The S in IoT stands for Security: mitigating new entry points to the jewels presented at BSidesCairo 2019

by Denis Makrushin

Summary: Nobody cares about his smart-home security, and nobody seems to care about smart-city threats that affect billions of people. However, what about threats in connected medicine that are able to change the life of a patient? Patient-doctor confidentiality is a sacred bond: a time to share anxieties and concerns with an entrusted caretaker and no one else. So how do we account for that silent third party watching the doctors? Medical infrastructure is a highly sought-after target for motivated cybercriminals. That "infrastructure" is in reality a combination of unusual outdated devices coupled with unpatched, forgotten machines. That combination is riddled with entry points into medical networks, allowing threat actors to sit alongside doctors and administer their hostile brand of bedside manner. The threat is far from theoretical. This year alone has been riddled with healthcare-related headlines: "WannaCry Malware Caused Chaos for National Health Service", "Two major Indonesian hospitals attacked in 'ransomware' storm", "Hackers publish private photos from cosmetic surgery clinic". But just how big is this threat? The numbers are staggering. Our research will show that more than 70% of medical organizations have faced some kind of malware attack in the last six months. One in ten was the subject of an attempted ransomware attack. And the healthcare industry alone accounts for 30% of recent data leaks. Is your anxiety peaking yet? Well, pop a Xanax and join us for a therapy session on the dreadful state of medical infrastructure. Based on research of various smart-city and connected medical devices, this session will offer a guide which will answer the following question: how to survive in the connected world?
Techniques of the Social Engineering Pirate Queen

by Sharka Pekarova

Summary: Social Engineering has many different faces, from using open source intelligence (OSINT), phishing, vishing, smishing and all the other "-ishings", to dropping weaponized USB flash drives, to eventually getting right into the middle of your target's own office and pwning all the things! There are many tools and documented ways of doing all the -ishings, and almost all of them require no direct interaction with the target, because you never have to leave your warm chair in front of your machine at home. But everyone wants to break into buildings like a pirate queen, am I right? To do that, we will have to interact with our target directly, and that requires certain knowledge of techniques and skills. I will describe techniques using knowledge of facial expressions, body language, and the psychology behind influence and persuasion, and how to manipulate targets into believing my pretext and complying with my (evil) plans. I will step over to the defensive side as well and explain how to defend against the attack techniques I use.

Side Discussions