
En Tus 5 Minutos: Abordando el Impacto Emocional de los Hackeos (In Your 5 Minutes: Addressing the Emotional Impact of Hacks)

BSides CDMX · 31:00 · 31 views · Published 2024-10
About this talk
Fernando Valdez and Marco explore the emotional and psychological impact of cyber attacks on individuals and organizations through three real-world case studies: harassment and account takeovers, extortion threats, and ransomware. The talk examines social engineering as the leading attack vector (90%+ of breaches), covers emerging threats amplified by AI-generated deepfakes and voice synthesis, and discusses practical mitigation strategies including security awareness, two-factor authentication, and psychological support for victims.
Transcript [en]

- My name is Fernando Valdez. He is Marco; he is my mentor and friend and co-founder of Pacifica. So, it's an honor to be here with you. The points of view and opinions expressed in this presentation are my own and do not represent the opinions of my employer; it's important to say that. OK, this is everything I have done, what I have dedicated myself to. Right now I'm at Pacifica. I worked with UNAM as an IT and IoT consultant on several projects, including Stanford and ISF MoMA. I am a cybersecurity consultant at BrainTech and I was co-founder of EnviarTech, which we dedicated to covering obstacles in times of pandemic. Plus my 15 years of experience in IT, plus the certifications.

- OK, first of all, why "In Your Five Minutes"? Well, I came up with the name because it seems that Murphy's law always attacks in those five minutes when you are tired, hungry, and suddenly you get a call, an extortion message, "We need to confirm your bank details," whatever you want, right? So, there you go, you give the data because you are not focused, you are worried about other things, and that's where everything goes to hell, right?

- In the past, the company has focused on governments and important people. And to Fernando's point, many times we think that we are not vulnerable, that they are not going to attack us, or things like that. Unfortunately, at this point, and I always tell my clients, no matter how big or small an organization is, it will always be affected by a cyber attack. And on a personal level, we have seen many cases in which people, as usual, again, it does not have to be a celebrity to be...

- So, OK, these three cases that I'm going to present are a base; they are real cases in which I was able to support, and it's a base of how I was helping the victim, because in the end their security and trust are taken away. Since they were vulnerable, they feel insecure, they don't know what they can do and what they can't, and then they say, "No, but I want to get out of all the networks," but it's not that easy in a society that lives on social networks and all the communications out there, right?

This one is called "El Atóxico", a 25-year-old person. For a year and a half, she was literally suffering harassment. She had a web page, and every time she accessed it, she magically lost access to her social media. And they started posting nonsense on that social media, things that affected her emotionally. One thing is one against one, and another thing is when you are exposed to more than 50 people, 100 people on social media. So, he approached the authorities, they couldn't help him, he no longer knew anything about them. And when he approached me, he said, "I've been under stress, anxiety, depression for a year and a half." And that was from the moment he found out that the networks were stolen and everything. And then there started to be a pattern, right?

"You're going to be a hacker." This is one of the most common attacks we see. A 28-year-old person receives an email one day that threatens him: "Hey, I'm going to burn you with your family, with your friends. I had access to your camera, I was recording you, and I'm going to send all these private photos that I have of you to your family and friends." And then, "Oh, and I'm asking for 500 Bitcoins in 38 hours, and if not, well, goodbye." So, what happened again? Right after receiving the email, and not knowing much about how this type of attack works, it generated despair, depression, anxiety; there were sleepless nights. And so, even if you assure them that it's not a bluff, they still don't stay calm. And that's where you have to start digging a little more and update them and say, "OK, we're going to do this kind of thing to help you and make you feel calmer."

And the next one, "the saver", the classic of companies or also educational staff. They ask for software, and the universities or whoever tell them, "Oh, yes, borrow the computer," and it turns out that it is cracked software. Here the curious thing was, well, why do I put the age? Because despite the fact that there were younger people who were vulnerable, the same fear comes from being vulnerable, being a victim. And then, for example, in this case, "I knew about programming and that, but I didn't know about security. I didn't know what it meant to install cracked software. I just wanted to, as an academic, get my stuff out." And then, every time they installed it, they received an email with the current password. And I said, "OK, same as the last case: we have your devices, and if you don't pay us as much as you can, whatever, we will send your family and friends your personal information, the photos, everything we took." And well, indifference, depression, despair, fear, anxiety; it becomes something usual, sadly.

- OK, let's talk about social engineering. In the last few years this has been one of the most successful methods used by hackers to access organizations. That's what is called human hacking. Basically it's about talking to people and trying to see how much information you can get from them, or how much you can access. A curious fact: I didn't know until I started studying in this field, I didn't know that since I was 10 I was a social engineer. I mean, at 10 years old I made my first falsified credential. At 15 years old I falsified with the school principal. Basically I asked her questions and those were her passwords. I didn't know that that meant social engineering, and that you could really do that as a career. Another curious fact is that the best people at doing social engineering are women. Especially, as long as you're more mature, no more.

- Think about it. Don't take the conversations you have with strangers lightly when they talk to you and ask for information, etc. As I said before, this is one of the most successful methods. Last year, in September, a casino chain, MGM, was affected. It was installed, etc. I can tell you that in my past life I was a systems manager in casinos. One of my clients was GM. It's one of the organizations that has the best technology, etc. What happened? Someone got through one of the executives: he called the help desk and said, "Please change my password because I need it now," blah, blah, blah. Well, from there they started making other types of calls to acquire the account of one of the administrators. From which, really, already having the administrator's account, you can install ransomware without the need to do other things. Basically, you use the same tools that are used to defend in order to destroy. So that was one way to do it. OK, so I don't know if you have any idea of what percentage of hacking social engineering is responsible for. It's above 90%. So, why is it good to know? Because you avoid things like MGM, or things in different companies that have been vulnerable.

Now I'm going to talk about the different techniques. Phishing. Phishing is the most common: the email that says, "Hey, I need this PDF," or "I'm sending you this PDF with the payment information." Others say, "Follow this link for a discount." There are many. Even though email is the most common, there's also SMS, smishing, which is, you get there and, "Hey, a BBVA transaction is being applied for 3,000 pesos, blah, blah." One goes into panic, they give you a link to reject it, and well, you're done. And apart from that, the calls, right? So that's one of the things...

- Can I go back? - Yes. - Can I go back? - No, that's fine.

- This video is a sci-fi story, but it's not very far from sci-fi, especially when we send our phones to be fixed; we don't know who is touching them. So, even though it's fiction, it's also giving an alert to say whether the people I'm sending it to are trustworthy, etc. So, this is another attack that...

- Well, yes, this part is science fiction, but in the IT part, where I was for 15 years helping people with their computers and all that, I did learn about people... Suddenly hard drives came in with damaged sectors and in raw format. So when I repaired them and started reading what was inside, it turned out that it was the hard drive of another computer, of another owner, and obviously with water, with the address, all that. So... And that's because you trust, or well, you don't know: "Hey, I know that this guy can fix it for me," and it's trust and all that. There are many technicians who abuse the client's trust and pull out private photos, passwords, and well, it becomes a nightmare, right? And the deception can also come from software offerings. You will always try to see a... In social engineering, the best thing that can be done, or well, what should not be done is... there will always be manipulation by the attacker. So, ideally, in a successful attack, if you do it as a test, you have to leave the person better off than they came, because if not, it raises alerts. In this case, threats and manipulation also work, but that is more complex and more destructive.

Let's talk a little about social engineering using artificial intelligence. Really, two years ago, almost two years since ChatGPT started, it made our lives easier. In other industries, people have been told that their jobs are about to end because of artificial intelligence. But the point is that artificial intelligence came to improve our lives, but it also came to make things very difficult for many reasons. The issue that makes it difficult for us when we do social engineering is that you can basically recreate a person. Something that many people don't realize is that when you receive a call, and the person is only selling something, but he is talking to them, this person is recording their voices. What can an artificial intelligence do now? Recreate their voices. Now, how much do we put on our social networks? Photos, right? OK, well, we can upload photos and recreate that. So, the video I'm going to show you right now is a video that was created a little before ChatGPT came out. Artificial intelligence, let's say it like this, is not something new. It was invented more than 30 years ago, even if you don't believe it.

"I'm not Morgan Freeman. What you see is not real. At least in contemporary terms, it's not. What if I were to tell you that I'm not even human? What do you believe in? What is your perception of reality? Is it the ability to capture and process and make sense of the information our senses receive? If you can see, hear, taste or smell? I am not Morgan Freeman. I would like to welcome you to the era of synthetic reality. What do you see?"

- ...create a conversation with their family members. So, what the co-workers do is call them, ask for money, or simply tell them, "You know what? I'm stuck here at the border. I need more money. Can you deposit into this account for me?" And what happens? The family does it. Eventually, I mean, it reaches the point where eventually the family knows that it's not that person anymore, but it's very, very difficult. Even, it's a... Yes, there are tools so that you can see whether it's real or not, but, in any case, it's still very difficult. That's the explosion of psychology: presenting something you think is, but it's not. At this point it's not real anymore. So, back to the video. What is real? What is not real? And that's what you have to pay attention to, especially when you call, when you talk to other people. Many years ago, I mean, there have always been imitators. And many times people call their relatives trying to imitate their voice. At this point it's no longer necessary. A computer can do it. OK.

- ...don't approach anyone. Because many times they don't know someone who can help them recover social media, put security protocols in place, install cameras on social media. All of this, despite being all over the internet, not everyone knows how to look for it, or how to apply it. So, the victim, returning to the first three cases: the victims were vulnerable, I mitigated the attack, and they were like, "OK, thanks for helping me." And then what? What do I do? They were left with that loss of trust, vulnerable, and it's like, "OK, what I can provide you is more information." Because we can be preventive: if you have children, I can help you; if you have social networks, I can make sure, I can educate you, not to upload photos, not this, not that. But, to a certain extent, it's good to have a degree of paranoia, because that's what will make you implement the necessary security methods to keep your mind calm. And so, many times I tell my clients, "OK, this happened. Do you want more information? I have books, we can sit down and talk." Sometimes it's just like, "OK, maybe you want to learn personal defense to get your confidence back." Or, "If you need psychological help, I know very good psychologists, I'll give you the number."

- Many of these things are repetitive, or you've heard them before, but I can tell you that my full-time job is to defend organizations. Something I can tell you is that depending on the security posture of a company, that is how big the impact of an attack, of an incident, is going to be. Let's go back to basics. The pillars of security are people, technology and processes. It's basically a triangle. The problem is that this triangle will never be perfect. Many people, especially depending on the mentality of those organizations, many will have good technology, but they will not have good processes, or the staff, whether technical staff or company staff, will not have the right education. So, for a person, an organization, to have a posture, it has to have those three points. Among those processes, etc., there is enabling what we call two-factor authentication, which is creating another layer of security. Passwords. Right now, Google has created what they call the passkey, which is basically what they call passwordless.

- What we've already said about not using pirated programs; if you receive calls intimidating you, whatever, I recommend that you better try to contact the person by WhatsApp or something. And if you are direct family or whatever, you can even have codes among you, in case one day, we hope never, they kidnap them or something, so you know that it is actually a real call. And I say, the attacker in theory does not know, but at this point... And the photo thing, I don't know.

- How easy is it for a person who does this full time, when you upload photos, to know where the photos are coming from and who is seeing them? This tool, last year at B-Sides, here in Mexico, the D is from CyberChef. This year also the D is from San Francisco. So, obviously I'm just going to give one case. But this tool is very good in many cases. In this case we are going to use what is the Awesome.

So basically this is CyberChef. You can look for it on Google. This is the page. But basically this tool was created by an intelligence agency in England, similar to what the NSA is in the United States. And basically these are the ingredients. And in CyberChef what you're going to do is a recipe. This is a recipe that you're going to cook. So what I'm going to do right now is upload a photo that I took last year at Visites.

By hand, there's not much information. But what happens when I add the Extract EXIF recipe? It will give me a lot of information about that photo: when it was taken, what phone it was taken with, what the resolution was, at what time, and most importantly, where the locations were taken. That's what an attacker is really going to do. If you take photos at home and upload them to your social media, what do you think? So, what I just did here is extract the GPS coordinates. So, what do I do now? Well, here you can practically do everything. What you're going to do is, we're going to put it all on the same level. So we're going to replace the paragraph and we're going to put it on the same line. Now, what do I do after this? Well, who is the provider that gives the best maps? And the truth is, because Apple Maps is really a scam, who is the best? Google. OK, well, we're going to use Google. So what we're going to do is add those coordinates to Google. And here I just gave the coordinates. So what I have to do is copy them, go to a tab, paste them, and boom. We have to depend on the mobile phones. As you can see, it's very easy. You can do it from your phone. You don't need an extra app. It's a web app. It works for many things, but in this case we focus on what the OSP is.

The other one. How many people have run out of battery and need to charge? In addition to the photos, you can turn off the geographic location. The second, in this case, is to turn off what happens when one connects to the USB: what is it going to do? Normally what we have to do is put it in charge mode. Now, what I'm going to show you right now is this adapter. It was created by Electronic Arts, not so much, and they have it there in the villas. They have this device. Basically, what this device does is block the communication. If you connect your cable to a computer, the computer sometimes asks you, "Oh, do you want to save your photos?" etc. It will not tell you that; you're just going to charge. Automatically, if you have an account in the cloud, it will tell you, "Do you want to upload the photos?" What it will do is block that. Number one, block it. Number two, it will give you the best energy to charge your phone faster. So, if you are interested in this, Electronic Arts provided it to us. It is something that you can have. Otherwise, there are some that you can get on Amazon that are not that good, but they do the job.

So, let's see if I can mention this video quickly. Basically, this is called Power Protector. There's another USB called USB Killer. When you connect it to your computer, it destroys your computer. So, basically, they did the test here of what happens if I connect the USB Killer with the Power Protector. Well, it will actually kill the Power Protector, but it won't kill the computer. So, what we're doing here is... If it's true. By the way, the USB Killer is sold on Amazon. It's practically illegal, but... Basically, there are several ways to do this. But yes, I will try to see how you can move in different ways. We already mentioned it in the question of artificial intelligence, we already mentioned what social engineering is, we already mentioned several things, we already gave you certain steps; there are many more. But basically it is your posture, honestly: how paranoid are you?

This is the complete recipe to do what I showed you a while ago. Basically, this is one of the recipes or ingredients, which is to extract the EXIF, then acquire it through a regex, then change it to UNIX time, and then eventually acquire the GPS coordinates to eventually be able to put them in Google and make the work easier.

- My question is about what you were showing. On social media, if I'm not mistaken, you can find all that EXIF metadata in the photos you upload. If I upload a photo, for example, and you want to download it from my profile, I don't know, I don't have the geolocation, I don't have it. Do you say yes?

- There are some that do and some that don't. I can tell you, at some point I worked for a social network and they didn't remove it. Facebook does, Instagram too. The others I can't tell you.

- OK, well, let's say now, just to finish, since let's say that some do take it away, what is it that nobody takes away that can be useful for someone?

- Basically, when you go to the settings, at that point there are many configurations that you can remove, right? Something I'm going to say is that technology has been created in the last 30 years, but not with security in mind. They do it to make life easier for people, to make it look nice, etc. And I say it this way because I live in Silicon Valley. That's literally what I do, or many companies come to me to see exactly that: that even their programmers do not have that security mentality. They want to create a product because they want to sell it, they want to take it to the next level. And the last thing they do is call someone from security to really look at that. So, at this point there are many configurations on your phone. One of them is the one we call geolocation, but there are others. So it's really, back to the question, how much information do you want to share? I can give you a good example in which you can share this information. And it has happened. There in California, a lot of people go hiking and a lot of people get lost. So, what they do is take a photo, send it to the rescuers and tell them, "Here are my coordinates." So, that is a good case in which you can share this information, but not with everyone. Thank you very much to B-Sides for having us here and thank you to Marco for joining me.
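An added example, not from the talk or from CyberChef: the EXIF-to-GPS step the demo runs, written as a pre-upload check you can run on your own photos, together with the fix (dropping the Exif APP1 segment). The JPEG is constructed inline as Exif-only bytes with a made-up coordinate so it runs offline with the standard library; all function names are mine.

```python
import struct
EXIF, GPS_IFD = b"Exif\x00\x00", 0x8825          # APP1 payload magic, IFD0 tag -> GPS IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4          # GPS IFD tags

def build_gps_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: SOI + APP1 Exif + EOI, no image data; IFD0 -> GPS IFD only."""
    rat = lambda dms: b"".join(struct.pack("<II", round(v * 1e4), 10000) for v in dms)
    gps_off = 8 + 2 + 12 + 4            # TIFF header + 1-entry IFD0 -> 26
    lat_off = gps_off + 2 + 4 * 12 + 4  # after the 4-entry GPS IFD -> 80
    tiff = b"II*\x00" + struct.pack("<IH", 8, 1)                # little-endian, IFD0 at 8
    tiff += struct.pack("<HHIII", GPS_IFD, 4, 1, gps_off, 0)     # LONG pointer, no IFD1
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", LAT_REF, 2, 2, lat_ref.encode())   # ASCII fits inline
    tiff += struct.pack("<HHII", LAT, 5, 3, lat_off)             # 3 RATIONALs, by offset
    tiff += struct.pack("<HHI4s", LON_REF, 2, 2, lon_ref.encode())
    tiff += struct.pack("<HHIII", LON, 5, 3, lat_off + 24, 0)    # last entry + next-IFD=0
    tiff += rat(lat_dms) + rat(lon_dms)
    app1 = EXIF + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(jpeg):  # yield (marker, start, end) for each marker segment before SOS/EOI
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, end
        pos = end

def _ifd(tiff, off, e):  # IFD -> {tag: (type, count, raw 4-byte value-or-offset field)}
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    rows = (tiff[a:a + 12] for a in range(off + 2, off + 2 + 12 * n, 12))
    return {t: (ty, c, raw) for t, ty, c, raw in (struct.unpack(e + "HHI4s", r) for r in rows)}

def _dms(tiff, e, field, ref):  # deg/min/sec RATIONALs at offset -> signed decimal degrees
    off = struct.unpack(e + "I", field)[0]
    d, m, s = (n / dn if dn else 0.0 for n, dn in struct.iter_unpack(e + "II", tiff[off:off + 24]))
    val = d + m / 60 + s / 3600
    return -val if ref[:1] in (b"S", b"W") else val

def gps_from_jpeg(jpeg):
    """(lat, lon) in decimal degrees if the Exif GPS IFD carries them, else None."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != EXIF:
            continue
        tiff = jpeg[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"                    # byte order from TIFF header
        ifd0 = _ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if GPS_IFD not in ifd0:
            return None
        gps = _ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD][2])[0], e)
        if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
            return None
        return (_dms(tiff, e, gps[LAT][2], gps[LAT_REF][2]),
                _dms(tiff, e, gps[LON][2], gps[LON_REF][2]))
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 Exif segment dropped; scan data untouched."""
    segs = list(_segments(jpeg))
    keep = b"".join(jpeg[s:en] for m, s, en in segs if m != 0xE1 or jpeg[s + 4:s + 10] != EXIF)
    tail = segs[-1][2] if segs else 2                # SOS, scan data and EOI follow
    return jpeg[:2] + keep + jpeg[tail:]

SAMPLE = build_gps_jpeg((19, 25, 57.6), "N", (99, 7, 59.4), "W")  # made-up Mexico City spot
```

Run `gps_from_jpeg(open("photo.jpg", "rb").read())` on a real phone photo before posting it; a non-None result is exactly what the CyberChef recipe in the talk recovers, and `strip_exif` produces the copy to upload instead.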