security awareness training

Sumedt Jitpukdebodin, Senior Web Application Security Specialist (NCLA, LPIC-1, CompTIA Sec+, C|EH, eCPPT)

Fundamental Of Computer Security

Post on 18-Aug-2015


Who am I?

● Sumedt Jitpukdebodin
● Jobs
  ○ Senior Web Application Security Specialist @ ACIS i-Secure
  ○ Instructor of the “Introduction to Ethical Hacking, Mastering in Exploitation” course at CITEC
  ○ Committee member of CSAT (Cyber Security Association of Thailand)
  ○ Writer for the Information Security and Linux forum of Hackazine
  ○ Author of the book “Hacking & Security – First Step Of Penetration Tester”
● Hobbies
  ○ Hacking
  ○ Whitehat
  ○ Writing
● Experience
  ○ Speaker at many universities
  ○ Speaker at the “Hacker Secret #2, #3” seminar
  ○ Speaker at the “Computer Security” seminar at the BOI Fair
  ○ Author of “How to pentest famous CMS” in Web App. Pentest Magazine
  ○ Etc.

Threats Of Today

1. Social Engineering
   ○ Phishing
   ○ Owning with PDF
2. HTTP, HTTPS
3. Fake Wireless
4. Encryption Of Wireless Network
5. Strong Password
6. Fake Call Center
7. Social Network Threats

Social Engineering

● What
● Why
● When

Phishing

● How
  ○ Spam mail
  ○ Same or similar interface as the real site
● For
  ○ Stealing credentials
  ○ Exploiting the web browser

Phishing Video

● Example 1
● Example 2
● Real Case (http://r00tsec.blogspot.com/2012/04/phishing-site.html)

Owning with PDF

● How
  ○ Exploit the PDF reader software
  ○ Use an interesting file name
  ○ Use interesting email content
● For
  ○ Turning the machine into a bot
  ○ Compromise

Owning with PDF video

HTTP,HTTPS

● HTTPS (HTTP Secure)
  ○ Identifies the website
  ○ Protects against sniffing attacks

HTTPS

Certificate Authority (CA)

Message with certificate

Identify the web

Self-Signed Certificate

HTTP, HTTPS Video

● Try sniffing HTTP and HTTPS traffic

Fake Wireless Access Point

● How
  ○ Similar name to the real hotspot
  ○ Use a ‘Public’ name
● For
  ○ Stealing credentials
  ○ Redirecting the destination to the attacker’s website

Fake Wireless Access Point Video

Encryption Of Wireless

● Mode
  ○ Public
  ○ WEP
    ■ RC4 stream encryption
    ■ 64- or 128-bit encryption
    ■ IV
  ○ WPA
    ■ TKIP encryption (based on RC4)
    ■ AES (Advanced Encryption Standard) encryption
    ■ ICV
  ○ WPA2
    ■ AES encryption
    ■ 256-bit encryption
  ○ *WPS (Wi-Fi Protected Setup)

Brute Force Time

● WEP: < 10 minutes
● WPA – 21 characters: > 4x10^20 years
● WPA2 > WPA

Break The Encryption Of Wireless

● WEP
● WPA/WPA2

Strong Password

● One website, one username, one password
● > 8 characters
● Upper case
● Lower case
● Special characters: @, #, !, $, etc.
● Not in a dictionary, and not personal information or the company name
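As an added example (not from the slides), a small password policy checker that encodes the rules listed above and estimates the worst-case brute-force time at an assumed guess rate; the dictionary words, personal-information words and the guess rate of 10^9 guesses per second are constructed placeholders, not figures from the talk.

```python
# Password policy checker following the slide's rules, plus a rough
# exhaustive-search time estimate. Word lists and guess rate are constructed.

SECONDS_PER_YEAR = 365 * 24 * 3600
SPECIAL_CHARS = set("@#!$%^&*()-_=+[]{};:,.<>?/")

# Constructed stand-ins for a real dictionary and for the user's personal data
DICTIONARY_WORDS = {"password", "welcome", "dragon", "letmein"}
PERSONAL_INFO = {"sumedt", "acis", "thailand"}


def check_password(pw, personal_info=PERSONAL_INFO, dictionary=DICTIONARY_WORDS):
    """Return the list of slide rules the password fails (empty list = passes)."""
    failures = []
    if len(pw) <= 8:
        failures.append("too short (need more than 8 characters)")
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c in SPECIAL_CHARS for c in pw):
        failures.append("no special character")
    lowered = pw.lower()
    # Substring match, so "Password123!" still trips the dictionary rule
    for word in sorted(dictionary | personal_info):
        if word in lowered:
            failures.append(f"contains known word '{word}'")
    return failures


def charset_size(pw):
    """Size of the alphabet an attacker must cover, based on the classes used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIAL_CHARS for c in pw):
        size += len(SPECIAL_CHARS)
    return size


def brute_force_years(pw, guesses_per_second=1e9):
    """Worst-case years to exhaust charset_size(pw) ** len(pw) guesses."""
    return charset_size(pw) ** len(pw) / guesses_per_second / SECONDS_PER_YEAR
```

The estimate is for a blind exhaustive search only; a password that fails the dictionary rule falls to a wordlist attack far faster than the number suggests.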

Demo: using KeePass

Fake Call Center

● How
  ○ You have won a prize
  ○ Tax refund
  ○ Credit card debt
  ○ Impersonating the DSI
● From
  ○ China
  ○ Taiwan

Fake Call Center Video

Social Networking Threats

Facebook Impact 2011

Example Of Social Network Threats

● Likejacking
  ○ Facebook users
  ○ Interesting picture
  ○ Spreads to friends and the user’s groups

Likejacking (Continued)

How to Learn Computer Security

● Love
● English
● Forums
● Sharing
● E-Books

Q & A

Thank You

● ☺