Hacker’s Paradise: Top 10 Biggest Threats When Working From Home

Paula Januszkiewicz
CEO at CQURE
RSAC 2021
May 20, 2021, Online, USA

About speaker

Paula Januszkiewicz
CEO at CQURE

Paula Januszkiewicz is a security expert, penetration tester, trainer, and the Founder and CEO of CQURE, an IT and cybersecurity consulting company which predominantly conducts IT security audits and penetration testing. Januszkiewicz is a Cloud and Datacenter Management Microsoft MVP, honorable Microsoft Regional Director for CEE, and a world-class cybersecurity expert, consulting customers all around the world. Januszkiewicz is also a top speaker at global conferences including Microsoft Ignite, RSAC (2019: a keynote speaker; 2017: her two sessions were amongst the five hottest sessions), Black Hat (in 2019, Januszkiewicz's presentation was voted best of Black Hat Asia 2019 Briefings), and Gartner Security Summit. Januszkiewicz holds an MBA from Harvard Business School and has access to the source code of Windows.


About the talk

Paula Januszkiewicz, CEO, Cybersecurity Expert, CQURE Inc. (Top Rated Speaker)

Privacy and security are always top of mind for IT, but never more so than at this moment, when the current reality continues to impact how organizations operate. A remote workforce is becoming common practice. It is not only perceived as a necessity, but also as an improvement of work-life balance, which could increase flexibility. Unfortunately, working remotely introduces various risks.

Transcript

Welcome to my presentation, Hacker's Paradise: Top 10 Biggest Threats When Working From Home. My name is Paula Januszkiewicz. I'm a Microsoft Regional Director and also a person who has had access to the source code of Windows for the past 10 years, and I'm absolutely happy to share insights covering the current situation, where we are all working from home, in order to cover the biggest threats that we have encountered within the last projects, and also interesting observations of what to do in order to

become more secure while technically sitting at home. So, regarding the agenda for today, there are a couple of things to cover. First of all, we are going to discuss the security awareness ideas, so what's happening right now in this world. Then we're going to get into the top 10 biggest threats, and then of course we're going to get into the summary. So as we already know, we are at the stage where we are working from home, working from locations that are not necessarily our offices, and there are different recommendations and

different organizations that are creating those recommendations regarding remote work. For example, one of the agencies is CISA. They have actually issued a recommendation that organizations should adapt to the conditions that are currently in the world in order to enforce or enrich their security solutions, to avoid the known vulnerabilities and known threats that are out there. For example, when we take into consideration phishing being the number one threat currently in the

world, that is the generic recommendation that they are making, being one of the organizations to do so. It is technically the Department of Homeland Security's cyber agency, but they are of course not the only ones here. So we've got, for example, research that shows that cybercriminals are actually using the coronavirus pandemic to spread, for example, spam activity through both email campaigns and [unintelligible]. Whenever we take into consideration some other aspects that are related

with that remote work, we are seeing that we've got in place, of course, sometimes using a personal device for work, or eventually sharing that particular device with some other people, for example members of the family. We've got employees connecting, for example, to the company's network from their home Wi-Fi or some public, unknown Wi-Fi, which technically creates different situations that are very comfortable for hackers to eventually misuse, and at the same time allowing us to access the employee's

computer. So that could be a work device, a personal device, and eventually maybe hops to the corporate network. And here we are discussing, of course, many types of attacks: that could be through phishing, that could be, for example, through being in the same hotspot and then eventually affecting the traffic, affecting the communication that the employee is using over here in order to browse simple websites. Or in general, these kinds of problems are also usually starting when we are mixing two worlds: our private world with our corporate, our

original work world, where, for example, we are using applications or websites with social media, so things like Facebook, and something that could, for example, lead to an attack, to code execution on our computers if you allow that, and then spread across the organization's network. So, whenever we are thinking, of course, about the top 10 biggest threats when working from home, some of them are simple and some of them are a little bit more advanced. So, let me start with something simple for us to warm up. And that is

actually related with the situation where we disable the firewall, or in general different security solutions that are working on, for example, our personal device that could be used for work. Either that, or the ability to affect security solutions on the work device could also be the case. Or it could also be a misconfiguration of the firewall that allows different processes that are technically suspicious, not allowed within our organization's policy, to be communicating out of the network, which brings me actually to a technical

explanation, where we've got, for example, a certain macro that we are receiving within the phishing email, and then that macro opens up a child process. That child process could be, for example, PowerShell, which technically is an allowed process within the Windows platform, and then eventually that particular process is communicating out to the network, to the internet in general, in order, for example, to fetch some other items that could be used within the attack, as well as the second part. What is important is that there is a child

process, like PowerShell, that from a macro opens up and then tries to establish communication, which is clearly an anomaly. Is that a perfect example of that? Let's have a look at how, through a malicious macro, we are able to take over a certain workstation: privilege escalation. Now, it's just going to be listening for the incoming connections. "Microsoft Online" dot [unintelligible]. Microsoft, right? That's the domain that they use for phishing activities, but it's so similar to the Microsoft one,

similar to a change in the document. The whole thing over here, it is an image, and the user clicks somewhere inside of the document. There is a reverse shell, and that reverse shell is in the form of an executable, and it creates a connection to the hacker. Let me check out the macro over here. You can see that there's just one big button, and what we've got here is a URL download to file, and we are downloading a certain executable into the temp folder.

So then we are renaming that as an executable, .exe, and we are running it. [unintelligible] So you can see, we are just using it right now. So we managed to become a user. As you can see, this user is just a user, because of the privileges that are listed for it; this is how we are able to recognize it. We are on the machine, so we can take the next step, and then eventually we're going to be running Zach.ps1. So that's PowerShell, and that is the script that eventually we

are able to use for the privilege escalation on this computer. For this moment, we will be able to run the script. [unintelligible] And right now, when we run our first escalation script, that's DLL hijacking at the end: you are able to see that we are using some DLL, and that particular DLL is going to be loaded by the Task Scheduler on the service startup. And here we are, using also that internal Windows mechanism. So, ever

[unintelligible] until we are able to recognize also what was running from this user's computer to effectively run it, and there was [unintelligible] in 2017. And we're going to be leveraging this particular DLL. By the way, we can hide it, put it in some kind of a DLL and in some kind of a folder, and eventually, not this time, maybe amongst other DLLs that are also not signed. For this solution, we're going to shut down the computer. We still set up a listener, and on the client

side, we have set up also the persistency, and the particular DLL, when it's going to be loaded by one of the mechanisms, one of the solutions within the Windows operating system, allows us to connect to the listening hacker. And at this stage we are actually escalating to SYSTEM, because from the moment when we were starting the service, it was actually running as SYSTEM. So because we were able to drop a DLL into the starting rotation, we could at the end run it

with those escalated, or elevated, privileges. So as you can see, guys, we were able to take over a certain machine just because we were able to run the code through the macro. Now, it was not the simplest possible one, as underneath we were using that system mechanism in order to gain persistency. So these kinds of situations might lead to further execution. And of course, there were many problems here that we could cover. One thing would be user awareness, and the other part would be why, in general, this email

made it to the mailbox, and other parts might be related to why that code was even executed, why there were no attack surface reduction rules. So there are plenty of situations that might not be covered on the personal workstation that might be used, for example, for work purposes. And another part that I would like to touch base on is the simple password and security questions. And that in general covers the situation where companies have not yet implemented multi-factor authentication. That's one thing. And I think the simplest example that I've got, one of the latest

projects, is when I was doing password spraying for an organization, as that's technically my job. And I'm not [unintelligible], even though I've got a business role within the company. I did it as simply as possible: sprayed approximately 6,000 users, and they did not have multi-factor authentication, and then it appeared that 2,129 of the users in this example had a password which consisted of the company name and also a year. So again, not very surprising, but that is just enough to use,

for example, one user in order to be able to spread further, and then send phishing, which is no longer phishing because this is an email that is actually sent by our friends. So let's have a look at how that kind of situation could be escalated further. I would like to show you a situation of how, for example, we are able to sometimes give away our password, because multi-factor authentication is one thing, but the second thing is simply phishing that is encouraging us to give away credentials that could later potentially be used within the further components of the

infrastructure. secure academy.com, admin, like you see; then we can enter the username and a certain password, and then we are able to successfully log in. And over here we are going to be also launching the website that is [unintelligible], and over here we could do such a demo and enter the password, and then there was a bad record. So similarly looking websites, but these are really two different websites where we are able to extract

passwords that are [unintelligible]. This is settled. Now we can just close the cards over here. Our goal is to verify the IP address of teacher academy.com and compare it with your academy.com. Here we are not touching the DNS yet; it's just two different sites. So we've got an IP address given and the name, and then we've got the secure academy one; it's different. Now, the next thing: I'm going to pretend that I'm connecting to

the network through that malicious access point. So I'm somewhere at the airport, I'm going to take the free Wi-Fi, and it doesn't really matter: I do not control my access point. So here I entered it, secure academy.com, and it's just something wrong, because we entered the correct address. How could it be that our credentials are actually leaking here, and it's the same, in this case, username and password that I typed? And the answer to this

question is actually very straightforward: teacher academy.com has a certain IP address, and also secure academy.com has this same address. Why is it possible? Because we control the access point that the user is connecting to. So as you can see, we've got a situation: not only were we able to get the password of a user that was targeted, but also, through the ability to control the access point, we were able to spoof the website and replace the

website eventually, either on the fly or just by playing with the DNS record, in order to redirect the user to the incorrect website to give away credentials. And another problem over here is no network segmentation. And what I mean by this is that if there is certain code running on that user's computer, then, for example, if the user is connected using a VPN, we've got a problem with that situation: the user sees something like "VPN pivoting". It's perfectly working here, as I just mentioned, but that attack is based on the situation where the hacker

manages to be in the same network as the user, manages to get access to the user's workstation, maybe through phishing, maybe through that kind of activity that you just saw in the demo, and eventually the next step would be to treat the user's workstation as a proxy. And that's what's called VPN pivoting, because the user is connected using a VPN connection to the organization, and then the hacker is able, by using their workstation as a proxy, to see exactly the same stuff that the user sees in the infrastructure. And if, for example, the user sees servers or other services

that are critical from the perspective of the organization, that eventually [unintelligible] at the end, because there might be something that's misconfigured, not checked with a pentest, or maybe checked but not corrected and still there, then this is something that could possibly be used within the attack. So, whenever we think about that, there's one thing that actually comes to my mind as well, and that's the lack of SMB signing. The hacker is able to see the same things that the user could see being connected through VPN. For example, by using VPN pivoting, we are

able at the same time to try to launch the attacks, ARP poisoning, and then eventually listen to the SMB-related communication in between hosts. And when you combine that all together with the NTLM version 2 authentication protocol, which is used [unintelligible] instead of Kerberos, for example across local accounts, for example across service accounts, or when you use the short name, for example backslash backslash files, or when you access by IP address, then you trigger NTLM version 2, and then this challenge-response

mechanism is actually able to be spoofed, and then you can relay the response to that target. And that is something that I would love to show you within the SMB relay attack. SMB relay in general is relying on the situation where we have no SMB signing in the infrastructure, and at the same time we're using the NTLM version 2 protocol for authentication, which is the case in the vast majority of organizations. And the problem is that it's easy at the same time.

There is certain code to execute, and it will be great, of course, to know what are the ways to figure out that that particular code was actually executed. So I'm going to use [unintelligible] via the script, and mine is going to be 10.10.10.250, and actually a reverse shell that is customized to avoid discovery by antivirus solutions; at the end, a shell listening for the incoming connections. And I have over here, which I have simply set up as you see, everything. So that's why I [unintelligible] that handling

of connections that are about to come. The very first shell in general is going to be running next, because it's related to itself in order to establish a connection to the shell. And someone has to run its own executable, which we would like to trace afterwards. And it's going to be a very interesting situation here. [unintelligible] We just need to run the script. Now, what I'm going to do on my side is going to be basically that query from a

certain type of [unintelligible] from one host to another in order to query or trigger NTLM version 2 authentication. Now that situation is actually pretty straightforward, because querying by IP address different types of hosts, of course, in an infrastructure, is quite a typical thing, right? So basically, on my IP address I'm going to be listening for the incoming connection. So, now I have queried a certain IP address in the infrastructure. Here we can see it,

to list processes. And over here, I'm able to see that, for example, it's running as NT AUTHORITY\SYSTEM. Let's do that, right? This is a typical exploitation of the memory address space where we are right now in that system. So [unintelligible], and you are able to see that we are actually SYSTEM in that target system. So what is the old good question? Of course: how are we able to investigate?

That's okay, and this is something that I would like to show you. So we were able to see over here that it's from 2909. And once we did the shell, then basically there has been a process created. So let's have a look, and reflect basically on our target's machine, if it happened, for example, 6 months ago. Now, the question is, how do we know that that actually happened? And there are a couple of things that could indicate, even after that time, that there is something bad going on. First of all, what are we going to do? We can

find a process ID. For the simplification of this research, it's not because there is SMB not being signed. We actually do it to see that [unintelligible], but we don't have 2904. If we look for 2904, that process does not exist anymore. Now, why? Because when we [unintelligible] 146, 2904 just finished. Now 24, that is this one. Basically, it is here, we've got this one, that's just because that's the shell. But of course, if the hacker closes it, you won't see it anymore. And now, long story short, first of all we can [unintelligible].

And with the [unintelligible], let's do more, and here we've got processes that are related. Worth noting is that if you have an established connection, it clearly stands out where 2904 is. But hey, we just saw that that process finished, exactly. Because, unfortunately, to tell you the truth, unfortunately it will show you only the connections or the process that was used when we were establishing the connection, and that's it. So we cannot trust it. So is there something to

trust in the operating system, assuming that that happened a long time ago? Well, yes, we've got something that basically we call prefetch, and within Windows, which is out there running, we've got a possibility to verify which processes have been running since you set up your Windows. So I start, and here I have sorted these things by date, so you're able to see that eventually we've got [unintelligible], and we've got this strange guy, that's this "iyjr" and so on. So this is quite interesting, because it looks dirty. But of course,

it might have a really nice name. That's in general, for the sake of our research here, to verify if this could be this bad process. So what I'm going to do is, I'm right now on the hacker's machine, and this is the attack that we were delivering over here. You can see that it was made, and then we've got uploading file "aiyjr". So that's this one, and that also confirms this situation. What if I call it, for example, something else? Then it won't look that strange. So, how can we look inside? Of course, just right-click

and over here I'm going to go to our tools, where I'm going to use CQURE, and in this case the prefetch parser, for this particular one. For the file [unintelligible], and then we're going to do -a for analysis, and we are able to analyze. And the run time of one indicates that this particular executable has been run only once, and that is already quite suspicious. We can see when, and we can see what kind of DLLs are loaded over here. So if this file has a name that spoofs, and it is actually more

than that, we are always able to compare, for example, the loaded DLLs, whether they are the same as the original ones. But in general, this allows us to indicate what kind of executable was running in the operating system, even though it's tracking, for example, as one of the logging mechanisms wasn't turned on. So prefetch is not that detailed, but in the worst case, it helps you to understand if there was something suspicious actually running on your machine. Over here, you are able to find a history of everything that has ever been running in this operating system. That's one thing. The second thing [unintelligible],

it worked pretty much [unintelligible]. Long story short, if the hacker knows what he or she is doing, this person can go to the prefetch folder and then eventually delete the trace. On the situation's box, actually, during this time, we can really see that it's being deleted. What if it is what it is? Is it possible to recover? For example, of course, we can always do that. So, I suggest, guys, we've got a possibility to play with the network,

the network traffic. And then at that point we are able to affect the way people can authenticate, to take over a server or workstation. I've shown you a couple of things here. So there was code that was executed, and that is something that is technically a bit of a mistake, because nowadays, especially dealing with ransomware, we are allowing, in some organizations, that ransomware to execute that way. We know that, for example, from the news. Having this in mind, we've got the possibilities to implement whitelisting, or something that's called [unintelligible]. All of

this, eventually. And this is something that would prevent code like that from running. And we're not the only ones to talk here about SMB relay, which could be fixed in many ways, for example by implementing SMB signing. It could be supported by implementation of whitelisting, and that is something that we consider as a serious mistake. And the problem of the current times is that we've got people on the personal workstations, and we've got that one that's not going to be figured out yet. So, whenever we think about some other stuff, we've

got over here old protocols or default settings. So, it really depends on the business applications that people are using; for example, we might have applications that are using a connection to SQL Server. And that is actually one of my favorite things that I'm checking within pentests. So, when you are sniffing the traffic, then you can sniff, for example, traffic of TDS, Tabular Data Stream; that is what TDS stands for. For example, with Wireshark, you are able to use TDS as a filter. TDS is the communication to SQL Server. So,

for example, queries to the database will be running within clear text in the vast majority of applications, especially the older ones. That is actually clear text, which is the best for the hackers, pretty good for the hackers, because that's something that you can spoof. And that's something that's good, for example, to create an additional account in SQL Server, if you are going to have a problem query. So that's one thing. And another one is trusting solutions without really knowing how to break them. So, for example, if we are using that multi-factor authentication,

is that something that could be bypassed? And so that's when we take over, for example, the cookies for a certain application that the user is using, and a way to bypass multi-factor authentication. Or another part is, if we've got an antivirus solution, are we able to stop it by modifying the DLL? And approximately 2% of antivirus solutions are actually allowing that. So that is something that we will need to check: how we are able to stop our security solutions in general, or the way of bypass that we are using. So, that is a bit of a thinking problem here,

and then another part is misusing service accounts, and in general privileged accounts. And for this one, I've got a super quick demo, where you guys are going to see how we are able to extract passwords from the service accounts. Let me show you one of our favorite tools, which is CQSecretsDumper. Over here, you guys can see the PJ service, and it's running on the account secure\Freddy Krueger. So this is clearly not a built-in account. And there is a risk that for this account, or under this account, we are storing passwords in the registry of this particular system. So how are we able to

extract? Well, that is actually the Data Protection API system [unintelligible]. And I was actually [unintelligible] for many organizations; in the logon area, secure\Freddy Krueger, and then eventually there is this particular password, and that is something that we're going to be extracting from the registry. Normally it is not stored in clear text in the registry of this operating system, so we will have to decrypt it, and then eventually we're going to be able to use it later, maybe within the attack. [unintelligible] That's, for sure, your secret. It

is actually stored within the registry, and it is used because eventually the Service Control Manager has to use it. So let's see how we use CQSecretsDumper, and we specify the service, PJ service, and in a moment you guys are going to see that, because we are running this particular tool without the required privileges, eventually you can see that the requested registry access is denied. Well, clearly, because that is a system secret, and it is technically stored within the SECURITY hive, so we have to run PsExec -s -i -d cmd

in order to elevate ourselves, in a separate window, to the local system, with the option "do not wait". And eventually here, you can see that we are, with whoami, NT AUTHORITY\SYSTEM. And there, when we move our tool here, we can run it against the service, and we're going to name PJ service, and you can see that the password this time is actually extracted in clear text. So I've never seen an organization, by the way, that did not eventually have this problem. So it's in the interest of security to

verify what kind of services you've got that are potentially running on a regular account, because a hundred percent the password is stored in the registry over there, because this is how, by the way, "Log on as a service" works: that you guys are actually able to extract passwords. Who can do it? As you could see, it could be extracted only as SYSTEM, but you could also use that "Perform volume maintenance tasks" privilege, for example, to copy the SYSTEM and SECURITY hives and as well extract the password offline like this. So these are the possibilities while extracting passwords

from the service accounts. Okay guys, so you are able to see how it is. So it could be that potentially a misconfiguration of the workstation could be used as one of the steps that a hacker technically could use in order to go one step further, and extracting passwords from the server is just one of the plenty of places. So it depends, of course, what kind of solutions you've got, where we are able to just find that password from the configured service. So here we go. The last one, we've got stolen

or [unintelligible] tools. And what we mean by this is that we already saw it: using a solution, at the same time that solution might appear not to be safe. So that is the general concept of the solutions that we decide to use, especially in pandemic times, when we had to switch immediately to remote work and we enforced something, or did we state something, that users are simply not used to. And that is something that I wanted to show you in terms of multi-factor authentication, and also the ways of how we are able to take over a user workstation, or

in general, user mailbox access, through code as you saw, because we can escalate this attack further, but at the same time it is relying on that Teams communication, or something that looks like Teams communication. Okay guys, so I'm leaving you with these 11 key cybersecurity questions, which is an important thing to note, because [unintelligible] security first. But having these, for example, 10, but there are definitely more mistakes, situations that we are creating when working from home; maybe we are able to improve the security of the

current user workstation, or in general our security posture. Here we've got information and questions like: does our business culture support a secure cyber environment? Or, within the second set of questions here: are we currently resourced and ensured? So by having these 11 key security questions that I'm always sharing with CISOs particularly, we are able to evaluate our remote work strategy in order to prepare for, not to be missed, and definitely, an

awfully happening shift to remote work. And then, within the summary of best practices and understanding, it's definitely "keep the security", which means that the more we look at our infrastructure from the hacker's perspective, the more of the issues we are able to spot, especially within that user's remote work, whenever we are thinking about the remediation and tracking. So the monitoring solutions, that's another perspective that gives us basically the view on what kind of things are executing on the user workstations or on the server. So the internal,

well-designed monitoring and smart analysis about what's happening right now. So then that segmentation of the network. All of these things: whitelisting, things to prevent things that are unknown on workstations, things like attack surface reduction rules. These are the things that are very easy to implement, but at the same time are a good answer for the current remote work problems. Thank you so much for listening to my presentation. I'm Paula Januszkiewicz, and enjoy your day.
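The anomaly the talk keeps returning to, an Office macro host spawning a child such as PowerShell that then talks to the network, and the point that a finished process is no longer visible in the live process list, can both be handled by running detection logic over process-creation and network-connection events rather than over the current process table. The following is an added example written for this page; it is not the speaker's or CQURE's code. It assumes Sysmon-like events (event ID 1 = process create, event ID 3 = network connect), constructed sample records, and a list of Office hosts and living-off-the-land children that you would tune to your own estate.

```python
"""Detect an Office macro host spawning a script child that beacons out.

Added example for this page, not the speaker's or CQURE's code.
Assumes Sysmon-like telemetry: event_id 1 = process create (with parent
image), event_id 3 = network connect. All sample events below are
constructed; the lab address 10.10.10.250 is the one named in the talk.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: macro-capable hosts and suspicious children worth pairing; tune per estate.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class Event:
    event_id: int          # 1 = process create, 3 = network connect
    pid: int
    image: str
    parent_image: str = ""
    dest_ip: str = ""
    dest_port: int = 0


@dataclass
class Finding:
    pid: int
    child: str
    parent: str
    dest_ip: str
    dest_port: int


def basename(path: str) -> str:
    """Normalise a Windows path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_child_beacons(events: Iterable[Event]) -> List[Finding]:
    """Correlate create and connect events by PID, in log order.

    The creation record survives even after the child exits, which is why
    this works where tasklist/netstat on the box no longer show anything.
    """
    watched: Dict[int, Event] = {}   # pid -> creation event of a suspicious child
    findings: List[Finding] = []
    for ev in events:
        if ev.event_id == 1:
            if basename(ev.parent_image) in OFFICE_HOSTS and basename(ev.image) in SUSPICIOUS_CHILDREN:
                watched[ev.pid] = ev
            else:
                # PID reuse: a new, unrelated process took this PID, stop watching it.
                watched.pop(ev.pid, None)
        elif ev.event_id == 3 and ev.pid in watched:
            proc = watched[ev.pid]
            findings.append(Finding(ev.pid, basename(proc.image), basename(proc.parent_image),
                                    ev.dest_ip, ev.dest_port))
    return findings


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Constructed sample log, in time order.
SAMPLE_EVENTS = [
    Event(1, 4120, WORD, r"C:\Windows\explorer.exe"),
    Event(1, 2904, PS, WORD),                                   # macro spawns PowerShell
    Event(3, 2904, PS, dest_ip="10.10.10.250", dest_port=4444),  # ...which beacons out
    Event(1, 5120, PS, r"C:\Windows\explorer.exe"),             # admin-launched PowerShell
    Event(3, 5120, PS, dest_ip="203.0.113.10", dest_port=443),  # benign: parent is explorer
    Event(1, 2904, NOTEPAD, r"C:\Windows\explorer.exe"),        # PID 2904 reused later
    Event(3, 2904, NOTEPAD, dest_ip="203.0.113.20", dest_port=445),  # must not be flagged
]

if __name__ == "__main__":
    for f in detect_office_child_beacons(SAMPLE_EVENTS):
        print(f"ALERT pid={f.pid} {f.parent} -> {f.child} connected to {f.dest_ip}:{f.dest_port}")
```

Run on the constructed log this raises exactly one alert, for PID 2904 while it belonged to the Word-spawned PowerShell; the later reuse of the same PID by notepad.exe is not flagged because the second creation event clears the watch entry. The same correlation maps directly onto a SIEM query over Sysmon events 1 and 3, and it is the logged evidence the talk asks for once the shell process itself has exited.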
