We certainly appreciate being here today. We're going to give our attention to Jayson Street. Who's that? Have you given anybody awkward hugs lately? I've given a few. All right. We're going to give our attention to Jayson Street. His theme is how to protect your banks and enterprises. A talk by someone who robs banks and enterprises. So I like to start these kind of talks with a legal disclaimer. I'm not a lawyer, but I've played one on the internet. And this is it. I'm adorable. Okay. I will not try to steal from you, kill you, or ruin you financially unless you pay me first. There's always a contract. So when I talk about some really horrible things, and in some of these versions of this talk, every talk I've done this year has been different. It's like, but every version has one thing in common. It's really, really evil. So when I get to some of those points, just remember the kittens. I'm adorable. I'm not a bad guy. I'm just really good at playing one, you know, for good reasons. So the key thing about this talk, you're going to see a common thread. And it's just how we suck at risk assessments and how we're not worried about trying to defend our stuff so much from what's really going after us. We're defending our stuff, defending ourselves from things that really may not actually be going after us. And we need to go and start scaling back and actually defending the stuff that we need, that we can do immediately and effectively right now instead of worrying about all those other threats that are coming out there. This is the perfect example because this was the Super Bowl from this year. The Vice President was there, 5,000 police officers, Secret Service, probably some in the audience right now, hi guys. And a lot of other kinds of law enforcement and feds there at that event. High security event, tier level one security. Three teenagers went through a chain link fence.
They found a ladder and they were like, hey, let's just carry this ladder in and see what happens. And guess what happened? Everybody let them through. There's three guys carrying one ladder, 5,000 cops, they're like, yeah, seems legit, yeah, go through. What's up with that, right? The best part about it is the YouTube part of it. Guy Fieri and TMZ made cameos on this YouTube video. It was amazing. So there's your high level security event. It's like they weren't worried about all these other kind of threats, but they were, you know, not prepared for teenagers and a chain link fence with a hole in it. It's like you may want to worry about those things. Least important slide, but it's got to be in there. I'm a blue team and a red team guy. So I don't just try to destroy the stuff. I like try to fix it as well. How can you properly defend your networks and your companies and your corporations and your enterprises if you don't really know how they're attacked? And that's one of the other main themes of this talk, is how do you attack them? So, because we suck at risk assessment. Remember in 2015, it was the Ebola. Oh my God, Ebola came to America. Everybody flipped. This is worse than Shark Week, right? Or the summer of the shark. Like Ebola came to America. How many people died from Ebola in America? Two people. Two people died. And that's tragic. That's not funny. Two people died from Ebola. That's horrible, right? Fifty. Why are you laughing? You are horrible. Now you made me laugh and I look like a jerk. It's like, okay. At that same, well, yeah, okay, yes, that is true. I am a jerk. But still, it's like that same year that two people died from Ebola, fifty-five thousand Americans died from the flu. So while you were out there preparing for the Ebola to come and get you, maybe you should have taken a flu shot. That's all I'm saying. I mean, I'm saying to them, because they're dead and that's still once again tragic. Okay?
But seriously, the threat they were looking at was something so out there and scary that the news kept reporting. But what they could have been doing is taking basic care of themselves and maybe surviving. And because what do we fear and what do we actually go after? The leading causes of death in perspective. Leading one, heart and circulatory disorders. That's something I'm worried about. You know how much bacon I consume every day? It's like, that's horrible. I got to worry about that. That's a big threat for me. I've already had cancer, so, yolo. But look at the very, very, very, very, very bottom. The little bee, the little bee, the little bee. Top right there, terrorism. You know? But what do we fear the most? What's driven our economy so much? It's like what's empowered the TSA to be so idiotic? Terrorism. I have to grab your caught serves for the security of America. You know? And that leads to another problem. Because once again, we may not even know what we're supposed to be protecting ourselves from. But what we do is we put in these institutions policies and these things of saying, and telling the employees and not informing them properly of what they need to look at, so they do pattern matching. They'll go like, well, this is the scenario and this is how I need to react. We don't give them the leeway to actually think critically. There's no critical thinking in a lot of the security postures of a lot of corporations, enterprises, and let's say governments. Because this is my actual USB drive that was confiscated by that TSA agent. Do you know why that USB drive was confiscated? Because it looked like a grenade. That's it. It matched the pattern, exactly. Well, no, I tell you, I pulled the top off, showed them that it was a USB drive and then they're like, we can't take it. We have to take it. I'm like, no, I got to destroy it.
Because I actually had some malware that would actually mess with their machines and if they plugged it in by default, then it's like, I mean, I was like, no, I got to destroy that one because I'm not getting another rap, right? I now carry a USB drive grenade in my bag. But I take the top off and put it in another pocket. It goes fine. It's good. I've got a machine gun and a pistol in my bad USB drives. But I put them separately in two different pieces. It's like, they're totally cool. It's like, because it doesn't match the pattern. Don't we all feel secure when we fly out of Vegas on Monday? Right? So that's one of the problems as well. And what are we actually looking at? It's like it doesn't just go from physical, it's also from online. Everybody's worried about zero days. Zero days. Oh my gosh, they're dropping 0-days in here. Oh my God. We're not here in this talk, obviously. But you know, it's like they're dropping 0-days. We've got to worry about this. Worry about that. SQL injection has surfaced as the number one attack in 2015, probably 2017. SQL injection is not a security vulnerability. It's crappy coding. Stop treating it as a security vulnerability. And people will say, well, Jayson, still, you know, crappy coding can be a security vulnerability. SQL injection is not a security vulnerability. It is crappy coding. But if you're getting owned by SQL injection, you need to talk to your coders, not to your security department. Well, you need to talk to your security department to watch out for those coders because they're up to some sketchy stuff if they're still putting SQL injections in their stuff. Right? But who's coming after you? What are your threats? Is it nation states? Are you worried about nation states? I mean, I wouldn't be worried about nations, well, maybe a little bit. But look at these, you know, it's like you got nation states.
Unless you're running a centrifuge in Iran, maybe, or maybe you're owning a telecom company, maybe, or you're the pope. Seriously, we spy on the pope. Not that sketchy one with the red shoes, but this pope, the current one, the guy who dresses up as a regular priest in Vatican City at night and feeds the homeless. He's like the Batman of Popes. He's awesome. And it's like, and they still spy on him. What's up with that? And also, we don't have to worry too much. This was actually from the Vault 7 leaks. The root password for the SSH system was 1-2-3-A-B-C-D-E-F. So it's nice that our government is actually using, you know, upper and lower case and numbers, I guess. So that's awesome. Are you worried about Anonymous? How many people in here are from Anonymous? You failed! So I was like, are we really worried about them? And it's like, I mean I like that last article where it says, could the hacker group Anonymous do any real damage to Donald Trump's campaign as it's foretold or threatened? No. Sorry. It's a moment of silence for that one. How about criminals? Maybe criminals are out to be your threat. Maybe you should worry about getting robbed. Maybe they're the ones that are actually nation states with nation state tools hacking activist groups. Yes, those are threats and potential threats for certain areas. But the majority of people, you need to worry about your stuff getting stolen. They don't want to rob you. It's like, you know, you don't want to be a Target of cyber crime. Couldn't resist the pun. Sorry, that was awesome. Target lost over $100 million from that breach so far. So far. It's still losing. It's like, sorry. Were their security controls the vector of compromise? It was an HVAC system company that had a trust relationship. They compromised the HVAC system with a spear phishing campaign that they like to say was a sophisticated attack. Whatever. And they attacked Target.
And that's how they got compromised because of the trust relationship. It's like, and that's one of the things we're going to go after a little bit more as well. And talking about spear phishing emails, you talk about zero days, phish gets me every time. It's like the majority of workers blindly open email attachments, especially if they think it's from someone they know. Because why would someone send you something, you know, that's malicious. That's just me en route, right? So what I usually do at this point is when I gave this talk in South Africa I Googled Biggest Bank in South Africa. That totally didn't work as well as I thought it would. But when I went to Paris I Googled Biggest Bank in France and I randomly would pick a target from that search. So I would be, and at every single one of those, a person who was an employee from that bank in all those different countries was in the audience. It was sort of awkward, but fun. And it shows you that it can be that much of an impact. It can be that random and arbitrary; you're being attacked right now. But this is DEF CON and it's like I didn't want to just go after our Biggest Bank because y'all would be all cheering me on and go woohoo and the little banker person doesn't care. So it's like they're probably not in here, right? So I decided to do a little twist because Chris, you know, he was like inviting me here. I wanted to make something special for him. So I decided to put a little bit of a different theme on it and let's go fsociety on this one. Let's take down the government. Anybody with me? Awesome. So just like fsociety I'm just going to go random and I'm going to try to find, and it's based in New York. So let's go after one of those 1%-er companies. The Power 100 in New York. That's where they list all those fancy companies making all that money with the hedge funds and the Ferraris and all those people, right? Evil Corp. See, it might have been best exemplified by Related Companies. Hold on.
Related Companies. I didn't even know that was real. I mean that's just like E Corp, right? That's just like a random name that doesn't sound like it's real. That's one of those generic names. So yeah, let's attack them, right? So I'm going after Related Companies now. So this is my now target. So as I'm targeting Related Companies I just Google Related Companies. It's that easy. I know the CEO's name. I know their headquarters. I know the founder. I know when it was founded, the subsidiaries, whatever. The type of businesses and the profiles because they're on YouTube and Instagram because they're hip, Related Companies, right? So let's go look at some of their stuff. Let's go to their website. That's a pretty website. And that's how normal people see the website. When normal people go to a company's website this is what they see. Have I ever been accused of being normal? Never. So how do I see and an attacker see this website? Well, with this wonderful thing called extensions. So now, from just going to the website, all I have is their IP addresses, their hosting information, the nslookup numbers. It's sort of disappointing because they're actually really well protected and sort of irritating because they're using a lot of third-party services to help them, like SunGuard DNS and pphosted.com for their mail server. Really no joy. I was really unhappy about that because usually I've got a lot more information at this point and you're all going, ooh, wow, but now you're just like, yeah, it's lame, Jayson, you're right. But I did come up with this. All the domains that are listed on that IP address were things like onewarpark.com, related.com, then a whole bunch of .cn. I mean, a .cn, .cn, there we go. A lot of China domains and I'm fsociety, right? So is there Dark Army involved in this? I don't know. I'm a little nervous now, though. I'm a little nervous about this to see what happens. So it's like I go on from there.
Let's look at some of their social media profiles. There's YouTube because he wants to, I mean, Bloomberg seems very exciting and interesting. Yeah, they've got a lot of views on that one. What was it, 36 in three months? Yes, so y'all. Sorry, I don't mean to dis related.com. But here's our Instagram. That's hip and those are some nice pictures of buildings. But they've got 1,800 followers and they're only following 170 because they're very selective. That's nice. Let's go over their LinkedIn profile. Here's, I love LinkedIn. LinkedIn's like the Facebook of corporations. I will accept, by the way, I will accept every LinkedIn invite that I've gotten. I've accepted all of them and it's like because that helps, you know, spread my connections. So if you want to send me a LinkedIn invite, feel free. I'll take it. And so right here in LinkedIn, you see on the Related Companies, you see there's 1,600 targets, I'm sorry, employees on LinkedIn that I can go after, which is awesome. And then we look over here, that's sad because everybody knows I love to tweet. They're following four people. They have 309 followers that got one like and they haven't tweeted yet. How do you get 309 followers without even tweeting? I don't know how that happens. But they manage that. Here's their social profile, Facebook, because I usually like to go after Facebook to go after employees. Mostly, every attack I've done successfully through a company has gone through their Facebook profile or their Twitter profile. But remember, I'm fsociety. Okay. I'm going after the man. I ain't going after the employee. Okay. So here's the about page. This is where I usually go and pick my targets. So I'm looking at this long list of, you know, diversity here and I'm trying to figure out which person I'm trying to attack, right? And I come across this one guy, it's like that's straight out of Mr. Robot, right? Timmer F. Gayland. If that's not a made up name then it's like, that's a name that's easy.
He did something shady in his youth right now. You can tell that's really poorly done. Sorry, Timmer, Tomer or whatever it is. He's the executive vice president. He's going to be my patsy. He's the guy I'm going to act like, I'm going to assume his identity. And it's like, and how do you assume an identity? You've got to find information about him. So here's already something right now. He's been around. He was at Goldman Sachs. So he's part of the Man of Silver, you know, part of the 1% there. These are some of the things that he's done. Some of the places he's been, that's good information. I do a little bit more Googling on him, get a little bit more information. I get to his LinkedIn profile. Sad. Alias, right? That does not look like a legit profile. Some kind of executive person in the company. He created it and stopped that way when he realized how horrible LinkedIn is. It's like, I'm just done. But I didn't stop there, right? So I don't need to find that much information out about him, you know, because I'm just trying to assume his identity. It's not like I need to really find out where he lives, his home phone number, his address and where he was born. But I did. So that's cool. It's like, you know what? Maybe we want to like send him off onto the Hamptons and take over his apartment. It's like, and that's cool because we can Google Map it and we know where it's at. We can do something like that. So now we've got a pretty good amount of information on Mr. Timmer, right? What are we doing now? We need to find out the victim. The person we're going to attack and compromise. So we can take over everything, right? Let's go back to this wonderful list here. I literally, let's just look down the list and I see that poor guy at the very bottom just like, oh, what about me? It's George Perez. So let's go after George Perez. He seems like real... I don't know what movie he was in, but it was a bad one, right? It's like, he's a scene.
That guy's got like a Persian cat somewhere, the big armchair that he's done. He's done horrible things in his life, is all I'm saying. Sorry. Here's some more information about him. He's a vibrant urban sinner. He's really a nice guy. He helps with the art and he's like, he's not going to stop me from attacking him, but I just want to note that he seems like a really nice guy even though he does wear those shorts in public. So that gives me some information about his art. It gives me some more information about where he lives. All information that I can use to make the spear phishing email real. I want as much information as I can to make the spear phishing email real. How do I send the email though? I got to figure out what their email addresses are and that's hard. No, it's not. Sorry. I go to email-format.com, I type in the domain name and then they give you a nice little list of first name, last name, how their emails are sent out. And this one was actually sort of funny. Because when I did this one it came up with another, it comes up with another tab. And this tab actually shows you where those email addresses have been used. And when it did I saw that one that was highlighted right there, it was really weird, it was Union Square leasing at related.com and it went to this website and it said guest and it had a number. And usually I don't do this but hacking is all about just going on your instincts and just going, well what if I do this? So I went there. That doesn't look good. Does that look good to anybody? I mean I got into social engineering so I wouldn't have to be technical, but even from my perspective that don't look good.
So I went through that code a little bit, it's like I try to act like I did like CSI but not typing on two keyboards, and I went to the main website and I'm thinking yeah, that's not good for them, so they may want to fix that. FYI, I don't give warnings. I just let you see it and see, so hopefully they'll fix that eventually or start the restraining order. So now the next step is very important. This is the part where I do have to do an extra kitten warning, okay? Because if I send you an email about something good, something nice, like you won money, what are you going to do? Whatever, that's fake. No one sends me anything free ever. So that doesn't usually work. So what happens if you send them something bad? Something horrible that's happened. After the Boston bombing, within a day or so I got an email, it said Boston news. It literally had an IP address on it slash Boston. That was it. Your daughter was running in the Boston Marathon that day. You had relatives that live in Boston. You didn't know what was going on. CNN was giving you news about what was happening. Did you click that link? When tragedy strikes we want to know more information. During different times in this talk, in different places, I've used the murder of two girls. I've used a terrorist attack in Paris. I've used political unrest in South Africa to create my emails. Remember the kittens? But I'm an evil mother because I'm trying to steal from you. What part do we forget about that? Have you ever been robbed by someone going, I'm sorry about having to do this, dude. I know this is a little overkill. No pun intended, but I need all your money in your wallet. This shouldn't have to be necessary, but I will kill you if you don't give me your money. Please, I'm sorry. But I need your money. You don't get mugged like that unless you're in Canada, right? It's like, seriously. I am trying to steal from you. I've broken into a building in a wheelchair before. I'm a horrible person.
I'm trying to rob you. So of course I'm going to use deaths of people. I'm going to use tragic events. You know why? It increases my odds of you clicking the link. And that's what I want. So what do I need to do now? I need to google up some tragedy. Albums in Miami, quote, Related Group. Which is their company. You know how hard it is to google freaking "related" anything? This was like the worst assignment I gave myself ever. Usually this thing takes under an hour to get ready and done. It took me forever. Like at least two hours. I was not even playing Overwatch at the time. It was like horrible. But I did find some dirt. This was at the beginning of July of this year. Did Miami's biggest developer avoid labor taxes? The feds are investigating. Go on. Right? It's like, this is by Nicholas Nehamas. And it talks about, at the very bottom. Yeah. That building complex. So, I got it. Let's send an email. Please note it's in red. I used to comment on a dot. I didn't do anything bad. This did not actually go out. This is a demo for hypothetical demo purposes. So I went to George.Perez from Timber.Gay. I didn't send it out. Subject line is this is very concerning. We need to respond immediately. Three exclamation points. One exclamation point, I'm sort of excited. Two exclamation points, I'm shouting. Three, serious business. Okay. That means you got to pay attention to this one, mother. Something's going down. Right? So, greetings, George. I've just been contacted by Nicholas Nehamas who says he's been reporting on our issues with that place. He just published a more disturbing article that the accusations regarding you bear out will be leaving us with some tough decisions. I've already made inquiries to some old colleagues from Goldman Sachs and Moscow to find out what they can. We need to get ahead of this situation before it sinks our whole enterprise. Take care. Timber of Galen, sent from a mobile device. Did I tell him to click that link? No.
Did I tell him he really needed to click that link? Did that S.O.B. click that link? We're going to go out on a limb for the demo person. I probably think he would have clicked that link because, because you want to know what's going on. I'm not telling you to do something. I'm telling you about something horrible that's happening and I'm giving you a way to find out more. And that's all that's necessary. So, I also have a confession to make. It's like, you know, just a little bit of one. I lied. I'm sorry, my friends, but my confession is I couldn't trust you. So, there's a little bit more to this than I was letting you onto because I'm trying to disrupt the government. I'm trying not to just take out like related.com. So, what else did I decide to do? This wasn't random. All my other talks were pretty random and arbitrary, but there was a particular reason why I picked George here. Just a small one. I like that. George's bestie pal is somebody that I may actually want to attack. So, what do I need to do? I needed to compromise George first. Now I've compromised George and now I can send emails out as George. Who am I going to be sending out an email to? Right. But how? You know, someone exactly through Twitter. It's like, so how do I contact him? I don't have this, you know, how do you get the president's personal information? Maybe Pastebin. Please note to the feds, okay, I did obscure information that was necessary to obscure because I heard that he'd be pissed on. I'd be pissed off. If I let this information out, the Secret Service did tell me, then you're in trouble. And so I wouldn't do that. So, this is his official, there's his birthday, his social security number, all of Trump's personal email addresses that he uses, also all his family members' personal email addresses, all his Twitters, his YouTubes, all of that on Pastebin. So, yeah, that happened.
But now that I've got a way to email him on his personal email address, look at all those cameras coming up. And I'm a horrible person because I should be clicking to the next slide, but I'm waiting. Are we good? Hold on, I got it. Okay. Had to be taking pictures of private Secret Service to scream at me later, but you know, whatever. So now I need to find a way to get him and create the target, right? The email, I got to create an email that would make him click the link. So I just googled, reporter Trump hates the most. That sounds like it's going to work, right? So I found this guy, Wayne Barrett, who authored a book that painted Trump's financial history as at the least shady. Really? That's my shocked face, by the way. Okay, clutching the pearls and everything. So now I've got everything I need to know to create an email. And yes, there is a little thing because I really didn't change the first one very much. Here it is to chaos, our Q at Yahoo, which is his. George from George Zapparaz. This is looks, it's going to be a huge issue. No matter our differences, we need to get ahead of this. Three exclamation points. Now two things, it's like I needed to do misspellings because that way you'd understand it better. And two, they've had a falling out. It's like actually George and Donald actually had a falling out. So it's like I need to make sure that I understood that because I'm actually coming in like I'm trying to be concerned. So greetings, Donald. I've just been contacted by Wayne Barrett who says he's been writing a new book about you. He just published a very disturbing excerpt for his new book, which of the accusations regarding you will be leading us with some tough decisions. I've already made inquiries to some old colleagues from Goldman Sachs and Moscow, which he probably knows too, and we need to get ahead of this situation before it gets worse. I still consider you a friend. I do not want to see you being attacked this way.
Take care, George Perez, sent from a mobile device. No way he's clicking on that link, right? Be even funnier if he did it from his Android phone that he's no longer using, and I had a Stagefright exploit on there. So I think that's successfully how you would disrupt the government, you know. It's like you taking over the control of the person who's actually supposedly leading them. And you say, I'm sorry not to get too political. I promise you, if you look at my DEF CON 18 talk, I showed you how to assassinate President Obama. So I'm an equal opportunity attacker. So... And also another thing is I sent from a mobile device. And the reason why I do that is because why? Because when you see that, you make allowances. I don't know how they say hello, greetings, salutations, what's up, dude. You know, I don't know those. I don't know how they say take care, see you later, hasta la vista. It's like, I don't know. But when you see sent from a mobile device, the person goes, okay, well they were just in a hurry, they're just typing it out. And so that's the reason why all my emails, no matter what client I'm using, always say it's from a mobile device, because I don't care about spelling. So I think we can all agree, job done, right? Okay, now guess what? This is my dessert and vegetables talk. Because I just gave you the dessert. I hope we all had a good laugh. We all realized more importantly how simple and easy it is to craft an attack. How an attacker will look at your system and use your social media, use the information that you're willing to give out against you, right? Can we all agree that that was a good way to explain that and show it as an example? So let's actually see what we can do now. Give up? Maybe. How many people have been to a talk here where someone has gone and said, and this is how I broke this and I dropped the 0-day and it's broken and I just trashed it. The whole GUI needs to be rewritten. The company didn't know what to do.
They're not responding properly. It's horribly trashed. Okay, I'm done. See you later. You're like, how do you fix that? Well, I don't know. I just showed you how to break it. Those suck. If you're going to show me how something is broken, you better have some ways to show me how I can fix it or you're wasting my time. Period. So that's the way I look at this situation. So let's start doing some defensive stuff now because this is what the whole thing is all about. This next thing is, this is a defensive talk. Surprise. One of the things you can do for your company, if you don't know how to do OSINT, if your employees don't know how to do OSINT, there are assets and ways for them to learn and to get resources for that that you don't have to work on. osintframework.com will be one of those resources. It's a dropdown list for your employees to go through to start looking at your site, your company, as an attacker would. Because you have to look at your company like an attacker would, because attackers are looking at your company. Here's another thing. I went to the April for pointing this one out to me. Michael Bazzell actually has a distro that you can boot up for nothing but OSINT and social engineering purposes. It's like the Kali Linux for OSINT. It's like the Uber for hacking. But still, that's a great resource right there to give you all the tools preconfigured, pre-scripted out to help you do OSINT. To start looking at your employees' profiles that may be damaging to your company, that may be used against you. Also, we've learned how awesome Pastebin is, right? We already know that. Do searches on Pastebin. Pastebin has an alert feature. Your company's name, Hackered, Haxord, Carded, Bin Number List. It has a way to send you an alert when you put in the keywords to let you know, hey, you just showed up on Pastebin. And I just, heads up, there's hardly ever any reason you show up on Pastebin that's good, okay? I have never heard of one yet, okay?
I'm like, oh, look, oh, Pastebin, yeah. Awesome. Another thing that you could do is see what your devices are doing out on the internet. That's Shodan. And look at all the, look at this. Just like in a zombie movie, that many red dots is not going to end well for you, right? That's never a good thing. It's like all those are exposed and possibly compromisable machines and servers. And you know, a normal person would just leave it at that and just let you know to worry about it. But no, I'd like to go further. Let's look at one of them. This guy right here, 154.16.5.170. That's a lot of ports to be open to see. It's like, I mean, a lot, right? So let's go and look at them. Here they are, they're Net Stack Limited and they're going to be even more limited after this is over. There's the ports, they got OpenSSH running, that's nice. And look at the versions. That's what I like looking at. The versions of all these different servers. It's makingmoneycoach.com is their Postfix smtpd server. Awesome. They won't be making much money after this, right? Not my fault, it's already out there. I go a little bit further. I see the Apache. They're running an Apache server 2.4.25. Yeah, that's concerning, but we'll get to that a little bit later. What's on that Apache server? Oh, that is. Who wants to guess the user ID and password is admin/admin? I would not know. I'm not a bad person. I didn't actually check. I'm just saying it probably is. Okay. But I was more concerned about the version because you can just Google the Apache 2.4.25 and see vulnerabilities and see what comes up, and stuff like this comes up. They may be having some issues if not now, in the near future, like by Monday. Okay. Well, Jayson, who's really going through Shodan and trying to find vulnerabilities on servers and companies? Why would someone do that? That's just mean. This mother does it every day. Right? I mean, he's doing this just why, you know, because he can. Look at the things that he's found.
It's like, and before WannaCry came out, before WannaCry hit: 1.17 million hosts scanned, 33,000 ... 1,468 found infected. I mean, that's what he wants to do on a Friday night. I'm not going to judge, you know. It's like, cool. You know, it's all, we all have hobbies. So it's like, that's already out there. People are attacking. When you're physically at your house, you need to, you forgot to go to the store real quick and pick something up. You feel safe. Let me leave the door open, you know, or unlocked, and just run out there. My neighbors will watch me. When you connect a computer onto the internet, your neighbors are now China, Russia, Paraguay, Texas, you know, New York. It's like, it's everywhere, especially Paraguay. You gotta watch out for the Paraguayans. Any Paraguayans in here? Okay, I just like saying Paraguayans. Okay, so you gotta watch out for that, because those are your neighbors and they are constantly scanning. They are looking not for you. They're not looking for you. They're looking for an IP address that shows vulnerable, that shows that it's available to be attacked. That's all they care about. Not nationality, not political correctness, just: you're vulnerable, I attack you. If your teams are small and limited, start using blue teams and boxes. You got Tenable, you got Rapid7, that's some good stuff. Pony Express, some good stuff. vThreat is really cool because it actually does virtual intel for your corporation's internal network. Actually shows you what an exfiltration attack looks like. So I'm not here to hype products. I'm just here to tell you that those are some cool things that you can do. But literally the biggest tool in my toolbox that I use more than any other tool ever is this. Or Bing, if you want to get adventurous, you know. It's like, I mean, like I said, I attack everybody equally. So now what else can we do? What are some of the key things that we can do? Well, here's some things that I learned from Mubix that I want to share.
This is one of my favorites. WPAD. WPAD, if you've got WPAD on your network, you're going to have a bad day. Microsoft is anything but helpful. I mean, everything and helpful, right? That's what I was trying to say. Of course, Microsoft. Love you guys. So what do they do? They made it where if there was a host name on the internal network or the corporate network and the host name was WPAD, well, that means all your workstation traffic should go through it. Guess what every attacker in the world's computer name is? Yes. Well, after they changed it from Kali Linux, they changed it to, you know, WPAD. Right? So here's what you need to do. Make a null route to 127.0.0.1 and the DNS entry for WPAD. So that way, it just null routes. It doesn't go anywhere. Keep WPAD from communicating. And if you possibly can, just disable NetBIOS. Unless you're running Windows XP. If you're running Windows XP, don't even raise your hand, you'll make me sad and cry. It's like, that's bad and you feel bad. So you're probably not running Windows XP, so maybe not so much with that. Another thing to use, and I love this one. I love this one the most. But please understand, my qualifier: if you don't do step four, you're screwed, not my fault. Step one, create a user called domainadmin_temp. I mean, literally, create that in your domain controller. Put a password in the description. Say, password is, let me think, I want to be secure, Password2. Delete account by July 2016. Make it realistic, right? And then, you add it to the Domain Admins group. You literally make it a domain admin account. And you're saying, Jason, are you f'ing insane? Yes, but that's not the point. Step four, under the logon hours, you set to zero. What that means is they can never log in. The password is correct. It doesn't send an error that the password's wrong. It just doesn't log in. So, you set up an email alert in Event Viewer that someone used that account.
You now have a zero false positive that someone is attacking your network and has compromised your domain controller. Zero false positives, zero dollars, very little evidence, you detected a breach. No blinky boxes required. That's something you should be using on Monday. So, what else do we do? Credit where credit is due, that's all Rob Fuller, Twitter is Mubix. Cool guy. Another thing that I see way too often that really makes me sad, and I'm going to wait because everybody's taking pictures of Mubix's info. Okay, there we go. There we go. Unsegmented networks. What's up with that? Why are we keeping our networks all nice and open on the inside? I literally had to stop an engagement on the first day, tell the client that I was not charging them, that they had to use the money to actually put someone in who knew how to create a network. It was a flat network. I say flat, I mean the web servers were on the same 10.x.x.x network as the accountants, HR, web developers, CEOs. Email server on the same network. The kicker. The guest wireless access point that was unencrypted, that had the name of the company's name and guest, where was it? On the same 10.x.x.x network. I literally was like, how can you try to pay me to pen test a network when you're just, it's open. It's like you're asking me to break into a house and you forgot to put walls up. It's like, I don't know how to do this. You win. I don't know. I literally have no idea. If you're trying to confuse the attacker, it worked. It's like, segment your networks. Is there any reason why HR needs to talk over the network to the web developers? No. Is there any reason why the accountants need to talk over the network to the web developers? No. Is there any reason why the CEOs need to talk over the network to the web developers? Does anybody need to talk to the web developers? What I'm trying to say. It's like, no. It's like, segment those networks. Make it like a submarine.
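The decoy domain-admin alert described above, worked through as detection logic over constructed Windows Security event lines. This is an added example, not part of the talk or Mubix's material; the account name domainadmin_temp, the key=value export format and the sample events are assumptions.

```python
"""Detect any use of a decoy domain-admin account in Windows Security log exports.

Assumes the decoy is named domainadmin_temp and has its logon hours set to none,
so every attempt fails. The log lines are constructed samples in a simplified
key=value form; only the field names matter.
"""
import re
from dataclasses import dataclass

HONEYTOKEN_ACCOUNTS = {"domainadmin_temp"}  # decoy accounts that nobody should ever use

# Constructed sample export: one event per line.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=alice IpAddress=10.1.20.15 SubStatus=0x0
EventID=4625 TargetUserName=bob IpAddress=10.1.20.16 SubStatus=0xC000006A
EventID=4625 TargetUserName=domainadmin_temp IpAddress=10.1.50.99 SubStatus=0xC000006F
EventID=4776 TargetUserName=DOMAINADMIN_TEMP Workstation=UNKNOWN-PC Status=0xC000006F
EventID=4624 TargetUserName=carol IpAddress=10.1.20.17 SubStatus=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    event_id: str
    account: str
    source: str
    reason: str


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict of string fields."""
    return dict(FIELD_RE.findall(line))


def honeytoken_alerts(log_text: str) -> list:
    """Return one Alert per event that names a decoy account, whatever the outcome.

    The decoy can never legitimately log on, so any mention of it is a true
    positive: it only appears when someone read the description and tried it.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        account = ev.get("TargetUserName", "").lower()
        if account not in HONEYTOKEN_ACCOUNTS:
            continue
        status = ev.get("SubStatus") or ev.get("Status", "")
        # 0xC000006F is STATUS_INVALID_LOGON_HOURS: the password was right but the
        # logon fell outside allowed hours, exactly what the zero-hours decoy yields.
        reason = "decoy account used"
        if status.upper() == "0XC000006F":
            reason += " (correct password, blocked by logon hours)"
        source = ev.get("IpAddress") or ev.get("Workstation") or "unknown"
        alerts.append(Alert(ev.get("EventID", "?"), account, source, reason))
    return alerts


if __name__ == "__main__":
    for a in honeytoken_alerts(SAMPLE_EVENTS):
        print(f"ALERT event {a.event_id}: {a.account} from {a.source}: {a.reason}")
```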
It's like if one part goes down, it's like if a submarine gets hit and it doesn't destroy, what happens? One part is breached, but the rest is saved. That sucks for Bob in engineering. But still, the rest of the sub is okay. So you want to do that. You want to segment. Now here's a list of tips and tricks that I want you to start using. The very first one is patch. Are we tired of hearing that? You know what's even more tiring? Having to keep saying it. That's pretty tiring. Remember 2 months after the patch came out and you're thinking, that's horrible, they should have known better. Listen here. DEFCON 2002, the vulnerability for SQL Slammer came out. September of 2002, Microsoft came with the patch. February 2003, SQL Slammer hit. That's not the sad part, by the way, I'm getting to it. Check your firewall logs when you get back. Guess what you're going to see? Traffic for SQL Slammer. I don't want to go through the line, but you understand that's an unpatched system that's running SQL, that's unpatched on the internet, that's infected, still going on. If that doesn't make you want to drink, I don't know what does, and I don't drink. It's things like this that make an impact, but it's also a false impact, because when something like this happens, people take notice. When it gets this bad, like on the second day, they really take notice. There are probably more people patched for MS17-010 than MS08-067, because MS08-067, if you do pen testing, is the golden ticket.
Everybody thought MS17-010 was going to be okay, it's the new one, but now because of WannaCry it's like, no, they're all patched for that. You're like, oh no, we got to get that patched, but what about those ones from 2008? Oh no, we'll leave those, let's make sure we got that one patch on. That's how they think. You have to make sure your policies dictate patching every month, and not just the OS but all the applications that are out there. Make sure you're patching your Adobe and your Java, and your Adobe and Java, the Java and the Adobe, like every week maybe on those, but still, make sure you have a patching policy for them. Another thing to do is a one by one pixel GIF, and I literally googled, trust me, you can see that I googled 1x1 pixel GIF and there's actually one there. Put it on your website, put a link to it to a page that does nothing but record the IP address, the operating system and user agent string of whoever clicked it. Because how many people do you know, they're on a website going, I wonder if there's a secret pixel, I wonder if there's a secret pixel? Okay, I did that once, but I was bored and it was like three in the morning, okay, don't judge me, okay. But what does click on those links? Bots, phishing people scraping the whole website for a phishing attack, Nikto, OpenVAS. And trust me, there is no, if you run a bank site and Nikto's perusing your website, they're not looking for their mortgage loan, okay? Nikto's never there to check to see if they qualify, it's just not going to happen. So make sure you're alerting for those, and better yet, not just alerting to the fact that those user agents are going on to your website and people are scanning it, but then start blocking them. Your user agent strings, you have a list of bad user agent strings that you can tell your web server to refuse. It's like, you know, no Nikto, no OpenVAS, no Internet Explorer, sorry, that was my web server, sorry. You can just say no to these user agent strings and shut them down. They don't eliminate your risk, but it helps to narrow it. I'm not trying to tell you how to solve everything, I'm trying to help you be a little bit better secured. Another thing is start blocking countries. Anybody here doing business in Paraguay? You're shady. But if you don't do business in Paraguay, why is Paraguay allowed to see you on the internet? If you don't do business in Canada, because, you know, Canadians, it's like you should be blocking Canada from seeing your website, your whole entire network, to be blocked at the firewall. The ASN number should be blocked if you don't do business in those countries. It's like limiting the attack vector. Also, it limits spam, and you tell that to your executives and they'll sign off on it immediately. Okay, it'll help lower our spam? Oh yeah, let's get that going, let's get that done. So you want to do that. Speaking of spam, it's like in spear phishing and emails, do you own all the different domains and variations that could be used against you? This is one of the saddest slides I've ever created. This was a talk I did in 2012, and the reason why it was so sad is, as you can tell, PearsonFoundation.org and PearsonEd.com, one with a zero and the other one with a one, were available. Seriously. They're not available anymore, it's like, I don't know who owns it, hopefully Pearson does, but I doubt it. They were available at the time that I gave the talk. That's sad. You should own the variations of your website. It's not going to solve your phishing problems, but once again, it helps lower the risk, it helps to mitigate it. Another thing is, sometimes your employees need to click on a link, they need to click to upload an attachment. First of all, you teach them how to be suspicious of those when someone is sending them, but the next thing you can do is tell them to go to places like virustotal.com. Tell them to upload the URL or the package. If the attachment only has non-private, non-secret, non-confidential information, tell them to upload the attachment. This site is owned by Google,
they probably already have it, it's not as if it's something they don't already got. So tell them to do that, scan it to see if it's actually a virus, to see if it's actually something there. Yeah, it's sort of 5 minutes, but maybe a little more. So now one of the next ones is, web developers should be building good code, which makes it more secure. SQL injection is not a security vulnerability, it's crappy coding. So last but not least, see them to the last and not least part, it's like, create teachable moments for your employees. Your employees don't always, this is going to be a shock to you, but maybe, just maybe, your employees don't learn the best lessons by taking that 20 question multiple choice quiz that they can go back and change the answer if they got it wrong, on their intranet, every quarter or year. Maybe not. Create teachable moments for them. Go and have your security team go around every building, every site that you own, and look under the keyboards for passwords. Sad part is, they'll probably find some. But more importantly, the employees will know that you're looking for those things, that you have a security team that actually exists, and actually in the real world that could do something like that. It's like, that creates a teachable moment. I gave a talk a couple years ago where I went to all these different security conferences. These are all results from those conferences on a WiFi Pineapple, showing people, oh look, y'all connected on those. That's sad. It was very sad. It was even sadder, I went to RSA, they invited me to speak, never since, but within 7 minutes 42 people connected to my WiFi Pineapple. RSA, a security event full of security people, I heard a lot of CISSPs go there. 7 minutes, 42. I could have gotten more, but come on, lucky number 7, and the answer for the life, the universe and everything, I had to stop there. But you're thinking, Jason, that's an old example, what's a teachable moment for us now? How many people have gone to this website?
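The hidden-pixel beacon and the refusal of scanner user agents from the tips above, as one request-handling function that could sit in front of a web app. Added example, not code from the talk; the pixel path, the marker list and the sample requests are constructed.

```python
"""Hidden-pixel beacon plus scanner user-agent filtering for a web front end."""
import base64
from dataclasses import dataclass, field
from typing import Optional

# Smallest common transparent 1x1 GIF (42 bytes), the kind of file the talk mentions.
PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
PIXEL_PATH = "/img/spacer.gif"  # assumed path for the invisible link; choose your own

# User agents with no business on a customer-facing site. Case-insensitive
# substring match; extend the list from your own logs.
BLOCKED_UA_MARKERS = ("nikto", "openvas", "sqlmap", "masscan", "zgrab")


@dataclass
class Decision:
    status: int
    body: bytes = b""
    content_type: str = "text/plain"
    beacon_hit: Optional[dict] = None


@dataclass
class Request:
    method: str
    path: str
    remote_addr: str
    headers: dict = field(default_factory=dict)


def ua_is_blocked(user_agent: str) -> bool:
    ua = user_agent.lower()
    return any(marker in ua for marker in BLOCKED_UA_MARKERS)


def handle(req: Request, beacon_log: list) -> Decision:
    ua = req.headers.get("User-Agent", "")
    # 1. Refuse known scanner user agents before any application code runs.
    if ua_is_blocked(ua):
        return Decision(403, b"forbidden")
    # 2. Nobody clicks an invisible link, so a fetch of the pixel is a crawler or a
    #    scraper cloning the site. Record who asked for it, then serve the pixel.
    if req.path == PIXEL_PATH:
        hit = {"ip": req.remote_addr, "ua": ua, "referer": req.headers.get("Referer", "")}
        beacon_log.append(hit)
        return Decision(200, PIXEL_GIF, "image/gif", hit)
    return Decision(200, b"normal page", "text/html")


if __name__ == "__main__":
    log: list = []
    samples = [  # constructed requests
        Request("GET", "/", "198.51.100.7", {"User-Agent": "Mozilla/5.0 (Windows NT 10.0)"}),
        Request("GET", "/", "203.0.113.9", {"User-Agent": "Mozilla/5.00 (Nikto/2.1.6)"}),
        Request("GET", PIXEL_PATH, "203.0.113.10", {"User-Agent": "python-requests/2.31"}),
    ]
    for r in samples:
        d = handle(r, log)
        print(r.remote_addr, r.path, "->", d.status, "beacon hit" if d.beacon_hit else "")
```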
Raise your hand. The answer is none. None of you have gone to this website. All you guys went to this website. See, you thought you were going here, you went there. To make it a little bit more clear, I've put a different graphic on the website now than I showed you the first time. It's this one: social-engineering.org.cgi-bin.email/confirmation/index.php. If you actually go there right now, you will see that llama judging you harshly, as well it should. I own cgi-bin.email, so that means I can make anything my subdomain. Humans, when they're looking at the web, even if it's eastern culture or western culture, no matter which way they write, on a website they read left to right. Computers always read right to left on a web address bar, so they don't care what my subdomains are. But humans look at the email, they look at the URL, they go, social-engineering.org, that seems legit. I've seen cgi-bin before. Email, this is an email that they sent me, I'm getting a confirmation, yeah, I should click on this. Oops. So there you go. Now I want to leave it with one last important thing, okay. There are good employees. This is an example of an actually pretty good response from Mandalay Bay for Black Hat coming in the first part of the week. They used that conference as a teachable moment for their employees, not by going, saying, oh, close down, we don't accept USB drives now, only email attachments, because we're going to get pwned because the hackers are in town. But no, they didn't do that, okay. What they did was say, hey, this is a good time to be security aware, learn, here's a good security tip on email phishing. It actually tried to teach them a lesson, using this as a way for a teachable moment by having the conference there. That's a proper way to do it, and once again, that's a positive thing to do. Are you doing positive messages to your company, to your executives, when they do something right, when they actually get security right? Do you create a positive teachable moment, or is it always
negative, something that someone's failed at? Results may vary. So I'm going to leave it there, but I got 14 seconds, so screw the questions, sorry. We're just going to go with several minutes of uncomfortable silence and I'm going to drink here. No, I'm serious, it's done. Thank you.