
iSymposium 2018 - Live Hack with Ben and Kassie Holt


Talk given on 4/26 at the Adobe campus in Lehi, with three live hacking demonstrations: a physical drive removal, a Google Gruyere privilege escalation, and a Remote Desktop network scan and brute-force attack.


Ben Holt

April 26, 2018



  1. Live Hack: Even an 11 Year Old Can Do It
     Ben Holt | Stoel Rives
     Kassie Holt | Beehive Science & Technology Academy
     For iSymposium on April 26, 2018
  2. 53,000+ Number of Confirmed Incidents; 2,216 Confirmed Data Breaches
     Source: 2018 Verizon DBIR
  3. 2017: WannaCry, NHS; NotPetya, Maersk; 143 Million People; Employee Data, Episodes; 60,000 Customers; Cryptocurrency $133 M; 57 M Users’ Data
  4. Types of Threats: External, Internal, Physical
  5. Let’s Talk About Physical Security
  6. Source: 2018 Verizon DBIR
  7. Source: 2018 Verizon DBIR
  8. Definition: To Pwn
     • To utterly dominate
     • Comes from a map designer in WarCraft that misspelled a message that “Player has been Pwned”
       ◦ Urban Dictionary
  9. Let’s Talk About Physical Security
     To: Kassie
     From: Dad
     Can you retrieve my customer list? I can’t remember my password. But it is in my user folder on the computer.
  10. What Happened?
     • Bypass computer protections
     • Physically Moved the Drive
     • OS Level Password/User Restrictions Ignored
     • Can Also Change Password File
  11. Physical Access is Dangerous. Mitigation is Important
     • Full Disk Encryption
     • Limit Access to Servers
     • Limit Number of Password Retries
     • TCM (Trusted Computing Module)
     If you learn one thing from me: Use Full Disk Encryption on All Computing Systems
  12. Let’s Talk About External Security
  13. Source: 2018 Verizon DBIR
  14. Source: 2018 Verizon DBIR
  15. Let’s Talk About External Security
     To: Kassie
     From: Dad
     I’m thinking about using Google Gruyere Software for our social media platform. I want to be hip and cool. Can you check it out?
  16. What Happened?
     • Didn’t Sanitize the Inputs
     • Looked at Cookie and Discovered Username | Role
     • Application Did Not Forbid “|” in Username
     • Create New Username with Role In It
     • Logout
     • Login
     • Deny Service
  17. Security by Design is Critical. Mitigation: Contracts & Oversight
     • Security Needs to Be “Baked-In”
     • How Do They Test Security?
     • What Responsibility do They Take?
     • What is Their Response Plan?
     • How Do They Store Your Data?
     Free Services Are Not Free - They Take No Responsibility
  18. Let’s Talk About Internal Security
  19. Source: 2018 Verizon DBIR
  20. Source: 2018 Verizon DBIR
  21. Let’s Talk About Internal Security
     To: Kassie
     From: Dad
     The IT group is trying to pass policies that make my remote work so much more difficult. Can you show them that I am secure? That way I can tell them to back off and let me work remotely in peace.
  22. What Happened?
     • Remote Access Was Enabled
     • Attacker Scanned Network
     • User chose a common password
     • Admin Did not Mitigate
     • Roll Through Many Password Tries Per Second
  23. If a User Can Get In, A Hacker Can Too. Mitigation: Training and Understanding
     • Policies are Only as Good as They Are Followed
     • Train for Understanding with Compliance
     • Limit Access
     • Use Two Factor Authentication
     • Exponential Backoff
     • Monitor
     “Stupidity is a more dangerous enemy of the good than malice. One may protest against evil; it can be exposed and, if need be, prevented by use of force. Evil always carries within itself the germ of its own subversion in that it leaves behind in human beings at least a sense of unease. Against stupidity we are defenseless.” -- Dietrich Bonhoeffer
  24. Wrap-Up
  25. What Should I Worry About? Source: 2018 Verizon DBIR
  26. Questions? Thank You!
     Ben Holt, Ben.Holt@stoel.com
     Kassie Holt, www.bionicporcupines.com, www.facebook.com/bionicporcupines/
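The cookie flaw from the Gruyere demo on slide 16 (the role rides in a "username|role" cookie and "|" is allowed in usernames), shown as an added example that is not code from the talk or from Google Gruyere itself: a simplified vulnerable parser beside a hardened one that allow-lists the username alphabet and authenticates the cookie with an HMAC. The cookie layout, usernames and secret are constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Constructed secret for this example only; a real service loads it from protected config.
SECRET = b"example-only-secret"


# --- Vulnerable model of the slide-16 flaw: role lives in an unsigned "username|role" cookie
def make_cookie_vulnerable(username: str, role: str) -> str:
    return f"{username}|{role}"  # no check that the username is free of "|"


def parse_cookie_vulnerable(cookie: str) -> Tuple[str, str]:
    parts = cookie.split("|")
    return parts[0], parts[1]  # a username containing "|" shifts the role field


# --- Hardened version: allow-list the username alphabet and sign the cookie
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(username: str) -> bool:
    """Allow-list check at registration time; the delimiter "|" can never pass."""
    return USERNAME_RE.fullmatch(username) is not None


def make_cookie_hardened(username: str, role: str) -> str:
    if not validate_username(username):
        raise ValueError("username contains disallowed characters")
    payload = f"{username}|{role}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def parse_cookie_hardened(cookie: str) -> Optional[Tuple[str, str]]:
    """Return (username, role), or None when the cookie is forged or tampered with."""
    payload, _, tag = cookie.rpartition("|")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tag mismatch: the client edited or fabricated the cookie
    fields = payload.split("|")
    if len(fields) != 2 or not validate_username(fields[0]):
        return None  # defence in depth: reject any layout the server never issued
    return fields[0], fields[1]
```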