Anatomy of a Data Theft Attack For Sacramento ISACA January 2016 - - PowerPoint PPT Presentation

SLIDE 1

Anatomy of a Data Theft Attack For Sacramento ISACA January 2016

Mike Landeck Cyber Security Consultant

SLIDE 2

Agenda

  1. USB Attacks
  2. QR Code Attacks
  3. Advanced Phishing Attacks
  4. Malvertising
  5. Watering Hole Attacks
  6. How Simple Browser Modifications Would Have Stopped These
  7. Name Your Own Adventure (Time Permitting)
SLIDE 3

DISCLAIMER

  • I do not speak on behalf of my employer. The information and perspectives I present are personal and do not represent those of my employer.
  • When I say "We have seen" I'm typically referring to the industry in general and not necessarily my current employer or any previous clients.
  • While it may look like we're hacking on the Internet, everything we're attacking today exists solely on my laptop. No laws are being broken.

SLIDE 4

Rubber Ducky Downloads

  • OSX Internet Protocol Slurp
  • OSX User Backdoor
  • Android 5.x Lockscreen
  • Basic Terminal Commands Ubuntu
  • batch wiper drive eraser
  • Chrome Password Stealer
  • copy file to desktop
  • create wireless network association
  • grab passwords and email
  • ducky phisher
  • EICAR AV test
  • fork bomb
  • ftp download upload
  • generic batch
  • hide cmd window
  • Information Gathering Ubuntu
  • local dns poisoning
  • netcat FTP download and reverse shell
  • non malicious auto defacer
  • OS X Wget and Execute
  • OSX Ascii Prank
  • OSX Grab Minecraft Account Password and upload to FTP
  • OSX iMessage Capture
  • OSX Local DNS Poisoning
  • OSX Passwordless SSH access (ssh keys)
  • wifi backdoor
  • WiFi password grabber
  • deny net access
  • disable avg 2012
  • OSX Root Backdoor
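Every payload in that list works the same way: the Rubber Ducky enumerates as an ordinary USB keyboard and types the payload faster than any person can. One practical host-side control is to watch keystroke timing. The following is an added example, not the speaker's code or a Hak5 tool; the event log is constructed, and the thresholds (20 keys, 20 ms gap) are assumptions to tune for your environment.

```python
"""Keystroke-timing heuristic for HID keystroke injection, the mechanism behind
the Rubber Ducky payloads listed above: the device is a USB keyboard that types
at machine speed. Added example, not the speaker's code; the event log is
constructed, and the thresholds are assumptions to tune per environment."""


def synth(text, start, gap):
    """Build (timestamp_seconds, key) events for text typed at a fixed cadence."""
    return [(start + k * gap, ch) for k, ch in enumerate(text)]


# Constructed log: a person typing a greeting (~5 keys/s), then a burst at
# ~250 keys/s such as an injected keyboard produces. The burst text is benign.
EVENTS = synth("Hello Maria, ", 0.0, 0.18) + synth(
    "cmd /c echo injected by a fake keyboard", 10.0, 0.004
)


def injection_bursts(events, min_keys=20, max_gap=0.02):
    """Return (first_index, last_index) for every run of at least min_keys keys
    in which each key followed the previous one within max_gap seconds."""
    bursts, start = [], 0
    for i in range(1, len(events) + 1):
        # A gap larger than max_gap (or the end of the log) closes the run.
        if i == len(events) or events[i][0] - events[i - 1][0] > max_gap:
            if i - start >= min_keys:
                bursts.append((start, i - 1))
            start = i
    return bursts


def burst_text(events, span):
    """Recover what the burst typed, which is what an analyst wants to see."""
    first, last = span
    return "".join(key for _, key in events[first:last + 1])


if __name__ == "__main__":
    for span in injection_bursts(EVENTS):
        print(span, repr(burst_text(EVENTS, span)))
```

Treat this as one signal, not a block: Ducky Script has a DELAY command, so a payload can deliberately slow its typing below the threshold, and a paste from the clipboard can look like a burst. The more robust control remains the one the deck closes on, running as a non-administrator so an injected command cannot change the system.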

SLIDE 5

Rubber Ducky Downloads

SLIDE 6

Self-inflicted Gunshot Wounds

QR Codes and Millennials

SLIDE 7

Self-inflicted Gunshot Wounds

SLIDE 8

Self-inflicted Gunshot Wounds

SLIDE 9

Risk Path for a Data Theft Attack

  • Physical Infiltration
  • Near-Site Attack
  • Remote Cyber Attack - Human Target ("spear phishing")
  • Remote Cyber Attack - Perimeter

SLIDE 10

Name a Major Breach that DIDN'T Start With One of These

  • Phishing
  • Malvertising
  • Watering Hole

Threat actors: Organized Crime, Nation States, Hacktivists

SLIDE 11

Making it Personal

Attacking ISACA

SLIDE 12

Attacking Sacramento's ISACA Chapter

SLIDE 13

Go-time Email Examples- Malware

Example 1

To: vicepresident@isaca-sacramento.org
From: president@isaca-sacramento.org
Subject: Sacramento Chapter Account Discrepancy

Maria- This just came in from ISACA about some missing money. I don't have David's address in my phone. Can you please forward this to him ASAP? Thanks, Howard

Attached: SacError.pdf

Example 2

To: president@isaca-sacramento.org
From: communications@isaca-sacramento.org
Subject: For Web Site

Katheryn- Please post this to the website ASAP as the registration deadline is coming up. It's the registration form for the CRISC exam. Also, please have David forward it to the membership. Thanks, Howard

Attached: June-2016-CRISC-Exam-Registration-Form_frm_Eng_1115.pdf

Please contact Mike for a clean copy.

SLIDE 14

Phishing Email Demo- Malware

Writing and Distributing Malware using the Social Engineering Toolkit

SLIDE 15

Phishing Email Demo- Credential Harvesting

Phishing the Webmaster’s Credentials

SLIDE 16

Go-time Email Examples- Getting the Webmaster's Credentials

To: webmaster@isaca-sacramento.org
From: communications@isaca-sacramento.org
Subject: Web Site Problems

Katheryn- I think something is broken in the members' section. Can you take a look at this page? Thanks, David

Please contact Mike for a clean copy.
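All three "Go-time" messages (the two malware lures and this credential lure) depend on the same thing: a From: address at the chapter's own domain that the recipient trusts on sight. The From: header is free text the sender writes, so the signals that actually say who sent a message live elsewhere: the envelope sender (Return-Path), Reply-To, and the receiving server's Authentication-Results. The following is an added example, not the speaker's code; both messages are constructed, the Return-Path, Reply-To and Authentication-Results values are invented, and nothing here is real chapter traffic.

```python
"""Header checks for the kind of spoofed officer-to-officer mail shown on the
"Go-time Email Examples" slides. Added example, not the speaker's code; the two
messages below are constructed, with invented Return-Path, Reply-To and
Authentication-Results values, and are not real chapter traffic."""
from email import message_from_string
from email.utils import parseaddr

# Attachment types commonly used to carry malware in lures like these.
RISKY_EXT = (".pdf", ".doc", ".docm", ".xls", ".xlsm", ".zip", ".exe", ".js", ".scr")

SPOOFED = """Return-Path: <bounce@bulk-sender.invalid>
Authentication-Results: mx.isaca-sacramento.org; spf=fail smtp.mailfrom=bulk-sender.invalid; dkim=none
From: Howard <president@isaca-sacramento.org>
Reply-To: howard.chapter@freemail.invalid
To: vicepresident@isaca-sacramento.org
Subject: Sacramento Chapter Account Discrepancy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Maria- This just came in from ISACA about some missing money. Can you forward this to David ASAP? Thanks, Howard
--b1
Content-Type: application/pdf; name="SacError.pdf"
Content-Disposition: attachment; filename="SacError.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

GENUINE = """Return-Path: <president@isaca-sacramento.org>
Authentication-Results: mx.isaca-sacramento.org; spf=pass smtp.mailfrom=isaca-sacramento.org; dkim=pass header.d=isaca-sacramento.org
From: Howard <president@isaca-sacramento.org>
To: vicepresident@isaca-sacramento.org
Subject: Board meeting agenda
Content-Type: text/plain

See you Thursday. Howard
"""


def domain_of(header_value):
    """Domain part of the first address in a header, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoofing_indicators(raw):
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    findings = []
    # Envelope sender and reply address should belong to the claimed From domain.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # Display-name trick: the visible name is itself an address at another domain.
    name = parseaddr(msg.get("From", ""))[0]
    if "@" in name and domain_of(name) != from_dom:
        findings.append(f"display name carries an address at {domain_of(name)}")
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=pass" not in auth:
        findings.append("SPF did not pass for the envelope sender")
    if f"dkim=pass header.d={from_dom}" not in auth:
        findings.append("no DKIM signature aligned with the From domain")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            findings.append(f"attachment of a type often used for malware: {filename}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, spoofing_indicators(raw))
```

The Authentication-Results header is only trustworthy when it was written by your own receiving server (the `mx.isaca-sacramento.org` authserv-id in the sample); a sender can add a fake one, so production filters strip any copy that arrives from outside before stamping their own.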

SLIDE 17

How I View the Attack Process and Awareness Training Opportunities

Profile: Friends/Colleagues, Professional Interests, Web Site Memberships

Delivery: Vectors, Who do you trust?, What are you emotional about?

Tech: Corporate IT, Personal IT

Exposures from social media data: Social Media, Google, Research Sites, Employee Profiles, Religion Organizations, Professional Associations, Job Sites, LinkedIn, Scanning

Awareness training opportunities: Phishing & Social Engineering Awareness; Role-Based IT Security Training

SLIDE 18

Phishing Emails

SLIDE 19

Actual Phishing Logins

Exchange.pitt.edu.auth.logon.aspx.bluebird.vn
  Subdomain: Exchange.pitt.edu.auth.logon.aspx
  Domain: bluebird.vn

Images.google.com
  Subdomain: Images
  Domain: google.com

Image credit: University of Pittsburgh, pitt.edu
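The annotation above is the whole lesson: a hostname is read right to left, so the owner of `bluebird.vn` can put `Exchange.pitt.edu` anywhere to the left of it, while `Images.google.com` really is Google. The same check applies to the QR-code stickers from the "Self-inflicted Gunshot Wounds" slides, where the URL is not even visible until the phone has decoded it. The following is an added example, not the speaker's code: it splits a hostname or decoded QR payload into subdomain and registrable domain and flags a trusted name that appears only as a subdomain or in the path. The suffix set is a constructed subset of the Public Suffix List (an assumption), so suffixes it does not list would be split incorrectly; a real tool loads the full list from publicsuffix.org.

```python
"""Split a phishing hostname into the part the attacker chose (the subdomain)
and the part that identifies who really controls it (the registrable domain).
Added example for this talk's "Actual Phishing Logins" and QR-code slides; not
the speaker's code. The suffix set is a constructed subset of the Public Suffix
List, so unlisted suffixes (e.g. .com.au) would be split incorrectly."""
from urllib.parse import urlparse

# Assumption: partial suffix list for the demo; load publicsuffix.org in practice.
PUBLIC_SUFFIXES = {"com", "org", "net", "edu", "vn", "co.uk", "ac.uk"}


def split_host(host):
    """Return (subdomain, registrable_domain), matching the slide's annotation."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest public suffix first; the registrable domain is one label more.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[:-(n + 1)]), ".".join(labels[-(n + 1):])
    return "", ".".join(labels)


def parse_target(text):
    """Parse a link or a decoded QR payload; QR stickers often omit the scheme."""
    if "://" not in text:
        text = "http://" + text
    parts = urlparse(text)
    return (parts.hostname or ""), parts.path.lower()


def lookalike_findings(text, trusted):
    """List the ways a URL impersonates a trusted domain. An empty list means
    the registrable domain itself is trusted (images.google.com really is Google)."""
    host, path = parse_target(text)
    sub, reg = split_host(host)
    if reg in trusted:
        return []
    findings = []
    padded = "." + sub + "."          # match whole labels, not substrings
    for brand in sorted(trusted):
        if "." + brand + "." in padded:
            findings.append(f"{brand} is only a subdomain; real domain is {reg}")
        if brand in path:
            findings.append(f"{brand} appears in the path of {reg}")
    return findings


if __name__ == "__main__":
    trusted = {"pitt.edu", "google.com", "isaca-sacramento.org"}
    for sample in [
        "https://Exchange.pitt.edu.auth.logon.aspx.bluebird.vn/",
        "https://images.google.com/",
        "isaca-sacramento.org.evil-sticker.net/register",   # constructed QR payload
    ]:
        host, _ = parse_target(sample)
        print(sample, "->", split_host(host), lookalike_findings(sample, trusted))
```

Most QR reader apps will show the decoded text before opening it; the habit this enforces is to read the domain immediately left of the public suffix before tapping, exactly as the slide annotates it.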

SLIDE 20

Actual Phishing Logins

SLIDE 21

Phished ISACA Login- Is it or isn’t it?

SLIDE 22

Malvertising

Google's DoubleClick and Yahoo! Ads Have Both Fallen Victim

SLIDE 23

Malvertising

Examples:

  1. JavaScript
  2. Flash Malware (#1 Attack Vector)
  3. Full Server Compromise

Image Credit: riskmanagementmonitor.com

SLIDE 24

Watering Holes

Nation States' Newest Attack Vector

SLIDE 25

Watering Holes

Example: Watering Hole (image credit: http://blog.smartekh.com/)

SLIDE 26

4 Things You Can Do Right Now

Prevent What I Have Demonstrated

SLIDE 27

Sign in with a GUEST Account (Not Administrator)

Can be downloaded from cybersecology.com/harden-firefox.pdf

SLIDE 28

Modify Your Settings: Options

SLIDE 29

Modify Your Settings: Add-ons

SLIDE 30

Modify Your Settings: Add-ons

SLIDE 31

How Well Does This Work?

Common Browser Attack Vectors
  • Pseudo-malicious Flash
  • Pseudo-malicious JavaScript

Antivirus
  • Infected ISACA PDF

QR Code Sticker
  • CyberSecOlogy Sticker URL

Watering Hole
  • Watering Hole Example

[Results table: rows Adobe Flash, JavaScript, Infected PDF, QR Code, Watering Hole Attack, Malvertising; columns Hardened Browser Settings, Default Browser Settings, Full AV. The cell values are not present in the text extraction.]

SLIDE 32

Contact Info

@MikeLandeck
www.CyberSecology.com
linkedin.com/in/mikelandeck
MikeLandeckCyberSec@gmail.com

Please provide me feedback by taking the survey at https://www.surveymonkey.com/r/WXFY2CG

SLIDE 33

Questions