Pichman privacy, the dark web, & hacker devices i school (1)

  1. Privacy, the Dark Web, & Hacker Devices Brian Pichman Twitter: @Bpichman
  2. • 9:00 The Dark Side: Privacy, Dark Web & Hacker Devices Brian Pichman, Director, Strategic Innovation, Evolve Program Pichman walks through the tools that help provide anonymity and some ways to help mitigate the ease of being tracked. He goes beyond private VPNs and Tor Browsing to provide other tips and tricks. He gives an overview of some of the common devices, either hardware- or software-based, that are used by the Dark Side, and some easy-to-use defenses that you and your users can employ to protect yourselves from these attack vectors. Think of it as a Defense Against the Dark Arts class! And bring your device to actually try it out!
  3. Disclaimer • Technology is inherently neutral. • It can be used by bad people to do bad things. • It can be used by good people to do good things. • This presentation is provided for informational and technical training purposes only. • It is intended to familiarize you with some of the methods, tools, and services used to provide Internet anonymity. • It may, at times, “pull back the veil” and offer a look at the other side of the Internet. • We do not encourage or support using the information presented in this session for illegal or unethical purposes.
  4. Why do People Attack? • Financial Gain • Stocks • Getting Paid • Selling of information • Data Theft • For a single person • For a bundle of people • Just Because • Malicious
  5. How to navigate and prevent wrong turns • Who are the people we’re trying to avoid? Hacker Groups • Lizard Squad. ... • Anonymous. ... • LulzSec. ... • Syrian Electronic Army. ... • Chaos Computer Club (CCC) ... • Iran's Tarh Andishan. ... • The Level Seven Crew. ... • globalHell.
  6. Tools For Anonymity Making yourself more “invisible”
  7. Onion Routing, Tor Browsing • Technique for anonymous communication to take place over a network. The encryption takes place at three different times: • Entry Node • Relay Node • Exit Node • Tor is made up of volunteers running relay servers. No single router knows the entire network (only its to and from). • Tor can bypass internet content filtering, restricted government networks (like China) or allow people to be anonymous whistle blowers. • Tor allows you to gain access to “.onion” websites that are not accessible via a normal web browser. • Communication on the Dark Web happens, via Web, Telnet, IRC, and other means of communication being developed daily.
  8. Some History • Originally grew with help from the U.S. Military as a way to communicate without detection. • In 1995 the concept of “onion routing” was born. • The Deep Web was coined in 2001 by BrightPlanet which specializes in locating content within the dark web. • In 2004 the U.S. Naval Research Lab released the Tor code to the public, and in 2006 it was retooled as the Tor Project.
  9. Cloak of Invisibility Anonymous Browsing tools like the Tor Project
  10. Cloak of Invisibility Top reasons why people want to hide their IP address: 1. Hide their geographical location 2. Prevent Web tracking 3. Avoid leaving a digital footprint 4. Bypass any bans or blacklisting of their IP address 5. Perform illegal acts without being detected
  11. Cloak of Invisibility How do you Hide an 800lb Gorilla? • Use Free Wifi (To Hide your location) • Use a Secure Web Browser • Use a Private VPN • Go back to Dial-up • Setup RF Data Transfer over CB Radio Waves • Use Kali Linux to hack someone else’s Wifi Encryption. • Setup long-range Wireless Antennas
  12. Cloak of Invisibility • How to hide yourself? • Private VPN • You want a TOTALLY anonymous service. • Look for one that keeps no log history (Verify via reviews) • Look at Bandwidth & Available Servers • Recommendations: • Private Internet Access (PIA) • TorGuard VPN • Pure VPN • Opera Web Browser • Avast AntiVirus (SecureLine) • Worst Case: Free WIFI
  13. Using a VPN Client
  14. Normal Users and How They Appear:
  15. VPN Protected Users
  16. Cloak of Invisibility • How Tor anonymizes “You”. • How VPN keeps “You” protected.
  17. Dial Up? • Use an ISP like NetZero that can be registered with fictitious personal information, and to which you can connect with caller ID disabled • Makes it a bit more difficult to identify “you”
  18. Free WiFi • Sometimes a good alternative if you need to do something anonymously • Nothing is ever 100% anonymous • Some public wifi does track websites you access, what you do, etc. • Make sure your computer name you are using doesn’t include your actual name
  19. Hacked WiFi – Cain and Abel
  20. Best Tips and Practices Do • Use a device that you’ve never signed into anything “personal” on. • Pro Tip: buy a computer from a Pawn Shop or Garage Sale • If using public WiFi, don’t make purchases with a credit card. Don’t • While on a VPN or any other anonymous tool, don’t sign into personal accounts (banks, social media, etc). • If posting, don’t use anything that could be associated with you
  21. Q and A
  22. Tools to become a hacker Explore tools hackers use to exploit companies and us
  23. How do you Hide an 800lb Gorilla? • TorBrowser • Mainstream browser that helps gain access to a private collection of websites and servers. This runs on a separate, “Parallel Universe” on the Internet. • Telnet to a BBS • Bulletin Board Systems never died. They just got modernized! • Kodi • Leverage tools for your entertainment.
  24. Tools to become a hacker • Get a router that allows for VPN at the router • Install a second VPN Client on the PC • Use Tor Browser for Browsing • Access Kodi • Use other tools from this point • Keeps everything anonymized
  25. Tools to become a hacker • The Basics. • Social Engineering • Get a Voice that’s not behind a computer. • Write a Batch File • Odd, but Windows still has DOS hidden underneath
  26. Top Hacker Tools • #1 Metasploit. • #2 Nmap. • #3 Acunetix WVS. • #4 Wireshark. • #5 oclHashcat. ... • #6 Nessus Vulnerability Scanner. ... • #7 Maltego. ... • #8 Social-Engineer Toolkit.
  27. BackTrack can get you A LOT • BackTrack was a Linux distribution that focused on security based on the Knoppix Linux distribution aimed at digital forensics and penetration testing use. In March 2013, the Offensive Security team rebuilt BackTrack around the Debian distribution and released it under the name Kali Linux. https://en.wikipedia.org/wiki/BackTrack
  28. Attacks • Man in the Middle • Sitting between a conversation and either listening or altering the data as it’s sent across. • DNS Spoofing (https://null-byte.wonderhowto.com/how-to/hack-like-pro-spoof-dns-lan-redirect-traffic-your-fake-website-0151620/) set up a fake website and let people login to it. • D/DoS Attack (Distributed/Denial of Service Attack) • Directing a large amount of traffic to disrupt service to a particular box or an entire network. • Could be done via sending bad traffic or data • That device can be brought down to an unrecoverable state to disrupt business operations. • Sniffing Attacks • Monitoring of data and traffic to determine what people are doing.
  29. More Sources • https://www.reddit.com/r/deepweb/ • DuckDuckGo.Com doesn’t track searches • Also lets you search .onion sites when using TorBrowser to access.
  30. Other tricks • 10 Minute Email • https://10minutemail.com/10MinuteMail/index.html • Temporarily get an email box that’s anonymous and disappears after 10 minutes • Dr Cleaner (Mac) or Eraser (Win) can overwrite files on your computer with “blank” data to make file recovery near impossible. • Tools like Recuva are free software that allow you to restore deleted files.
  31. Your Library • Administrative Accounts are easy to figure out if they are something like “administrator”, “root” or “power users”. At the same time, no employee should have their account as a full admin. • Instead, give them their own username for admin access (like brian.admin) • Change the default “login” pages for sites to something that’s not www.mysitename.com/login. Bots look for this and attack. • My Drupal Site login page is www.evolveproject.org/catpower • User Awareness is key to any secure organization. Teach users how to identify potential threats and how to respond quickly. • Avoid shared accounts. One account should only be used by one person.
  32. You • Sites to protect yourself all the time (not free) • IdentityGuard.com • LifeLock.com • Sites to monitor when breached data gets released (this is free) • Haveibeenpwned.com • Password Management Sites (like lastpass.com) • Don’t have the same password for all your sites. • Don’t write your passwords down on a post-it-note and leave it at your desk
  33. Google Isn’t Always Your Friend
  34. Dual Factor Authentication • After logging in; verify login via Email, SMS, or an app with a code.
  35. Credit Card Tools for Online Shopping • Check out Privacy.Com • https://privacy.com/join/4 73XB shameless plug
  36. Q and A
  37. • 10:00 Attacks & Responses • Brian Pichman, Director, Strategic Innovation, Evolve Program • Includes a look at social media privacy: how do we keep the advantages of social media participation? What are the differences between institutional versus personal social media practices and privacy? Bring your own issues to share with participants and speakers.
  38. Evolution of Hacking • Hacking has evolved because of Social Media • Core values haven’t changed • But Social websites have pushed this Hacktivism to the mainstream. • The news keeps covering to drive more awareness.
  39. Hacking • With Social Media & a new found Cause, “Hacktivism” • Born in the era of the Internet • Rooted in Hacker Culture/Ethics with ties related to Free Speech, Human Rights, and Freedom of Information. • Cyber attacks ensue • Most with a purpose • Some for fun • Minimal for Personal Gain
  40. Digital Identity • Everyone (institution or personal) uses Social Media to define their online identity • Many children actually have a digital identity before they are born (Ultrasound pictures) • Digital Identities are just another target for access into: • A business / personal information • Reputation Management
  41. Basic Tips • Accept only people you know to personal and professional accounts • Never click on links from people you don’t know. • Especially if they are using a URL shortener: bit.ly, tinyurl.com, etc • https://www.urlvoid.com/ - test the website to see if it’s safe • https://snapito.com/ gets a screenshot of what will load on the site • If there are people claiming to be you on social media, it’s best to get your account “verified” on those social media platforms • This lets users distinguish that you’re the actual official account • Dual factor authenticate all of your social media logins
  42. Myths • I’m not worth being attacked. • Hackers won’t guess my password. • I have anti-virus software. • I’ll know if I’ve been compromised.
  43. Understanding Breaches and Hacks • A hack involves a person or group gaining unauthorized access to a protected computer or network • A breach typically indicates a release of confidential data (including those done by accident) • Both of these require different responses if breaches/hacks occur.
  44. Examples of Hacks/Breaches • An employee/family member allows a hacker to access their machine through: • Email Attachments • Social Engineering • Walking away from their computer unattended • An employee/family member sends information to someone thinking they are someone else • “Hi, I’m the CFO assistant, he needs me to collect all the W2s” • Or more intrusive – • There is an attack on a database or server that then allowed a hacker in (SQL Injection) • There is a brute force attack or someone guessed the password on a key admin account, on servers/networks, etc.
  45. The Costs Of Breaches • This year’s study found the average consolidated total cost of a data breach grew from $3.8 million to $4 million. The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158 [IBM 2016 http://www-03.ibm.com/security/data-breach/] • Data Breached Companies Experience… • People lose faith in your brand • Loss in patrons • Financial Costs • Government Requirements, Penalties, Fees, etc. • Sending of Notifications • Payment of Identity Protection or repercussions. https://betanews.com/2016/02/10/the-economic-cost-of-being-hacked/
  46. Responses • If someone (SPAM) constantly tags your social brand, you need to report that account as SPAM • Sometimes may need to submit a ticket with the social media provider • Send out communications • If your account gets hacked, you need to share with your users what occurred and what you’re doing to resolve the issue.
  47. cyber-insurance • Policies can be purchased from most major insurance carriers for between $5,000 and $10,000 per $1 million in protection. • Policies will generally cover: • Legal Fees • Forensic Fees • Costs for providing customer credit monitoring for those impacted • Any court costs related to civil litigation and class actions. • Some policies include access to portals/support so if and when an attack occurs, you can get guidance and support on what to do.
  48. • Evolve Project • https://www.linkedin.com/in/bpichman • Twitter: @bpichman Brian Pichman Contact
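
The layering described on slide 7 (Entry, Relay, Exit), as an added example that is not part of the original slides: the client wraps a message once per node, and each node can remove only its own layer, so it learns only its "from" and "to". The node names, keys and destination are constructed, and a toy SHA-256 keystream stands in for the real cipher as an assumption for illustration.

```python
import hashlib, hmac, json, os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(key, next_hop, payload):
    """Add one layer that only the holder of `key` can remove."""
    nonce = os.urandom(16)
    body = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
    ct = keystream_xor(key, nonce, body)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def peel(key, cell):
    """Remove one layer; returns (next hop, inner cell)."""
    nonce, tag, ct = cell[:16], cell[16:48], cell[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified cell")
    layer = json.loads(keystream_xor(key, nonce, ct))
    return layer["next"], bytes.fromhex(layer["data"])

def build_onion(path, destination, message):
    """Client side: wrap for the exit first, the entry node last."""
    cell, next_hop = message, destination
    for name, key in reversed(path):
        cell = wrap(key, next_hop, cell)
        next_hop = name
    return cell

def route(path, cell):
    """Relay side: each node peels one layer; log what each one learns."""
    learned, previous = [], "client"
    for name, key in path:
        next_hop, cell = peel(key, cell)
        learned.append((name, previous, next_hop))
        previous = name
    return learned, cell

# Constructed sample circuit and keys (hypothetical names).
PATH = [("entry", b"A" * 32), ("relay", b"B" * 32), ("exit", b"C" * 32)]

if __name__ == "__main__":
    for hop in route(PATH, build_onion(PATH, "example.org:443", b"GET /"))[0]:
        print("%s: from %s, to %s" % hop)
```

Only the exit node sees the destination and the innermost payload, which is why traffic leaving the last hop still needs its own end-to-end encryption.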

Editor's Notes

  1. These are also the people that use TorBrowser as well to hide themselves
  2. http://www.pcmag.com/article2/0,2817,2403388,00.asp
  3. https://en.wikipedia.org/wiki/BackTrack
  4. https://en.wikipedia.org/wiki/BackTrack
  5. Cult of the Dead Cow, also known as cDc or cDc Communications, is a computer hacker and DIY media organization founded in 1984 in Lubbock, Texas. The group maintains a weblog on its site, also titled "Cult of the Dead Cow". New media are released first through the blog, which also features thoughts and opinions of the group's members. The term was coined in 1994 by a Cult of the Dead Cow (cDc) member known as "Omega" in an e-mail to the group. Due to the variety of meanings of its root words, hacktivism is sometimes ambiguous and there exists significant disagreement over the kinds of activities and purposes it encompasses. Some definitions include acts of cyberterrorism while others simply reaffirm the use of technological hacking to effect social change. https://en.wikipedia.org/wiki/Hacktivism