Cyber Security Presentation

Under the Black Hat
August 27, 2014
Daniel Nelson, C|EH, CIPP/US
© 2013 Armstrong Teasdale LLP
How Bad is the Hacking Threat?
- “Hackers” write sophisticated computer code to invade computer networks
- Hackers do this to target personal information which is then used for identity theft
- “Hacking” is the digital equivalent of robbing a bank: hackers break into a system, rob it, and make their getaway
- Hacking leaves digital fingerprints that can be traced back to catch the thief
What’s the Real Story?
Who’s The Hacker?
Who’s The Hacker
Berkeley Blue & Oaf Tobar
Adrian Lamo
Kevin Poulsen
Mercedes Haefer
John “Captain Crunch” Draper
Robert Morris
They Hack for Profit
Sometimes, but:
- Revenge
- Information
- “A Cause”
- Street Cred
- Boredom
- “Because It’s There”
They Are After Our Personal Information
- Says who?
--Brian Krebs, KrebsonSecurity.com
Hackers Are Computer “Black Belts”
Everything A Hacker Needs
Over 100 Hacking Tools Preinstalled
Tools such as:
- John the Ripper (Password Cracking)
- Angry IP Scanner (Scanning)
- THC Hydra (Password Cracking)
- Cain & Abel (Anything you can imagine on a Windows System)
- Burp Suite (Web Apps)
- Social Engineering Toolkit (“SET”)
- Wireshark (packet sniffer)
One of the biggest challenges is to choose from among a plethora of tools
Nessus
How Bad for You/Good for Me
Vulnerability Name: So I Can Find It Easily
Trespassing At Will?....Priceless
Kali Linux……………………FREE
The Included Tools…………FREE
Nessus…………………FREE
But the Two Most Powerful Hacking Tools?
Google
- Pre-hack Reconnaissance on Target:
  • System configurations
  • Usernames
  • Passwords
  • Email Addresses
  • Reporting Relationships
- The Answer to Any “How Do I” Question You Could Ever Ask
YouTube
FUD: Fully Undetectable Remote Administration Terminal (a Trojan)
True Hackers…
- Love to Share
  • Know-how
  • Exploits
  • Data
  • Updates
Hacking Is Easily Detected
Hacking Leaves Digital Tracks
Quick Overview of Hacking
- Basic (but still dangerous) hacking requires access to YouTube and a willingness to learn
- Hackers have many different targets
- Good Hackers may lurk in a system for months
What Can Be Done
- Combat Social Engineering
  • Understand the Threat
  • Train
- Engage With Security
  • Understand what “IT” really means
  • Take Charge
- Understand Current Legal Requirements
- Avoid The Compliance Trap
- Be Your Own CISO
Social Engineering
- “Hacking the Wetware”
- The most direct, efficient and effective form of attack
- One simple goal: generate an emotional response
- Takes Many Forms:
  • Phishing/Spearphishing
  • Physical Intrusion
  • Remote
- Odds are strongly in the Hacker’s favor
Phishing/Spearphishing
- Phishing: Impersonal “blast” email
- Spearphishing: Uses personal information about “sender” or recipient to encourage recipient to trust the email
  • Vacation plans
  • Recent promotions
  • Company events
  • Hobbies
- This information is all too easy to find:
Spearphishing Takes Many Forms
There’s An App For That
Phishing With SET
Physical Intrusion
First Rule of Hacking: If you can touch it, you will own it.
Social Engineering Countermeasures
- Build Awareness
  • Every Employee is Part of Your Security Plan
- Train
  • Recognize the Common Attack Vectors
  • Appreciate the Dangers
Engage With Security
- Understanding “IT”
  • The field is highly specialized
    − Network
    − Desktop
    − Database
    − Programming
    − Website
- Security is 10% IT, and 90% Everybody Else
  • Physical Security
  • Mobile Device Security
  • Anti-Phishing
The Biggest Mistake
- Ignoring Counsel’s Essential Role in Data Security
- What You Give Up:
  • Privilege
  • Participation in decisions when it matters most
  • Independent analysis
Protecting Privilege
- Attorney-client privilege can be invoked between the victim company’s outside legal counsel and hired third-party forensic firms that perform a review of the system during a breach. Invoked privilege allows the forensic company to report breach results directly to the law firm.
http://www.secretservice.gov/ECTF_best_practices.pdf
Being There When It Matters Most
- Data Security incidents often have legal consequences
  • Regulators
  • Insurance coverage issues
  • Lawsuits
- IT won’t be representing the company!
- You can be there when decisions are made, or you can be there when the die has been cast.
Independent Eyes
- Why do we have outside auditors?
- The same principle holds true for data forensics: often outside eyes see more clearly
  • Independent evaluation of what went right, and what went wrong
  • May well be more qualified for forensic work
  • Better expert witnesses
  • Detect the “inside job”
The Second Biggest Mistake
- Failure to have a plan
- Data Incidents take many forms, and involve complicated questions that demand real-time answers
- Regulators (and underwriters) increasingly looking to whether you had a plan
What’s the Next Step?
- Front Desk Security calls: There are two FBI Agents in the Lobby asking to speak to the head of Information Security.
  • Do you meet with them?
  • Do you allow them access to your network?
  • What is your company’s policy with respect to cooperation with law enforcement?
What’s the Next Step (Part II)
- Your CEO receives an email containing the private financial information of ten of your customers. The sender informs you that they have all 10,000 such records, and intend to release them unless your company pays a ransom within 12 hours.
  • What is your company’s policy for this?
  • Do you involve law enforcement?
  • What is your media strategy?
  • Does your cyber policy cover this?
  • How do you evaluate whether the threat is real?
Understand the Legal Requirements
- Fast Changing Landscape
- The “Law” Simply Can’t Keep Up
- FTC “Common Law” on Security
- HIPAA
- State Data Security Laws
- Long on Recommendations, but Short on Specifics
Recent FTC Enforcement Actions
- Cbr Systems, Inc.
  • Cbr’s privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service
  • After unencrypted data contained on storage media and a laptop were stolen from a Cbr employee’s car, the FTC charged Cbr with deceptive trade practices because Cbr failed to keep its security promises. In particular, the FTC focused on Cbr’s failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need
Enforcement Actions
- TRENDnet
  • SecurView cameras for home monitoring
  • Software issue allowed anyone with the camera's web address to view the live feed
- FTC charged:
  • Failure to utilize reasonable measures to test security;
  • Unencrypted transmission of user credentials, and unencrypted mobile storage of login information.
Massachusetts Data Security Laws
- Requires “Comprehensive” data security program that includes:
  • Designated responsible employee(s)
  • Identification & assessment of risks
  • Employee security policies
  • Oversight of service providers (including requiring such providers, by contract, to maintain appropriate security measures)
  • Encryption of data that will “travel across public networks” or that will be “transmitted wirelessly”
Encryption
- Growing body of regulations and enforcement actions requiring some form of encryption
- Encryption may come in many forms:
  • Encryption in transmission (e.g. PCI Rules, TLS/SSL, PGP Email)
  • File level Encryption
  • Full disk Encryption
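The slide lists “encryption in transmission” as one form regulators look for, and the TRENDnet action above shows the gap between transmitting bytes and transmitting them safely. The example below is added here and is not from the presentation: it builds, with Python’s standard `ssl` module, a client configuration that encrypts but never verifies who it is talking to, next to the hardened form a practitioner would actually deploy, and a check that an audit script can apply to any `SSLContext`. The minimum-version threshold and the `context_is_safe` name are this example’s own assumptions.

```python
import ssl

# Assumption for this example: anything below TLS 1.2 is treated as unacceptable.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def insecure_client_context() -> ssl.SSLContext:
    """Weak setting: traffic is encrypted, but the peer's certificate is never
    checked, so anyone who can sit in the path can present their own
    certificate and read or alter everything sent. Shown for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE  # the "it works now" fix that removes the point of TLS
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Corrected setting: certificate chain validated against the platform CA
    store, hostname must match the certificate, and old protocol versions
    are refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MIN_TLS_VERSION
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit check: the three properties a 'transmission encryption' control
    needs before it counts as a control rather than a checkbox."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= MIN_TLS_VERSION
    )


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: verify={ctx.verify_mode.name} hostname={ctx.check_hostname} "
              f"min={ctx.minimum_version.name} safe={context_is_safe(ctx)}")
```

The two contexts produce identical-looking encrypted traffic on the wire, which is why “we use SSL” on a compliance questionnaire says nothing about whether the `CERT_NONE` variant is in production; the `context_is_safe` check is the kind of test the FTC faulted TRENDnet for not running.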
The Compliance Trap
- Compliance can be Security’s Worst Enemy
- “Check the Box” is not the same as “Secure”
- Compliance: Do you have a home alarm?
- Security: Do you actually turn it on?
Be Your Own CISO
- Update & Patch
  • Very little “Zero Day” Malware
  • Significant Amount of Malware is Reverse Engineered from the Patch
- Password Security
  • Wrc$5oo93=T
  • Longer is Better
  • PollyWants1Cracker
- Secure Physical Access
- Change Default Passwords
  • Computers/Wireless Access Points
  • Home Alarms
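The password slide makes its point by contrast: the short, symbol-heavy `Wrc$5oo93=T` against the longer, plainer `PollyWants1Cracker`. The script below is an added example, not material from the presentation, that puts numbers behind “longer is better” by scoring both under the character-level brute-force model a cracking tool such as John the Ripper or Hydra would face, and applies a simple length-and-bits policy. The policy thresholds, the assumed guess rate and the function names are this example’s own assumptions.

```python
import math
import string

# Constructed policy thresholds (assumptions for this example, not from the slides).
MIN_LENGTH = 14
MIN_BITS = 80.0
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate, for illustration only


def pool_size(password: str) -> int:
    """Size of the smallest character alphabet that covers every character used.
    A brute-force attacker who knows the alphabet has to try pool**length candidates."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c not in string.printable for c in password):
        pool += 64  # rough allowance for non-ASCII characters (assumption)
    return pool


def brute_force_bits(password: str) -> float:
    """Upper bound on search effort, in bits: length * log2(alphabet size).
    Caveat: this ignores dictionary, phrase and substitution attacks, so a
    phrase like PollyWants1Cracker is weaker in practice than this bound says;
    the length advantage still holds, which is the slide's point."""
    return len(password) * math.log2(pool_size(password))


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the assumed guess rate."""
    return (2 ** bits) / rate / (365 * 24 * 3600)


def evaluate(password: str) -> dict:
    """Score one password and apply the constructed policy."""
    bits = brute_force_bits(password)
    return {
        "length": len(password),
        "pool": pool_size(password),
        "bits": round(bits, 1),
        "years_to_exhaust": years_to_exhaust(bits),
        "meets_policy": len(password) >= MIN_LENGTH and bits >= MIN_BITS,
    }


if __name__ == "__main__":
    # The two passwords shown on the slide.
    for pw in ("Wrc$5oo93=T", "PollyWants1Cracker"):
        r = evaluate(pw)
        print(f"{pw:20s} len={r['length']:2d} pool={r['pool']:3d} "
              f"bits={r['bits']:6.1f} years={r['years_to_exhaust']:.3g} "
              f"policy={'pass' if r['meets_policy'] else 'fail'}")
```

Eleven characters drawn from the full 94-character keyboard alphabet come to roughly 72 bits; eighteen characters from only letters and digits come to roughly 107 bits, so the plainer but longer string wins by about 35 bits, a factor of tens of billions in search effort. Adding two more words to the phrase widens the gap further, which is what the slide’s “Longer is Better” line means in practice.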
Questions?
Dan Nelson, C|EH, CIPP/US, Partner
314.552.6650 dnelson@armstrongteasdale.com
http://twitter.com/DanNelsonEsq
www.linkedin.com/in/danielcnelson