1. All your bases belong to us!
Alessio L.R. Pennasilico Roma, 7 Aprile 2011
mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico
2. $ whois mayhem
Security Evangelist @
Board of Directors:
CLUSIT, Associazione Informatici Professionisti (AIP/OPSI),
Associazione Italiana Professionisti Sicurezza Informatica (AIPSI),
Italian Linux Society (ILS), OpenBSD Italian User Group,
Hacker’s Profiling Project
All your bases belong to us! mayhem@alba.st 2
3. Hacker?
The Tech Model Railroad club is an MIT student activity founded during the 1946-1947 school year, making this our 60th year, and making TMRC one of the oldest clubs at MIT.
The Tech Model Railroad Club (TMRC) caters to model railroaders, railfans, and hackers alike. Our activities involve all aspects of model railroading, including the application of computer technology and timetable passenger and card-order freight operation.
5. Lockpicking
How easy is it to open a lock?
6. How long does it take?
http://www.youtube.com/watch?v=pgE1YJWQzTA
7. How does it work?
http://www.youtube.com/watch?v=_sQ9gcjtLQM
8. For every lock?
http://www.youtube.com/watch?v=g0Zw4JI4cxs&feature=related
9. Where are the locks?
10. Biometrics
Conscious use?
“Something you have”
Change Password
11. Social Engineering
Is it easier to decrypt a password or to ask for it?
12. Facebook Hacking
“The social reconnaissance enabled us to identify 1402 employees 906 of which used facebook.”
[…]
“We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee facebook profiles.”
http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html
13. Trust
“Upon completion we joined our customer's facebook group. Joining wasn't an issue and our request was approved in a matter of hours. Within twenty minutes of being accepted as group members, legitimate customer employees began requesting our friendship. […] Our friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors.”
14. Results
“We used those credentials to access the web-vpn which in turn gave us access to the network. As it turns out those credentials also allowed us to access the majority of systems on the network including the Active Directory server, the mainframe, pump control systems, the checkpoint firewall console, etc.”
15. How do I protect myself?
(Pen)Test
Analysis (effectiveness? deterrent?)
Training
17. Conclusions
Don't trust security measures whose purpose is to make us feel safe rather than to protect us
18. Conclusions
We must shun mental laziness
Anyone who wants our data will certainly go after it
19. These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. “Please” cite your source and use the same licence :)
Questions?
Thank you for your attention!
Alessio L.R. Pennasilico Roma, 7 Aprile 2011
mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico