To introduce Mikey Veenstra: this is the photographer. "What the Hack: Fortifying Your Security by Understanding Your Adversary." Mikey Veenstra is a threat analyst at Wordfence. He believes that the best way to understand something is to try and teach it to someone who believes they'll never understand it themselves. The internet is a pinnacle of human collaboration. At the same time, it can seem prohibitively difficult to make proper use of for the layperson. By making tricky concepts as digestible and accessible as possible, we stand to greatly improve the experience not only for the organizations building our web presence, but for future users as well. So, please give him a hand.

Good morning, everybody. So, is everybody able to hear me in the back? I don't really want to shout so much; I was out pretty late last night. So, yeah, this is "What the Hack: Fortifying Your Security by Understanding Your Adversary." Here in the next hour or so, we're going to be talking about how websites get hacked and how organizations themselves get hacked, from the perspective of the people doing it. And by understanding that, you're going to be in a much better position to defend against it, rather than trying to defend against some devious concept of a hacker. We'll see that. You know, trying to defend against a devious hacker that just has these seemingly magical powers seems pretty impossible. So, if we can make that part of the lesson fade, we can probably do a little bit better at the job.

So, my name is Mikey. I'm a threat analyst at Defiant. We're the company that makes Wordfence. You've probably seen me over at the Wordfence booth. Raise your hand if I taught you how to pick a lock yesterday. That's awesome. It's probably why you're here right now. So, in addition to that, I'm a Global Information Assurance Certification (GIAC) advisory board member and a certified web application penetration tester.
That's all a bunch of lofty language to say that I've done some studying and gotten through some tests, and people seem to like what I have to say about it. What I do at Defiant is threat analysis, or threat intelligence. So, I look at data from millions of websites, the firewall logs, malware scan activity, and I try to use that data to paint a picture of how all Wordfence sites are getting attacked, who's doing it, and how we can better stop it from happening in the first place. Outside of all that, I'm just sort of a standard-issue geek dad. I've got a beautiful two-and-a-half-year-old daughter, and she is way cooler than me and way smarter than me too, so look out.

So, lately, probably the last year and a half or so, it really seems like information security news is just constantly dropping. Every 45 minutes or so, you hear about some major service getting breached, and all hell is breaking loose, and they lost all of our passwords and all of our credit card data and what have you. But there's actually a silver lining here. Despite the fact that that can be completely terrifying for the layperson, we know that awareness is going up, and this is happening both at the vendor level and the consumer level. We know vendors are becoming more open to security because responsible disclosure policies are coming out, where if you are a security researcher and you identify a flaw in some software or some service or some website or anything, more and more vendors are willing to hear about it. They want you to tell them, "Hey, I found this gaping hole in your security posture. Please kindly fix this before somebody else does that isn't maybe quite as ethical as me."
And they can do this now without as much fear of reprisal, because before, if you were sending something like this to a company saying, "Hey, I found something, do something about it," that reads like blackmail, and we want to avoid that. So by opening the door preemptively to this sort of thing, we establish that you can trust us; please just come tell us what's going on. And now we're seeing more and more bug bounty programs as well. So in addition to a lack of reprisal for finding this sort of thing, we're also seeing companies paying out cash bonuses to individuals who report security vulnerabilities. Google specifically has an amazing bug bounty program. If you follow security news, just about every couple of months you're going to hear about some researcher in Chile or Singapore, anywhere around the world, who found some interesting vulnerability in a Google service, reported it, and then got cut a check for like $17,000 two weeks later. It's more and more common, and that's excellent, because it's removing a lot of the incentive to be a bad guy. It used to be, you know, if you've got some skill in hacking and you're not immediately working for the government or working in security at a company, you're kind of out of luck, so you might as well sell data and exploit stuff and steal credit cards or what have you.

On the consumer level, though, we know that awareness is rising because the security-conscious person is becoming a demographic that is just actively marketed to. About a year and two months ago, well, September 2017, does anybody know a little company called Equifax? No? Raise your hand if you don't know what I'm referring to. That's awesome. So in September 2017, the credit reporting bureau Equifax disclosed that there had been a massive security breach. At the time, they said that there were about 143 million accounts of user data that had been leaked to God knows where, and even later on there was even more than that.
And following that, we see this wave of, I mean, if you listen to the radio in your car there's about a billion percent chance that you've heard of a dark web analysis service, where there's a company that's promising you that "we're going to listen to chatter on the dark net, where all the evil bad guys talk to each other, and we're going to tell you if we hear your name or your email address or the name of your company." And having audited some of those, I can pretty confidently say don't waste your time. But the fact is, they see a market there. They know that people are more conscious of their security posture than ever before, and just because some of them are a little exploitative, that doesn't mean that they haven't recognized that people care now.

But despite this improved awareness, these attacks keep succeeding. And these aren't really all super sophisticated attacks, either, that are just unpreventable golden bullets that can kill the sky. Equifax's data breach, the one that leaked 140-something million user accounts, was a vulnerability in Apache Struts. The vulnerability itself had been patched two months prior to the breach even beginning, and they failed to patch it until they identified it two months after it started. So there is this four-month-long gap where they knew that there was a patch to be done and hadn't gotten around to doing it. And saying "hadn't gotten around to it" is a little reductive.
I mean, we all work in places where maybe an update needs to be vetted first, but something that serious, there's sort of no arguing that they dropped the ball at least a little bit there. More recently, the Atlanta, Georgia city government was hit by a ransomware attack. This was in March of this year. Anybody not heard of that? That one's a little bit less publicized. If you don't live in Atlanta or you're not in the security space, you maybe wouldn't have heard of it, but most of the entire Atlanta city government, the city network, was taken down by the SamSam ransomware. There hasn't been a public disclosure of the vector of that attack yet, but circumstantial evidence, and just the type of attack, seems to suggest that the EternalBlue vulnerability was responsible. That one, I bet even fewer people have heard of, but you may have heard of WannaCry, the ransomware that swept Europe and took down hospitals and all that. WannaCry was almost exclusively distributed through this vulnerability in the Windows file share service.

And it comes down to: everybody seems to think they are the exception. They know that there's an update, they know it's a security patch, but "for some reason I'll put it off, it'll be okay." It's at this point that I want to get a little bit of audience participation, especially because it's the morning of the second day of a WordCamp, so all of you are zombies just like me. So raise your hand, and you don't even have to move or get up or anything, but you do have to shout. You want to improve the security posture of your business by 30% in 5 seconds? Okay, uh, what's your name?
Glenn. I want you to say, "My name is Glenn and I am not the exception." "I am not the exception." Anybody else want to do it? Just go do it. "I am not the exception." All right, so now that we've gotten past that, we can start fixing this a little bit.

So we're all on WordPress; it's kind of why we're here. WordPress powers 30% of the internet right now, and that is insane, and it's 60% if you only count sites that are using some distributed content management system. A 30% market share of anything is sort of legendary. I mean, there's Coke or Pepsi or whatever. It's the simplest sort of supply and demand there is: if there is a market using something, it is profitable to exploit that. It couldn't get more basic than that. And the example I like to give here for this is, who remembers 2007? I hope so, it was a wild year. So between 2007 and 2009, well, those were, you know, the first couple of years the iPhone was out, the smartphone was coming to the fore. These were also the years that we were seeing the "Get a Mac" campaign on TV. I really remember: "Hi, I'm a Mac." "Hi, I'm a PC." "Hi, I'm cool and trendy." "Hi, I play chess by myself," or something. But this was back when Mac OS X had about a 4% market share in the desktop space, and this was, you know, "Oh, I'm only for office software." "Oh, I'm cool and I have friends and do Photoshop stuff." And more than any of that, you would see "I'm a PC and I'm sick, I have a virus, because that's what PCs do, they get viruses, woe is me," and Justin Long is sitting there doing a kickflip on a skateboard or something, because Macs don't get viruses, that's just how it works. And then fast forward to about 2011, so this has been going on for four years now, Mac's market share is about double, it's about 8% now, still a little smaller than 30%, and you stop seeing this whole "Macs don't get malware" thing anymore. Do we have any guesses why? Because they do. Because they do. And not only is it that the market share increased, so more people want a piece of that pie because it's a bigger pie now, but also there's sort of this concept in the hacker space, and you'll see it just about everywhere, but hackers are a little bit notorious for this, and it's the law of "challenge accepted." You know, you tell me I can't, and let's watch what happens now. So we start seeing backdoor malware like OS X PINDA and the BlackHole remote access tool come out on the scene, and we stop hearing this whole "Macs don't get viruses" thing much anymore. I mean, the general populace had already allowed it to enter into their consciousness, and so you hear Mac fanboyism that still kind of echoed that, but their official marketing stopped leaning so heavily into that.

I bring this up because, well, here we are: WordPress, 30% of the internet. If you're spinning up a new website, there's about a 70% chance you're going to click WordPress in your hosting account. And there's a knee-jerk reaction in the web hosting community, in the sysadmin communities. The joke that I heard was, "WordPress is a really excellent remote web shell with blogging features." And it's clever, it's kind of a funny turn of phrase, but it makes me mad, because I love WordPress and I hope you guys do too. And WordPress is not insecure. WordPress has an amazing security team that's doing reviews of things as they can. All of them are human, and humans make mistakes; that's a whole other talk I give. And you can make an insecure WordPress site; WordPress is not insecure. Does that distinction not register with you?
Cool. I'm not here telling you that WordPress is insecure and here's how to stop that, but here's how to make more secure sites with WordPress. So with awareness on the rise and the knowledge that WordPress sites are common targets, you've probably come across a guide of security best practices, things to do to help secure your WordPress site, and I would honestly be astonished if I was the first person to be in front of you or write something to you that says "update your plugins." Is this the first time anybody's heard of that? No? Okay, because we'll fix it, but wow. In my opinion, the gap here has to do with the difference between knowing something, like factually speaking, and understanding it. So for example, I'll call myself out here: I can tell you that, factually speaking, the sun is about 10,000 degrees Fahrenheit. I'll also sit here and tell you that I have no meaningful understanding of what 10,000 degrees Fahrenheit is like; my brain just auto-corrects it to "really hot." And when you don't understand how a hacker is getting into a WordPress site, and you hear that there's a security epidemic and you need to do these things to secure your site, it can kind of feel like you're doing emergency prep for an eventual dragon attack. Like, I don't know the rules of dragons, what are they going to do? And so by personifying this in a little bit more of a manageable way and explaining what happens in this process, hopefully, just by making it understood how this stuff happens, you can at least take a look critically at your site and tell yourself some things that you can do.

And we're going to do that by putting our hat on. If you've been to the Wordfence booth, you've heard us say "think like a hacker," improve your security posture that way. The line "put your hacker hat on" is something that one of my SANS instructors used to rattle off a lot, and it makes a lot of sense, because if you're a dev, or you're in content, or you're in agency design, you look at everything through those eyes, and then it's tough to switch your eyes out. But you want to be able to look critically at this stuff from the perspective of somebody who wants to do something bad to you. And to do this, we're going to be taking a look at two sets of examples from start to finish, two attacks. One attack is going to be from a script kiddie. Have you ever heard that term before? Yeah, k-i-d-d-i-e, not like a small cat or anything. So "script kiddie" is sort of a derogatory term in the security community for somebody who paints themselves as a hacker and does naughty things out there on the internet using tools other people built, without understanding how they work. It's okay to use a tool somebody else built; it's less okay to not know how it works, and then you just sort of throw stuff out. And so: lower sophistication, much higher volume. And you're also going to see low-effort bot attacks fall under this same sort of field. The other one we're going to look at is a bit more sophisticated, though. This is going to be an organized crime person, I started that weird, somebody involved in organized crime, or a nation-state-level attacker. This is somebody where they have some sophistication, they have the skill to do what they need to do, and money is probably no object. If a nation state wants to break into something, they've got some budget behind it.

So we're going to be looking at it from these four phases. Now, if you get into security theory, you're going to see a much more detailed tree than this; you can look up the MITRE ATT&CK matrix, it's "ATT, ampersand, CK," because hackers love that. But for our purposes an attack has about four steps: discovery, intrusion, infection, and response. Like I said, this isn't an industry standard thing, and your attacker's definitely not sitting there like, "Oh, I've finished the intrusion phase, it's over." But it's handy to differentiate what stage each thing happens at, because we're going to talk about a layered security model where we're assuming failure, so dividing
this into nice, manageable chunks gives us a perspective to look at this from, and hopefully prevent future attacks. So, really getting into the meat of it now.

So in our first example of the discovery phase, we've got the script kiddie. Has anybody seen an output that looks kind of like this? Does anybody recognize that? I would like to figure out who's who here. But this is the output of a tool called WPScan. It's a very, very popular WordPress black-box vulnerability scan utility. You can point WP... you shouldn't point WPScan at any site on the internet that you do not personally own, but were you to do that, it can enumerate a lot of things. It can find, say, probably most of the usernames of that account. WordPress doesn't care so much, because usernames are not secrets in WordPress. But we can also enumerate quite a bit of the plugins that you've got installed, and this is me as an unauthenticated attacker just looking for things like readme files on your server. In this case, the text might be a little small, this is a small screen, but we can see that there is an item that was found from one plugin on this site, and it was a plugin called Flickr Picture Backup. It says it's up to date. It also says the last update was from 2014, so that's not super great. We'll talk about the specific vulnerability in the next step, but the idea is there's not a lot that you're really going to reliably keep secret about your infrastructure. Trying to do that is something called security through obscurity. The hot take on security through obscurity is it's pointless, don't ever do it. In reality, sure, you don't make it the only thing you do, but it can slow down unsophisticated attackers, sure.

Our second example, though, with a more sophisticated attacker: the biggest dichotomy in this step is between an unsophisticated attacker and a sophisticated one. The script kiddie is kind of just going to cast a wide net. They don't care who they're getting; they just want to get backdoors and malware on as many sites, as many services as they can. They don't care who you are. They don't care that you think that you're a small site and nobody knows you exist, because as we discussed already, nothing's a secret on the internet. But a more sophisticated attacker probably has a target in mind. Maybe this is an organization, a government organization, maybe this is just a big business, whatever the case may be, they've got somebody in mind, and now they're going to do a little bit more of a drill to find a way in. The first step of this is going to be intel gathering. This process usually begins with a process called OSINT, or open source intelligence, and this is where attackers are gathering data about you, about your company, about your website, and compiling it into just this big portfolio so that we can later refer to it and we know all the stuff we need to. So we're looking at any publicly accessible information. LinkedIn is a really big one. If you want an example of why: if I'm curious to know, for business ABC, what are they using on the back end for their web framework? Well, if I go and I find their company's LinkedIn profile, and then from there I find all of their engineering staff, and every single one of them mentions being an excellent Rails developer, they're probably using Rails. Same with WordPress, but with WordPress you could probably guess that they're using it somewhere, statistically speaking. Things like Twitter and Facebook: if I'm looking for a weak link in that organization, if I'm looking for maybe a money-stressed sysadmin, maybe he's complaining on Facebook about debt, or not being able to make ends meet, or "Oh boy, Christmas is coming up and that's a nightmare," and I find it. Well, I'm a nation-state attacker; I can give this guy what's just a pittance worth of money for me, but it's life-changing for them, and they'll probably plug a USB stick into a server if I wanted them to for that, won't they? And that's not super great, but this intel gathering stuff is where I'm figuring this out. So I'm scraping the
internet for email addresses, because maybe now I want to know how your usernames are set up. You know, is it last name? Is it last name, first name? So if I can find email addresses, I can do that. If I can spider out from there and find your employees' personal email addresses, well, now I might be able to identify a password breach, because I've got a handful of those sitting around ready to be sifted through for a password. And this one is a little bit more security theory, but there's a tool called CeWL. It's a word list generator, so you can throw CeWL at a website or a set of sites and it's going to just spider the site looking for instances of unusual words and phrases. Well, by default it looks for everything, but in a practical application we don't care about the word "of." But scanning a website for all these different words and then sorting that by how common they are is an effective way to start guessing passwords.

So what are the takeaways during this discovery phase? Because we're looking at every phase one at a time with the idea of preventing somebody from getting past it. Example one: our script kiddie probably would have been sent back if that vulnerability scan they launched didn't find anything, or if there's a web application firewall in the way preventing it from successfully scanning, or in some cases feeding incorrect information back to send them on a wild goose chase, but that's more just somebody being cheeky. Example two is a little bit tougher, though. You can't be super draconian with all of your employees and say, "I don't ever want you to say anything about work on social media ever, turn off your LinkedIn, get off the Twitter." It might be a little bit more secure, but you'll just kind of scare all your employees away, and you need to deal with all that. But you can do some training, build some awareness of the sorts of things that probably shouldn't be shared with the internet, and this is going to help to mitigate that kind of non-critical data leakage that could be compiled into a portfolio for our next step.

So after the discovery phase, we've got intrusion. An important part of the vulnerability disclosure process is to produce a proof of concept. So if you find a vulnerability and you want to prove that you've found a vulnerability to the people responsible, you build a thing that exploits it and you just ship it to them and say, "Here it is, here's how to do it, fix it now." So from our earlier example, that Flickr Picture Backup plugin: now, the intended functionality of this plugin is, in your admin dashboard, you can feed it a URL of a Flickr photo. Flickr is an image hosting service nobody ever uses anymore; if you do, I'm sorry. But the idea was you can point this field in your admin dashboard plugin at it, and your site will reach out to Flickr and import that photo into your media library. Maybe not the way I would have implemented that, but here we are. It's a plugin in the repo; it might not be anymore. But this plugin never did any... well, let's start from the top here. So it didn't check to see that what you were downloading was from Flickr. It didn't check to see that what you were downloading was an image. And then, maybe I'm burying the lede on this a little bit, but it didn't even check to see if you were logged into WordPress. Now it's starting to come together. So you could effectively just send a request to this script, if you can find the plugin on somebody's site with a free tool called WPScan, and just point it at any URL, maybe a GitHub raw link, maybe a Pastebin link, and pull down arbitrary PHP code, storing it on their server in a place that we can identify later. Maybe it's a web shell, maybe it's some other malware dropper, because now I'm infecting a website because it had a plugin installed that, by the way, was up to date. So we can talk about the virtues of not using a plugin that's been deprecated four years later, but it's pretty bad. And so if you've identified that that vector exists, the intrusion step is trivial. You just point it at a site
you control or a shell that you like, and then you're in.

Example two is going to be a little bit more up in the air, depending on what you find during this intel gathering phase. So with our gathering complete, our professional attacker is gearing up to attempt their intrusion, and fortunately for us, the attacker, not you guys, we have a handful of email addresses that we found, and these belong to corporate accounts. But we've also gone further than that and associated a corporate account with a personal account, maybe multiple personal email accounts, Bob Zermakul, and a few of them are associated with password breaches from a while back. And so who's heard of Have I Been Pwned? "Have I Been Pwned," that's the domain, haveibeenpwned, P-W-N-E-D. It's a service started by Troy Hunt, a security researcher out of Australia, and it's a really amazing tool where you can go and plug in your email address and it'll tell you all of the known breaches that that address is associated with. Now, they won't spit back out, "Yes, you have been pwned, and here's the password," so you can't just, like, plug anybody's email into that and get passwords or access keys back. But what you can do is look and see if you appear on it, because they'll tell you what breaches you're in, and if this is a breach that your attacker has a hold of, and that password that they've got is still active anywhere, now they can kind of walk through the front door. They know your password, they know your email address, and there we go. Now, the odds of any one individual's breached password from four years ago appearing on your WordPress site, well, their WordPress site, is kind of low, if we're being honest. But it's a numbers game. How many of these users did I identify? How many of those passwords did I identify? It only takes one to make a meaningful step into an organization's infrastructure, and if it's an unprivileged account, privilege escalation is much easier than going from nothing at all. You have a quick question? "So if they get the password from a personal email, or if that person uses the same password professionally?" Yes. So this is an attack called credential stuffing, where we've identified a number of passwords that have been previously associated with you. We don't know if they're still associated with you, but we're going to throw stuff at the wall and see what sticks. Depending on the scope, maybe we'll try directly on your WordPress site, but maybe we'll use all these other accounts we found. Maybe we'll try to get into your Facebook or your Gmail account; maybe now we can do some password resets elsewhere. So the sophisticated attack is a lot of taking a step, pivoting, taking another step in this direction, pivoting again, because it's not always as straightforward as "Oh, they have a vulnerable plugin, let's attack it." In this case, though, for the sake of our argument, we're going to say that they were successfully able to authenticate as an administrative user and upload malicious code through the WordPress plugin installer. It's a very common modus operandi, where if you've got admin, just upload a shell and then spread out from there.

So what are the takeaways during this intrusion step? This is where most of your typical security best practices show up. So our target from example one probably shouldn't have been running a plugin that hadn't been updated in four years. For number two, though, we can all but entirely prevent credential stuffing attacks by, A, using password managers and never reusing the same password twice. I know exactly one password, and it is the one that unlocks my password manager, and the rest of them are 20 to 40 characters of garbage that I will never memorize, because I'm just pasting it in everywhere. Another thing Troy loves to say is, "The most secure password is the one you don't know." We can also use, so through Have I Been Pwned there's a service called Pwned Passwords. Getting into the technicals might be a little waste of time in the context of this talk,
but effectively you can put your password in, it checks anonymously, not actually shipping your password off to Troy, but it will tell you if that password has appeared in breaches. Certain security plugins, Wordfence included, will tell you if you log in to your site and that password appears in a breach. So if you just installed it and then you try to log in again and it won't let you, it's probably because that password has been seen somewhere, and we don't want you to use that anymore. And then also, implementing two-factor authentication is really important. That way, even if your password gets breached, they still can't log into your site without also having a physical device that you control. It's still a big deal that they have your password, but maybe not quite so operational.

Now, the infection step is where it gets a little bit more freeform, because now we're in. We've gotten in for the first time, which is a landmark in an attack. The first time you get into a system that doesn't want you there, that's what we're doing all this OSINT gathering and exploiting vulnerabilities in plugins and stuff for, but once we've gotten in once, we kind of have free rein to enable ourselves to come and go as we please. In the case of our less sophisticated attacker, we're going to see kind of a staple of internet malware: a spam mailer. It's a real spam mailer, it's a pretty basic one. The idea is, even if you're some "why would anybody hack me, I have a nobody kind of website," your outgoing mail relay on your hosting account probably hasn't been put on any spam blacklist yet. I would like to fix that, so we can throw a spam bot on there and start sending out spam email. Maybe this is sketchy pill advertising, maybe this is some other kind of spam marketing, but maybe we're launching other types of attack from here. What we see in a lot of cases is these spam mailers are going to be used to send out phishing emails. Everybody know phishing? A lot of the cases where you're going to see somebody getting phished is they're getting an email that says, "Hey, I'm from DHL and your package is stuck somewhere, tell me what to do with it," or "Hey, we found some weird activity on your PayPal account, log in and let's figure it out," and there will be a link in that email that takes you to bobsquiltingsite.com/PayPal, and now it looks like a PayPal site, but it's definitely not PayPal. Don't put anything in there. But using this as a platform to direct recipients to phishing and malware droppers is a very large and lucrative thing to do, and that's how a lot of these cases take place.

In our second example: does everybody know what this is? Has anybody seen this before? A skimmer, what's that? A skimmer, yeah. It's a credit card skimmer on an ATM, so you can actually see the plastic shell that somebody's pulled off of the identical plastic shell, and that's going to have a little chip in it that can read your card as it goes into the little chip reader in the ATM. We see things like that on e-commerce sites, where we're harvesting credit cards, we're harvesting usernames and passwords of these accounts. And this isn't something where we can just throw an SSL certificate, or TLS, I really need to get out of that habit, TLS encryption. TLS encryption is not going to stop this, because they're not snatching it out of the sky; they're making a copy before they even send it to the payment processor, and then they're sending that off to themselves or just logging it somewhere to get picked up later. And they're doing this by just injecting a little bit of JavaScript into the website. It's really, really hard for the layman to detect some JavaScript running quietly on a payment gateway. So if they're able to get something like that in place, then potentially every credit card transaction that goes through it is compromised, and what they'll do is they'll find themselves scraping data out and selling it wholesale rather than using every individual card. The bad news here is, if they've reached this point, they've likely got a pretty serious foothold in your account, and the worst part is, you're not even aware of it yet. So taking care of the infection itself falls under the next step, and the idea is simply to become aware of the infection as early as possible.

So, I kind of have to hurry, I was going fairly slow. So, response for our example one: a site infected with a spam mailer is probably sending out a lot of email. The idea here is to keep your finger on the pulse of what's happening in your server. If you're seeing big use of outgoing mail relays, if you're seeing CPU spiking with no subsequent increase in traffic, if you're monitoring this stuff, you can identify that something is happening. Better yet, you can use some kind of intrusion detection system like a malware scanner, and that will at least let you know something has been found. A malware scanner is not necessarily going to clean up every possible backdoor, but the earlier that you can be notified that something has happened, the more time you have to respond to it before everything completely explodes. On the other hand, a card skimmer is generally going to be brought to the attention of the site owner through something called a common point of purchase, where "I've seen 60 breached credit cards on Visa," or something, "at this point, and I've had 60 breached credit cards, and 59 of them have all made a recent purchase from your website." They're going to notify you of that, and then you can do an audit there, in the middle of all the legal trouble you're probably about to try to dig out of. In the case of resource theft attacks like spam mailers, keep an eye on your server usage stats, and then for a card skimmer, cleaning services and stuff like that are going to help mitigate that. But this is why we're always making backups. Again, don't rely on a malware scanner to completely clean everything for you. If you've got a malware scanner and it's telling you "we found three things and we cleaned three things," "you're definitely good, man, it's all good," well, maybe they
didn't find something there's a detection it's an indicator of compromise it's not a list of everything wrong with your website and at the same time try to ignore the desire or at least not hacked on the desire to hunt down and kill your attacker because it's not going to work first of all and the IP address you're going to see in your logs probably doesn't really have anything to do with the geographical location of the person attacking you VPNs are cheap and the odds are they're probably attacking you from another server they've infected in any way threat modeling is a big thing it can probably be its own talk by itself but it can be summed up into one question what do I have and who might want it and then subsequently kind of a footnote there is how hard will they work to get it in the context of say larger organizations you may have personal records of employees that I want you may have client data that I might want to exfiltrate and while that particular information may not be sitting on your WordPress site I can probably use that to pivot and get somewhere else so the largest thing here is assume reach at every stage of this process through every step of the way you want to assume that the previous one has failed you cannot really adequately plan for incident response when you confidently believe that nobody will ever get to the step in the first place threat modeling and risk analysis is a big thing and I'm not an expert in that specifically but if you assume breach it's better than the only alternative which is to assume that you have not been breached and I'll tell you which one of those is more secure questions there's a microphone in the middle there I think he's probably going to copy it today I was just wondering if you had any recommendations as far as a researcher who is looking at your business and trying to find personal information any resources out there for seeing what you have that's public so that you can identify things that maybe shouldn't 
be public and take care of that so there is a lot of it's just going to be what can you do yourself there are aggregators out there if there was one thing to write down it would be OSM framework it's a website you can go and it's just this really really enormous by your tree of different categories of stuff that you can use for information gathering and it will provide its own set of tools from there another part of it is just kind of understanding at some level what is valuable data and where that kind of thing can live so like the LinkedIn thing where I want to know what infrastructure an organization is using so I'm going to see what their engineers are bragging about on LinkedIn that's just going to kind of come from understanding of the human element and getting into things like social engineering which is a whole other talk there's a lot of data that can be manipulated in a bad way even so much as telling somebody what service your office uses tells them what uniform to buy or steal to get unlimited access to your business so it's it's tough to say because this is kind of like simultaneously everything and nothing so it's something that you want to look at case by case and see what's going to be relevant to your specific business and so OSM framework is a good one for that but really just Google the names of employees Google email addresses see where things have shown up as far as actual breach data really need to have that component because it's a really good resource anybody else? 
you mentioned password managers I've kind of been staying away from those because I'm afraid if somebody gets in there they've got all of them then so how do you know how to pick one that's trustworthy so that's a really good question having a single point of failure with your password managers is a scary case to begin at the same time if you are your own single point of failure then you're in the exact same spot you left so there's a lot of cloud based password managers out there last pass, one password and you hear cases where somebody's last pass account gets breached and that can be devastating but it is a much smaller surface area and much smaller likelihood of compromise than having one universe password that you keep in your head and use everywhere I personally use key pass it's not cloud based it can be made cloud based if you sync it through Dropbox or I use a personal next cloud account my password goal is on every one of my devices synchronized to each other but never talks to a third party that I do not control you are not necessarily me that might not be necessary but any third party service like last pass or one pass is going to be better than nothing hands down I'm curious on what your opinion on the company out here that has the QR scanner to get into WordPress instead of username and password is that a valid step that we should take so that one is unique so I haven't had time I don't want to I haven't had time to personally vet it I haven't had time to personally vet that particular implementation from my understanding it's the theories sound so it's not that this is some magic QR code that gets you into a site what it is is we are showing a QR code to a user on a desktop and then their phone which is authenticated is associated with this account so whichever device shows us this QR code brings that account to that computer so it's if somebody else has a phone and snaps that QR code it's not that your account is getting exact to their phone it's 
that their account is getting exact to your computer I couldn't confidently tell you the effectiveness of that implementation but the theory is there is there time for one more? yeah anyway, I just asked if there is time for one more for nothing so you have two basic profiles I was wondering if you had an idea of if there was actually like a hate group who was targeting somebody for political reasons like where they would tend to fall along that kind of spectrum that's a really good question unfortunately the answer to a lot of these is going to be it kind of depends so it depends on the resources it plays it depends on how official this activity is if you've got some internet hive mind on your side they have an agenda that's really up to the level of the sophistication of each individual member of that hive mind on the numbers side of it it's probably going to be more of a sophistication screw kiddies like Oscar and Pulse kind of thing but if this is a group with a lot of money and they're not afraid to use it and they can buy it professionally or they may already have again comes into the concept of risk analysis who wants what I have I just contributed to the answer oh yeah this is Mark Monder the CEO we're good one of the ways that you've seen an industry activist and journalist so on targeted is your vision and so the attacker will use open source intelligence which might be something to talk to build a really good person oscillations if they have and so on and that's part of the very sophisticated spirit machine campaign perhaps an email that says hey this is Joe from such and such company and Joe is now an associate want to talk to you about the meeting on Tuesday because I want to hear about it again open source intelligence check out this document for something that has an exploit so that's a company that the industry has seen a fair amount of it yeah so for the people at home not on the microphone or anything spearfishing campaigns have been seen and that 
is what would fall under more sophisticated you don't really need to be a super legit computer hacker to do a spearfishing campaign you just need to know how to trick someone but it is a little bit higher effort than throwing a scanner or something but it is very real where we see cases of somebody building this profile and then launching an attack on an individual just because we know how to talk to them and but if you like them to do what we want thanks
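Editor's added example, not part of the talk and not Wordfence tooling: the response advice above for a spam-mailer infection is to watch outgoing mail relay usage on your own server. The script below turns that into a concrete check over Postfix-style queue-manager log lines. The log lines, the 10-minute window, the recipient threshold and the list of web-server accounts are all constructed assumptions for the demonstration; the log format is the common `postfix/qmgr` "from=<...>, size=..., nrcpt=..." line, but adjust the regex to whatever your MTA writes.

```python
"""Flag a likely spam-mailer outbreak from outbound mail log lines.

Added example for the talk's 'keep your finger on the pulse of outgoing
mail' advice. Two signals are checked per sender and 10-minute window:
an unusually high recipient count, and any mail sent by the web-server
account (www-data etc.), which on a site that should not send bulk mail
is itself an indicator of compromise. All sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Postfix qmgr format (assumed format).
SAMPLE_LOG = """\
Mar  3 10:01:12 web1 postfix/qmgr[2201]: 4B1C2: from=<orders@example.com>, size=2231, nrcpt=1 (queue active)
Mar  3 10:07:40 web1 postfix/qmgr[2201]: 4B1C9: from=<orders@example.com>, size=2410, nrcpt=1 (queue active)
Mar  3 10:12:05 web1 postfix/qmgr[2201]: 4B1D3: from=<www-data@web1.example.com>, size=812, nrcpt=50 (queue active)
Mar  3 10:12:06 web1 postfix/qmgr[2201]: 4B1D4: from=<www-data@web1.example.com>, size=812, nrcpt=50 (queue active)
Mar  3 10:12:07 web1 postfix/qmgr[2201]: 4B1D5: from=<www-data@web1.example.com>, size=812, nrcpt=50 (queue active)
Mar  3 10:12:08 web1 postfix/qmgr[2201]: 4B1D6: from=<www-data@web1.example.com>, size=812, nrcpt=50 (queue active)
Mar  3 10:20:33 web1 postfix/qmgr[2201]: 4B1E1: from=<orders@example.com>, size=2198, nrcpt=1 (queue active)
"""

# Timestamp, queue id, envelope sender and recipient count from a qmgr line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_qmgr_lines(text, year=2024):
    """Return (timestamp, sender, nrcpt) tuples; syslog lines carry no year,
    so one is supplied (assumed 2024 for the sample)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a queue-manager line we understand
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["sender"], int(m["nrcpt"])))
    return events


def recipients_per_window(events, window_minutes=10):
    """Sum recipients per (sender, window start), bucketing by wall clock."""
    buckets = defaultdict(int)
    for ts, sender, nrcpt in events:
        minute = ts.replace(second=0, microsecond=0)
        start = minute.replace(minute=(minute.minute // window_minutes) * window_minutes)
        buckets[(sender, start)] += nrcpt
    return buckets


def find_mail_spikes(text, window_minutes=10, threshold=20,
                     web_users=("www-data", "apache", "nginx")):
    """Alert on any window where a sender exceeds the recipient threshold,
    or where the sender is a web-server account at all."""
    events = parse_qmgr_lines(text)
    buckets = recipients_per_window(events, window_minutes)
    alerts = []
    for (sender, start), total in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        local_part = sender.split("@", 1)[0]
        if total > threshold or local_part in web_users:
            alerts.append({"sender": sender,
                           "window_start": start.isoformat(),
                           "recipients": total})
    return alerts


if __name__ == "__main__":
    for alert in find_mail_spikes(SAMPLE_LOG):
        print(alert)
```

Run as-is it reports one window: the www-data account pushing 200 recipients in four messages inside one minute, while the legitimate order mail stays at one recipient per message. Feed it `grep qmgr /var/log/mail.log` on a real host and tune the threshold to your own baseline; the point, as the talk says, is an early indicator, not a cleanup tool.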