39:22,130 --> 00:39:25,880
machine one access and if that was your
1101
00:39:23,480 --> 00:39:27,470
target goal you're done but a lot of
1102
00:39:25,880 --> 00:39:29,720
cases you want to go further you want to
1103
00:39:27,470 --> 00:39:32,569
get domain access you want the IT staff
1104
00:39:29,720 --> 00:39:34,580
you want to escalate that to people who
1105
00:39:32,570 --> 00:39:36,830
have more privilege than a reception
1106
00:39:34,580 --> 00:39:38,990
desk or a kiosk or something that's
1107
00:39:36,830 --> 00:39:40,730
sitting there right and so you just
1108
00:39:38,990 --> 00:39:42,680
started enumerating that domain I've been
1109
00:39:40,730 --> 00:39:43,760
playing a lot with BloodHound if anyone else is
1110
00:39:42,680 --> 00:39:45,620
playing with it they just keep adding
1111
00:39:43,760 --> 00:39:50,480
more and more tools BloodHound is just
1112
00:39:45,620 --> 00:39:53,150
an enumeration tool you whatever box you
1113
00:39:50,480 --> 00:39:54,380
have access to you give it those access
1114
00:39:53,150 --> 00:39:56,540
and it just goes through and crawls
1115
00:39:54,380 --> 00:39:58,220
through the org and essentially will say
1116
00:39:56,540 --> 00:39:59,250
like hey you're one hop away from a
1117
00:39:58,220 --> 00:40:01,529
computer that
1118
00:39:59,250 --> 00:40:02,760
highly privileged users log into so
1119
00:40:01,530 --> 00:40:04,170
instead of trying to attack everything
1120
00:40:02,760 --> 00:40:07,230
in the organization you can go after a
1121
00:40:04,170 --> 00:40:08,610
very specific machine to know well if
1122
00:40:07,230 --> 00:40:11,400
the privileged persons on that machine
1123
00:40:08,610 --> 00:40:14,250
that means their creds are sitting in
1124
00:40:11,400 --> 00:40:18,330
memory on that machine right as we just
1125
00:40:14,250 --> 00:40:22,890
went through so you know a host you know
1126
00:40:18,330 --> 00:40:24,779
to get them in this scenario what we did
1127
00:40:22,890 --> 00:40:27,000
is we just took the credentials
1128
00:40:24,780 --> 00:40:28,470
this was like a PS attack tool you
1129
00:40:27,000 --> 00:40:30,690
essentially said with the credentials I
1130
00:40:28,470 --> 00:40:32,669
already have so I already have access to
1131
00:40:30,690 --> 00:40:35,220
one machine right with those credentials
1132
00:40:32,670 --> 00:40:37,890
what other machines in the org can I log
1133
00:40:35,220 --> 00:40:40,259
into already doing nothing else but just
1134
00:40:37,890 --> 00:40:41,910
my credentials they have and this is
1135
00:40:40,260 --> 00:40:44,970
again from a legitimate engagement but
1136
00:40:41,910 --> 00:40:48,960
it is sometimes surprisingly a lot that
1137
00:40:44,970 --> 00:40:51,240
same person who or kiosk or service out
1138
00:40:48,960 --> 00:40:53,760
there for some device that was installed
1139
00:40:51,240 --> 00:40:55,620
a lot of times can login to almost every
1140
00:40:53,760 --> 00:40:56,790
other machine in the organization well
1141
00:40:55,620 --> 00:41:00,470
if that's the case and it's really easy
1142
00:40:56,790 --> 00:41:02,550
right you just go get that computer that
1143
00:41:00,470 --> 00:41:06,600
BloodHound shows you that the privileged
1144
00:41:02,550 --> 00:41:10,260
person is on login to it with the creds
1145
00:41:06,600 --> 00:41:11,850
you already have dump the hash see their
1146
00:41:10,260 --> 00:41:16,740
passwords you have full domain access on
1147
00:41:11,850 --> 00:41:18,569
that system so in some scenarios oh yeah
1148
00:41:16,740 --> 00:41:19,919
yeah so once you grab that I do want to
1149
00:41:18,570 --> 00:41:22,200
show that one but yeah this is a clear
1150
00:41:19,920 --> 00:41:25,830
text password of once you run that this
1151
00:41:22,200 --> 00:41:27,240
is Mimikatz another hacking tool but
1152
00:41:25,830 --> 00:41:29,279
it will actually just dump your password
1153
00:41:27,240 --> 00:41:31,319
straight out password 99 exclamation
1154
00:41:29,280 --> 00:41:33,540
point three times per this one that I
1155
00:41:31,320 --> 00:41:36,270
was doing to show you that it can be
1156
00:41:33,540 --> 00:41:38,910
done and this is not to say it's always
1157
00:41:36,270 --> 00:41:40,560
that easy cuz sometimes it's definitely
1158
00:41:38,910 --> 00:41:42,690
not sometimes it's a pain and really
1159
00:41:40,560 --> 00:41:43,950
hard and takes a lot of effort but
1160
00:41:42,690 --> 00:41:46,170
sometimes it's actually even easier
1161
00:41:43,950 --> 00:41:47,520
there's some really oh this is a picture
1162
00:41:46,170 --> 00:41:50,310
of like a firewall I actually like
1163
00:41:47,520 --> 00:41:53,759
compromised right like I penetrated that
1164
00:41:50,310 --> 00:41:56,700
firewall that happened but sometimes it
1165
00:41:53,760 --> 00:41:57,990
is it is easy but sometimes sometimes
1166
00:41:56,700 --> 00:41:59,819
it's hard but sometimes it's even easier
1167
00:41:57,990 --> 00:42:01,770
there's a couple cool tools that are
1168
00:41:59,820 --> 00:42:02,820
just coming out or getting better I
1169
00:42:01,770 --> 00:42:04,170
guess I've been out for a little bit
1170
00:42:02,820 --> 00:42:07,530
they're getting better to the place
1171
00:42:04,170 --> 00:42:09,570
where they're pretty much automating
1172
00:42:07,530 --> 00:42:10,770
what I just walked you through and the
1173
00:42:09,570 --> 00:42:12,470
tool I know about I playing with they're
1174
00:42:10,770 --> 00:42:14,540
kind of cool ANGRYPUPPY and DeathStar
1175
00:42:12,470 --> 00:42:16,040
and of course they have cool names right
1176
00:42:14,540 --> 00:42:17,450
that's ironing your puppy but
1177
00:42:16,040 --> 00:42:19,400
essentially you put in what you have and
1178
00:42:17,450 --> 00:42:21,319
they will go and automate enumerate jump
1179
00:42:19,400 --> 00:42:23,180
box-to-box get you the creds bring them
1180
00:42:21,320 --> 00:42:25,099
back here you go you've compromised this
1181
00:42:23,180 --> 00:42:26,779
whole domain right and sometimes it's
1182
00:42:25,099 --> 00:42:28,880
even easier right depending what
1183
00:42:26,780 --> 00:42:35,480
mitigation or lack of mitigations are in
1184
00:42:28,880 --> 00:42:38,270
place sometimes it's even worse security
1185
00:42:35,480 --> 00:42:41,510
is no longer about just protecting your
1186
00:42:38,270 --> 00:42:43,970
perimeter it is about defending it in
1187
00:42:41,510 --> 00:42:44,630
layers right it used to be we just put
1188
00:42:43,970 --> 00:42:47,899
up a perimeter
1189
00:42:44,630 --> 00:42:50,000
we don't care is on the inside we just
1190
00:42:47,900 --> 00:42:52,099
cares on the outside and that can work
1191
00:42:50,000 --> 00:42:53,780
but pretty much won't for most
1192
00:42:52,099 --> 00:42:56,330
businesses because we like things like
1193
00:42:53,780 --> 00:42:58,130
email and web browsing and we
1194
00:42:56,330 --> 00:43:01,369
intentionally want those to circumvent
1195
00:42:58,130 --> 00:43:03,650
our perimeter right if it wasn't for
1196
00:43:01,369 --> 00:43:04,550
those you could run a pretty secure
1197
00:43:03,650 --> 00:43:05,810
network for the most part you have
1198
00:43:04,550 --> 00:43:07,220
insider threat you some other things to
1199
00:43:05,810 --> 00:43:08,779
worry about but for the most part that
1200
00:43:07,220 --> 00:43:10,459
would be a pretty good network just a
1201
00:43:08,780 --> 00:43:12,260
good firewall firewalls are pretty legit
1202
00:43:10,460 --> 00:43:14,300
just put up a pfSense box put up
1203
00:43:12,260 --> 00:43:16,250
anything but if that Cisco box maybe not
1204
00:43:14,300 --> 00:43:17,990
that one but one like it put those up
1205
00:43:16,250 --> 00:43:19,910
and your perimeters good you have a good
1206
00:43:17,990 --> 00:43:21,439
perimeter but suddenly you let people
1207
00:43:19,910 --> 00:43:23,629
through you let users through we want
1208
00:43:21,440 --> 00:43:26,359
that through and security can no longer
1209
00:43:23,630 --> 00:43:28,310
just be perimeter it has to be layers
1210
00:43:26,359 --> 00:43:31,400
there has to be some group policies it
1211
00:43:28,310 --> 00:43:33,619
has to be mitigation some will touch on
1212
00:43:31,400 --> 00:43:36,320
that I got more it has to be these kind
1213
00:43:33,619 --> 00:43:37,670
of things right is getting rid of local
1214
00:43:36,320 --> 00:43:39,680
admin on users is not hard
1215
00:43:37,670 --> 00:43:42,500
I am I personally my laptop's I never
1216
00:43:39,680 --> 00:43:44,330
run as local admin on them why cuz
1217
00:43:42,500 --> 00:43:45,770
that's scary that is like root access in
1218
00:43:44,330 --> 00:43:47,359
that box I will create a separate
1219
00:43:45,770 --> 00:43:49,730
account run it as a limited user and
1220
00:43:47,359 --> 00:43:52,369
that's what I use I know the password I
1221
00:43:49,730 --> 00:43:53,810
will use it when I need it but if I go
1222
00:43:52,369 --> 00:43:54,950
to a page and it pops up and like hey
1223
00:43:53,810 --> 00:43:57,320
put in your administrator password
1224
00:43:54,950 --> 00:43:59,540
that's a big problem but if you're
1225
00:43:57,320 --> 00:44:02,690
already an admin sometimes those just
1226
00:43:59,540 --> 00:44:04,250
run right so getting rid of local admin
1227
00:44:02,690 --> 00:44:05,660
is a big deal it's kind of hard to do in
1228
00:44:04,250 --> 00:44:06,890
some orgs it is achievable I've
1229
00:44:05,660 --> 00:44:09,259
absolutely been through orgs that have
1230
00:44:06,890 --> 00:44:11,000
achieved it it can work and it can work
1231
00:44:09,260 --> 00:44:12,140
really well but there is some pain there
1232
00:44:11,000 --> 00:44:14,510
to go through if you haven't done it yet
1233
00:44:12,140 --> 00:44:18,560
so get rid of local admin reduce the
1234
00:44:14,510 --> 00:44:20,599
access right ransomware if Carl from
1235
00:44:18,560 --> 00:44:23,359
accounting only has access to what Carl
1236
00:44:20,599 --> 00:44:25,099
from accounting needs to do his job well
1237
00:44:23,359 --> 00:44:26,270
suddenly accounting doesn't take down
1238
00:44:25,099 --> 00:44:28,910
marketing doesn't take down
1239
00:44:26,270 --> 00:44:30,320
operations right Carl should only take
1240
00:44:28,910 --> 00:44:31,580
down what he can take down those files
1241
00:44:30,320 --> 00:44:34,250
that get ransomware it shouldn't be like
1242
00:44:31,580 --> 00:44:36,259
we had to pay out the ransomware
1243
00:44:34,250 --> 00:44:37,970
for the entire organization a hundreds
1244
00:44:36,260 --> 00:44:40,340
of millions of dollars it should be like
1245
00:44:37,970 --> 00:44:42,080
well Carl's counts are gone do we pay to
1246
00:44:40,340 --> 00:44:44,690
get Carl's counts back or can we restore
1247
00:44:42,080 --> 00:44:46,160
that somehow right reducing access is
1248
00:44:44,690 --> 00:44:47,630
important a lot of people are always
1249
00:44:46,160 --> 00:44:50,480
like they get offended when you take
1250
00:44:47,630 --> 00:44:52,370
away stuff oh I've been here for 20
1251
00:44:50,480 --> 00:44:54,170
years you can't take this away and it's
1252
00:44:52,370 --> 00:44:55,790
not that you're worried about them you
1253
00:44:54,170 --> 00:44:59,030
obviously trust them you hire them you
1254
00:44:55,790 --> 00:45:00,950
keep them there it's that what can their
1255
00:44:59,030 --> 00:45:02,090
computer do there on their behalf what's
1256
00:45:00,950 --> 00:45:06,109
happening on that computer when they're
1257
00:45:02,090 --> 00:45:08,360
not there right backups are very
1258
00:45:06,110 --> 00:45:09,710
important it's not a sexy topic but you
1259
00:45:08,360 --> 00:45:12,200
know do backups on-site off-site
1260
00:45:09,710 --> 00:45:13,460
revision control is your friend things
1261
00:45:12,200 --> 00:45:15,140
you can encrypt and shove up in the
1262
00:45:13,460 --> 00:45:16,730
cloud yourself also your friend to keep
1263
00:45:15,140 --> 00:45:19,609
other people from getting access to
1264
00:45:16,730 --> 00:45:21,520
those you can come to tinfoil hat talks
1265
00:45:19,610 --> 00:45:24,500
talk about that a different time
1266
00:45:21,520 --> 00:45:26,270
patching also not really a sexy topic
1267
00:45:24,500 --> 00:45:27,740
but absolutely orgs get completely
1268
00:45:26,270 --> 00:45:29,420
wrecked by patching we just went through
1269
00:45:27,740 --> 00:45:30,740
walkthrough on Newegg I don't know if
1270
00:45:29,420 --> 00:45:32,390
that's been remediated or not it's out
1271
00:45:30,740 --> 00:45:33,709
there on the internet though Shodan go
1272
00:45:32,390 --> 00:45:36,710
look at it go see what the world already
1273
00:45:33,710 --> 00:45:38,750
knows about your IP addresses sometimes
1274
00:45:36,710 --> 00:45:40,670
it's scary but patching fix a lot of
1275
00:45:38,750 --> 00:45:43,610
that stuff patching if you have a good
1276
00:45:40,670 --> 00:45:44,330
patch box even in a dirty Network you're
1277
00:45:43,610 --> 00:45:46,700
pretty good
1278
00:45:44,330 --> 00:45:48,740
that means they gotta like burn a 0-day
1279
00:45:46,700 --> 00:45:50,080
on you I'm not saying there's nobody in
1280
00:45:48,740 --> 00:45:52,490
this room that they would do that for
1281
00:45:50,080 --> 00:45:55,430
but most of people in this room nobody
1282
00:45:52,490 --> 00:45:56,959
would do that for right nobody's using a
1283
00:45:55,430 --> 00:45:59,450
vulnerability that nobody knows about
1284
00:45:56,960 --> 00:46:02,690
generally on you right patch your
1285
00:45:59,450 --> 00:46:03,620
systems mitigating controls there's a
1286
00:46:02,690 --> 00:46:06,230
bunch of other stuff in your anti-
1287
00:46:03,620 --> 00:46:08,029
exploit kits things that are actually
1288
00:46:06,230 --> 00:46:09,380
kind of cool you know it's just simple
1289
00:46:08,030 --> 00:46:11,570
stuff right you hit an org and it's like
1290
00:46:09,380 --> 00:46:13,700
they have no SPF record installed on
1291
00:46:11,570 --> 00:46:16,280
their domain which means that you
1292
00:46:13,700 --> 00:46:18,410
can phish from their domain as them and
1293
00:46:16,280 --> 00:46:20,270
they're none the wiser that's a simple
1294
00:46:18,410 --> 00:46:22,399
thing legitimately takes five minutes to
1295
00:46:20,270 --> 00:46:23,930
implement depending some orgs you get
1296
00:46:22,400 --> 00:46:26,150
really long like their ticketing comes
1297
00:46:23,930 --> 00:46:27,770
from this and this comes from this but
1298
00:46:26,150 --> 00:46:29,900
you can figure that out and implement
1299
00:46:27,770 --> 00:46:32,000
some like DKIM signing there's some easy
1300
00:46:29,900 --> 00:46:34,610
stuff to do go get
1301
00:46:32,000 --> 00:46:37,610
rid of crappy apps Flash Java do you
1302
00:46:34,610 --> 00:46:38,240
need them maybe you do if you do keep
1303
00:46:37,610 --> 00:46:39,890
them patched
1304
00:46:38,240 --> 00:46:40,160
if you don't well they're free they're
1305
00:46:39,890 --> 00:46:42,348
easy
1306
00:46:40,160 --> 00:46:44,779
just delete it see if you actually do
1307
00:46:42,349 --> 00:46:46,609
need it that is actually a method I've
1308
00:46:44,780 --> 00:46:48,799
done going into an org just remove all the
1309
00:46:46,609 --> 00:46:50,420
Java off of all the systems you start
1310
00:46:48,799 --> 00:46:51,380
getting the calls hey can't log into the
1311
00:46:50,420 --> 00:46:52,940
HVAC system
1312
00:46:51,380 --> 00:46:54,470
hey I can't hit this okay I know that
1313
00:46:52,940 --> 00:46:56,630
computer needs it for this purpose
1314
00:46:54,470 --> 00:46:58,279
documented make sure that keeps patched
1315
00:46:56,630 --> 00:47:00,650
that one needs it for this document and
1316
00:46:58,280 --> 00:47:02,450
make sure it's patched right but we took
1317
00:47:00,650 --> 00:47:05,299
it off 900 machines and three needed it
1318
00:47:02,450 --> 00:47:07,009
I'd say that's worth it things like that
1319
00:47:05,299 --> 00:47:08,839
depending on your risk tolerance of boss
1320
00:47:07,010 --> 00:47:11,990
is yelling yet yet maybe implement that
1321
00:47:08,839 --> 00:47:13,609
slow or aggressive up to you but
1322
00:47:11,990 --> 00:47:15,589
there's some simple ones a user training
1323
00:47:13,609 --> 00:47:18,529
is key I do think if you have controlled
1324
00:47:15,589 --> 00:47:20,569
user interfaces some of those talks
1325
00:47:18,530 --> 00:47:22,369
said this morning is important to like
1326
00:47:20,569 --> 00:47:23,720
give them alerts at the right times I
1327
00:47:22,369 --> 00:47:25,099
think during shutdown patching is a
1328
00:47:23,720 --> 00:47:26,930
great idea I love that idea
1329
00:47:25,099 --> 00:47:29,059
why don't more things do that you and
1330
00:47:26,930 --> 00:47:31,460
I'm gonna close Excel it should patch me
1331
00:47:29,059 --> 00:47:33,109
then right not to start that makes a lot
1332
00:47:31,460 --> 00:47:34,970
of sense but most of us don't have
1333
00:47:33,109 --> 00:47:37,160
control for those things right we don't
1334
00:47:34,970 --> 00:47:38,959
we generally off control for that but we
1335
00:47:37,160 --> 00:47:40,819
do have control of some of our users and
1336
00:47:38,960 --> 00:47:43,180
I can absolutely tell you when you have
1337
00:47:40,819 --> 00:47:46,700
an engaging security awareness training
1338
00:47:43,180 --> 00:47:48,020
more people adhere to it more and more
1339
00:47:46,700 --> 00:47:49,848
people will come to you and be like hey
1340
00:47:48,020 --> 00:47:50,690
I saw that URL and I didn't like it
1341
00:47:49,849 --> 00:47:52,940
something something didn't feel right
1342
00:47:50,690 --> 00:47:54,380
because it was a resume but I'm not
1343
00:47:52,940 --> 00:47:56,329
hiring you're like yeah now you're
1344
00:47:54,380 --> 00:47:57,980
thinking right now you're thinking why
1345
00:47:56,329 --> 00:48:00,770
would somebody send me a resume I'm not
1346
00:47:57,980 --> 00:48:02,150
hiring right attachments backups and to
1347
00:48:00,770 --> 00:48:03,500
exploit when I first started doing
1348
00:48:02,150 --> 00:48:04,549
security awareness training I use this
1349
00:48:03,500 --> 00:48:05,630
one in every single one so if you ever
1350
00:48:04,549 --> 00:48:07,220
sat through my stuff you'll see this
1351
00:48:05,630 --> 00:48:08,660
again but I started doing this thing
1352
00:48:07,220 --> 00:48:10,220
called Breach Plaza so this will tell
1353
00:48:08,660 --> 00:48:12,589
you kind of the time period when this
1354
00:48:10,220 --> 00:48:14,480
was happening and I did update it for
1355
00:48:12,589 --> 00:48:15,890
Home Depot I wasn't in the first one or
1356
00:48:14,480 --> 00:48:17,480
a target I had to go add those because
1357
00:48:15,890 --> 00:48:19,038
they were just big enough but it was
1358
00:48:17,480 --> 00:48:20,329
Breach Plaza and I kept saying like hey
1359
00:48:19,039 --> 00:48:21,890
just keep your organization out of
1360
00:48:20,329 --> 00:48:24,710
Breach Plaza like what can you do and
1361
00:48:21,890 --> 00:48:26,089
granted you will never be unhackable
1362
00:48:24,710 --> 00:48:28,069
you'll never be compromised but it
1363
00:48:26,089 --> 00:48:29,270
should be like a user email account got
1364
00:48:28,069 --> 00:48:31,250
compromised it shouldn't be your whole
1365
00:48:29,270 --> 00:48:32,720
domain is down and you got to pay
1366
00:48:31,250 --> 00:48:34,130
somebody money to get it back it
1367
00:48:32,720 --> 00:48:36,140
shouldn't be that kind of scenario some
1368
00:48:34,130 --> 00:48:37,940
mitigation in place the unfortunate
1369
00:48:36,140 --> 00:48:39,529
thing Breach Plaza filled up really fast
1370
00:48:37,940 --> 00:48:40,760
like really fast when I first started it
1371
00:48:39,529 --> 00:48:41,900
was like I need another one I need
1372
00:48:40,760 --> 00:48:43,789
another one and then it was like gone
1373
00:48:41,900 --> 00:48:45,140
right and then I started feeling about
1374
00:48:43,789 --> 00:48:47,450
Breach Mall then Breach Mall was like gone
1375
00:48:45,140 --> 00:48:49,700
like it's just too much I can't maintain
1376
00:48:47,450 --> 00:48:53,000
this but that said Breach Mall is ever
1377
00:48:49,700 --> 00:48:53,930
expanding we really just want to keep
1378
00:48:53,000 --> 00:48:56,300
your org's breach
1379
00:48:53,930 --> 00:48:59,149
small right to a large extent you can
1380
00:48:56,300 --> 00:49:01,130
have a compromise of some some scenario
1381
00:48:59,150 --> 00:49:02,300
but it should be contained right you're
1382
00:49:01,130 --> 00:49:06,260
never gonna be perfect
1383
00:49:02,300 --> 00:49:10,250
sad but true as a hacker maybe that's to
1384
00:49:06,260 --> 00:49:12,170
your advantage right things like this
1385
00:49:10,250 --> 00:49:13,940
should be red flags as hackers right or
1386
00:49:12,170 --> 00:49:15,410
is walking in these are these is like
1387
00:49:13,940 --> 00:49:17,869
old-school wiretap that I found in a
1388
00:49:15,410 --> 00:49:20,420
building is just like straight up they
1389
00:49:17,869 --> 00:49:23,750
stripped the wires and legitimately
1390
00:49:20,420 --> 00:49:24,859
tapped into it right you would think the
1391
00:49:23,750 --> 00:49:28,099
world is on fire
1392
00:49:24,859 --> 00:49:29,869
great the more you sorry this thing
1393
00:49:28,099 --> 00:49:30,829
keeps slipping down the world would seem
1394
00:49:29,869 --> 00:49:32,059
like it's on fire
1395
00:49:30,829 --> 00:49:33,559
there seems like there's so much
1396
00:49:32,059 --> 00:49:36,589
negative so much bad out there and what
1397
00:49:33,559 --> 00:49:38,630
I would tell you is relax breathe air
1398
00:49:36,589 --> 00:49:40,520
ISM there is some sting there you will
1399
00:49:38,630 --> 00:49:41,690
feel some sting there is pain out there
1400
00:49:40,520 --> 00:49:43,369
in the world there are malicious people
1401
00:49:41,690 --> 00:49:45,800
who want to do you and your organization
1402
00:49:43,369 --> 00:49:47,809
harm that's truth it will be there
1403
00:49:45,800 --> 00:49:50,420
somebody will try to compromise you but
1404
00:49:47,809 --> 00:49:52,309
relax try to take some basic steps if
1405
00:49:50,420 --> 00:49:54,500
you walk out of here and your password
1406
00:49:52,309 --> 00:49:56,270
is password and you just want to update
1407
00:49:54,500 --> 00:49:58,700
that that's a win that's a win for
1408
00:49:56,270 --> 00:50:00,559
everybody right take a logical step you
1409
00:49:58,700 --> 00:50:02,750
might not suddenly be to a one password
1410
00:50:00,559 --> 00:50:05,210
card using a ball on your machine with
1411
00:50:02,750 --> 00:50:06,079
this proprietary rsync pushing it up to
1412
00:50:05,210 --> 00:50:07,579
some cloud service that you're
1413
00:50:06,079 --> 00:50:09,079
encrypting you might not get there
1414
00:50:07,579 --> 00:50:10,910
really fast maybe you'll never get there
1415
00:50:09,079 --> 00:50:12,920
but what you should do is take a logical
1416
00:50:10,910 --> 00:50:15,170
step to improve your posture maybe it's
1417
00:50:12,920 --> 00:50:17,660
just at the end of the day you shut down
1418
00:50:15,170 --> 00:50:20,119
all your emails and you patch your
1419
00:50:17,660 --> 00:50:22,308
machine that might be a win right maybe
1420
00:50:20,119 --> 00:50:24,049
it is you do take the time to reduce
1421
00:50:22,309 --> 00:50:25,430
your account to not be local admin I
1422
00:50:24,049 --> 00:50:28,819
think that'd be a big win
1423
00:50:25,430 --> 00:50:30,950
take a logical step I do want to share
1424
00:50:28,819 --> 00:50:33,230
this with you here's a legitimate 70
1425
00:50:30,950 --> 00:50:34,970
sites that you can go to and hack
1426
00:50:33,230 --> 00:50:36,799
against them validate that the list is
1427
00:50:34,970 --> 00:50:38,750
still current but it is but you want to
1428
00:50:36,799 --> 00:50:40,280
get your hacking skills as a hacker of
1429
00:50:38,750 --> 00:50:41,599
all the things you just learned go run
1430
00:50:40,280 --> 00:50:43,940
some Angry Puppy and DeathStar in their
1431
00:50:41,599 --> 00:50:46,059
organization those are a little you want
1432
00:50:43,940 --> 00:50:49,160
to do it in a Windows box somewhere but
1433
00:50:46,059 --> 00:50:51,890
this is legit as a backroom sec and you
1434
00:50:49,160 --> 00:50:53,480
can go and hit against this there's a
1435
00:50:51,890 --> 00:50:55,460
lot of really cool CTFs here at SAINTCON
1436
00:50:53,480 --> 00:50:57,109
as well and you can do some of those
1437
00:50:55,460 --> 00:50:58,549
well there's some computers downstairs
1438
00:50:57,109 --> 00:51:01,098
in the village I have some hacking
1439
00:50:58,549 --> 00:51:04,369
competitions that are pretty entry level
1440
00:51:01,099 --> 00:51:05,569
go work on those and I'd say even if
1441
00:51:04,369 --> 00:51:06,890
you're just like I don't want to be
1442
00:51:05,569 --> 00:51:07,579
hacker I don't want to do any of those
1443
00:51:06,890 --> 00:51:09,379
things
1444
00:51:07,579 --> 00:51:11,059
it's still advantageous for you to do
1445
00:51:09,380 --> 00:51:13,160
that how do they do this why do they do
1446
00:51:11,059 --> 00:51:15,319
this what is the mindset behind it what
1447
00:51:13,160 --> 00:51:17,569
is this you know you get an executive to
1448
00:51:15,319 --> 00:51:19,130
go in like pop a Windows box and
1449
00:51:17,569 --> 00:51:20,749
suddenly they're coming back and like we
1450
00:51:19,130 --> 00:51:23,029
gotta patch things and you're like yeah
1451
00:51:20,749 --> 00:51:25,038
you gotta patch things so there is some
1452
00:51:23,029 --> 00:51:26,420
advantage of sending people to do these
1453
00:51:25,039 --> 00:51:29,989
things to just understand that like
1454
00:51:26,420 --> 00:51:32,299
these things are possible right and but
1455
00:51:29,989 --> 00:51:34,130
be careful when you do hacking stuff you
1456
00:51:32,299 --> 00:51:37,130
get things like this like dry you know
1457
00:51:34,130 --> 00:51:38,839
DigitalOcean sends you emails like you
1458
00:51:37,130 --> 00:51:40,940
know you go you go login and it's like
1459
00:51:38,839 --> 00:51:42,288
uh we don't really like you we're gonna
1460
00:51:40,940 --> 00:51:42,890
send you an email to tell you if we like
1461
00:51:42,289 --> 00:51:45,950
you right
1462
00:51:42,890 --> 00:51:49,430
and sometimes that email's like yeah
1463
00:51:45,950 --> 00:51:51,140
we're done taking your money right so
1464
00:51:49,430 --> 00:51:53,749
just be careful when you do some of your
1465
00:51:51,140 --> 00:51:55,549
hacking stuff that you know do it on
1466
00:51:53,749 --> 00:51:58,009
things you own do things that are legal
1467
00:51:55,549 --> 00:52:00,819
and you still might piss off your VPS
1468
00:51:58,009 --> 00:52:00,819
thank you
1469
00:52:01,960 --> 00:52:11,140
[Applause]