Live hacking demo at CBI Cyber Security Conference

Captions
Hi everyone. I'm gonna show you a couple of demos and some stuff. I was introduced quite well there, so I think I can skip that bit. So I guess I'm gonna demonstrate two things. The first one I'm gonna try to show you is what happens when your data gets leaked by somebody else you've trusted. When you trust some third party with your information, like you give them your email address, say it's a service you've signed up to, be it LinkedIn or Dropbox or social networking sites like MySpace or dating sites or online shopping or whatever, when you give them your stuff they sometimes may not tell you they've lost it, or they might not even know that they've lost it. So you have to be careful about what happens to your stuff when somebody else loses it for you, where you've done nothing wrong: you've used the Internet in a normal way like everyone else uses it, you've given a third party your data, and they go and lose it. How does this impact you? So I'm gonna try and show a couple of stats and stuff to show how this could affect you and your business, why data leakage stuff matters.

So there's a website, Have I Been Pwned, run by an Australian chap called Troy Hunt, and he indexes 233 unique website breaches containing emails, usernames, passwords and the like, which is a very small slice of how much data is out there, how much of people's personal information has been leaked. He's just indexed a small amount of it, and I'm gonna use stats from his site. He indexes only 233 data leaks, which amounts to 4.7 billion breached accounts, which is a lot of people. I mean, the planet's got what, six and a half, seven billion people? There's 4.7 billion breached accounts, and it's actually a bit more than that now, and that's only a small slice of the leaked information that's out there. So it's pretty big, pretty scary numbers, and you know, it's a lot of data floating around. And again, Troy's website only indexes a small amount of what's actually out there; he only gets what's public. So again, that's only the publicly available data out there, which is all we have to work with. There's a lot more on so-called dark web websites and, you know, on the black market and stuff. Personal information is valuable because it allows people to do stuff like fraud.

So, the impact of this: well, if you search for companies you'll find that 100% of the FTSE 50 are impacted by third party leaks. You'll find every single one of the top of the FTSE 50 has had some of their data end up in some third party service that's ended up being negligent with that data and leaking it. With the Fortune 100, again we have this wonderful number of 100%. Everybody's affected; it affects everyone equally. It doesn't matter how big you are or how good your security is: once you start trusting your data to somebody else it's gonna go walkabout, and that's problematic.

So I'm gonna demonstrate exactly what happens, very quickly, when your password winds up on the Internet. You know, okay, so your MySpace password's gotten leaked, or your snowboarding.com or your lastminute account, you know, the password gets leaked and you just kind of go, oh well, I'll just change my password on that website. How does this impact me? Why does this matter? People try to use it. Criminals and the like will come along and they'll take that email and password and they'll test just about every web service they can find. They'll think, oh, what if they've reused their password on, say, Amazon or PayPal or Facebook or Twitter or LinkedIn or everywhere else? So what happens next, generally, with normal people who reuse their passwords all the time, is their email gets compromised, their LinkedIn, their Facebook, their PayPal; they can end up with phishing emails sent to their colleagues, with spam sent from their accounts, or money stolen, or general bad things. And it doesn't take particularly long to check if a person's password has, you know, if they've reused it somewhere.

So we set up some test accounts on a few services and wrote a quick script that demonstrates this, and I hope it works. This just demonstrates how fast we can test a set of passwords across 20 different web services. We're adding support for more of them to our little tool; we use it in pentesting for clients and stuff, if their stuff's gotten leaked, or rather if their stuff is being reused anywhere. It just takes less than a minute or so to run. What it does is it takes a username and password, which isn't being displayed on the screen for obvious reasons, so don't worry, we're logging in to a test account. It tries logging into 20 different sites, and in about a minute it quickly dumps out a list of sites the login worked on. Done. Now imagine if this wasn't test accounts and this was your email and password that got leaked from, say, a dating site, one of the ones that have been breached in the past. Somebody gets those passwords and then tries them on Facebook, Twitter, Amazon, GitHub, Gmail, PayPal, LinkedIn, whatever. How would that impact you? You might, you know, you go "my Facebook's been hacked". It wasn't your Facebook that got hacked, it was some third party service, and then your password just got recycled and used, and that ends up being a pretty crap situation, because within a matter of a couple of minutes most of your online life can just be taken away from you. Somebody now has control over your stuff; they can pull more of your information from it, commit fraud; for example with PayPal they could empty your balance, or they could buy a bunch of stuff on Amazon, or they could send loads of horrible messages to your friends on Facebook, or whatever it is that you can imagine they can do that's bad, they can probably do it.

And you can go and check: if you go to haveibeenpwned.com and put in your email address, it'll tell you how many sites your password or your email has shown up in leaked information from, and it gets pretty scary. You can sign up for notifications, well, you can sign up as a business for notifications from them, and they'll tell you if, you know, your employees' stuff's been leaked. It can be pretty terrifying when you first put your email in and you go, oh, I didn't know about that. You know, it can often be Troy's site that's the first time you get notified that your stuff has been leaked. So it's useful to kind of have a think about who you're trusting your information with, where that information goes, what happens if somebody you trust isn't very trustworthy with your stuff. You know, maybe all the new regulations, GDPR and all that, will result in fines or something; I'm not holding out too much hope. People just continue being negligent with stuff you give them.

So as for mitigating this, if you want to mitigate the risk to yourself and to your business of password reuse style attacks, which are very common, they happen all the time, you can do a couple of things. For corporates there's like three simple takeaways that you can use to mitigate the risk of third party breaches impacting you, your customers, your employees, whatever. The first one is use a password manager that generates unique per-site passwords. You can use LastPass, 1Password, KeePass, whatever. I'm not going to shill for any particular product or vendor; they're all pretty much the same, they all have their pros and cons, have a look, maybe read some reviews, see which one suits you best. KeePass is free; the other two are commercial services. That's a good first line, because if your passwords are actually unique and strong across all the services that you use, it means that when they leak from one it's isolated, it's contained, the damage is segregated. It'll only affect that service and won't affect everything else.

The second one is you should definitely use two-factor. It's 2017, we've got loads of lovely products and services that allow you to use two-factor. There's stuff like YubiKey, which is the USB thing; I forgot to bring mine with me today, but it's a little gadget you plug in and it does the second step for you, and a lot of services support it. There's also Google Authenticator and Authy, which are mobile apps, so you can, you know, authorise with one-time codes from your phone. Some banks support similar things; the bank I'm with posted me a little key fob type thing that I type a PIN into and it generates a login code. You should definitely use something like that. At the very minimum have stuff like Gmail set up so it texts you every time somebody tries to log in and you have to put in a code, because that means that even if somebody nicks your password, it's completely bloody useless. They can't go anywhere further than that, unless horrible things are going on in the service that they're trying to log in to, like a broken two-factor implementation, but that's not really something you can defend against.

And the third thing you can do is, if you're signing up for dating sites or whatever, or an arbitrary service, and I see this a lot, it's mostly dating sites where we actually find data leaks that affect corporates. For some reason people seem to think "I'll sign up for Ashley Madison with my work account because nobody at home will find out". What happens is HR don't look too kindly on that when, you know... So create new email accounts. It takes like, what, two minutes to set up a burner Gmail account for whatever service you're putting your stuff into. Just have a think before you trust things with your information. If you just do those three things you're not gonna have that many, you know, you've mitigated a ton of the problems that you could have had otherwise.

The second thing I'm going to talk about is kind of to do with the WannaCry and NotPetya things, the WannaCry and NotPetya ransomware that happened this year. They impacted pretty much most businesses; most had some kind of horrible experience with them. I reckon a lot of people haven't said that they were affected, but if you just look at the impact of NotPetya, where I think it was Maersk, the shipping company, had to switch to paper or some nonsense, you know, it just took out everything. And the WannaCry and NotPetya things were completely avoidable. They were totally avoidable incidents, and they're a very good case study in why installing patches on time for your endpoints is really important, why, when the little Windows Update thing pops up in the corner, you shouldn't just go "oh, bugger off, we'll do it tomorrow"; you should go "oh, I should probably do this now, or else all my stuff might get locked away forever". So we all know what happened there, I mean the media covered it, it was wall-to-wall coverage. We all know that people's stuff got encrypted, they didn't get a lot of it back, horrible bad things happened, the NHS got wrecked, somebody saved the day in the case of the WannaCry thing. You know, it's a fairly well-known story.

But instead I'm going to talk about MS17-010, which is basically probably the biggest thing in cyber security stuff that happened this year, just in how universally it worked. Every single version of Microsoft Windows was vulnerable. It's unauthenticated, which means no login required, a remote exploit that gave you SYSTEM privileges, the highest privilege level, on basically anything. So it's like a skeleton key for every unpatched Windows machine at the time, and when it leaked absolute bloody mayhem occurred and we had the ransomware and stuff kick off. It affected everything, like literally every version of Windows from Windows 2000 up to Windows 10 and Server 2016; there are exploits available in public for these. The only Windows that probably wasn't affected was like Windows 95 or something. But if it was connected to the Internet and it was running Windows and it's not patched, it's probably already compromised. You need to unplug it, set it on fire and get a new computer, or reinstall it or whatever, and you probably need to shoot your sysadmin if you've not patched. The question you should be asking across your organisation is why haven't we patched this? Why haven't we applied mitigations and fixed this? And then when somebody gives you a reason you need to go, is that a good enough reason? I've gone to client sites and found they're still vulnerable to this, and they've told me "oh, we just haven't had time to have, like, an hour of scheduled downtime yet", and like, mate, the patch came out months ago. You're being wilfully and criminally negligent at this point with your client information. There's no way that you can't schedule a one-hour outage or do a rollout over a week or so. There's no good reason for not having patched, like literally none.

So I'm going to show you how fast this thing works, and hopefully this demo works. This just shows how fast and how simple it is to infect an unpatched Windows machine with ransomware using the MS17-010 exploit that WannaCry and NotPetya used to spread. So here we've got our lovely Windows XP machine; I'm using XP because it's about the only thing that I can run in a VM on my laptop without it turning into a space heater. And here we have just a quick demo exploit. I'll hit run, stuff happens, it prints out a bunch of debug output, and then we wait a minute, and we should see within about 60 seconds something awful happen. Just have to wait a bit for the horrible pop-up screen of "oh God". Oh yeah, there we go. Now it's completely toast. You can kiss goodbye to any files on that machine. You can try to pay a ransom; I wouldn't trust them with my bitcoins. But yeah, it happens in a couple of seconds, and the tools for doing this are publicly available, free, online. Any idiot can just download them, package up their own little bit of ransomware and then spam it out at every Windows machine they can find on the Internet that's vulnerable to this, just indiscriminately, and then suddenly, oh no, my files are gone, well, we should have had some backups. Generally not a good day for anyone, especially not for the IT department, who are going to be getting lots of unpaid overtime. So that all happens ridiculously fast. I'd better kill that; I'll just be a second, I'll just turn that machine off in case it does something horrible. Well, I'm not looking, in case it infects something else.

So as you can see it just happens instantaneously. There's a couple of seconds for the malware to execute, but the infection takes like no time at all, and this is terrifying because unless you've patched you're kind of screwed when it comes to defending against this. And it's entirely silent; there's no user interaction required. The user doesn't have to open a dodgy link in an email; they just have to have their computer connected to the network and not have installed the required patches. This ends up being like users' workstations, their laptops they take home, their bring-your-own-backdoor policy, whatever, that ends up being a little infection factory that screws everyone.

So what can you do regarding mitigations? The obvious one is patch, patch your stuff, install the updates on time. I mean, we all probably have our gripes about Microsoft and patches and stuff and their products, but they don't deliver patches and updates for no reason. They don't do it just to piss you off and cause downtime; they do it because their product is acting defectively and they're trying to repair the defect. And that's the other thing: we should see this not as a bug, we should see this as a software defect, as in a defective product, and this is a repair for the defect. It's not just fixing some glitch. You should segregate your networks; you should make it harder for worms such as WannaCry and NotPetya to spread. You should talk to your IT department about putting things on isolated, separate networks, because otherwise, like most large enterprises that I've visited in the UK, their networks are just this glorious big flat LAN, which is like a playground for any kind of nasty that wants to zip around, and it's a playground for me when I go there to ruin their stuff, when they pay me for that, of course. If you segregate your networks and put in access controls on top of patching, you're gonna make people like me, or people like the WannaCry people, have a really, really hard time.

And finally you should manage privileges on your networks. A lot of stuff gets in, and gets around, because people don't have effective privilege management. They just have "oh yeah, of course our users can run everything as admin if they want, you know, we trust our users". No, don't trust your users. Your users are actively hostile to your business. They'll click stuff, they'll ignore the update prompts. Consider them to be like bloody children, right? You don't want to give them enough rope to hang themselves with, you don't want to give them forks near power sockets, whatever. They will screw you up, they will lose you money, so don't give them admin rights, don't give them a way to hurt you. It's something that we should all be doing, but you end up with that annoying power user who's like "oh no, I need admin to do blah". No, actually, mate, you don't. You don't need to be logged in as admin; nobody does. I mean, what do most people do? They send emails, they do some Excel in Office; they need a limited user account for that. They run a couple of bits of whatever software they do; they don't need local admin on their computer. In fact some of them don't even need computers, but that's beside the point. Yes, if you do those three things, make sure to patch stuff, segregate your networks, and have good privilege management and good policies around that, you're, I'm not gonna say immune, but you're gonna be far lower on the risk scale than everyone else. This whole thing, you just want to be less at risk than everyone else. And that kind of sums up the main points I wanted to make, so I guess I'll leave it there. And the demo actually worked; I'd tried it a few times way ahead of time. So I guess I'll leave it open to questions and stuff.

Yeah, I mean, it's great how we've gone from humans being the best line of defence to "take away all the computers", and I'm gonna start running Windows 95; I didn't realise that was the best way to stay safe. Does anyone have any questions straight off the bat? I've got one for you, which is, I mean, you were there on the front line for WannaCry, analysing the malware through the night, ruined everyone's weekend. When you look now, what do you see as the big trends to come in terms of what adversaries are doing, what hackers are looking at?

So I honestly think that we've seen a big uptick in, it's gone towards ransomware, as opposed to previously it was a lot of banking malware to steal your banking logins and stuff. That's proving a lot harder for criminals to cash out, so we're seeing a lot of, from the organised criminal groups who are just in it for the money, it's moving towards a ransomware model, which is very smash-and-grab: they hit you, encrypt all your stuff, demand some money, you pay up really quick and then they're gone. It's all about faster cash, it's all about automation and doing stuff fast, doing stuff easy. We're gonna see a lot more horrible ransomware in the future, you know; the bar is being lowered, people are paying off, and that's the thing. Happy days.

And what I mean with the NHS, you say these rows of really old systems and the patching Microsoft announced, but what's it like for business? So that exploit was discovered, allegedly, again I keep using that word, by the Equation Group, which is the NSA, the American equivalent of GCHQ, their hacking group, you know, one of the best resourced hacking groups in the world, one of the most adventurous. Their secrets were stolen and then they were exploited by this one, acquired potentially by, allegedly, North Korean hackers, Lazarus Group. Then you've got the poor NHS in the middle of all of that. Does it stand a chance against these sort of nation-states fighting over all this cyber turf?

Cyber turf, what an awful phrase. But honestly, probably not. That's, like, honestly, the NHS, to put it bluntly, is completely toast when it comes to trying to protect itself, because they don't have the budget or the manpower, and they've got huge networks with thousands and thousands of users. If something gets in it's gonna be a really bad day, and WannaCry was just a wonderfully horrendous example of it, especially with the timing and just how destructive it was, you know, when it hit stuff, up until the kill switch was discovered; and when it found stuff it just toasted everything, everything got encrypted, no way of recovering stuff. There were eventually a few ways to recover things, which relied on the computer not having been powered off etc., but there's not much chance of effectively defending against nation-state attackers. That would be a problem for GCHQ; they should be protecting their country against nation-states, against other nation states. It shouldn't be the NHS's problem; they should be able to defend themselves against your lesser-resourced criminals, and they should have the budget to defend themselves and they should be able to hire the expertise to do so, but at the moment they can't.

Cool, okay, great. Oh, yeah, sorry. Caroline Opal from James Crawford PLC. We talked about governments, and obviously there's been a lot of press about what the US government did or didn't know about WannaCry, but if you take the next one, which was Petya or NotPetya or whatever you want to call it, there's a lot of commentary afterwards about large cyber security companies and their interests with government, or links to government, that are not necessarily there to support us as a UK nation. Should we be worried as IT leaders by what software, what companies we'll use for cyber security? This is, I mean, presumably a reference to Kaspersky, which has been alleged by the FBI, wasn't there, yeah, and they denied it, but it's, because, you know, I think it's worth getting the name out just to talk about, not to talk about Kaspersky in particular, but is that something vendors should be worried about?

There should be some concern with that particular case. I don't, I believe a lot of the accusations are somewhat baseless, but people should be at least somewhat concerned where the software they're running comes from. You should have a look into your vendors. If you're trusting a security product vendor to put stuff on your network which effectively has maximum privileges over your stuff, like an anti-virus can look at all your files, it sends them home, it can do an awful lot of really horribly invasive stuff, so you want to have good trust between you and the vendor. And, you know, you could choose a domestic vendor; if you're UK-based you could choose a UK vendor, I guess, but I mean you should probably base it on who's the most trustworthy but also who does the job the best. If you're paying for a product it should work. It's a difficult one, because countries are going to sling mud at the AV vendor of another country, and now that that kind of game has started it's not going to stop. It's a difficult one, but yeah, I guess you should think about who you're trusting to run stuff on your network. It's definitely something of concern, because if it turns out the defender is, you know, if they're behaving in a way that's not exactly in the best interest of their customers, you should definitely run away from them. You should wait for proof, though, as opposed to accusations, because baseless accusations without any publicly viewable evidence help nobody.

Yeah, one question. Yes, I just wanted, what's your insight into malware that's delivered through video? It's a new trend, is it similar to any other delivery mechanism or is it something we should be worried about?

Pretty much all delivery mechanisms are almost, I treat them all almost equally. A way to run code on a computer is a way to run code, a way to execute your malware on somebody's system; they're all pretty much equal. Some of them for a time will have a higher probability of success than others. Like, I remember ages ago we used to be able to just email somebody an attachment, and they'd open it because that's what people do with attachments, they open them. And now I guess, if it's video files or bugs in video players, I guess it'd have a higher chance of execution than sending them a dodgy EXE. But you should treat it the same as every other kind of delivery vector, because the actual thing you should be worried about isn't the delivery vector, it's the payload, the bit that gets run. You should ideally be concerned about anything getting run on your computers that you don't want getting run there. You should try to block as many delivery vectors as you can, but realistically it's the payload that counts, because they'll just find another way to get it to you. Thank you very much. [Applause]
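The password reuse attack the talk demonstrates, seen from the other side: on any one of the services being tried, a leaked email/password list shows up as a single source hitting many distinct accounts with mostly failed logins, and the few successes are exactly the accounts whose reused password has just been confirmed and needs a forced reset or a two-factor step-up. The detector below is an added example, not the speaker's tool; the log format, the source addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format, constructed for this example:
#   <ISO timestamp> <src_ip> login <ok|fail> user=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) login (?P<result>ok|fail) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "result": m["result"], "user": m["user"]}


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {src_ip: sorted list of accounts that logged in OK from that source}
    for every source that tried at least `min_users` distinct accounts inside a
    sliding `window` with a success rate no better than `max_success_rate`.
    A legitimate user mistyping their own password never trips this: one account."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            if len({e["user"] for e in span}) < min_users:
                continue
            ok = [e["user"] for e in span if e["result"] == "ok"]
            if len(ok) / len(span) <= max_success_rate:
                flagged.setdefault(ip, set()).update(ok)
    return {ip: sorted(users) for ip, users in flagged.items()}


# Constructed sample: one source sprays six accounts in 11 seconds (two hits),
# one real user fumbles their own password, one source tries only three accounts.
SAMPLE_LOG = [
    "2017-09-14T10:00:01 203.0.113.7 login fail user=alice",
    "2017-09-14T10:00:03 203.0.113.7 login fail user=bob",
    "2017-09-14T10:00:05 203.0.113.7 login ok user=carol",
    "2017-09-14T10:00:08 203.0.113.7 login fail user=dave",
    "2017-09-14T10:00:10 203.0.113.7 login ok user=erin",
    "2017-09-14T10:00:12 203.0.113.7 login fail user=frank",
    "2017-09-14T10:00:20 198.51.100.4 login fail user=alice",
    "2017-09-14T10:00:35 198.51.100.4 login fail user=alice",
    "2017-09-14T10:00:50 198.51.100.4 login ok user=alice",
    "2017-09-14T11:30:00 192.0.2.9 login fail user=bob",
    "2017-09-14T11:30:02 192.0.2.9 login fail user=carol",
    "2017-09-14T11:30:04 192.0.2.9 login ok user=dave",
    "this line is not an auth event and is skipped",
]

if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing; force reset / 2FA for {', '.join(users)}")
```

Accounts that succeeded from a flagged source are the ones the talk's first two takeaways (unique passwords and two-factor) would have protected; the detector surfaces them so the service can reset them before the attacker does anything with the session.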
Info
Channel: CBI - Confederation of British Industry
Views: 101,759
Rating: 4.7371664 out of 5
Keywords: CBI, darren martyn, cyber security, confederation of british industry
Id: 49RGwDcDFLc
Length: 24min 57sec (1497 seconds)
Published: Thu Sep 14 2017