Meetup PTS Ciber 2 - El Arte de Hackear Datos Medicos - A.Casares
medical data
Nov 2020
Agenda
2 Examples
3 Recommendations
Insiders
Hacking
Blackmailing
Data Breaches
Phishing
Account Takeover
Impersonation
SE (social engineering)
© 2019 4iQ.com ** DO NOT DISTRIBUTE ** Company Confidential. All rights reserved.
[Figure: exposed personal attributes of one individual across breaches, with counts and breach dates]
5 Birthday, 11 Email, 3 Names, 7 Phone number, 9 Security questions
Breach dates: Before Dec. 2015, Before June 2012, Before June 2013, Before March 2015, Before Feb. 2013, Jun. 2016
Where Everything Has a Price
Healthcare Records                 $20-$50
Documents (passports, bills)       $50-$300
EMAILS                        BREACH/SITE   PASSWORD ALGORITHM   DECRYPTED PASSWORD
mzuckerb@fas.harvard.edu      Linkedin      SHA1                 dadada
mzuckerb@fas.harvard.edu      MySpace       SHA1                 *****fee
mzuckerb@fas.harvard.edu      Last.fm       MD5                  *****v3a
mzuckerb@fas.harvard.edu      Adobe         3DES                 dadada
zuck@facebook.com             Tumblr        SHA1                 *****nis
mark@facebook.com             Dropbox       SHA1                 *****325
mark@facebook.com             Fling         None                 *****980
mark@facebook.com             VK            None                 *****123
mark@facebook.com             Adobe         3DES                 dadada
PHISHING
1. Classic Phishing Email
The backbone of any successful phishing attack is a well-designed spoofed email or spoofed website, which is why:
1. Bank customers are popular targets of those who engage in phishing attacks.
2. The websites of professional businesses and organizations are generally sleek and stylish. If you visit one that seems to look a little ramshackle, there's a very good chance that you've stumbled upon a spoofed site.
3. Phishers know precisely how to design spoofed emails to look like their legitimate counterparts.
INSIDERS
Insider Example (Feb 4, 2019)
[Screenshot of an insider offer; contact given as "745780626 ICQ ME"]
VIP impersonation
[Diagram: anatomy of a data breach]
SOCIAL ENGINEERING: phishing email, spam with malware, phone call, dress like the night janitor, etc. (delivered over an HTTP-based path, FTP, email, etc.)
INFRASTRUCTURE WEAKNESS: SQL injection, vulnerability exploitation, session hijacking, etc.
DATABASE AND FILE SERVER: personally identifiable information (PII), credit card numbers, email addresses, other social details, etc.
Dropbox breach
Difficult to detect
Permanent
High damage
Personal records exposed
* NIST Special Publication 800-63B
5 Authenticator and Verifier Requirements
5.1.1.2 Memorized Secret Verifiers
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly used, expected, or compromised. For example, the list MAY include, but is not limited to:
● Passwords obtained from previous data breaches.
● Dictionary words.
● Repetitive or sequential characters, for example 'abcdefghij' or 'ssss12345'.
● Context-specific words, such as the name of the service, the username, and derivatives thereof.
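The four screening criteria above are easy to state and easy to get subtly wrong, so here is an added example (not from the slides, and not 4iQ code) of a verifier-side check that applies them to a candidate secret. The breach corpus and dictionary are tiny constructed sample sets standing in for the real lists a deployment would load; the run-length thresholds for "repetitive" and "sequential" are design choices; and the service name MedClinic and the username a.casares@example.org used in the demo are hypothetical.

```python
"""Memorized-secret screening in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example. The word lists are constructed samples; a production verifier
loads a full breach corpus (millions of entries) and a real dictionary.
"""
import re
from dataclasses import dataclass, field

# Constructed samples standing in for a breach corpus and a dictionary.
BREACHED_PASSWORDS = {"dadada", "password", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"hospital", "medical", "sunshine", "dragon", "welcome"}

REPEAT_RUN = 3     # 'sss' or longer counts as repetitive (design choice)
SEQUENCE_RUN = 4   # 'abcd' / '4321' or longer counts as sequential (design choice)


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def _normalize(text: str) -> str:
    """Lowercase and keep only letters and digits, so trivial derivatives
    such as 'Med-Clinic_2020' still compare equal to 'medclinic2020'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def has_repetitive_run(secret: str, n: int = REPEAT_RUN) -> bool:
    """True if any character repeats n or more times in a row."""
    run = 1
    for prev, cur in zip(secret, secret[1:]):
        run = run + 1 if cur == prev else 1
        if run >= n:
            return True
    return False


def has_sequential_run(secret: str, n: int = SEQUENCE_RUN) -> bool:
    """True if n or more consecutive characters step by exactly +1 or -1
    in code point ('abcd', '7654'), compared case-insensitively."""
    s = secret.lower()
    for step in (1, -1):
        run = 1
        for prev, cur in zip(s, s[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            if run >= n:
                return True
    return False


def context_terms(service_name: str, username: str) -> set:
    """Service name, username and simple derivatives: the local part of an
    e-mail style username and the reversed spelling of each term."""
    raw = {service_name, username, username.split("@")[0]}
    norm = {_normalize(t) for t in raw if t}
    return norm | {t[::-1] for t in norm}


def screen_secret(secret: str, *, service_name: str, username: str) -> Verdict:
    """Apply the four 800-63B list checks; every failing check is reported."""
    reasons = []
    norm = _normalize(secret)
    if secret.lower() in BREACHED_PASSWORDS or norm in BREACHED_PASSWORDS:
        reasons.append("found in breach corpus")
    if norm in DICTIONARY_WORDS:
        reasons.append("dictionary word")
    if has_repetitive_run(secret):
        reasons.append("repetitive characters")
    if has_sequential_run(secret):
        reasons.append("sequential characters")
    for term in context_terms(service_name, username):
        # Ignore very short terms so initials do not reject everything.
        if len(term) >= 3 and term in norm:
            reasons.append(f"contains context-specific term {term!r}")
            break
    return Verdict(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Hypothetical service and account used only for the demo.
    for candidate in ("dadada", "abcdefghij", "ssss12345",
                      "MedClinic!2020", "Tr0ub4dor&3-Correct"):
        v = screen_secret(candidate, service_name="MedClinic",
                          username="a.casares@example.org")
        print(f"{candidate!r}: {'accepted' if v.accepted else 'rejected'} {v.reasons}")
```

The check reports every failing criterion rather than stopping at the first, which makes the rejection message useful to the user and gives the verifier a single place to log which list a candidate hit.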
“I’ve learned that people will forget what you said, people will forget what you
did, but people will never forget how you made them feel”
– Maya Angelou
Alberto Casares
alberto.casares@4iq.com
_albertocasares
#Cybersecurity #Research & Development #Digital Risk Management #e-Crime #OSINT