In about a month, other team members from CynergisTek and I (as well as the rest of the healthcare IT industry) will be gathering in sunny Orlando for the HIMSS 2017 conference. I am excited to have the opportunity to present demos around a few hot topics during the exhibition.
I spend my days steeped in the world of security, performing penetration tests, security assessments, education, and much more. As I said in my previous blog post, we need to get back to basics to better understand what we have before we can make new things better. To that end, I will be discussing three main topics during my sessions, as outlined below. It should also be noted that this is by no means the extent of what I am willing to discuss. If you would like to talk about any security-related topic, I will be available throughout the event at booths 1734 and 2093.
Today’s technology has been striving for a single purpose for some time: freedom from wires. In that pursuit, our devices – whether they be a phone, computer, watch, or even Bluetooth headphones – have become more and more reliant on wireless signals. The wireless signals we rely on vary in type and in how safe they are. The most common is Wi-Fi, which we use daily at work, home, and sometimes out and about. Unfortunately, these networks offer nowhere near the security that our general confidence suggests. Wireless networks are a great method for attackers to gain critical information, access to systems, and even the keys to the kingdom if they play their cards right.
In this demo, we will review some of the wireless attacks that could be used against you and your organizations using some of the latest tools available. For example, I will show how the purpose-built Wi-Fi Pineapple can be used to gather critical hotspot names based on probes sent out from devices. I will show how this information can then be used by attackers to fool users into connecting to illegitimate access points that look familiar. I will also go into some details of how Bluetooth, NFC, and other wireless protocols can be used against us, despite their usefulness.
Mobile Devices and Portable Hacks
It is very easy to limit the category of mobile devices to our mobile phones. While the tiny computers we carry with us everywhere are mobile devices and have some serious security and safety implications, they are not alone in this category. Laptops, tablets, hybrid devices, smart watches, and maybe even your car should also be considered mobile devices. Traditionally (a funny term to use when discussing IT), we have relied on perimeter security to keep our devices safe. However, we no longer live in an age of distinct borders.
This demo will show some of the techniques and devices that attackers can use to compromise mobile devices while they are outside of the perimeter, and how those devices can then be used to carry the attacks back inside. I will show some examples of how mobile devices can be used to geolocate users’ home wireless networks, as well as how malware can be used to infiltrate less protected devices and bring its malicious code inside of our “walled” fortresses.
The Problem with Wetware
Wetware, better known as people or users, is not the sole reason that we have IT, but it is likely the biggest security issue. People, even the best and the brightest, make mistakes. These mistakes can cost us and our organizations dearly. People fall for scams because they want to help. Phishing and social engineering attacks work so well because of our human nature and desire to be helpful.
In this demo, we will discuss some of the tactics that attackers use to exploit the wetware that your organization relies upon. We will also discuss a few ways to help users better prepare for scams and attacks and how we can test their response to simulated attacks. We will also go over some of the common pitfalls and how to properly educate our users to avoid them.
See You in Florida
I sincerely hope to meet many of you and your colleagues next month in Orlando, and I look forward to answering your questions on these and other security topics. Travel safely, and I will see you all in Florida. View our HIMSS17 page for a schedule of my demos and more information on our show activities.