3. Legal Disclaimer
ALWAYS GET PERMISSION IN WRITING.
– Performing “scans” against networked systems without permission is illegal. Password cracking, too.
– You are responsible for your own actions!
– If you go to jail because of this material it’s not my fault, although I would appreciate it if you dropped me a postcard.
– This presentation references tools and URLs – use them at your own risk!
4. Accepted Security Principles
• Confidentiality
• Integrity
• Availability
• Accountability
• Auditability
HOW DO I ACHIEVE THIS IN A CLOUDY WORLD?
5. Welcome to the 3rd Age of Hacking (It’s Easier)
• 1st Age: Servers
• Servers
• FTP, Telnet, Mail, Web.
• These were the things that consumed bytes from a bad guy
• The hack left a footprint
• 2nd Age: Browsers
• Javascript, ActiveX, Java, Image Formats, DOMs
• These are the things that are getting locked down
– Slowly
– Incompletely
• 3rd Age: Passwords – the simplest, and getting easier
• Gaining someone's password is the skeleton key to their life and your business
• Totally invisible – no trace
6. Cyber Crime – Cloud Attack
Welcome to the Future of Hacking
• Channels: web, mail, open services
• Targeted attacks on premium resources
• Carpet bombing for most attacks
• Secondary infections through controlled outposts
10. Password Surfing ☺
"login: *" "password: *" filetype:xls
• This returns xls files containing login names and passwords.
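The search on this slide finds spreadsheets that were published with credentials in them. The defensive counterpart is to scan documents for that kind of content before they reach a public web root or file share. The following is an added example, not code from the presentation or from CRYPTOCard: it checks exported spreadsheet text for credential-bearing columns and for inline "login: … password: …" pairs, reports line numbers, and masks the values so the scan report itself does not become another copy of the secrets. The sample CSV, the note text and the keyword heuristics are constructed for the example.

```python
import csv
import io
import re

# Constructed sample: a spreadsheet exported to CSV with a credentials sheet.
SAMPLE_CSV = """system,login,password,notes
intranet,jsmith,Summer2009!,shared with team
vpn,admin,,left blank on purpose
wiki,n/a,n/a,
mail,bob,hunter2,"""

# Constructed sample: free text such as a handover note pasted into a cell.
SAMPLE_NOTE = "Handover note. login: svc_backup password: Pa55w0rd (rotate!)"

# Column headers and inline keywords that suggest credential material.
# These heuristics are assumptions for the example, not a product's rule set.
HEADER_RE = re.compile(r"^(login|user(?:name)?|password|passwd|pwd)$", re.I)
INLINE_RE = re.compile(r"\b(login|user(?:name)?|password|passwd|pwd)\s*[:=]\s*(\S+)", re.I)
PLACEHOLDERS = {"", "n/a", "none", "null", "-", "*"}


def mask(value: str) -> str:
    """Keep only the first character so a report never reproduces the secret."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def find_credential_columns(text: str):
    """Return (line_number, {header: masked_value}) for rows that carry real-looking
    values in login/password-style columns; placeholder rows are ignored."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header:
        return []
    cred_idx = [i for i, h in enumerate(header) if HEADER_RE.match(h.strip())]
    hits = []
    for lineno, row in enumerate(reader, start=2):  # header is line 1
        values = {header[i]: row[i].strip() for i in cred_idx if i < len(row)}
        if any(v.lower() not in PLACEHOLDERS for v in values.values()):
            hits.append((lineno, {k: mask(v) for k, v in values.items()}))
    return hits


def find_inline_credentials(text: str):
    """Return (keyword, masked_value) pairs for 'login: x' / 'password: y' style text."""
    return [(kw.lower(), mask(val)) for kw, val in INLINE_RE.findall(text)]


def should_block_publication(text: str) -> bool:
    """Pre-publication gate: true if either scanner finds credential material."""
    return bool(find_credential_columns(text) or find_inline_credentials(text))


if __name__ == "__main__":
    for lineno, found in find_credential_columns(SAMPLE_CSV):
        print(f"line {lineno}: {found}")
    print(find_inline_credentials(SAMPLE_NOTE))
    print("block:", should_block_publication(SAMPLE_CSV))
```

Masking in the scanner output matters more than it looks: a DLP report that contains the cleartext password is itself a document that the same search would find.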
13. Auto Meta Data Mining
• Automated doc search via Google/Bing
• Specify domains to target
• Automated download and analysis of docs
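What the automated document mining on this slide harvests is mostly metadata: author names, Windows domain and account names, company names and the exact Office build, all stored in the document's property parts. The following is an added example, not code from the presentation or from any metadata-mining tool: it builds a constructed minimal OOXML package in memory, lists the properties a defender would consider leaky, and scrubs them while leaving harmless fields such as the title intact. The namespace URIs are the real OOXML ones; the list of "sensitive" property names is an assumption for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for the core and extended property parts (real URIs).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")
# Property names that commonly leak usernames, domains, company and software details.
# This set is an assumption for the example, not an official classification.
SENSITIVE = {"creator", "lastModifiedBy", "Company", "Manager",
             "Application", "AppVersion", "HyperlinkBase"}


def build_sample_doc() -> bytes:
    """Constructed minimal .docx-style package with leaky metadata (not a real file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:title>Q3 budget</dc:title><dc:creator>jsmith</dc:creator>'
        '<cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2009-05-01T10:00:00Z</dcterms:created>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
        '<Company>Example Corp</Company><AppVersion>12.0000</AppVersion></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
    return buf.getvalue()


def _localname(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def read_part(doc_bytes: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return z.read(name)


def extract_metadata(doc_bytes: bytes) -> dict:
    """Return {property: value} for every non-empty sensitive property in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for part in METADATA_PARTS:
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                name = _localname(el.tag)
                if name in SENSITIVE and el.text and el.text.strip():
                    found[name] = el.text.strip()
    return found


def scrub_metadata(doc_bytes: bytes) -> bytes:
    """Copy the package, blanking sensitive properties; all other parts pass through."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in METADATA_PARTS:
                root = ET.fromstring(data)
                for el in root.iter():
                    if _localname(el.tag) in SENSITIVE:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_doc()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub_metadata(doc)))
```

Running the extractor over a web root's published documents gives the same view of your organisation that an automated miner gets, and is a cheap check to add before publication.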
14. The Weapons
Key loggers, both software and hardware
So easy
And many more
16. Tor
• Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet, and it is being used by governments worldwide
17. 100 Government & Embassy Passwords
I uncovered last year on a hacking forum – reported to Hi Tech Crime Unit
Indian Embassy in Oman 65.109.245.38 da da01877y
Kazakhstan Embassy in Russia 81.176.67.157 akmaral@kazembassy.ru 86rb43
Kyrgyztan Embassy in Iran 212.42.96.15 embiran asdfgh
Uzbekistan Consulate in France 57.66.151.179 Parij_C p2a2r0i9j
Kazakhstan Embassy in Russia 81.176.67.157 alla@kazembassy.ru vhs35
Kyrgyztan Embassy in kazakhstan 212.42.96.15 kaz_emb W34#eEDd
Kazakhstan Embassy in212.34.224.157 m0006614 Berlin_C b5a6h7o8r9 dol57
Uzbekistan Consulate in Germany 57.66.151.179
Indian Embassy in Italy Russia 81.176.67.157 askarest@kazembassy.ru
srpq86m
Uzbekistan Embassy in Russia57.66.151.179 Dehli_C i1n9d5u6
Kazakhstan Consulate in India 81.176.67.157 b.kuatbekova@kazembassy.ru bk145
Indian Embassy in Belgium 212.100.160.114 commercial@indembassy.be india01
Uzbekistan Consulate in New York 57.66.151.179 Nyu_York_UN t2r7d31ln8
Kazakhstan Embassy in Russia 81.176.67.157 baimenche@kazembassy.ru 1956
Mongolian Embassy in USA 209.213.221.249 esyam@mongolianembassy.us temp
Uzbekistan Consulate in South Korea 57.66.151.179 Seul_C s1e7u0l7c
Kazakhstan Embassy in Russia 81.176.67.157 den@kazembassy.ru bek70
Mongolian Embassy in USA 209.213.221.249 j.mendee@mongolianembassy.us temp
Uzbekistan Consulate in USA 57.66.151.179 Vashington_c s7a9s5h3a1
Kazakhstan Embassy in Russia 81.176.67.157 emo@kazembassy.ru art35
Mongolian Embassy in USA 209.213.221.249 n.tumenbayar@mongolianembassy.us temp
Uzbekistan Embassy in Afghanistan 57.66.151.179 AfghanQ a1f2g3h4a5n6q
Kazakhstan Embassy in Russia 81.176.67.157 galikhin@kazembassy.ru aGC4jyfPassword
UK Visa Application Centre in Nepal 208.109.119.54 vfsuknepal@vfs-uk-np.com
The Office ofEmbassy in Afghanistantlc@dalailama.com tsephell
Uzbekistan Dalai Lama 65.19.137.2 57.66.151.179 afghanm a1f1g0h1a0n2m
23. What’s the solution?
Some options are more secure than others
• Create a password policy
• Improve your password security
• Implement Two-Factor Authentication
24. Solving the password problem
User productivity requires simple, flexible, continuous and secure access to information.
Users and their workspaces: internal people, branch offices, PDA users, remote users, 3rd-party access
Solution to the password problem: two-factor authentication – a unique identity for every user, every time they log in, using something they know + something they have
Your cloud: business processes, applications and company assets
25. Jason Hart CISSP CISM
Blog: www.twofactor.blogspot.com
Jason.Hart@CRYPTOCard.com
Thank you