This is the final part of Jayson E. Street’s Defcon talk where he explains how easy it may be to harvest company data and provides a summary of the presentation.
People are so busy protecting their stuff from these very high-level attacks that they are forgetting SQLi (oops, sorry Sony). Sometimes it’s a low-hanging fruit, and it really is the low-hanging fruit they are going to go after. So you got to be protecting that as well, you got to be protecting from these kinds of threats as well.

I love this one. This is the “Pwn Plug” from Pwnie Express. I took these pictures at a bank branch on the West Coast. I did 4 branches: 4 attempts, 4 successes. After the 4th one they told me to stop. The reason why is because I walked in, I was wearing a blue Defcon work shirt with warning labels, and I told them: “We have been having brownouts at the corporate office, and we need to check to make sure that the power fluctuations aren’t affecting your operations here. So what I’m gonna do is plug this device into your network so that I can take the readings and report back to the home office. And by the way, I need to go in and make sure all the computers have proper power surges and the UPS system is working.”
I used a false name that I had no ID, or identification, for. I used a fake company and a fake phone number. I signed in to their vendor log. If I would have come in there with a ski mask and a shotgun, every single person would have reacted exactly the right way – they have been trained to handle that. They did not expect the geek factor and they walked me through the teller area, the drive-through area, and through the backrooms where the actual money is, not the shiny little vault thing but the big safe with the actual money in it. What kind of damage could I have done? What I did do was I plugged in my Pwnie device. This one with the power unit on the right – I liked that one the best because I had to get the bank manager to get out of her seat so I could plug it in behind her desk. What I do right after that – it’s like… I don’t have to go to my car, I don’t have to phone home; I go to the bank lobby and I’ve got BackTrack 5 on a Xoom tablet, and I’ve got it already connected to the Pwnie Express. I’m pwning you before I even get out your door.

So, what are some of the countermeasures? There is only one major countermeasure, and that, frankly, is just going to be – stop printing! What happens to those papers in an office, for gosh sakes? Make sure you’re doing proper DLP (data loss prevention), make sure you’re talking about it. There’s a recent report about how some of these data leakages are mostly coming from inside, from the actual employees themselves. So make sure that not everything is being shared open.

So now, what can we do? Like I said, I’m the blue team. I like it when we win. I kid you not, I’m rooting so hard for the good guys when I go on an engagement. I look at some of those employees sometimes, thinking: “Do you believe what I just said? Seriously?” And when they let me in, I’m like: “Oh, dude! Obviously, I was a bad guy!” So what do we need to do though? We need to educate, empower and enforce our workforce, our employees.
And the best way to educate them is to stop this one simple phrase: “stupid users”. Stupid users clicked on an email; stupid users went to a website they weren’t supposed to go. You know what? If I’m in the security department, stupid me for not educating my employees properly on how to handle those kind of threats.
And another thing is, if I hire an employee and they don’t even have a driver’s license; if on their first day of work I’m telling them: “Here’s the keys to my Bentley, go do some deliveries”, and they crash that car – who’s the idiot? The one that started driving, or the one that gave them the keys? If we’re giving them technology they don’t know how to use, they need to start being educated properly on how to use it. Then, when they screw up we can say it, but not until then. We need to educate our employees and let them understand what they are going to do. We also need to empower our employees. We need to let them know one simple fact: they are part of the security team. From the CEO to the mailroom, you are part of the security team. It is part of your job and your duties to make sure you’re protecting the Company data. They need to know that and they need to enjoy that. They need to understand: you as information security have access to the biggest intrusion detection systems known to man. All those employees on the frontline are saying: “Oh, that looked weird. That shouldn’t have happened. Let me call somebody.” That’s what you need to start doing. You need to start empowering them and letting them know that it’s required.
I’ve got a guy who sends me 15 frickin emails a week on a phishing scam or some kind of other thing he thought was weird, and he wanted to make sure I knew about it. You know what I say every single time? “Awesome! Thank you very much, I appreciate it!” Because that 16th one is not going to be a false positive, it’s going to be something we need to respond to. I’d rather get 1000 false positives from people that are actually thinking about it, because to me that means they’re thinking about security. We do walkthroughs in our facility during our day job, and we look under keyboards for passwords. And we actually started finding them, that was bad. But then we started not finding them, but we still do it. You know why? Because every time you do that, everybody in that area is going: “Oh, they’re checking for something, we got to make sure everything’s okay.”
Creating that security awareness without shoving it down the throat – that’s how you do it and you enforce it. Not with a baseball bat (oh gosh, that would be fun), but with positive enforcement. When someone stops me when I don’t have a visible badge, I report them to their supervisor, and I say: “Awesome job!” That person did what they were supposed to do, that person is protecting our data. We’ve put a list on our bulletin saying: “People who got kudos for security”. They did the right thing, they did it the right way. And you know what that breeds? Competition. ‘Cause that frickin Suzie in accounting – she’s always getting the credit for doing that stuff. Well, I can do it too! You know, I can stop someone if I don’t think they have a proper badge. That’s how you enforce it. It doesn’t have to be negative. You’ve got a workforce, you’ve got a human intrusion detection system out there just waiting to be used – start using them. So, as soon as you stop saying “stupid user” and start saying “my coworkers in the information security department”, we’re gonna start winning.