Insecurity demos, or how I learned to stop worrying and start loving digital security trainings
Training others about security is tough. Digital security even more so. The often invisible threat manifests itself without noticeable harm to the user. It's almost impossible to imagine pervasive and expansive Internet surveillance, nor is it easy to picture the physical infrastructure that our bytes traverse as they leave the computer to update our Facebook status. To most digital security training participants, the threat exists in hearsay and in the trainer's expansive and well-practiced imagination.
We have the methodology and have grown the pedagogy. Yet the uptake still leaves much to be desired. Our participants leave happy and entertained, but no more than 10%-20% continue to use the tools and methods we teach. This talk will engage the audience in a discussion of what these missing elements may be and how we conquer them as a community. It will posit that insecurity demos (or emotional blackmail) are a useful strategy for proving the reality of the digital threat. We will demonstrate password hacking through profiling, social engineering and brute force. We will examine tools to help us visualise the network and the information flowing through it. We will look at malware infections and commercial tools for surveillance and tracking. We will ask the audience to present their own insecurity demos. We will of course discuss the boundaries a trainer should not cross and the ethics of hacking to prove a point. We will collate and present a series of recommendations and crowd-sourced examples of insecurity demos.
Applied Threat Modeling & How I Learned to Start Loving Digital Security Trainings (1hr Session)
Some lightweight notes from the session:
- File recovery
  - Camera: take a photo, delete it, and show that the data can still be recovered (needs a demo of how to do it).
  - On Windows, Recuva can undelete the file.
  - Very easy to do this incorrectly and reveal a participant's private data!!!
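To make the "deleted is not erased" point concrete without touching anyone's real card, here is an added simulation written for these notes (not code from the session or from Recuva). It models a camera card as a flat byte array with a separate directory, shows that an ordinary delete only drops the directory entry so the photo can still be carved out by scanning for JPEG markers, that continuing to use the card overwrites it, and that overwriting before deletion defeats the carve. The "photo" is a constructed stand-in with real SOI/EOI markers around a fake body.

```python
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker prefix
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


class ToyDisk:
    """A storage medium (byte array) plus a separate directory of name -> (offset, length)."""

    def __init__(self, size):
        self.blocks = bytearray(size)   # the medium, initially all zeros
        self.directory = {}             # what the operating system shows the user
        self.free = [(0, size)]         # free regions as (offset, length), kept sorted

    def _allocate(self, length):
        # Lowest-offset first-fit: space released by a delete is handed to the next writer.
        for i, (off, ln) in enumerate(self.free):
            if ln >= length:
                self.free[i] = (off + length, ln - length)
                return off
        raise OSError("disk full")

    def write_file(self, name, data):
        off = self._allocate(len(data))
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        return off

    def read_file(self, name):
        off, ln = self.directory[name]
        return bytes(self.blocks[off:off + ln])

    def delete_file(self, name):
        # Ordinary delete: the directory entry goes and the space is marked free.
        # The bytes on the medium are untouched, which is what an undelete tool relies on.
        off, ln = self.directory.pop(name)
        self.free.append((off, ln))
        self.free.sort()

    def secure_delete(self, name):
        # Overwrite the content before releasing the space.
        off, ln = self.directory[name]
        self.blocks[off:off + ln] = b"\x00" * ln
        self.delete_file(name)


def carve_jpegs(raw):
    """Recover JPEG-like blobs by scanning raw storage for SOI...EOI pairs, ignoring the directory."""
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def run_demo():
    # Constructed stand-in for a camera photo: valid markers around a fake body.
    photo = JPEG_SOI + b"\xe0" + b"fake-photo-body-constructed-for-demo" + JPEG_EOI
    disk = ToyDisk(256)
    disk.write_file("DSC_0001.JPG", photo)
    results = {}

    # 1. Delete the photo the normal way: gone from the directory, still on the medium.
    disk.delete_file("DSC_0001.JPG")
    results["in_directory_after_delete"] = "DSC_0001.JPG" in disk.directory
    results["carved_after_delete"] = carve_jpegs(disk.blocks)

    # 2. Keep using the card: the next file reuses the freed space and clobbers the photo.
    disk.write_file("notes.txt", b"Z" * len(photo))
    results["carved_after_reuse"] = carve_jpegs(disk.blocks)

    # 3. Same photo again, but overwritten before deletion: nothing to carve.
    disk.write_file("DSC_0002.JPG", photo)
    disk.secure_delete("DSC_0002.JPG")
    results["carved_after_secure_delete"] = carve_jpegs(disk.blocks)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The three results map onto the three points a trainer wants the room to take away: the file vanishes from the listing but the bytes remain; writing anything new to the card is what actually destroys evidence, so stop using a device you want to recover from; and a wipe that overwrites content is what makes deletion real.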
- Password cracking
  - Use a randomly generated but short password on a password-protected Word doc to demonstrate password cracking.
  - Elcomsoft Advanced Password Recovery (free trial version).
  - Important to demo in Windows to show it's not some crazy Linux thing.
  - Can also take in PII to better target password cracking:
    - cupp: OSINT-based password wordlist suggester / tool, https://github.com/Mebus/cupp
    - xhydra to launch a password attack: https://apps.ubuntu.com/cat/applications/precise/hydra-gtk/
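A companion to the short-password demo that needs no cracking tool at all: an added keyspace estimator written for these notes (not part of the session or of any tool named above) that classifies the character set of a password, computes the number of candidates a brute-force search must cover, and converts that into time at a few guess rates. The guess rates are constructed order-of-magnitude assumptions for a training slide, not measurements of any product; the point is the contrast between a short random password and a longer passphrase, and between an online rate-limited login and an offline attack on a document file.

```python
import math
import string

# Constructed, order-of-magnitude guess rates (guesses per second) for the demo.
GUESS_RATES = {
    "online, rate-limited login": 10.0,
    "offline, single laptop": 1.0e8,
    "offline, GPU rig": 1.0e10,
}

# Character classes and the size each one adds to the brute-force alphabet.
CHARSETS = [
    ("lowercase", string.ascii_lowercase, 26),
    ("uppercase", string.ascii_uppercase, 26),
    ("digits", string.digits, 10),
    ("symbols", string.punctuation, 32),
    ("space", " ", 1),
]


def charset_size(password):
    """Size of the smallest union of character classes that covers every character."""
    if not password:
        raise ValueError("empty password")
    size = 0
    for _, chars, n in CHARSETS:
        if any(c in chars for c in password):
            size += n
    if size == 0:
        raise ValueError("password uses characters outside the modelled classes")
    return size


def keyspace(password):
    """Number of candidates an exhaustive search over the same classes and length must try."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Brute-force entropy in bits, assuming each position is drawn uniformly from the class union."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password, rate):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(password) / rate


def crack_time_report(password):
    """Worst-case exhaustion time under each assumed guess rate."""
    return {label: seconds_to_exhaust(password, rate) for label, rate in GUESS_RATES.items()}


def humanize(seconds):
    """Render a duration in the largest sensible unit, for a slide."""
    for unit, length in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed sample inputs: the kind of short random password the demo doc uses,
    # versus a longer passphrase of only lowercase letters and spaces.
    for pw in ("Xk7$qz", "correct horse battery"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, keyspace {keyspace(pw):.3g}")
        for label, secs in crack_time_report(pw).items():
            print(f"  {label}: {humanize(secs)}")
```

Two caveats worth saying out loud when presenting this: the estimate is an upper bound for a password that really is random, and the profiling step the notes mention (cupp) exists precisely because human-chosen passwords are searched in a far smaller, ordered space than this calculation assumes; and the "offline" rows only apply once the attacker holds the file or hash, which is the difference between a rate-limited login form and a password-protected document that leaves the building.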
- Network sniffing
  - EtherApe to show local network connections.