Transcript of Hackers
By Tom Brooke
The Art of Exploitation
- Unix ‘hacked’ together
- Cap ‘n Crunch phone exploit discovered
- Morris Internet worm crashes 6,000 servers
- $10 million transferred from CitiBank accounts
- Kevin Mitnick sentenced to 5 years in jail
- 15,700 credit and debit card numbers stolen from Western Union
- Code Red - exploited a bug in MS IIS to penetrate and spread; probed random IPs for systems running IIS; had a trigger time for a denial-of-service attack
- Nimda - used multiple infection mechanisms: email, shares, web client, IIS
- Slammer Worm brings web to its knees by attacking MS SQL Server
- Blaster Worm - The worm was programmed to start a SYN flood against port 80 of windowsupdate.com
- Conficker, largest known computer worm infection since the Welchia Worm
- Comodo CA hacked by the 'ComodoHacker' and went on to compromise DigiNotar
- Hackers for Hire - compromised Bit9
- BIGGEST DDoS ATTACK IN HISTORY hammers Spamhaus
A Short History of Attacks...
Origin, History & Why people hack?
Palo Is the Hackers Firewall
Common Cyber Security Threats
The Art Of Exploitation
Basic Steps for an Attacker
Demystifying common attacks
Security Best Practice Guidelines
Demystifying Common Attacks
Common Cyber-Security Threats
A virus is a type of malware that, when executed, replicates by inserting copies of itself into other computer programs, data files, or the boot sector of the hard drive.
Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, spamming their contacts, or logging their keystrokes.
A worm is a standalone malware program that replicates itself in order to spread to other computers.
Unlike a computer virus, it does not need to attach itself to an existing program.
Worms almost always cause at least some harm to the network, even if only by consuming bandwidth.
Advanced Persistent Threat
An advanced persistent threat (APT) is a set of stealthy and continuous hacking processes, often orchestrated by humans targeting a specific entity.
An APT usually targets organisations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time.
- The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems.
- The "persistent" process suggests that an external command and control is continuously monitoring and extracting data off a specific target.
- The "threat" process indicates human involvement in orchestrating the attack.
The Four Amigos... Stuxnet, Flame, Gauss and DuQu
- Stuxnet: targeted the computer hardware of Iran's nuclear program. Like a flying espionage-type drone attack, it sought specific systems and networks.
- Flame: attacks computers running the Windows operating system, mostly Windows 7 and XP from what we understand. The malicious program was being used for targeted cyber espionage in Middle Eastern countries.
- Gauss: steals passwords, specifically banking credentials, and browser cookies from browsers. Similar to Flame in that it is coded in a similar fashion and shares the same module structures and means of communication with the command and control servers.
- DuQu: think of DuQu as a child of Stuxnet, since its executables seem to have been developed after Stuxnet because they use the same Stuxnet source code. Central to DuQu was its ability to capture keystrokes and computer system and network information.
Currently, "hacker" can be seen as:
General term for hacker...
As someone who is able to subvert computer security; if doing so for malicious purposes, the person can also be called a cracker.
A hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge.
Know Your Enemy... Hackers
Bit9 offers a trust-based security platform that runs off of a cloud-based reputation service combined with policy-driven application control and whitelisting to protect against cyberthreats.
The Bit9 compromise was only a small piece of a much larger watering-hole operation known as the VOHO campaign, which impacted hundreds of organisations in the United States.
Hidden Lynx managed to break into Bit9's network using an SQL injection attack. Due to an operational oversight, a public-facing server that wasn't protected with the Bit9 platform allowed the attackers to gain unauthorised access. The attackers installed Backdoor.Hikit, a Trojan that provides extremely stealthy remote access to compromised systems.
Is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks.
This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks.
There are plenty of methodologies around, detailing the breakdown of steps involved in hacking and exploiting a network or system, but first you need to understand the Open System Interconnection (OSI) model, which defines a networking framework developed by the International Organisation for Standardisation (ISO).
Basic Steps for an Attacker
RIPE - Whois - LinkedIn - Google - DNS - SMTP - Archive.org - Netcraft
2: Nmap - SuperScan - Nessus - Saint
HP WebInspect - Burp Suite Pro - Qualys
Kali Metasploit - Armitage - CoreImpact
Canvas - neXpose - Burp Suite Pro - BeEF
Evader AET - Cain & Abel - John the Ripper
Ophcrack - Spoofing - Session Hijacking
Worms - Virus - Beast Trojan - Poison Ivy (RAT)
Delete log files - Windows event - Command history - Remove installed programs - Tunneling - Steganography
NetBIOS / NBNS Spoofing
Modern operating systems use DNS as their preferred method for resolving names, especially within a domain environment. Windows machines resolve the names of other machines on the network in the following order:
Windows first looks in its local hosts file at
It will then check its own DNS cache to see if the name has been recently resolved.
If this fails, it will send a request over to its configured DNS server(s).
If the DNS server cannot resolve it (and assuming the name is in the non-standard DNS format) the client will send the request to its configured WINS server (if specified).
If at this point the client has still not received a reply, it will send out a series of NetBIOS broadcasts.
Finally, if all else fails, it will look inside its LMHOSTS file at
Demystifying common Attacks Cont...
Reflected XSS: this is the most common example of cross-site scripting. It targets vulnerabilities that arise when a website sends input data to the server for processing and the generated results are then sent back to the user.
This type of attack succeeds when the intruder can send code blocks to the server and those blocks are reflected in the results too.
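The reflection described above, shown as a deliberately vulnerable handler beside a hardened one. This is an added example, not part of the original presentation; the handler names, the page template and the two probe strings are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# The search term is reflected twice: in element content and in an attribute.
PAGE = '<h1>Results for {q}</h1><input name="q" value="{q}">'

def search_vulnerable(environ, start_response):
    """Deliberately vulnerable: echoes the q parameter into HTML unencoded."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [PAGE.format(q=q).encode("utf-8")]

def search_hardened(environ, start_response):
    """Same page, with the reflected value HTML-encoded before it is written out."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    safe = html.escape(q, quote=True)  # encodes & < > " '
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Content-Security-Policy", "default-src 'self'"),  # second layer
               ("X-Content-Type-Options", "nosniff")]
    start_response("200 OK", headers)
    return [PAGE.format(q=safe).encode("utf-8")]

def call(app, query_string):
    """Invoke a WSGI app in-process with a constructed request; returns (headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["headers"] = dict(headers)
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return seen["headers"], body.decode("utf-8")

# Constructed probe values of the kind a scanner submits:
PROBE_BODY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"  # element context
PROBE_ATTR = "q=%22+onfocus%3D%22x"                    # attribute context

if __name__ == "__main__":
    for app in (search_vulnerable, search_hardened):
        for probe in (PROBE_BODY, PROBE_ATTR):
            print(app.__name__, "->", call(app, probe)[1])
```

Encoding has to match the output context: `html.escape` covers element content and quoted attributes, but not values written into script blocks or URLs.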
By configuring three simple modules within Metasploit:
You can capture LM and NTLM hashes over the network for cracking offline.
Netbios Spoofing Cont...
In addition to this, a tool was released last year called Responder that includes all these attacks, plus WPAD poisoning, NTLMv1 downgrading, ICMP redirection and many more. It also has better safety measures in place to minimize disruptions on the network. So get out of here, and go check it out :)
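A defender's check for the spoofing described above, as an added example that is not part of the original presentation: query for canary names that no host owns and flag any positive NBNS answer. The canary names, addresses and sample packets are constructed; the packet layout assumed is the RFC 1002 positive name query response.

```python
import socket
import struct

# Canary names the defender queries for; chosen so that no real host owns them (constructed).
CANARIES = {"ZQXFILESRV07", "PRN-KJ4412"}

def encode_name(name, suffix=0x00):
    """First-level NetBIOS encoding: 16 raw bytes become 32 letters 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    body = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + body + b"\x00"

def decode_name(field):
    """Reverse encode_name; drops the suffix byte and the space padding."""
    if len(field) != 34 or field[0] != 0x20 or field[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    body = field[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip()

def parse_response(pkt):
    """Return (name, ip) for a positive NBNS name query response, else None."""
    if len(pkt) < 62:  # 12 header + 34 name + 10 RR fields + 6 RDATA
        return None
    _txid, flags, _qd, ancount = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or flags & 0x000F or ancount < 1:
        return None  # a query, an error reply, or no answer record
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    if rtype != 0x0020 or rdlen < 6:
        return None  # not an NB (name service) record
    try:
        name = decode_name(pkt[12:46])
    except ValueError:
        return None
    return name, socket.inet_ntoa(pkt[58:62])  # RDATA = 2-byte NB_FLAGS + IPv4

def spoofed_answers(packets):
    """A positive answer for a canary name means some host answers for names it cannot own."""
    hits = [parse_response(p) for p in packets]
    return [h for h in hits if h and h[0] in CANARIES]

def make_response(name, ip):
    """Build a constructed positive response (sample data for this example only)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8500, 0, 1, 0, 0)
    rr = struct.pack("!HHIH", 0x0020, 0x0001, 165, 6) + b"\x00\x00" + socket.inet_aton(ip)
    return hdr + encode_name(name) + rr

SAMPLES = [make_response("FILESRV01", "10.0.0.5"), make_response("ZQXFILESRV07", "10.0.0.66")]
```

In use, the packets would come from a capture of UDP port 137 taken while the canary queries are broadcast; the source address of any hit is the host to investigate.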
Security Best Practice Guidelines...The Basics
Encrypt your data:
Stored data, filesystems, and across-the-wire transfers all need to be encrypted.
Use digital certificates to sign all of your sites:
Save your certificates to hardware devices such as routers or load balancers and not on the web server as is traditionally done.
Implement a removable media policy:
Restrict the use of USB drives, external hard disks, thumb drives, external DVD writers, and any writeable media. These devices facilitate security breaches coming into or leaving your network.
Secure websites against MITM and malware infections:
Use SSL, scan your website daily for malware, set the Secure flag for all session cookies, use SSL certificates with Extended Validation.
Use a spam filter on email servers:
Use a time-tested spam filter such as SpamAssassin to remove unwanted email from entering your users' inboxes and junk folders.
Use a comprehensive endpoint security solution:
Symantec suggests using a multi-layered product (theirs, of course) to prevent malware infections on user devices. Antivirus software alone is not enough. Antivirus, personal firewall, and intrusion detection are all part of the total approach to endpoint protection.
Maintain security patches:
Some antivirus programs update on what seems like a daily basis. Be sure that your software and hardware defenses stay up to date with new antimalware signatures and the latest patches. If you turn off automatic updating, set up a regular scan and remediate plan for your systems.
Network-based security hardware and software:
Use firewalls, gateway antivirus, intrusion detection devices, honey pots, and monitoring to screen for DoS attacks, virus signatures, unauthorized intrusion, port scans, and other "over the network" attacks and attempts at security breaches.
Implement DLP and auditing FIM:
Use data loss prevention and file auditing to monitor, alert, identify, and block the flow of data into and out of your network.
Implement Security Information and Event Management (SIEM):
SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.
Educate your users:
It might be the most important non-hardware, non-software solution available. An informed user is a user who behaves more responsibly and takes fewer risks with valuable company data, including email.
A web application firewall (WAF):
Is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant, and the rules need to be maintained as the application is modified.
Enhanced Mitigation Experience Toolkit (EMET):
Have regular audits:
TIGER TEAM ATTACK, White Box, Grey Box and Black Box test... Social Engineering Attacks
Focus on the kill-chain approach and on the Vocabulary for Event Recording and Incident Sharing (VERIS), a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.