SlideShare une entreprise Scribd logo

All your bases belong to us

Alessio Pennasilico
Alessio Pennasilico

Slide sull'approccio hacker alla sicurezza, passando da lockpicking, biometria e penetration test fantasiosi

Technologie
1  sur  19
Télécharger pour lire hors ligne
All your bases belong to us! Alessio L.R. Pennasilico Roma, 7 Aprile 2011 mayhem@alba.st twitter: mayhemspp FaceBook: alessio.pennasilico
$ whois mayhem Security Evangelist @ Board of Directors: CLUSIT, Associazione Informatici Professionisti (AIP/OPSI), Associazione Italiana Professionisti Sicurezza Informatica (AIPSI), Italian Linux Society (ILS), OpenBSD Italian User Group, Hacker’s Profiling Project All your bases belong to us! mayhem@alba.st 2
Hacker? The Tech Model Railroad club is an MIT student activity founded during the 1946-1947 school year, making this our 60th year, and making TMRC one of the oldest clubs at MIT. The Tech Model Railroad Club (TMRC) caters to model railroaders, railfans, and hackers alike. Our activities involve all aspects of model railroading, including the application of computer technology and timetable passenger and card-order freight operation. All your bases belong to us! mayhem@alba.st 3
Hacking?
Lockpicking Quanto è facile aprire una serratura? All your bases belong to us! mayhem@alba.st 5
Quanto ci vuole? http://www.youtube.com/watch?v=pgE1YJWQzTA All your bases belong to us! mayhem@alba.st 6
Come funziona? http://www.youtube.com/watch?v=_sQ9gcjtLQM All your bases belong to us! mayhem@alba.st 7
Per tutte le serrature? http://www.youtube.com/watch?v=g0Zw4JI4cxs&feature=related All your bases belong to us! mayhem@alba.st 8
Dove sono le serrature? All your bases belong to us! mayhem@alba.st 9
Biometria Uso cosciente? “Qualcosa che si possiede” Change Password All your bases belong to us! mayhem@alba.st 10
Social Engineering è più facile decriptare una password o chiederla? All your bases belong to us! mayhem@alba.st 11
Facebook Hacking “The social reconnaissance enabled us to identify 1402 employees 906 of which used facebook.” […] “We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee facebook profiles.” http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html All your bases belong to us! mayhem@alba.st 12
Fiducia “Upon completion we joined our customer's facebook group. Joining wasn't an issue and our request was approved in a matter of hours. Within twenty minutes of being accepted as group members, legitimate customer employees began requesting our friendship. […] Our friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors.” All your bases belong to us! mayhem@alba.st 13
Risultati “We used those credentials to access the web- vpn which in turn gave us access to the network. As it turns out those credentials also allowed us to access the majority of systems on the network including the Active Directory server, the mainframe, pump control systems, the checkpoint firewall console, etc.” All your bases belong to us! mayhem@alba.st 14
Come mi proteggo? (Pen)Test Analisi (efficacia? deterrente?) Formazione All your bases belong to us! mayhem@alba.st 15
Conclusioni
Conclusioni Non fidarci di misure di sicurezza il cui scopo è farci sentire sicuri non quello di proteggerci All your bases belong to us! mayhem@alba.st 17
Conclusioni Dobbiamo rifuggire la pigrizia mentale Chi vuole i nostri dati lo farà per certo All your bases belong to us! mayhem@alba.st 18
These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subjected to Creative Commons Attribution- ShareAlike 2.5 version; you can copy, modify or sell them. “Please” cite your source and use the same licence :) Domande? Grazie per l’attenzione! Alessio L.R. Pennasilico Roma, 7 Aprile 2011 mayhem@alba.st twitter: mayhemspp FaceBook: alessio.pennasilico

Recommandé

Protecting online data unit 1
Protecting online data unit 1Protecting online data unit 1
Protecting online data unit 1callum321
 
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...mdevtalk
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?Tony Perez
 
Web 2.0
Web 2.0Web 2.0
Web 2.0luca menini
 
Come passare al sl e vivere felici padova
Come passare al sl e vivere felici padovaCome passare al sl e vivere felici padova
Come passare al sl e vivere felici padovaluca menini
 
Cittadini e cristiani custodi dell'ambiente
Cittadini e cristiani custodi dell'ambienteCittadini e cristiani custodi dell'ambiente
Cittadini e cristiani custodi dell'ambienteluca menini
 
Cosa Sono I Sistemi Informativi
Cosa Sono I Sistemi InformativiCosa Sono I Sistemi Informativi
Cosa Sono I Sistemi Informativiluca menini
 
RSA vs Hacker
RSA vs HackerRSA vs Hacker
RSA vs HackerAlessio Pennasilico
 

Recommandé

Protecting online data unit 1
Protecting online data unit 1Protecting online data unit 1
Protecting online data unit 1callum321
 
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...mdevtalk
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?Tony Perez
 
Web 2.0
Web 2.0Web 2.0
Web 2.0luca menini
 
Come passare al sl e vivere felici padova
Come passare al sl e vivere felici padovaCome passare al sl e vivere felici padova
Come passare al sl e vivere felici padovaluca menini
 
Cittadini e cristiani custodi dell'ambiente
Cittadini e cristiani custodi dell'ambienteCittadini e cristiani custodi dell'ambiente
Cittadini e cristiani custodi dell'ambienteluca menini
 
Cosa Sono I Sistemi Informativi
Cosa Sono I Sistemi InformativiCosa Sono I Sistemi Informativi
Cosa Sono I Sistemi Informativiluca menini
 
RSA vs Hacker
RSA vs HackerRSA vs Hacker
RSA vs HackerAlessio Pennasilico
 
Sl valido strumento di condivisione del sapere
Sl valido strumento di condivisione del sapereSl valido strumento di condivisione del sapere
Sl valido strumento di condivisione del sapereluca menini
 
Wikinomics
WikinomicsWikinomics
Wikinomicsluca menini
 
Internet o Web? Tecnologie o reti di relazioni? Hardware o software?
Internet o Web? Tecnologie o reti di relazioni? Hardware o software?Internet o Web? Tecnologie o reti di relazioni? Hardware o software?
Internet o Web? Tecnologie o reti di relazioni? Hardware o software?luca menini
 
Presentazione osm e mapillary
Presentazione osm e mapillaryPresentazione osm e mapillary
Presentazione osm e mapillaryluca menini
 
Reti di monitoraggio tradizionale e monitoraggio ambientale partecipato
Reti di monitoraggio tradizionale e monitoraggio ambientale partecipatoReti di monitoraggio tradizionale e monitoraggio ambientale partecipato
Reti di monitoraggio tradizionale e monitoraggio ambientale partecipatoluca menini
 
Sistema Informativo Ambientale
Sistema Informativo AmbientaleSistema Informativo Ambientale
Sistema Informativo Ambientaleluca menini
 
Il Software Libero
Il Software LiberoIl Software Libero
Il Software Liberoluca menini
 
I dati ambientali per la certificazione e l'innovazione
I dati ambientali per la certificazione e l'innovazioneI dati ambientali per la certificazione e l'innovazione
I dati ambientali per la certificazione e l'innovazioneluca menini
 
Perchè il tuo tablet interessa ai criminali
Perchè il tuo tablet interessa ai criminaliPerchè il tuo tablet interessa ai criminali
Perchè il tuo tablet interessa ai criminaliAlessio Pennasilico
 
10 anni di indicatori ambientali
10 anni di indicatori ambientali10 anni di indicatori ambientali
10 anni di indicatori ambientaliluca menini
 
Sistemi Informativi Aziendali
Sistemi Informativi AziendaliSistemi Informativi Aziendali
Sistemi Informativi Aziendaliluca menini
 
Lezione inquinamento acustico
Lezione inquinamento acusticoLezione inquinamento acustico
Lezione inquinamento acusticoluca menini
 
User Experience is Everything
User Experience is EverythingUser Experience is Everything
User Experience is EverythingWebRTCConferenceJapan
 
issue15
issue15issue15
issue15Christine Trujillo
 
Expanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceExpanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceHitoshi Kokumai
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Business Dimension of Expanded Password System
Business Dimension of Expanded Password SystemBusiness Dimension of Expanded Password System
Business Dimension of Expanded Password SystemHitoshi Kokumai
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane LackeyYandex
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineeringTiago Henriques
 
Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Hitoshi Kokumai
 
Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Hitoshi Kokumai
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 

Contenu connexe

En vedette

Sl valido strumento di condivisione del sapere
Sl valido strumento di condivisione del sapereSl valido strumento di condivisione del sapere
Sl valido strumento di condivisione del sapereluca menini
 
Internet o Web? Tecnologie o reti di relazioni? Hardware o software?
Internet o Web? Tecnologie o reti di relazioni? Hardware o software?Internet o Web? Tecnologie o reti di relazioni? Hardware o software?
Internet o Web? Tecnologie o reti di relazioni? Hardware o software?luca menini
 
Presentazione osm e mapillary
Presentazione osm e mapillaryPresentazione osm e mapillary
Presentazione osm e mapillaryluca menini
 
Reti di monitoraggio tradizionale e monitoraggio ambientale partecipato
Reti di monitoraggio tradizionale e monitoraggio ambientale partecipatoReti di monitoraggio tradizionale e monitoraggio ambientale partecipato
Reti di monitoraggio tradizionale e monitoraggio ambientale partecipatoluca menini
 
Sistema Informativo Ambientale
Sistema Informativo AmbientaleSistema Informativo Ambientale
Sistema Informativo Ambientaleluca menini
 
Il Software Libero
Il Software LiberoIl Software Libero
Il Software Liberoluca menini
 
I dati ambientali per la certificazione e l'innovazione
I dati ambientali per la certificazione e l'innovazioneI dati ambientali per la certificazione e l'innovazione
I dati ambientali per la certificazione e l'innovazioneluca menini
 
Perchè il tuo tablet interessa ai criminali
Perchè il tuo tablet interessa ai criminaliPerchè il tuo tablet interessa ai criminali
Perchè il tuo tablet interessa ai criminaliAlessio Pennasilico
 
10 anni di indicatori ambientali
10 anni di indicatori ambientali10 anni di indicatori ambientali
10 anni di indicatori ambientaliluca menini
 
Sistemi Informativi Aziendali
Sistemi Informativi AziendaliSistemi Informativi Aziendali
Sistemi Informativi Aziendaliluca menini
 
Lezione inquinamento acustico
Lezione inquinamento acusticoLezione inquinamento acustico
Lezione inquinamento acusticoluca menini
 

En vedette (12)

Sl valido strumento di condivisione del sapere
Sl valido strumento di condivisione del sapereSl valido strumento di condivisione del sapere
Sl valido strumento di condivisione del sapere
 
Wikinomics
WikinomicsWikinomics
Wikinomics
 
Internet o Web? Tecnologie o reti di relazioni? Hardware o software?
Internet o Web? Tecnologie o reti di relazioni? Hardware o software?Internet o Web? Tecnologie o reti di relazioni? Hardware o software?
Internet o Web? Tecnologie o reti di relazioni? Hardware o software?
 
Presentazione osm e mapillary
Presentazione osm e mapillaryPresentazione osm e mapillary
Presentazione osm e mapillary
 
Reti di monitoraggio tradizionale e monitoraggio ambientale partecipato
Reti di monitoraggio tradizionale e monitoraggio ambientale partecipatoReti di monitoraggio tradizionale e monitoraggio ambientale partecipato
Reti di monitoraggio tradizionale e monitoraggio ambientale partecipato
 
Sistema Informativo Ambientale
Sistema Informativo AmbientaleSistema Informativo Ambientale
Sistema Informativo Ambientale
 
Il Software Libero
Il Software LiberoIl Software Libero
Il Software Libero
 
I dati ambientali per la certificazione e l'innovazione
I dati ambientali per la certificazione e l'innovazioneI dati ambientali per la certificazione e l'innovazione
I dati ambientali per la certificazione e l'innovazione
 
Perchè il tuo tablet interessa ai criminali
Perchè il tuo tablet interessa ai criminaliPerchè il tuo tablet interessa ai criminali
Perchè il tuo tablet interessa ai criminali
 
10 anni di indicatori ambientali
10 anni di indicatori ambientali10 anni di indicatori ambientali
10 anni di indicatori ambientali
 
Sistemi Informativi Aziendali
Sistemi Informativi AziendaliSistemi Informativi Aziendali
Sistemi Informativi Aziendali
 
Lezione inquinamento acustico
Lezione inquinamento acusticoLezione inquinamento acustico
Lezione inquinamento acustico
 

Similaire à All your bases belong to us

Expanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceExpanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceHitoshi Kokumai
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Business Dimension of Expanded Password System
Business Dimension of Expanded Password SystemBusiness Dimension of Expanded Password System
Business Dimension of Expanded Password SystemHitoshi Kokumai
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane LackeyYandex
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineeringTiago Henriques
 
Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Hitoshi Kokumai
 
Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Hitoshi Kokumai
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Bring healthy second life to legacy password system
Bring healthy second life to legacy password systemBring healthy second life to legacy password system
Bring healthy second life to legacy password systemHitoshi Kokumai
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)Avansa Mid- en Zuidwest
 
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Hitoshi Kokumai
 
Explaining SSI to C-suite executives, and anyone else for that matter
Explaining SSI to C-suite executives, and anyone else for that matterExplaining SSI to C-suite executives, and anyone else for that matter
Explaining SSI to C-suite executives, and anyone else for that matterSSIMeetup
 
Passwords in the Internet Age - Jim Salter
Passwords in the Internet Age - Jim SalterPasswords in the Internet Age - Jim Salter
Passwords in the Internet Age - Jim SalterIT-oLogy
 
Thane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentationThane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentationJeff Zahn
 
Fend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryFend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryHitoshi Kokumai
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
The Future of ECM: Collaborative Workspaces
The Future of ECM: Collaborative WorkspacesThe Future of ECM: Collaborative Workspaces
The Future of ECM: Collaborative WorkspacesAIIM International
 

Similaire à All your bases belong to us (20)

User Experience is Everything
User Experience is EverythingUser Experience is Everything
User Experience is Everything
 
issue15
issue15issue15
issue15
 
Expanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity AssuranceExpanded password system - Reliable Identity Assurance
Expanded password system - Reliable Identity Assurance
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
Business Dimension of Expanded Password System
Business Dimension of Expanded Password SystemBusiness Dimension of Expanded Password System
Business Dimension of Expanded Password System
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineering
 
Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018Updated: Presentation with Scripts at CIW2018
Updated: Presentation with Scripts at CIW2018
 
Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)Fend Off Cyberattack with Episodic Memory (24Feb2023)
Fend Off Cyberattack with Episodic Memory (24Feb2023)
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
 
Bring healthy second life to legacy password system
Bring healthy second life to legacy password systemBring healthy second life to legacy password system
Bring healthy second life to legacy password system
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
 
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022
 
Explaining SSI to C-suite executives, and anyone else for that matter
Explaining SSI to C-suite executives, and anyone else for that matterExplaining SSI to C-suite executives, and anyone else for that matter
Explaining SSI to C-suite executives, and anyone else for that matter
 
Invenio Conquer-Password-Mgmt
Invenio Conquer-Password-MgmtInvenio Conquer-Password-Mgmt
Invenio Conquer-Password-Mgmt
 
Passwords in the Internet Age - Jim Salter
Passwords in the Internet Age - Jim SalterPasswords in the Internet Age - Jim Salter
Passwords in the Internet Age - Jim Salter
 
Thane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentationThane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentation
 
Fend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic MemoryFend Off Cybercrime with Episodic Memory
Fend Off Cybercrime with Episodic Memory
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
The Future of ECM: Collaborative Workspaces
The Future of ECM: Collaborative WorkspacesThe Future of ECM: Collaborative Workspaces
The Future of ECM: Collaborative Workspaces
 

Plus de Alessio Pennasilico

Odio le mie applicazioni web e chi le ha scritte
Odio le mie applicazioni web e chi le ha scritteOdio le mie applicazioni web e chi le ha scritte
Odio le mie applicazioni web e chi le ha scritteAlessio Pennasilico
 
Sistemi SCADA e profili criminali
Sistemi SCADA e profili criminaliSistemi SCADA e profili criminali
Sistemi SCADA e profili criminaliAlessio Pennasilico
 
Come il Cloud Computing può salvare l'analogico
Come il Cloud Computing può salvare l'analogicoCome il Cloud Computing può salvare l'analogico
Come il Cloud Computing può salvare l'analogicoAlessio Pennasilico
 
ICT Security 2010: Le minacce delle nuove tecnologie
ICT Security 2010: Le minacce delle nuove tecnologieICT Security 2010: Le minacce delle nuove tecnologie
ICT Security 2010: Le minacce delle nuove tecnologieAlessio Pennasilico
 
Linux Day 2010: Virtualizzare con OpenVZ
Linux Day 2010: Virtualizzare con OpenVZLinux Day 2010: Virtualizzare con OpenVZ
Linux Day 2010: Virtualizzare con OpenVZAlessio Pennasilico
 
Linux Day 2010: Mi hanno installato Linux... ed ora?
Linux Day 2010: Mi hanno installato Linux... ed ora?Linux Day 2010: Mi hanno installato Linux... ed ora?
Linux Day 2010: Mi hanno installato Linux... ed ora?Alessio Pennasilico
 
Smau 2010 Milano: Seminario AIPSI Business Continuity e Disaster Recovery
Smau 2010 Milano: Seminario AIPSI Business Continuity e Disaster RecoverySmau 2010 Milano: Seminario AIPSI Business Continuity e Disaster Recovery
Smau 2010 Milano: Seminario AIPSI Business Continuity e Disaster RecoveryAlessio Pennasilico
 
Smau 2010 Milano: Seminario AIPSI Sicurezza del VoIP
Smau 2010 Milano: Seminario AIPSI Sicurezza del VoIPSmau 2010 Milano: Seminario AIPSI Sicurezza del VoIP
Smau 2010 Milano: Seminario AIPSI Sicurezza del VoIPAlessio Pennasilico
 
Smau 2010 Milano: Seminario Clusit per Intel sulla security
Smau 2010 Milano: Seminario Clusit per Intel sulla securitySmau 2010 Milano: Seminario Clusit per Intel sulla security
Smau 2010 Milano: Seminario Clusit per Intel sulla securityAlessio Pennasilico
 
Linux Day 2010: Linux Security Demystified
Linux Day 2010: Linux Security DemystifiedLinux Day 2010: Linux Security Demystified
Linux Day 2010: Linux Security DemystifiedAlessio Pennasilico
 
Smau 2010 MIlano: Seminario AIPSI Virtualizzazione Sicura
Smau 2010 MIlano: Seminario AIPSI Virtualizzazione SicuraSmau 2010 MIlano: Seminario AIPSI Virtualizzazione Sicura
Smau 2010 MIlano: Seminario AIPSI Virtualizzazione SicuraAlessio Pennasilico
 
e-mail Power: 2010: servono ancora le
e-mail Power: 2010: servono ancora le e-mail Power: 2010: servono ancora le
e-mail Power: 2010: servono ancora le Alessio Pennasilico
 
Porte aperte alla tecnologia: Creare una strategia di Disaster Recovery
Porte aperte alla tecnologia: Creare una strategia di Disaster RecoveryPorte aperte alla tecnologia: Creare una strategia di Disaster Recovery
Porte aperte alla tecnologia: Creare una strategia di Disaster RecoveryAlessio Pennasilico
 
ESC 2010: Virtualizzazione (in)security
ESC 2010: Virtualizzazione (in)securityESC 2010: Virtualizzazione (in)security
ESC 2010: Virtualizzazione (in)securityAlessio Pennasilico
 
Seminario Clusit Security Summit 2010: Minacce per la virtualizzazione
Seminario Clusit Security Summit 2010: Minacce per la virtualizzazioneSeminario Clusit Security Summit 2010: Minacce per la virtualizzazione
Seminario Clusit Security Summit 2010: Minacce per la virtualizzazioneAlessio Pennasilico
 

Plus de Alessio Pennasilico (20)

Odio le mie applicazioni web e chi le ha scritte
Odio le mie applicazioni web e chi le ha scritteOdio le mie applicazioni web e chi le ha scritte
Odio le mie applicazioni web e chi le ha scritte
 
Rischi o vulnerabilità?
Rischi o vulnerabilità?Rischi o vulnerabilità?
Rischi o vulnerabilità?
 
Sistemi SCADA e profili criminali
Sistemi SCADA e profili criminaliSistemi SCADA e profili criminali
Sistemi SCADA e profili criminali
 
Come il Cloud Computing può salvare l'analogico
Come il Cloud Computing può salvare l'analogicoCome il Cloud Computing può salvare l'analogico
Come il Cloud Computing può salvare l'analogico
 
ICT Security 2010: Le minacce delle nuove tecnologie
ICT Security 2010: Le minacce delle nuove tecnologieICT Security 2010: Le minacce delle nuove tecnologie
ICT Security 2010: Le minacce delle nuove tecnologie
 
Linux Day 2010: Virtualizzare con OpenVZ
Linux Day 2010: Virtualizzare con OpenVZLinux Day 2010: Virtualizzare con OpenVZ
Linux Day 2010: Virtualizzare con OpenVZ
 
Linux Day 2010: Mi hanno installato Linux... ed ora?
Linux Day 2010: Mi hanno installato Linux... ed ora?Linux Day 2010: Mi hanno installato Linux... ed ora?
Linux Day 2010: Mi hanno installato Linux... ed ora?
 
Smau 2010 Milano: Seminario AIPSI Business Continuity e Disaster Recovery
Smau 2010 Milano: Seminario AIPSI Business Continuity e Disaster RecoverySmau 2010 Milano: Seminario AIPSI Business Continuity e Disaster Recovery
Smau 2010 Milano: Seminario AIPSI Business Continuity e Disaster Recovery
 
Smau 2010 Milano: Seminario AIPSI Sicurezza del VoIP
Smau 2010 Milano: Seminario AIPSI Sicurezza del VoIPSmau 2010 Milano: Seminario AIPSI Sicurezza del VoIP
Smau 2010 Milano: Seminario AIPSI Sicurezza del VoIP
 
Smau 2010 Milano: Seminario Clusit per Intel sulla security
Smau 2010 Milano: Seminario Clusit per Intel sulla securitySmau 2010 Milano: Seminario Clusit per Intel sulla security
Smau 2010 Milano: Seminario Clusit per Intel sulla security
 
Linux Day 2010: Linux Security Demystified
Linux Day 2010: Linux Security DemystifiedLinux Day 2010: Linux Security Demystified
Linux Day 2010: Linux Security Demystified
 
Smau 2010 MIlano: Seminario AIPSI Virtualizzazione Sicura
Smau 2010 MIlano: Seminario AIPSI Virtualizzazione SicuraSmau 2010 MIlano: Seminario AIPSI Virtualizzazione Sicura
Smau 2010 MIlano: Seminario AIPSI Virtualizzazione Sicura
 
e-mail Power: 2010: servono ancora le
e-mail Power: 2010: servono ancora le e-mail Power: 2010: servono ancora le
e-mail Power: 2010: servono ancora le
 
OpenOffice
OpenOfficeOpenOffice
OpenOffice
 
Vpn Mobility VoIP
Vpn Mobility VoIPVpn Mobility VoIP
Vpn Mobility VoIP
 
Porte aperte alla tecnologia: Creare una strategia di Disaster Recovery
Porte aperte alla tecnologia: Creare una strategia di Disaster RecoveryPorte aperte alla tecnologia: Creare una strategia di Disaster Recovery
Porte aperte alla tecnologia: Creare una strategia di Disaster Recovery
 
Paranoia is a virtue
Paranoia is a virtueParanoia is a virtue
Paranoia is a virtue
 
ESC 2010: Virtualizzazione (in)security
ESC 2010: Virtualizzazione (in)securityESC 2010: Virtualizzazione (in)security
ESC 2010: Virtualizzazione (in)security
 
Seminario Clusit Security Summit 2010: Minacce per la virtualizzazione
Seminario Clusit Security Summit 2010: Minacce per la virtualizzazioneSeminario Clusit Security Summit 2010: Minacce per la virtualizzazione
Seminario Clusit Security Summit 2010: Minacce per la virtualizzazione
 
Internet (in)sicuro
Internet (in)sicuroInternet (in)sicuro
Internet (in)sicuro
 

Dernier

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 

Dernier (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

All your bases belong to us

  • 1. All your bases belong to us! Alessio L.R. Pennasilico Roma, 7 Aprile 2011 mayhem@alba.st twitter: mayhemspp FaceBook: alessio.pennasilico
  • 2. $ whois mayhem Security Evangelist @ Board of Directors: CLUSIT, Associazione Informatici Professionisti (AIP/OPSI), Associazione Italiana Professionisti Sicurezza Informatica (AIPSI), Italian Linux Society (ILS), OpenBSD Italian User Group, Hacker’s Profiling Project All your bases belong to us! mayhem@alba.st 2
  • 3. Hacker? The Tech Model Railroad club is an MIT student activity founded during the 1946-1947 school year, making this our 60th year, and making TMRC one of the oldest clubs at MIT. The Tech Model Railroad Club (TMRC) caters to model railroaders, railfans, and hackers alike. Our activities involve all aspects of model railroading, including the application of computer technology and timetable passenger and card-order freight operation. All your bases belong to us! mayhem@alba.st 3
  • 5. Lockpicking Quanto è facile aprire una serratura? All your bases belong to us! mayhem@alba.st 5
  • 6. Quanto ci vuole? http://www.youtube.com/watch?v=pgE1YJWQzTA All your bases belong to us! mayhem@alba.st 6
  • 7. Come funziona? http://www.youtube.com/watch?v=_sQ9gcjtLQM All your bases belong to us! mayhem@alba.st 7
  • 8. Per tutte le serrature? http://www.youtube.com/watch?v=g0Zw4JI4cxs&feature=related All your bases belong to us! mayhem@alba.st 8
  • 9. Dove sono le serrature? All your bases belong to us! mayhem@alba.st 9
  • 10. Biometria Uso cosciente? “Qualcosa che si possiede” Change Password All your bases belong to us! mayhem@alba.st 10
  • 11. Social Engineering è più facile decriptare una password o chiederla? All your bases belong to us! mayhem@alba.st 11
  • 12. Facebook Hacking “The social reconnaissance enabled us to identify 1402 employees 906 of which used facebook.” […] “We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee facebook profiles.” http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html All your bases belong to us! mayhem@alba.st 12
  • 13. Fiducia “Upon completion we joined our customer's facebook group. Joining wasn't an issue and our request was approved in a matter of hours. Within twenty minutes of being accepted as group members, legitimate customer employees began requesting our friendship. […] Our friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors.” All your bases belong to us! mayhem@alba.st 13
  • 14. Risultati “We used those credentials to access the web- vpn which in turn gave us access to the network. As it turns out those credentials also allowed us to access the majority of systems on the network including the Active Directory server, the mainframe, pump control systems, the checkpoint firewall console, etc.” All your bases belong to us! mayhem@alba.st 14
  • 15. Come mi proteggo? (Pen)Test Analisi (efficacia? deterrente?) Formazione All your bases belong to us! mayhem@alba.st 15
  • 17. Conclusioni Non fidarci di misure di sicurezza il cui scopo è farci sentire sicuri non quello di proteggerci All your bases belong to us! mayhem@alba.st 17
  • 18. Conclusioni Dobbiamo rifuggire la pigrizia mentale Chi vuole i nostri dati lo farà per certo All your bases belong to us! mayhem@alba.st 18
  • 19. These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subjected to Creative Commons Attribution- ShareAlike 2.5 version; you can copy, modify or sell them. “Please” cite your source and use the same licence :) Domande? Grazie per l’attenzione! Alessio L.R. Pennasilico Roma, 7 Aprile 2011 mayhem@alba.st twitter: mayhemspp FaceBook: alessio.pennasilico