Security BSides Warsaw dzień 3 ścieżka 1
Show transcript [en]
I have been working on blockchain since the beginning of 2011-2012. Since 2017 as a professional programmer. I support various projects related to blockchain technology. I have been teaching at the SGHU, a postgraduate school, for six editions of blockchain technology, two editions at the University of Economics in Poznań. I am in charge of the management of the new technology blockchain management and I help with tokenization of projects of companies and startups that are engaged in this. And this black face in the corner is my alter-egro on the forum bit-coin.pl, where I am a very bad moderator. The oldest forum on Bitcoin and not only in Poland. I invite you to watch it. What I have prepared
today, because it is a conference on security, so technical elements on the security of blockchain and cryptocurrencies technology, i.e. how it works and why it is very difficult to break. So we have 256 bits of possibilities, i.e. the 256th area. What is the blockchain? what are the differences between the DLT blockchain and cryptocurrencies. Private key, which is asymmetrical cryptography, a few words. Mnemonic, which is the registration of private keys in the form of such, which can be nicely We will also talk about consensus methods, first of all Proof of Work, which, of course, works, the rest not necessarily, but a few words about it. When does blockchain make sense in business in general? Because it is a very often abused solution. And a few myths related to how
cryptocurrencies work and how they work. what can be done with them and what not. So the basis of the whole security of cryptocurrencies and blockchain technology is secured by large numbers. 2 to 256, i.e. 32 bytes of information, gives us a lot of possibilities. These are even cosmic numbers. 2 to 256 is over 100 billion decillion. Decillion is nice 10 to 60. It is not normally used. If we wanted to count from 0 to 2256, it would take us 10 to 59 centuries of the Universe. To compare, the number of sand grains is estimated at 7.5 times 10 to 18. Here, I will remind you all the time, we have 10 to 77. The number of stars in the observable
Universe is 10 to 24. So it is still not enough, if we count atoms in the observable universe, it is 10^80. So we have a number bigger than we have in 2^256, that is 256 bits of information. If we invented a magical hard disk to record all the possibilities that the SH-256 gives us, in such a way that in one atom of hydrogen we would record one H, we would need one seven hundredth mass of the universe to build such a disk. So if you get any information that someone or that it searches for private keys, these are just fairy tales. The possibility of finding the same thing, if we use the appropriate entropy, is practically impossible.
These are cosmically small scales of information. The possibility of finding the same number or the same number at such a large range of availability. to equip every human being in the world, that is, we have 8 billion people, with 1000 servers, each of these servers with 8 processors, every processor with 64 cores and everything screwed to 5 GHz. If we wanted to count the whole world cluster again from 0 to 2 to 256, it would take us again 10 to 34 centuries of the Universe. So there is no such possibility. This is the basis of the large number in blockchain technology. The thing that helps us a lot is the hash function, i.e. the shortcut function. In crypto, either SH-256 or SH-3K are
commonly used. Most often, these are both shortcuts that have 256 bits of information at the output. What characterizes the shortcut function? What does the hash function give us? First of all, the hash function is deterministic. It's like multiplication, like 2 times 2 is always 4. Likewise, if we give a specific the same hash function, we will have the same result every time. The hash function is irreversible, one-way, that is, having a result, having a hash, we are not able to guess in any way, and not calculate what this hash comes from. The hash function has a constant length, regardless of the length of the input. So no matter if we hash one sign, a picture,
an encyclopedia, the whole or half of the Internet, at the output we will always have exactly the same amount of information. The result of the hash function is pseudo-final. If we change anything to the entry in the hash function, the exit will always change, because 2/20 is the 56th possibility, so there is practically no possibility that we would have the same two information that hashes to the same result. Of course, it depends on the length, in the hashing function, because if we have 250 8-bits, there is no problem. If there are much shorter hashing functions, or also CRC32MD5 functions from HA1, practically out of use, because we are able to create two different information that
hashing or give the same result from the shortcut function. Hashing functions also have a very large variability, that is, any change in the input information, adding a space, an additional dot, a comma or a change of one letter it makes the hatch turn to the left. It's not that it's a little bit even, it's just that you can see something has changed. The addition of a magic or a chronicle, which we all remember, would have caused something to change if we used a versioning system. No one could ever change something like that. And adding one space literally causes such an effect. Resistance on the collision depends on the length of the function. In the crypto
world, we use a of 256 bits, practically 512 is not yet encountered, but changing the hash function to the longest is also not a problem. Another element that protects data stored in blockchains is simply the hash tree. This is what a tree of hash looks like in nature. At the top we have data and hash of data, i.e. leaves that are later combined together with the purchase order to the root of the hash tree. This information is stored, for example, in the head of the block of information saved to the chain of blocks. It looks a bit nicer from the bottom. So at the bottom we have some information from L1 to L4, which we hash to the shortcuts S1 to S4, then we connect these shortcuts
with each other and call them in the shortcut point again. So from the shortcuts S1 and S2 we get S12, and from S3 and S4 we get S34. We connect these again until we get one last one - the root of the hash tree. which is only saved somewhere. What does it give us? Any change in information from L1 to L4 causes that the root of the hash tree calculated from this information changes, it turns to the left. There is no way to change any information at the bottom so that the root of the hash tree still matches us, of course, having the appropriate hash function. So it is the protection of data that is
saved in the block chain, It does not give us the information what has been changed, it does not give us information where or when, but we know for sure that this information is no longer correct, it has already been modified in some way. So, having this technological basis, we can define the blockchain as a data structure in which we must also consider the hash of the previous information when adding further information. So, for example, We have a block chain, we have a shortcut from the first block, we have data 2 that we have to add, and now when we add another data 3, we have to calculate the shortcut from data 1 and from the
shortcut 1, we get a shortcut 2, data 3 and another block chain. And the other elements are added in the same way, so any change in this structure that we have drawn, for example in the data 2 point, causes the shortcut 2 to stop agreeing with us. So if we want to calculate the short 3, it will stop agreeing with us. This is again protection only before we can recognize that the information has been modified, that the information we have stored, read or received from another server, depending on which side we look, that this information has been modified and we can simply consider it wrong. This data structure does not give us anything. In addition to resistance to any change,
it does not give us anything, it does not give us any security. We need to add a few more elements that will allow us to The data structure was actually resistant to some kind of deception. So a blockchain was created, a bitcoin was created, which added elements such as peer-to-peer, i.e. we have copies of the same blockchain scattered across all the servers that participate. We have security, i.e. SH-256, cryptography, which is the signature. These are the elements that allow us to verify that the information that is recorded is signed by someone. We can then verify whether the person who added the data could actually add this data. Proof of Work protects against changes, which means
that adding any information to the blockchain chain in the case of Bitcoin or cryptocurrencies requires something else, except that the data is properly formatted and signed. and you still need to work on it. And above all, every public blockchain is verified by every member of the network. We have a set of rules, a set of rules, in the form of code, of course, which just verifies whether the information we get from other servers is actually the same and they do not have to be modified and they actually agree with the set of rules that we use. And we come to the blockchain trend, which says that it is not possible to build a system that is both safe, fast and decentralized. If we put on speed and
safety, At this point, we will have a DLT, i.e. a centralized, unsealed database, several servers cross-connected, in some data centers, somewhere connected with light sources, so that this data transmission, in fact, The information that is stored there could be thousands, tens of thousands per second, when such a need, of course, occurs. However, decentralization of such a system in the current system is not yet possible. Although the information we had from Japan about 6G and the speed of the Internet shows that these barriers may be overcome soon and in fact the data transmission of a width of not gigabytes, but hundreds of gigabytes per second It will not be a problem, but I suspect it will be in the future.
So we have Bitcoin, which is not fast. We have a few transactions per second on-chain in Bitcoin. We have decentralization, because we have several dozen thousand copies of the Bitcoin blockchain in the world. And security due to Proof of Work. We are not making a system that is fast and centralized, because if it is not safe, why such a system? We can have the same good Excel on the pulpit, right? And in the middle of the question mark, there is no such system that would be both fast, centralized and safe. If any project tells you that it is, it is lying or does not add something completely. The basic two principles that exist in the world of crypto, blockchain, digital currencies and DLT, We verify all information.
If we are in the role of a node, i.e. the software element that stores and verifies data blocks that are stored in a given block chain, we can verify all information on our own, without any help, having the algorithms set up in Freg. to verify that the information that is being sent is actually correct. And the code is low, i.e. all the information that is encoded in a given node, in a given implementation, is unchanged. If we create more than one implementation in a different programming language, we must assume that the implementation that is considered as a reference. In the case of Bitcoin, there is a Bitcoin Core, in the case of C++, in the case of Ethereum, it is a Get-Go, for example, every blockchain has its own
reference implementation, which is considered a template and if others are created in other languages of programming, other versions, they must be agreed, i.e. even if some error is made, more or less accidental, other implementations must accept this error and which has happened in the crypto world a few times, but this is a topic for a separate presentation. What is the difference between blockchain and DLT, from cryptocurrencies? There are common elements, first of all blockchain technology, i.e. data security, and writing them down in such a way that it is possible to find the place where the continuity of information has been interrupted, we have a mechanism of consensus, i.e. a definition of which version of the truth is more true. If we have information about a specific blockchain from two
equal nodes, from two equal places on the Internet that do not agree with each other, the mechanism of consensus allows us to choose which of these two versions, or more than two, is correct, which we should follow and continue to build or verify other blocks accordingly. We have a peer-to-peer mechanism, i.e. exchange of information between the nodes, some communication, some sending, some data distribution. And what does Bitcoin equal to DLT? This is a reward for the block, which drives the whole economy of Bitcoin, how it works and why anyone wants to spend money on equipment, electricity to maintain the blockchain, to protect it. This is not in DLT. DLT is a corporate system or a private system in which rather work together.
There is no internal attack, but in the case of cryptocurrencies, there is a assumption that anyone who joins the network can be a so-called bad actor, i.e. he wants to break something. At this point, the block reward causes an economic aspect that allows It's not worth playing against systems, it's more worth strengthening the network and building blocks according to the rules than trying to write down the story. The whole mechanism of consensus is that we must somehow solve the so-called Byzantine generals' problem, that is, in an unsafe system, where information transmitted between participants of the system can be deceived, intercepted, distorted or modified, how to protect yourself from such a before such an event. The problem of
the Byzantine generals is described as an army composed of many elements that is to attack or not attack a given city. The problem is that the couriers between the fragments of the army can be killed, captured or bought to convey wrong information. The mechanism of consensus used in blockchain systems, allows for a certain tolerance for the whole system, that this system will not be modified, and the rules will not be changed. often the threshold is about 50% so at least half of the active participants of the network must be operating in accordance with the network, so not to attack the network then there is no problem, all possible attacks are simply more or less ignored. In the crypto world,
starting from Bitcoin, the basic The proof-of-work mechanism requires additional work to be done before any new information is added to the block chain. The information is added in information blocks, each transaction made by users is grouped and only in the case of Bitcoin, in the case of Ethereum, every 15 seconds, these information is collected together and added to the block chain as another transaction block. The assumption of Proof of Work is that this version of the truth, if we have a comparison click, in which more work is put in, It is true. It is very easy to calculate because of the way in which the difficulty is written, i.e. the amount of additional work that needs to be put into the block
chain. It is very easy to verify, but very difficult to perform. We have a fast proof of work mechanism, but the proof of work itself is much more complicated. 100 blocks is a magical element through forks, it doesn't happen at the moment, because the branches, i.e. the equal versions of the truth, are longer than one or two blocks, and the next ones practically no longer happen, so one happens by accident, two practically not at all. However, let's say in 2010-2011, even three or four blocks of the same mine were able to dig out, and then comparing this chain of blocks that had more work put in which was most often associated with the fact that it was more blocks, was shown as the chain to follow.
Proof of Work, apart from the advantages of being a decentralized mechanism, anyone can join it, all you need is equipment and electricity, and of course, the software is running. However, the problem of energy consumption is very often indicated. There is a page, the links are in the presentation, showing how much the whole mechanism of proof of work absorbs electricity. Of course, these are estimates of the approximate power of the entire network of currently available equipment and how much electricity this equipment consumes. And it's practically changing all the time, almost every day. However, the biggest problem of a single transaction here is that it consumes one transaction made on a block chain of about 400 kg of
carbon dioxide, which is comparable to 60,000 hours of watching YouTube. So that's a lot. However, the disadvantage of Proof of Work is that it is possible to intercept the network when exceeding 50% of the available computing power. This is also a topic for a separate lecture, how it can actually be carried out. However, focusing on such power is practically technically impossible. It would have to be a few tanks of electronic equipment plus some small power plant to power it all, so that it has a range of legs. Moreover, more and more power is needed because this system is still developing and more and more people are joining in with their equipment. to perform this proof of
work. However, I have made a small experiment. If we assume that every user or every person in the world has one small device that receives 1 watt of electricity, For example, a charger from a phone connected somewhere, or a TV on the stand by, or a display, or an hour on a microwave oven. 1 watt per person per day. It turns out that we get 68 terawatts per hour, which in comparison to the annual consumption For Bitcoin, which I prepared for this presentation, it is about 78 terabytes per hour, which is not much more. And we ask ourselves the question: do we have only one device at home that consumes 1 watt of electricity, because I assume that not
necessarily. So here is this element indicating that Bitcoin is bad because it is not eco, so let's focus on other things. which consume more electricity than even mining bitcoins on a global scale. What is Proof of Work actually like? It is another myth that is often circulating on the web, that when you mine cryptocurrencies, you help NSA or some other 3-digit agencies, you hack the Internet, you don't know what else. In fact, proof of work is only performing a hash function. In the case of Bitcoin, it is a double SH256. The whole scheme looks like this: we have to ... I think I can't show it on the screen. The little cloud in the upper left corner is a new transaction, i.e. these are transactions
made by users. They are all announced on the network, each node individually verifies whether such a transaction is correct. This node that makes a proof of work, that copies, of course, adds its generation transaction. From all these transactions, a hash tree is built, which I mentioned at the beginning, and the root of this hash tree as a security, i.e. a record of all these transactions, is written in the head of the block. This rectangle in the middle is the head of the block. There is a little more information there, but we have, first of all, the hash of the previous block, so we have the protection of previous information at this point. The root of
the hash tree of all these blocks that are ... But I'll have to twist here. We'll handle it. This is the only slide to describe. Thank you very much. So, once again, the hashtag of the previous black, the root of the tree, the hashtag of current transactions, the current difficulty of Proof of Work, i.e. what conditions we must meet, Then there is the time stamp, which is the time mark of the block being produced, and the so-called nonce, which is the number that we can modify in search of this hash. What is proof of work? After building this block header, we do SH256 on it twice and see what we get at the output. At
the output, we get some pseudo-loss value, because we have a hashing function, so we don't know what the result will be, we have to calculate it. and check if the number we got as a result of the hashing function is less than the current target, which is written in the block header. If our hash is too large, we have to modify the block header. How can we modify the block header? By changing the nonce link. In the days of the "little stone", that is, at the very beginning, when it was not yet dug on the Nasiq, not on the GPU, but on the CPU itself, it was actually enough, because the processing of all the possibilities on the
counter, on these 8 bytes, if I remember correctly, it took more than a second for a given server, so we changed the timestamp per second, So we had the counter from zero again and we were looking for our result hash from the block header to be less than the current goal. The goal is defined by the algorithm, which means that the block chain can be added, the next blocks can be added at a certain time. Since the hash function is a random function, this time is of course It is not always correct. In Bitcoin, it is averagely 10 minutes each, the regulation is every two weeks. If more time has passed from regulation to regulation
than two weeks, the difficulty is reduced, i.e. the target is raised, i.e. we can get a greater chance of hitting the right hash if new miners, new equipment connect. then the time between regulations is less than two weeks, the difficulty is increased, i.e. the target is reduced, i.e. our result hash must be a smaller number. And only in such a situation, when our result hash on the block header is a smaller number than the current target, then we can declare such a block, this is a correct block. What does verification look like? After receiving such a block, we only have to perform the hash function once, i.e. the block head twice, and then we know
whether the proof of work has been performed correctly or not. Because we have all the information in the head of the block. Of course, we check all transactions and so on earlier, If such a block meets all conditions, i.e. all transactions are correct, all hashes are correct and the proof of work is correct, then we will consider such a block as correct. If such a block is incorrect, then we will of course ban the node that sent us an incorrect block in our system, because we do not want to participate in some network attack attempt. That's all. These hashes are not sent anywhere, they are not stored anywhere, they are not verified anywhere other than
in the mine itself. Only another block is coming back to the whole network, so there is no possibility that by digging crypto we are helping any magic agencies or other strange things. This is of course a fairy tale. Having such a digger, we have a choice: either we dig solo on our own or in the pool. A long time ago, digging solo was the only option. Pools appeared when it turned out that our home computer did not have enough power to dig at least one block in a certain time, for example, within a week or a month. The difference is that when we are digging with a solo we need to have a specific fragment of the power of the calculation to have any chance of hitting
the block. and our mine has a fraction of power and statistically we would dig a block once a year, then we can never dig it out, because during the year, the next miners will join, the power of the calculation will increase and our chances will be higher all the time. of joining a group of miners. Of course, there is a software responsible for this, which allows you to save information about less difficulties, it is transmitted to the server, to the pool, and then the reward division, when finally these miners dig out a block, depending on what power they actually put in. The difference is that in the case of solo digging, when we dig ourselves,
the whole reward per block is given to us, In the case of the pool, it is divided into all users who have been digging at a given time. In addition, it also happened that pool operators simply disappeared with the money. This was the biggest threat. If someone did not pay money from the pool and the pool simply disappeared, it was a problem. It rarely happens, but it is also a matter of time. In addition, the pool operator decides how the reward is divided. However, if we are only using a small power, we can never hit blocks. When we are using a pool, we will always get some breaks proportional to our pool power, to the power of the entire network. So if we have a small power, we generally
use a pool, unless we want to play lottery. No problem, then it is a small chance, We agree to it, but if we want to treat it as a profit, then we have to decide on some pool. Of course, we should not join the largest pools in order not to centralize the mining, which is also one of the problems, that the largest three pools have over 60% of power, so theoretically, if they would agree, they could try to censor the network. Of course, it would be noticed by the rest of the network, You always have to worry about some problems that may happen. What are the other elements of consensus, other schemes of consensus than
Proof of Work? The most popular is actually Proof of Stake in various variants. In the world of crypto, we have a situation that instead of investing in the power of calculation, we invest in some coins. We have a system like Ethereum at the moment, where 32 ETH is required to be able to participate actively, to be a block producer, to generate new blocks. The alternative is delegated proof of stake in various cryptocurrencies, i.e. the situation is that we, as owners of some coins, we select someone, of course, by address, who we consider to be a good operator and he will earn instead of us. I mean, there is also a division, possibly this reward, also depending on of the system that is invented.
Masternode is also a solution similar to Proof of Stake, which requires launching your node, requires blocking certain coins, a certain amount, also depending on the blockchain. We can't move these coins, they must be frozen all the time and then we can be a block producer and earn on transaction fees and on the reward for the block. Proof of Authority is most often used in all systems private ones, where we don't perform proof of work, where we don't have coins, because we don't need them, it should be a database that works. But proof of authority says that a given address that is signed with some public key can produce new blocks and each newly produced block has an additional signature, which is used to generate new blocks. Delegated
Proof of Work, sorry, Delayed Proof of Work. This is the protection of one blockchain from another blockchain. This is used, for example, in the Komodo blockchain, which stores such an operation, so we have some type of Proof of Work blockchain, we have another blockchain in which other blockchains are notarized, in this way, any change, attempt to rewrite the blockchain, with a small amount of Proof-of-Work, is secured by blockchain with a much larger amount of Proof-of-Work. This also works in some way. BFT, or Byzantine Fault Tolerance, is the second version of Proof-of-Authority, also approved for the production of blocks, for routing. It is often used in systems that have high transactionality. where there is usually one
node that decides in what order transactions are added to the block chain and who is going to add them later. Here, again, the limitation is that at least two or three nodes must be there, of which one could be taken over by some bad actor to make this system work further. So we practically don't have decentralization here. It is always a very strongly centralized system. There is information about private keys, so we have a way in the world of crypto in which private keys are registered, described by several standards. It is very often, if you meet somewhere on YouTube or not only in the materials, I am not talking about seed, you should talk about mnemonic correctly. SEED is a binary
information of 512 bits from which all private keys derived are used by the user. Mnemonic is a way to save SEED in a formal form for a person, so most often English words are used here. It is the 2048 words dictionary, from which we take 12 to 24 words according to the standard. Of course, it can be any, but the standard says about 12, 15, 18, 21 or 24 words. from which the SID is calculated and only from this binary SID are all private keys derived according to the next standard, from the private key the public key is calculated and from the public key the address is generated. So there is a bit of calculation
on the software side, but for the user the most important thing is that the registration of these 12 or 24 words means that he has a copy of the security of all his private keys, he does not have to have anything else saved except for the mnemonic. In addition, to make it more fun, we can secure such a mnemonic with an additional word, phrase or anything. It is usually empty, but we can write anything there, except the verb, which causes a completely different set of keys to be generated again. So we can have a copy of one mnemonic plus any number of id's, which gives us any number of addresses. the amount of portfolios we
can have at any address. So, securing yourself in such a way that we want to have several portfolios divided, having one copy of the security, is also not a problem. It is a very nice solution, because somewhere around 2012-2013, when it was introduced, The security copy was a copy of the file, a physical copy of the wallet file. If we didn't keep it in check, people would lose their money because the copy was broken. Or they didn't do it properly often, because in Bitcoin, a new address is generated at each transaction. It was not done deterministically, only then, randomly. At the moment, every other address is generated deterministically, so there is no problem to open
it later. It is about how words are used, how it is generated. There are so-called VIPs, i.e. Bitcoin Improvement Proposal 39, which describes exactly how and with what algorithm we have to treat these words to get a binary seed. And the whole, actually all private key addresses are broken down. Actually, there are three such standards, namely BIP-39, which describes what words we have in the mnemonic, how the control sum is calculated there. BIP-32, which is earlier, says how deterministically to generate further words from such a binary seed. private key, BIP44, which describes which path of derivation we should use to maintain software compatibility between wallets. Thanks to this, having a wallet generated in some software, having
a security copy, having a copy of these 12 or 24 words, we can open this copy on another wallet and we should get the same addresses and we can easily change. Of course, it is not entirely true, because sometimes portfolios introduce their own standards, which are not entirely consistent. There are solutions that appeared before, for example, BIP44 appeared or before There are other numbers that say how it should behave for other coins, so sometimes there are some disagreements, but we always have it described in the documentation of a particular wallet. We are always able to escape to another solution, to keep all the funds. There is practically no such possibility at the moment that we,
having made a copy of the majority in the form of a mnemonic, could lose access to our funds. What are the addresses of the crypto network? In the case of Bitcoin, we have several address standards. We distinguish them at first glance with the help of the very beginning. The most commonly used are still the addresses with the three in the front, i.e. Paytos, CryptoHash. Addresses from BC1 should actually be used first of all, because they are cheaper and in fact safer at some level. Pay2Width is public kh. Long time ago, addresses with 1's were almost out of use. Pay2Public kh and Pay2Public k addresses, which were used at the very beginning of bitcoin, went to the lambo very quickly, because at every transaction
we were revealing our private key. If the address is a hash of the public key, a fragment of the hash, or if somewhere between the public key and the address we have a hash function, it is not possible to get the public key from the address itself. And if we don't have a public key, of course, we can't get to the private key in any way. There is a security threat from the end computers, which theoretically have the ability to recreate the private key on the basis of the public key and a signature test. the Shor algorithm and all its surroundings. However, it is still a song of the future, but if we use a
new address every time, Our funds are safe because we have an irreversible hash function and there is no way to open the public key with the address itself. Only when issuing funds, one of the components of the signature is the disclosure of the public key. In this situation, such an address is already endangered. Therefore, in the world of crypto, in the case of bitcoin and the like, we do not use a new address every time. We don't use the same address key more than once. In the Ethereum and other places, we use one address in a circle most often. These systems are much more exposed in the long run than, for example, Bitcoin for attacks from
quantum computers. So we're back to the basics. I have to speed up. First of all, we have 15 minutes. Yes, but I will have my money short. Okay. What are the threats in the world of crypto? First of all, if it's not your keys, it's not your bitcoins. So all the wallets, all the systems that store your crypto are generally a threat to you because they can disappear with your funds. You don't have access to private keys, you don't have direct access to funds. Someone can just take it away from you. The most common problem is the white interface, i.e. a person sitting in front of a computer who will do something that he should not do. I will say a few words about
how these private keys should be generated and phishing, which always appears to us. Things that happened, which are actually historical, curious, but in fact had a very big impact on the loss of funds most often. In times when there was no mnemonic, Someone once thought about how to keep a private key. So maybe we can generate a private key from something deterministically. And why not make it from any text? And so Brian Wallet was created, he took any text that was written to him, hashed it through SH-256 and the result function, this result number was our private key, which was a public address key, and in this way you didn't have to write anything, just remember from what I had this address generated, from
some word. And of course it was hacked very quickly, to put it briefly. because people used very short phrases, fragments of some texts, poems, Bibles and similar things so this vulnerability was used very quickly, it was created, it is even on GitHub all the time, the so-called "Brainfire" where you could just enter what dictionary we want to check, the address we want to try to break This way, the person who invented it cleaned a lot of such wallets and then gave them back. But it was a very cool way, which of course is completely pointless at the moment, because we have mnemons that handle it safely. But it was a solution, an attempt to save a private key using a word that unfortunately ended badly.
Online wallets were hacked, the website www.bitadres.org was changed, it was used to generate paper wallets, so you could click there with a mouse, or a private key was placed in the browser, which could be printed and hidden somewhere. This is practically no longer done, but... Sorry. The attack was caused by the fact that a fragment of the library was changed, which was used to to generate addresses and instead of full 2:256 it was narrowed down to 2:32 so the one who changed it knew exactly what addresses could be generated and he just observed them and took the money as soon as something appeared. So it was very nice to be carried out and if someone from GitHub was collecting such things, there would be
no problem because it was not changed on GitHub, but someone just went to the www page to the server, and literally replaced one library. A similar problem was once in Blockchain.info, at the moment Blockchain.com, also Blockchain.info was very often used as a portfolio online. They supposedly did not have access to the media, all information was not on the client's side, but it turned out that the way in which the portfolio was generated was also not It didn't have the full 250-360 bits that it could have and at some point the users, creating new addresses, got the addresses that were already used or on which there were the means. So someone would put another wallet and clean the people's wallets. Again, not
your keys, not your bitcoins. We didn't do it on our side, but on the server's side, which had a mistake in the random number generator. And such on hardware wallets, or rather on users of hardware wallets, you can very often meet with phishing websites, with advertisers who lead us to buy a wallet or connect a wallet and there is a letter in the address, most often leads us to a page that looks like an original and very often these solutions inform users that their wallet is in danger because the equipment is damaged or an update is required and please enter your mnemonic and people very often on such an internet page that looks like a normal Trezor or Ledger website introduced a mnemonic
that of course went to the attacker who cleaned this wallet very effectively and quickly We do not enter mnemonics anywhere, except for the device itself, if we use a hardware wallet. Unfortunately, people can still get it. The Electrum wallet is one of my favorite Bitcoin wallets. It also had its time, very effective, as it turned out. The Electrum wallet is a so-called light wallet, so it does not require its full node, but all the keys are stored in our device, on the computer or on the phone. But they require operating servers that are also maintained by the community, just like the entire Bitcoin ecosystem. One of the features of these servers was the fact that there was information about the new version,
but the possibility was that such a server could serve us a hot link directly to download a new update, which of course was used by attackers, and so it was very widely covered. DDoS was made for all practically known public servers of Electrum. At the same time, those were set up that they were giving that there is a new version of their hacked one, which behaved and looked like a normal e-wallet, but when we opened the wallet, the wallet was automatically sent to the thief and also very quickly to the wallet. The functionality of this hot link was immediately caught as soon as it was noticed that something was going wrong. But anyway, a lot
of people and then lost the money. Now we have such a hardware wallet, we want to generate keys, we want to generate our new mnemonic, our new wallet. When can we decide that such a wallet is actually safe? First of all, we have to use the right amount of time to generate such a mnemonic and no one can look through our shoulder or record us when we do it, so that we simply cannot open the conditions from which this generation was used. And there should also be no copy of this information on the computer on which we do all this. Equipment wallets generally do it on their own, so to speak, but we can also not trust equipment wallets and then we have to play for
ourselves, for example, a Linux live distribution connected to a pendrive, then, of course, nothing is saved on the disk, only in memory, nothing is left in the password. We must then also, of course, write an analog copy of such a mnemonic. We don't take pictures that fly somewhere to the cloud of Google, Amazon or Apple, but it must be a copy in the real world, to put it simply. And now what are the number generators? Of course, the worst number generator is a human, so all systems that are based on typing random characters or waving a mouse, you can immediately mark them. There was research on randomness, for example, pressing the hitmap key showed that it was not random at all. random sequence of signs, several dozen of
them, could be predicted with a fairly large probability or very much narrow down which keyboards were used in which order and actually randomize such things. Another element is pseudo-random generators, i.e. what the browser can generate in the JavaScript or in the operating system that does not have a physical module. These are mathematical operations that can be created. There was a video in Firefox showing that having several more calculations from the JavaScript generator, you could recreate the state of the generator and generate everything that was before and after. This is obviously bad. Another element that is actually being made real are the generators of real randomness, T-RNG. These are in TPM modules, i.e. generating some kind of noise,
operating most often on the noise enhancement on resistors. This is often the case, because these are operations that are practically unreliable, they depend on electricity, voltage, temperature and actually generating the same series of signals again. and the best version is physical events, dice, coins, card tossing, etc. which are always the best coincidence, which is in fact used by Kautler. The lava wall, lamps used to generate the first keys, from which the next keys are generated. There was a system a long time ago online casino which he used physically how is it called? Dicetower? Mechanically made, that is, a machine that threw dice all the time. The camera recorded the dice and the result of the ranking was used for the generator.
And based on that, you played poker, you had some kind of handing out cards or roulette and so on. It was all used to power the gambling system. to the casino and you could watch the live stream, of course with delay so that you could not use it, you could observe that it was used for the draw. We have solutions that allow us to generate in a safe way. Equipment wallets in the crypto world are most often for safe storage private keys outside the computer system such hardware wallets are usually the simplest of course, but quite effective are the so-called signatures, i.e. devices that store private keys to which a transaction is sent using a USB cable, Bluetooth or any other way,
which this device is to sign and send back. There are many solutions They work in different ways, but the user must confirm on the device that he wants to sign such a transaction. There is also a screen that allows you to compare the information received by the hardware with what is displayed on the computer or phone screen, in order to verify whether we have any error in the software that replaces the information displayed on the screen. So on such hardware wallets we most often use many cryptocurrencies, many wallets, many addresses. Is it a pretty convenient solution? Of course, all the time in the case of wallets, we balance between safety and convenience. Solutions that are the most convenient are some
software wallets or even custodial, i.e. where we do not have private keys, then we do not have to copy the security, because someone is doing it for us. These are very nice and convenient solutions, but they have little to do with security. On the other hand, we have solutions that are just offline and hardware solutions that require, for example, transferring transactions, not even by cable, but on an SD card. But of course, at this point we are saying that it is of course safe, but it stops being convenient. When making a large amount of transactions, it just becomes bad. However, if we operate with some large funds, it is still worth It is worth making
your life a little more comfortable and safe. In the case of Bitcoin, the Cold Card wallet is a very cool solution. This is the third version, and it is already the fourth in total, which has two secure elements. On the printed plate it is even written which chip needs to be destroyed if we want to physically destroy such a device. In the new one there are two arrows because there are two chips. Very nice wallet, the only drawback is that it is only for Bitcoin, it does not serve any shitcoins. It is very safe, all information must be transferred to the SD card, the USB connector is only for powering the device, the rest is
done on the device. Phishing that threatens us on the Internet is always, most often, there are two directions to such phishing. The first is to force us or convince us that we should, for one reason or another, hand over our mnemonic, write it somewhere to anyone. Of course, at this point we lose all the portfolio, all the funds, all the cryptocurrencies that we had on a given mnemonic, because one mnemonic can serve several hundred cryptocurrencies and several portfolios for each of them. So we have everything drawn out. We get ads on Google, on YouTube, on social media, all of it. There are just a lot of them. Portals do little with it. An attempt to
advertise on Facebook ends most often with a three-day notice. We checked this ad. It does not violate social standards. Cool. There was a leak of Ledger emails, for example, all those who bought directly from Ledger's wallet got a new Ledger, which was already made up of equipment, or there were fakes, give back the wallet, because the same things can happen wrong. It is a problem. Data verification should always take place, i.e. we should always check if what we have on the device is the same as what we have on the computer or phone screen. To make it fun, the attackers are already fighting with it, so to speak, and they can, for example, generate addresses
similar to those we use. on the fly, so if we want to send a transaction, it appears immediately, the address is generated, which, for example, has the same beginning and end. If we check more than four characters, it may turn out that it looked similar, but the middle was different, because the whole address, of course, cannot be generated so quickly, because it is 2:56 p.m. from the very beginning, but a similar address that will start or end the same way can be done, so it always needs to be verified. We have a lot of hardware portfolios, color choices, big and small displays, some don't have displays, for example, HW1 is a device that connected without
USB, there was no user verification at that time, you just had to insert it and pull it out, but the whole thing was in the software. There we have Raspberry Pi, which of course as a microcomputer we can also use as a hardware port Open Dime is a pretty cool solution for physically transferring bitcoins without making a transaction There is a solution that generates a private key to one address, because there is only one address It's only on the device, you can't pull it out in any way, in addition to physical damage, it is also shown with a arrow which path to break in order to make another connection to reveal to us that I am an Open Dime,
but I am already open, this is my private key. And this is how he only gives us the address and we can check how many funds are sitting on this address. Of course, in the case of damage, we lost everything because there is no backup, so it's a bit awkward, but can also work as a curiosity. Programming wallets for a change. If we have a large-sized hardware wallet, then for convenience we use it for smaller funds, some frequent transactions of a programming wallet. Wallet.sunity website, which shows us which wallets are less or more trustworthy. Of course, the ones we have in the Play store, i.e. on the website Android can be verified as a whole, so we can confirm that the code that is
shown generates the same application for us. In the case of Apple, this is not possible, so this category of the safest, i.e. the most secure portfolios does not exist. There are also hardware portfolios. I recommend it if you want to check what you use, if it's worth trusting or not. A page to look at. How can we save a copy of a mnemonic? As I said, in real life, on a piece of paper most often, but there are also more sustainable solutions. If we want to hide such a mnemonic somewhere in a bunker, under a bunker, wall, in a wall, bury it in a garden, CryptoSteel, CryptoCapsule, where we just write four letters from each
word, because this mnemonic dictionary I mentioned earlier is so well constructed that the first four letters are always different. We can also generate more mnemonics using mnemonics, for example, using a quadcard, which allows us to generate, there is also a standard, of course, that describes to generate the desired amount of mnemonics, so if we want to have a copy of a safe mnemonic well generated sitting on the hardware portfolio and to the software portfolio we introduce a new mnemonic that we have generated from the previous one, it is also to do. Of course, no hardware portfolio will protect us from physical access, when the gentlemen with a drill fall, unfortunately People value their health and life more than money, so
everything is fine so far. It's best not to admit that you have any money at all. The problem is real, because, for example, a friend running an investment blog had real problems because he was publicly and he gave his address to the public, so it was known how much money he had and when it turned out that he had a bank account, problems started at that moment. Holding on exchanges, who will guess what all these exchanges have in common, which we have on both sides? Exactly, we divide the exchanges into those that have already been hacked and those that will be hacked, so generally if we use any exchange, Let's do it safely, we pay, we exchange, we pay, we don't keep funds on the stock
exchange, unless we are traders and we succeed, then we have to take into account that the funds we have on the stock exchange can simply make a puff from day to day, literally from hour to hour. And maybe we will get them back, as in the case of GOX, maybe this year, after 12 years since the fall of the stock exchange, maybe people will finally get their funds back. And what can we get from blockchain? The most common question is business. We don't want a blockchain. Blockchain, as I said at the very beginning, is a quite bastardized database to which we can throw information, but we can't delete it or change it. So we don't
need a blockchain. But when? We need a database that is somehow secure, that duplicates itself. Of course, a regular database can do it too, so we have to add a few other elements. When we don't need a blockchain, when we only register to a database or don't need a database at all, our system doesn't require it, when the registrars have a common interest or we can use a trust-based system on the other side, which can already have a blockchain, but we are simply not interested in it. In such situations, we don't have to touch the blockchain at all. However, if we decide that we want to, we must answer a few key questions to choose
a specific type of blockchain. Do we need a public blockchain, i.e. one that people have access to and can save information, or a private blockchain, which we have very much limited, or a hybrid solution, which part of the information is stored in a public blockchain, and most of it is in a private solution. This is useful when we want to use long transaction speed on our servers, but at the same time also give that someone is protecting the system So the first question is whether there is access control, i.e. whether anyone can record and open information there. If we don't need it, the second question is whether transactions can be public. Of course, we don't enter
any information into the blockchain, such as address data, because we can't remove them later. Blockchain is not compatible with RODO, it has no right to fill, we cannot delete such information. So only if our transactions are less or more pseudonymous, they do not have such critical information, we can then introduce a public blockchain, such as Bitcoin, Ethereum or anything else. If we need access control, the second question is whether we need consensus control. So what do we have to decide who can create more blocks? Then there is a private solution. For example, Corda or all Proof of Authority solutions. And a hybrid solution when we want transactionality, but we want to have something in combination with the public blockchain. For example, Parity,
i.e. a de facto Ethereum client that we can run in a private mode. A few words about passport contracts. Smart contracts are what Ethereum has created. These are generally computer programs operating on a blockchain, run by network nodes. They are of course run in the virtual machine Ethereum VM. There are of course more blockchains that use VMs. Some admit to it, some don't. But of course, the transaction fee for making a given transaction is required. in the form of a token of a given block chain. We can save arbitrary information to the blockchain chain. Most blockchains are transactional, because they are the origin of Bitcoin, which was generally created to be transmitted between users of Bitcoin. However, we
can save some arbitrary data to the blockchain chain in the transaction. In Bitcoin, there is the so-called Opre Turn, which was created for this purpose. In Ethereum and its surroundings, we can also pass some information to each transaction, which are passed to the smart contract, but are part of the transaction. so this information is also saved to the block chain forever. There are various strange things to find there. And the smart contract we call may call other smart contracts to read the information. Of course, if such a smart contract has such information outside. What can we read from the contract? Of course, it depends on how we write it. But the smart contract itself can read information about blockchain, such as block number, hash block and current timestamp, i.e.
the smart contract can know some date and hour. It can also read information about the transaction, i.e. who sent it, who signed it, how many coins are sent in a given transaction, how much gas is not used, i.e. the limit of operations that can be used in a given transaction. So what can smart contracts do? They can send a token or a coin, they can read the information from their storage, they can also make functions in other contracts that can also record or read data, and of course, users can make some feedback information. What smart contracts cannot do, and what people often forget about, is that smart contracts are not independent beings. There must always
be some kind of trigger from the outside, someone has to call transactions, which will actually trigger some function. The contract itself does not trigger. We are not able to make a system that is very often used to check the current price of a dollar in Google once a day and, depending on this, buy or sell shares. There is no such thing. The smart contract itself will not do it. We must have a system that may trigger a smart contract when such conditions arise. Blockchain systems are quite hermetic, such as smart contracts or any other blockchain is not able to see beyond itself, i.e. it can read the information that is in the given blockchain, but
it cannot look at other blockchains, so if we have a system called cross-chain or similar things, there is always someone in the middle, someone transmitting information between blockchains, and this someone can always be hacked, for example. And data saving. Besides the fact that it's impossible to use it on your own, you can call a smart contact to write it down. You can't look at the internet, you have to get information with the transaction. Thank you. The QR code leads to my linktree, where you can find links to my YouTube playlist, to this presentation and to a few other things on the social media. Thank you very much.
The title should be here now, right? Disinformation as a natural environment of the human Marcin Szywały. But unfortunately Marcin informed us that he will not be able to participate in the presentation today, so I just jumped into his slot, because why not? But for that, listen, we finish an hour earlier. Okay, before I start, I would like to thank a few people. Yesterday a lot was said about old age. Imagine that maybe not so much today, but yesterday So on July 13, Polish Shrek ended at 23 years old. And that was just when we were going to the cinema as young people and watching Shrek. A massacre, right? Thanks to you for 10 joint editions. I can't
say it's 10 years old because the first edition took place when the world was about to end. in 2012. And then we all wondered if it would even come to October. But it did. And here I can greet the non-existent today, nor on any edition of Mr. Żelazny, who put me out during the first because he arranged a lot of people, almost everything, and at the end he wrote me: "Listen, in general, we don't finally do it for beer, here are people and so on." And I just pulled it and stayed. So it's nice that you stayed too and dared to come here. And so early. Hundreds of prelegents, thousands of participants, millions of memories. Thank you all for being here. Special
thanks go to the computer man, who is probably sitting in the second room right now, Foxtrot Charlie, I don't see him either, but I thank him very much, Nikow, that's the man, SHM, who unfortunately had to go, Paranoik, who is also sitting in that room, Languścia, Rew, Nem, Niegryzie, so Marcia, Kuwa, Jeremy and a few volunteers unknown by name and surname who came to us both from the University of Warsaw and from the Higher School of Business National University of Unis. Special thanks go to our partners, first of all, Logical Trust and the boss, Borys Błącki. Listen, he just supports us as much as he can and even if he can't come today, I believe that we are here, we are being watched. Hello, Boris. And also Hexarkana,
Genovi and Psyacołom. He is a man who does a good job and I suspect that if it wasn't for him, many of us wouldn't be here and many of us wouldn't be interested in security at all. And also here is the patronage of Isak. Mr. Robert Bigos is currently on the second session, which is unfortunately not recorded, so if anyone else wants to go there, I have no problem, you can go there and watch it. Thank you also to the media representatives. I don't think I have to introduce any of these logs to you, because they are all known, unless I introduce one closer. And okay. First of all, thanks are due to the prelegents. Earlier it was 43 people, now it's 41 people,
because two people have been thrown out, but that's nothing. Listen, it was the first time we had to reject a dozen people. This is a record. I hope that next year we will be able to do so many tracks that we will not have to reject anyone, but I suspect that the program council will reject someone anyway, because if we have it, and thank you for the people who voted. Maybe those who didn't vote, don't thank you. But it was as it was. When the need arises, you make the transition yourself. So if anyone at this point would like to go to the unregistered presentation of Robert Bigos, the topic of how to overcome total
failure into moderate success, then Aula B, I invite you. Because it is not recorded. Gaus, as you were not there when I thanked people from the Programming Council and the Organizing Committee, thank you very much for having managed to do so many things, so many things. Listen, he is a man thanks to whom we are here. So, a big applause for him. Okay, I'll move on to my topic. Unfortunately, I will call you. Social costs of just starting a script. Okay, a little about me, because maybe someone doesn't know. I work in BCF Software as a regular programmer, I have been programming in the dotnet for the third century, I don't know PHP, I am currently studying psychology and crisis psychology and crisis intervention at WSBNL, because
I have already finished cyber psychology and I am waiting for the last entry, so the question is whether I should enter that I am still studying it or not. I had doubts, so I didn't enter it in the end. I also work at the Polish Institute of Cyberpsychology, Cyberpsychopathology and Cyberpsychotraumatology. If anyone has something between cyber and psychology, come to us, we can help you in some way. I am also a practitioner in Psychologzy24. I breed ants and breed them more often. I invite you to the IRCPIRT.pl channel, to the "Listek Klonu" channel, also to the IRC QuakeNet.org, unless someone prefers Discord, I can invite you. There was a bit of talk about this photo, where there are people who
have the basics of computers, networks, Linux and immediately try to go to hacking. I'm standing here and I'm a little afraid to go on the last staircase, I'm as green as this presentation, I don't know what I'll say, so I'll talk more about the butterfly effect. And here is a meme from demotivators. Yes, I still go to demotivators. Does anyone else remember this portal? There are some individuals. I understand that you send him demotivators from some interesting one, then he clicks and looks. So, you know, if someone asks me one day what is the Motylab effect, because I will talk a little about it, I'll tell him that if in January some Chinese guy with a genitalia, then in March you
have to open a window with an elbow in Poland. Fortunately, the pandemic is behind us, it is the first post-pandemic edition. Okay, next thing. The presentation presents a totally fictional universe. All similarities with real facts, places or people are accidental. Well, meet our main character of this presentation. Here he is, Wacław Black. Almost like Sirius Black. But he didn't get to Azkaban, by the way. The genesis of the name: Black, because, of course, black hat. I didn't want to use black, because you know, it can be taken differently, especially if his name is W. And Wacław, well, you know, if someone is an ordinary Wacky, then he can do bad things to people. Wacław is an anonymous script
killer. He likes to start scripts without their understanding. He has a big botnet for DDoSing. As I said, we are not looking for people who could fit in at this point. His dad hacked Pentagon, NASA and our class. And his grandpa made defaces and called for free from the booths, whistling to the headphones. Do you remember such skills? Is anyone so old that he still whistled to the headphones? Well, you first hit his head and then: "No, not me, I'm ..." It didn't work. It didn't work? From those blue ones, not necessarily, from those yellow ones, apparently yes. We are talking about times when there were no blue ones yet. They were so granite gray. And gray. And then it worked. Do you know
what's good in conferences held after years? That you can calmly tell such things and no one will call for theft, because it has been long time ago. Excuse me, it wasn't punishable. It wasn't? No. Oh, good to know. It was such a joke that it was not even considered an exemption. Well, in fact, it would be harmless anyway. How much did this impulse cost then? A card for 50 zlotys was enough for two hours. 20 groszy, even less. Okay. We're going back to our Wacław and listen, Wacław is not afraid of this prison at all, is he? Why? Well, because DDoS is not a hack. How many people have heard that DDoS is not a hack? Well, I think everyone has
heard about it on the internet forums. in the early 2000s, when bad hackers gathered and said to themselves: "Listen, if someone changes something, D-face, then you can consider it a hack." And it's like it's stuck in the browser, it's a bit too often. And another thing, I'm not afraid of prison, because only the cops get in. And besides, he thinks he has a connection with the police. The commander is his father's cousin, or even a neighbor, this kind of thing. And besides, he has everything encrypted. He thinks that even if he has a computer turned off, encrypting on a disk will help him in anything. And another thing, he has a grandmother's backup. He heard that if they caught him, they would do a search,
and as you know, a popular entrance to the house. Well, to my house, not to my grandmother's house, so the backup is safe there. Besides, he is only 15 years old, so he will take care of it. Hormones are causing. There are holidays, we have July, we have to kill the boredom with something. He will be a brave man if someone finds out what he has done to her. He will impress the girl and he will get paid for coal. Who remembers the situation with coal ore? Maybe I won't tell you because it will be public. In general, the boy is glad that he is not older. And the question is whether DDoS is a
cybercrime in your opinion? Absolutely. According to the UN, all illegal activities used in the form of electronic operations against the security of computer systems or subject to processes by these data systems, i.e. at most, after all, we are dealing with some computer security, because availability is one of its pillars. And at this point we cut this availability. Let's skip the rumors of ransomware, because if someone even breaks the hacker's decalogue, let him go to another sandstone. Which ones specifically? We have ransomware. Which hacker's command, in your opinion, is broken by ransomware? Well, certainly not a hacker, he doesn't need to sleep. Yes, exactly. Information wants to be free. When we encrypt information, it stops being free for people who have legal access to it and for
those who are not. Okay. Let's also avoid money and bank data theft. There are places like this in prison. Listen, when someone starts stealing someone, it's game over. It's totally unethical. Don't do it. But no one is robbed in the bank. How not? Bank money is neither yours nor mine. But they are taken from someone's account. The bank takes them. They are nobody's. It's like in the PRL, when it was the last 8 years, what is all is nobody's, you can take it. Well, it seems so, but then the other person cannot pay for these funds. No, the other person can, because there is a bank guarantee fund. - that banks approach money stolen in a completely different way, because banks withdraw
from their pool, from what they earn. So from what they deposit into the bank fund. We don't steal, like hackers, we don't steal you, physically. We steal the bank. In most cases, if you make a scam on Blik, you steal a specific person. The bank washes their hands. Just like when someone calls you and says: "Pour it on the technical account", unfortunately you poured it on the technical account. It was your move. So if you poured it yourself, you poured it yourself. It's still something else, right? And the bank won't return it either. Well, then no, because it will fail itself. The only possibility when it will be returned will be when the bank's infrastructure will actually be hacked. You have to
read a few letters. And with this, maybe you could say 268 of the criminal code, paragraph, which is up to 3 years to be processed information. The question is whether the information is processed or only available. Because this information is not processed here, it is processed in this place, it is not processed on the connection. Okay, availability. Thank you very much for the correction. I recommend it. The first two things are that the criminal code is more binding than the recommendation of the IZ. - If you went this way, you have to remember that this is making my business work harder, which is also punishable. Of course. So here are different regulations, depending on what happens. But the penalty is also punishable. Can someone explain to me why access
to data is not part of the element of processing this data? - Access? - Yes. I'll tell you. Access is when the service is running. You can get to the disk physically. You have access, but you don't have accessibility. But it's distorted. I can access... - Not access... - Processing is when you do something with the data, and not just read it. So you know. Yes. But what's the difference? If I want to log into my application, it's not necessarily to read what's on it, but also to enter new data. But you're not entering them at the moment, so it won't be processed. Because the process is confused. Okay, maybe we'll move this discussion to the backstage. Yes, yes,
yes. The point is that availability is an element of processing. No. How? - I can't explain it. - Okay, but you're doing it with data. - Yes. - You don't have the data yet. - It's not that you're doing something with the data. You have to divide the activities. To insert the card into the segregator, or to erase something from the card, you have to go into the room. And only when you enter this room, you will have access to this segregator to insert the card or change something in it. And what if I close the lock and it doesn't work? What if someone closes the lock halfway through? I don't know if it's that easy. Okay, I
suggest... Gentlemen, I suggest cutting this topic, because we are going live. They can watch it... I know that the minimum age of the conference is 16 years old and everyone is at the age of permission, but children can watch it, even if I noted that the stream is not suitable for children, so... Okay, let's move on to this Vacek, who decided to take over the routers of the Kaling company. and from them go to a well-known company called Heart Big. And yes, he found a zero-day, or rather, he didn't find a zero-day, but his friends told him. Well, you know, since he already has it, he goes to Cebulka, to various strange, interesting places, and it turns out that there is a nice exploit
for this zero-day. Well, I'll take it. He checked it, it works.
I enter Shodan and it turns out that there are several dozen thousand such devices. I take care of them one by one. I start the same script everywhere. And I connect with another place from there, I make a simple CNC here, I put the bot and hit what it will fall into. And what will fall into the infrastructure of the Hard Big movie. Okay, profit. Let's look at each other, because I know it sounded a bit psychological, but it will be a bit more technical. What could such a potential VAT spoil? First of all, the first thing is to use resources from other devices, to generate unnecessary network traffic and its operation on these devices. So
here is what Gauss mentioned, that after all, everything can also fall on the way. Another thing: devices overheat excessively, emit heat and can potentially damage themselves. The devices take more electricity. Here I will refer to what my friend from Bitcoin said, that in fact, maybe they are not that big, but as you know, when everything is collected, there is a lot of it. And the next thing: there may be a decrease in network parameters. So the neighbors of this device, but neighbors in the sense of in the bit and quite close to this switch, They may feel some ping, some drop in bandwidth. And now here's a question for you, next, first of all for the admins. Do you
know the infrastructure to which the devices you control are attached? The whole one, from point A to point B? Always? Ever? Who knows, raise your hand. I don't see. They sleep on the after-party, I understand. Do you know your neighbors, their neighbors and all neighbors on the way to the package? I don't know anyone who knows either. Meet Mr. Czesław. Mr. Czesław invests in a stock exchange, but you know, not such a cryptocurrency, but such a physical stock exchange. And you live in Warsaw, I don't know where the securities exchange is in our country. Generally, you bought an apartment for a million coins to have the lighting almost directly connected to this building. And the problem is
that Switch had a problem, because the neighbor's soot soot, nice. The effect? Mr. Czesław, on delay, on transmission, in quotes, "lost", because he simply did not get them, a few million. How is it supposed to work technically? How is it supposed to work technically? Well, just when the device overheats, it will start to work slower. If we have two users plugged in to Twitch, and one generates 100% of the possibilities of its port, then the other absolutely does not feel it. Even if three next to it start to heat up? That's how it's done. Oh, thanks. As I said, everything is fictional, but anyway... - I can say that in our block it works like this. I just upload, I
call my neighbors, I connect them, and they start to open their websites. I understand. And it's a more infrastructure-based, no one is connecting the world of water in this way to invest on the stock exchange. There are specific parameters, specific contracts, these are two different realities. Okay. So, listen, my unconsciousness came out again. Thank you very much for being at such a cool conference that I learn new things. Mr. Czesław is not aware of the existence of Mr. Wacław, and yet he harmed one or the other. Here we have a different situation. This is actually a piece of lighting and some infrastructure. Here is a question for you: what is this device? Do you know it?
Because ants? In general, there is some device and this is just authentic from my life situation. Usually there were temperatures of 25-40 degrees, but during the attack one of the switches on the route warmed up to over 60. This caused the death of the entire colony of ants. Ants are totally unaware of the existence of people, and only then did the bats cook alive. We had a similar situation, because it wasn't really an attack on DDoS, We were doing some things in the labs, it was hot, it was +30C in the apartment, the switch was overheating a bit too much. And for the ants to be warm, the ant colony was standing on it. And at some point they started to evacuate.
Fortunately, it didn't boil, but it was close. It's good that Mariusz said, "Hey, look, ants are trying to evacuate you, something is probably too warm for them." I looked, "Okay, there was no point." And this is a real nest, not mine. which is made on one of the network devices of the company Netgear. So such situations actually take place in reality. Mice also fry in server rooms. Here I was wondering if I should give an authentic picture of a mouse in a server room, but I decided that it would be too brutal, so I just generated it in AI. - Good, because mice in server rooms are very harmful. Okay, but the question is whether
we want to, when this mouse is boiling, to get to its distribution, to start getting fluids from it that could possibly flood, etc. So in my opinion, the best thing to do is to take it out from there if we actually find such a mouse. I'm not going to let it go, but I'll make it available. Here is a picture where one of the admin ladies tried to see what was really going on, that she had strange random problems with the machine and it turned out that inside she had made a nest. So, authentic, such situations happen. And here the question is: do we want to kill these animals? Let's not kill poor animals. Let's limit network traffic to what is actually necessary. Let's
not do botnets without sense. Yes, I know that mice can destroy equipment, but we can do a nice exhibition with them, right? Meet Mr. Edward. Who is Mr. Edward? Well, a nightstand. Mr. Edward monitors the network and noticed greater burden than usual. His change ends in 10 minutes, and he sits with the network operator, analyzes the logs and manipulates load balancers, because this movement needs to be spread sensibly. As a result, Mr. Edward is late to his daughter's funeral. He will never find out that he was directly killed by some bastard. That's nothing. Let's move on. Meet Paula. Paula suffers from a rare liver cancer. She was under teleoperation by the Da Vinci robot. Unfortunately, during the operation, she lost contact with a doctor from the USA.
She has a blood clot on the spot, but Paula will end up with a stoma. Maybe if something in Paula's case and in her operation did not affect her at this particular moment, her comfort of life would be better. And here is Mrs. Grażyna, she is a service-girl Orange. Also generated. Why? Because I thought it would be easiest to choose orange clothes. Lately, they have their heads torn off because the base stations are under excessive load. Let's note that Wacek attacks all the routers of the company K-Link, which he managed to find. K-Link is very close to K-Line in Irc. By the way, the movement of bots, DDoS attacks or spam only add traffic. "Lately, Mrs. Grażyna has to stay after hours. There is no one to
take her son to the basketball training, which she loves so much." You see, Mrs. Grażyna's son has been overwhelmed by the fact that strange problems occur in her work, which are really caused by some 15-year-old who takes care of some devices somewhere. And listen, there are no free dinners. The more traffic, the higher the costs for all the operators on the way. When this cost is high, it will be more expensive for Clouds, Servers, and finally we will all pay for it. Because they will start raising prices if their costs are higher. Another thing, here we had a very interesting discussion about availability. The problem is that if something does not work, it does not earn. And
if someone does not earn, it will not pay, so someone else will not earn and he will not pay. And you know, it's spinning. Another thing: starting such a script leaves a carbon footprint, because the world's devices operate on electricity, and electricity is in Poland from fossil fuels. Unfortunately, we have not yet decided on this. I read, for example, in an article that the new technologies industry in the field of ICT information processing produces as much CO2 as the aviation industry. So about 830 megatons, not including cryptocurrencies. It is 1.8 to 2.8 percent, it depends on how to count it. - Not taking into account the AI time, or what we want to call it, because now it is terribly needed. - Possible, this data
is up to 2019 and then there was no artificial intelligence, I did not find any newer. - Google has been giving for the last 5 years, since Google was... And it's only Google. Let's add Amazon, Microsoft and the rest. - Ok, next thing is something that needs to be cooled. After all, when we heat up devices, both network and servers, which send all this, we waste water, which is less and less, because many cooling devices use water, not only for this purpose. What method would we not choose? It's always cooling that uses electricity somewhere. So again, this coal, right? Okay, who else will be affected? Workers fixing firmware. Because if we really have a liability, if we can find an
exploit for it somewhere on the darknet, then at some point someone will report it and finally fix it. I hope so. Workers in help desk, when something just doesn't work for everyone. Cloud subscription owners. if there was something related to the cloud somewhere along the way. Employees of the energy sector, network workers, food suppliers, people who are distracted by the vehicle driving after hours of work, people who are affected by heat, and many more people from other countries. And not only the company Heartbeak. So, if someone comes up to us, we always have to think: are we local to him to play on him? Very often not. And if we try, we have to think about all these potential victims, which
we do not really know about, but which only appeared somewhere along the way of our packages. Yes, remember that most, if not all, is innocent. The moment our skills grow, our responsibility for our actions also grows. And we always have to take this into account and think about everyone. Accidental victims really did not do anything wrong. Let us not harm others and protect those who do not defend themselves. Security is above all, but remember on the other hand that sometimes poorly used security can even kill us. And if a hacker commits a crime, i.e. uses security in this way, then not everything is fine with him. And there are even scientific studies on cyberpsychologists that show that committing cybercrimes
by hackers is very often associated with their mental illnesses. and very often it is even their only reason or main reason. Another problem is the disruption of social ties. If you want, you can try to read these whitepapers and learn more from there. If there are people among you who, like Wacek, sometimes try to commit some cybercrime, then maybe consider what problem you have in life. If you have a problem, especially a problem that is already very bad, then I suggest taking advantage of the "Life is Worth a Talk" website, where we have information about free aid places from various foundations, from various problems. Another place I know that this link is still here from coronavirus, but it still works. And
here you have described where you can get psychological and psychiatric help from our government. When you were watching the presentation of a colleague from NASK who spoke about the online interview, you certainly remember 116 SOS. It is a website that collects information on 116 111 for children and 116 123 for adults. Don't be afraid to call there, and in fact, if you don't call, you can always call 726713162. This is my number. Another place where you can get psychological help is the Foundation for Depressive Faces. They mainly deal with depression problems, because if someone thinks about hurting someone, it means that this person is already starting to be afraid. And when it comes to anxiety disorders, they are only a step towards depression. And of
course, I invite you to cyberinstytut.pl. If any of you feel ready to help other people, you can hire helpers in a fictional company. If you see a person who is employed in this company and puts this logo on their avatar, it means that we can talk to this person about our problems and we will not be judged by this person. As the scouts say: "Try to leave this world a little better than you found it." This is a quote from Baden Paul, who is their master. To sum up, not only the victim is being robbed, but also many people on the way. If we protect the environment, if we sort waste, it is also worth
considering which of our network movements can be cut and how to do something more optimally, so as not to generate excessive network movement. Remember that network movement and computing power are valuable resources. To put it bluntly, let's not waste water and electricity. And remember that as the possibilities increase, responsibility should increase. Do you have any questions? I don't hear any. - I have one. - Yes? - It's a bit like addressing problems from the past. There are no real problems on a massive scale, because some script kid is bored and starts a script. This is not how it works. The problem is people who have been scammed on Blic and lost a lot of money and are ashamed to sell to their family.
The problem is people who have been scammed on cryptocurrencies because they wanted to earn money quickly on a certain investment of 40% overnight. - So in a word, it will be cut out, right? No, it will be cut out. I haven't seen a scenario in years when someone playing DDoS generated a problem on the part of a large infrastructure. The fact that it is not possible to watch the Polish presentation in TVPT matches is just a realization of the mission. - - - . . I would go further in your thinking towards the fact that a lot has happened since the moment when social media appeared for the first time at the brand and today we have 12 years later or I don't know, 14. It will be 20
soon. Yes, and see how they changed in the meantime. At the beginning, there was a selected group, they themselves, and now everyone and there is no control over what is happening there. So here I would go in one direction. My second point of interest here is that this 15-year-old does not pay attention to the fact that he wants to hurt someone. He does not look at it. He does not think about it at all that he will hurt someone, that it will be a crime. For him it is fun. um CyberScout teaches at least. - But that's also the responsibility you're talking about. If adults don't know how dangerous it is there and which direction this danger or danger is heading, they can't
set a limit. You're talking about the outcome and the result. Okay, okay, but we're in one point, but we're looking at it from two different sides. Yes, six and nine. I agree with Gałtus that Internet Mr. Wacka. Because of such a desire from children, because they thought it was cool, it proves, for example, an attack on, I can't say the name, but there are a lot of attacks on smaller companies, which, because they are inaccessible, have losses and these companies, despite the fact that, for example, they will call the company that is their provider, I am very careful not to say what company it is, they do not receive any help at the moment. - I can also say about myself. -
Exactly, it's the cost. - Yes, it's the cost and it's a small-letter registration. - No, listen, when you buy a car, it's not like that, when you buy a business car, you don't get a discount. Exactly, it's an extra cost. Life is an extra cost. When I buy a Volvo delivery man, it's not like I have automatic protection against traffic jams, no one will scratch the car. There's a lot of things you can buy. Business is investing money to take out. We believe we will take out more than we put in. On the other hand, a lot of e-commerce has turned into big suppliers, like Shopify. and so on, and it solves the problem because they want to do business and not deal with building IT. If someone is
still doing business in 2024, like in the mid-90s, that is, he bought a 100 megabit DSL for himself to the office and put it on this post office, www and online shops and says he has a problem because people are adding it, The question of whether the invisible hand of the market did not work and did not solve the problem. It's not like everyone is responsible for everything. You have a business, you risk it, and that's exactly what TVP did. TVP knew what it could do in a situation when it happens, even not so long ago, such a DDoS or simply increased traffic. If you mix it with DDoS, it gets modulated, it falls out.
They didn't take such actions, it's a conscious business decision. Well, just because of such a conscious business decision, during my last visit to the hospital, I had to lie down for two days, right? I understand, but still... For technical reasons, because they couldn't write me out, because they didn't have a way. Because the infrastructure in the hospital just fell. Instead of being happy that you could lie down, you complain about the infrastructure. It's like in TVP, you buy a ticket for a three-hour trip, you have six hours of travel, it's a promotion of the Radio Pajaw, you don't complain. Seriously, again, but the question is what you did with it. I tried, but unfortunately they told me that they would not let me in. I'm not
saying to fix it, but if someone in the hospital allows someone to work in the infrastructure, then it is so. We are talking about the fact that there are specific agendas, these hospitals have some kind of supervision at the ministerial level, etc. It is necessary to scale. Are you talking about whether I reported it? No, I just considered it a total failure, that as a programmer, due to the infrastructure failure, I was lying for two days. I used to lie on the track and I had a lot of stress, I was lying there waiting, because the life threatening time is 18 hours. And the electronic system of triage informed me that now it's only 17:30.
But it happens. I think the problem is that a lot of companies are not even considering the safety issue until the first fuck-up. And when the fuck-up happens, people start looking for others. But who is guilty? If you find guilty, you cut off guilty and you get a second one. You can see that in Ransomorze. I worked with the same company 3-4 times this year, which was attacked by another attacks. I told them: "You can't do it once well, it's great, but 4 visits are easier than generating constant costs." We get the point. It's a good business logic, Thank you very much. Who's next? Maybe the battery will run out here, will the second one come? If there
were more batteries, I would need some kind of a charger. if you want to, just plug it on this one unfortunately, but it may not be possible it's a presentation case so you plug it into the plugger
Do you know how to use a microphone? I can have a microphone. But how? This is for streaming. What is it? You take it like this. You have to stick it under your shirt. And is there a specific page? Yes. It's good that this page is up. So here. Yes. Thank you very much. And the stickers? There were stickers already? Yes. Well, you have to make stickers. If there is something that you don't understand, Okay. No, no, let's wait a moment. I'll start with how you can hear me. If I say yes now, can you hear me from the back? Is everything okay? Okay, and how's the stream? Can you hear me there too? Okay, let's turn it on
now. Now the question is who likes Java and who doesn't like Java. First, raise your hand who likes Java. And who doesn't like Java? Oh, I don't know why you came here to listen to how things are done in Java. Okay. I don't remember if it was in this... I don't remember, it was announced a long time ago. Okay, now here, "Playing from the start". Okay, great. Today I will tell you my story about how I tested the client's software. It was a software from Asia. I've recorded myself on my own idea, which is why I spent over a week debugging the problem. At the end, on the last slide, I will show you that
I can do it faster. I would like you to learn from my mistakes, not from yours. How to deal with a problem when you test an application and you want it to be cool. And now, who am I? My name is Daniel Kalinowski. I work as an independent research specialist. I have 8 years of experience in the field. I have performed a few times at conferences. And I am an amateur in looking for bugs in bug bounty programs. How many of you are familiar with the topic of bug bounty? Maybe someone is actively working? Do we have any program managers? Here in the room? No? Okay. If he were a manager, he would just like to talk after the presentation. Okay, so
now some basics of Java, because to know what's going on here, we need to know what the classes, methods and, for example, some classes, methods in Java are. different levels of visibility, such as public or private. We will also talk about reflection, which is a language mechanism that allows us to refer to a specific class using a row of characters and create a given object of this class. I will start the demo in a moment. We will calmly go step by step. All these things that are here on this slide. And now we will look for gadgets. Gadgets are such fragments of code that allow you to perform some, I would say, malicious actions not intended by the author. So
if we find a fragment of code that allows us to create a file somewhere, by creating some function, we can call such a fragment of code in the application a gadget. Gadgets are usually found in some external libraries, in the sense that we use libraries in the application, for example, some Apache Commons Collections, and there we can create a fragment of code in such a strange way that it will simply and some unauthorized action, for example, creating files or entering a code. And now I would like to minimize and start this. Only a question, can I move it? Okay, but now I won't see anything. Let's do it this way. I'll stop the presentation and I hope that then you will see my
screen. Is that right? Great. Okay, because it will be easier for me to explain what we are doing here. Here we have a basic class written in Java, a basic program. Here in this line we are just starting our adventure with Java Reflection. And here we are simply looking for this particular class in the program. This is a car, a car class, and it describes some basic parameters of a car. Of course, we needed some easy example. Well, here we have a car class and a model, year of production. Well, you know, basic parameters that it has four wheels and one steering wheel. And, of course, there is some run, right? And here we have an identifier, I forgot
what it's called professionally, which is the visibility class of this object. If the class is public, it is available in other classes. For example, here is the main class and we can find it easily. We also have fields such as model and production year. And here, for the non-secretaries, we have the keyword private. And it determines the behavior of the application, that is, in the Java language, that we can only get to these fields from a given class. from this class. For example, if we wanted to create an object of the class "Samochodzik" and change the year of production and model, we would not be able to do it, because we would not be able to get it from
the outside. We would have to create a constructor or a method that would write this sequence for us. Now let's go back to this reflection and when we run this script in a moment, it will show us here how a given class looks from the perspective of the reflection. Here we are trying to get to this class. Here we display the methods in this given class. Here we are getting to the constructor. As you can see, here we hit the constructor and it has no parameters here. It will be this constructor, because it has no parameters here. And here we call this constructor in these two lines. Here we call the new instance of this constructor and we don't give any parameters, so everything
is correct. And now let's start it once so we know what's going on. Did it work? It worked nicely. As you can see, here we have our methods. We have a car. This object shows us the model and the course. Here we get to the method. It's like this. Here we get to the model field. We set a new field. Here we get to the course. We set a new course value. And as you can see, here for the first time is the call of the class before changes. So we have an Opel model, mileage of 1,356 km, and here we have the same object, but with the help of reflections we set these fields, which are private, as if we had
cheated a bit, and now we have a new object, and we have Opel made of textiles with a mileage of 1 km. And now it's like this, we have these basics, Let's go back to the presentation. I was looking for... Yes, this mechanism. We cheat a bit, because we have the basics of the basic operation, but if we want more control over the object, we can do some magic and change the private fields, and even if you allow yourself, you can also get to private methods, etc. In the sense, there are bases that are not vulnerable, but if you try, you can break these bases. - But no one uses it in practice. - Exactly. And here
it turns out that someone uses it. And it's like this, that mistakes related to reflexes or data de-sterilization, I meet them and use them since 2018. That it's somewhere there. There's a lot of... There was a boom on Java, I would say that it is still there. There are enterprise-class products that will be written in Java anyway, because we have programmers, we have teams, we have licenses bought and large corporations will use it. There are a lot of frameworks that use various strange solutions. There was also a moment, I don't know, 8 years, where each framework had to have a reflection, deserialization, etc. because it looked cool here, it turned out that we were doing cool things well. And
the practice showed that we were doing cool things, but not necessarily good. And now let's get back to this presentation and how it looked in my case. The context is that I am testing an application at the client's place and we know how it looks like when testing an application. We try to determine what kind of application it is, what technology it uses. And here I had the pleasure and the luck that developers allowed them to make exceptions and reporting them was very loud. You know the Javascript stacktrace, right? When something falls out, there's a whole litany. And here I got such a litany in my face. I was playing with the parameters and I found out that there was no such method exception. I said,
"Okay, you can't find a method, so there's some import class somewhere, some reflection just below?" And I say, "Okay, but what kind of project is this?" And here I say, "com.ruoi.project". I say, "Okay, I don't know." And I searched on GitHub. And it turned out that it actually exists. But I say, okay, here we have a few forks, five wheels, stars. I say, okay, what is the awareness of this product? Let's remember that we are testing an application used in China or somewhere in Asia. And I say, okay, if we have GitHub, is there something like that? like GitHub, but typically for Chinese people. And it turned out that there is something like GitHub for
Chinese people and it's called GITI. And there, the same framework already had 42,000 stars and 23,000 forks. It shows that it's a pretty cool project, so to speak, cool, used, experienced. I say, okay, interesting goal. And now a nice anecdote, that in China, when I started working with them, there is a cultural difference. When we have blue, it's a defensive, and red is an offensive, they have it the other way around. Because culturally red is associated with defense and blue with attacking. And it caused various funny situations, that we talk about some concept or something and I say: we need people from red team. And they: OK, we'll make sure we have people from red team. And
then I get people and they can't do any offensive things and I say, "Hmm, something must have gone wrong here." And only later did one of the traders explain to me that culturally it is the other way around. And when you have it in mind, then exploring this Asian part of the Internet starts to make sense. Let's put it that way. I'm listening? Who? Oh, I didn't know that. I mean, cultural differences are an interesting thing. And it's like... It's not used in production, but this framework, this software on which this application was based, used something like this in production. And it was in managing tasks, that this feature worked so that if the programmer wants, he can write his own class.
Then, using one request, it can set the call of this class, as if it had a CRON from classes in Java, called by a web application. They came up with such a solution, that it is necessary for someone. And that's how it was. But they didn't set it up like this, there is no soul in hell. and they left some problems. One of them was that... I'll start with the fact that the app I tested was somewhere behind WAF and it was a poor WAF. When Ival saw it, he blocked my request. But it was possible to bypass it, I'll talk about it later. I bet you already know how it was possible to bypass it if it was a
poor WAF. But okay. Another limitation was that we could only use the arrow marks once. And when I used the comma, it was a mess. Because when you go into the example, I would like to see an example. I prepared a demo, now I'm looking at it, I think. I can show you this. I just have to turn on the docker. Sorry that it came out like this, because I came a little too late. and I didn't have time to sit down and do it, just do it calmly. But, oh, I would tell you about it. Because of course it's all open source and if something is... Oh, okay, yes, because I would... Okay, but in
a moment I won't be... I won't spoil the surprise. Surprise, surprise. So you can use it a little bit, right? Yes, for example, I once had a relationship with a framework that has long died and it's called Rich Faces. I like it because these applications are still there. This error is different from the one I'm telling you about now, but it's so specific that it's hard to exploit it without any deeper understanding of what's going on down there. And these applications can still stand today, they are without any WAFs. Even if there are WAFs, it is difficult to protect yourself against it, because the payload that we give there is Base64, but it is not just Base64, because it is Base64 that
contains a deserialized Java object and there are already trashes. It's just that if WAF sees it, it will be for him anyway, unless there is a rule, typically just for this one, right? Okay, yes. As you can hear, I turned on the burp here, right? You can already hear that the rust is working. I have 22. Okay, and now we're going to turn off this presentation. It's dark, beautiful. You know.
I have it all prepared in a container and I had an idea to share it after the conference. If someone wants to play with it before, you can let me know, I will send him these files and some instructions and yes, it will be difficult, please, you have such a build, typically from github, you don't have to play much here, see that Chinese signs have fallen out of Chinese signs, we have some coding errors, but this is due to the fact that I have the coding not set in the database. I should change it somehow, because this part of the application is dynamically translated from the database. And here is the feature I was talking about. It looks like this. Here we have
the class name, the method, and some parameters that we can call. And when we save it here and start it, it will start somewhere in the background and we can see the results here. Only this class doesn't do anything very interesting. But this is a feature that is supposedly available in all of this. And now let's go back to the presentation. Okay, so now that I know that there is some reflection there, I need to find a gadget that will allow me to do something evil in this code. And so I tried some standard payloads at the beginning, which I knew before from other databases. They didn't work for me, mainly because they look very specific. Let's take something like
this. As you can see, there are a lot of signs here. This one fits in our limitations, so we have brackets, we don't have brackets. and it fits in these limits. I tried it here. I have a couple of CVEs from this one. The point is that from the assumption that this library is from YAML and when you load the appropriate object, you can make a code by loading one file or some structure in YAML, you can make a code on the server. I like this accessibility, so I checked if it worked at all and it turned out that it didn't work. It didn't work for me, but later it turned out that it did, but I had to do
something wrong. But more on that later. And here I just wanted to spam a class on Hama that corresponds to making a command in Java and run just exec, so typically for ham, and it didn't work because here we have, as you can see, there are two attachments, right? And it didn't work. There is something like ScriptEngine in Java and this ScriptEngine can be used to call JavaScript, so we have a connection Java, which calls JavaScript in another engine there and I was just trying to play something that way, but it didn't work because In JavaScript, there was a problem with the brackets and so on. I tried to do some coding there to make the object appear without these brackets and brackets,
but I didn't succeed. But the fact that in Java, using the reflection system, we can to generate a engine that will make JavaScript for us, it's a kind of inception, I would say. We go down a few levels. And as I was sitting in front of this code and fighting this application, I got into a rabbit hole. I said, "Okay, let's try this and that." And I tried many such methods because I wanted it to be interesting. And the standard methodology required a slightly different approach from me, but I said, "Okay, I have a lot of time, it's cool Chinese software, I've never tested Chinese applications, so you can play with it." And at some point I decided that if I can't find anything interesting in external
libraries that will allow me to do something bad, I will check if it is possible to do something wrong with the help of classes that are already built internally in Java. And it turned out that it was possible. And here comes a trick that from guess to some version of Java, when we used the XML input source, we had XSE from guess. Basically, you could give this structure of XML and it would call. And it worked for us, because we didn't really need no brackets, nothing, because we had xml, so we had square brackets and we could read one line from the file, for example, it was enough for POC, but I said, okay, I would like to do it with RCA, and I
started conducting experiments. Here are, I don't know if you know how it works, that here we have the class name, here we have a package in which this class is located. As you can see, these first two paragraphs have a common part. This is the external library that was used by this framework and it looked quite interesting. And here, for example, I wanted the script to connect to my database and use another trick in which you can force to mysql, a java one, so that it connects to my angry base and I will then serve it a deserialized object and it will deserialize it on its own and then it will do it again, right? make such anger. I wanted it to be nice again, to have some kind
of trick there, and I didn't succeed. Later, we go back to the territory of this javascript, because there was this engine from JavaScript, but used in the external library and it was written a little differently there and I say, okay, let's try it again here. I also failed to achieve it as I wanted, because I broke these attachments again. In any normal language, these attachments are needed to call a specific method, etc. But later it turned out that I was wrong, because there are languages in which these attachments are not needed. And then I fell into it. I also tried Spring Framework here. If you don't like Java, I don't know if you know Spring, such a technology. This is a gigantic framework that is
also used in many applications like Enterprise, but it has its own new successor that makes writing the entire application easier. And this is Spring Boot. And it also has its own different and other methods. I also tried to play something in Groovy language instead of JavaScript. It turned out that this Groovy has a class that can be used in Reflex. We'll go to it right away. Here is an example script in Groovy and how it looks like to call this script. Oh my, it's pretty good, isn't it? There are no smudges and so on. As you can see, this Groovy is a bit similar to Java, with the exception that we declare a variable a and we can create different things for
it and here we just declare a variable and assign a value to it and as you can see here instead of a new line I can use a middleman and I can build various levels of the code, so it makes it much easier for me and we want to show you an example here in which it works because I have a few such examples, I made smaller ones And generally here, it was my first attempt, because it turned out that this Groovy, each string there has such a, each string was supposed to have the execute method, but it turned out that I did not call this method execute, again without these attachments, right? And I had
to find some other approach to the subject. I read the documentation and I reviewed it. It turned out that if Groovy knows that a given method has certain parameters, and I give it these parameters and there will be no doubt that it is something else, then I can call a given method without these attachments. And I say, okay, we're at home, because I got rid of this main problem. And now I'll be able to build a nice payload step by step without these attachments. And now I'll show you how it looks like on the second payload. And here's what I'm doing. I'm defining a variable s. To it, using the URLDecoder method, as you can see, there are no
attachments, but I'm giving it a nice string. And Groovy knows that there is a method called decode. It accepts a string because it only wants a string according to the documentation. And then we use the evaluate method, which also consumes a string again. And there is no problem that one variable has some unknown value. And when I turn it on now, it will gladly show me the result of this script. And here in this script there is something like this. Print1. We have a nice reference, we have a method call, we have a print method with references and we have These are the things that Framework implemented. This regress is a bit more expanded because
it is a newer version of Framework, but we managed to bypass this one obstacle and we bypassed this obstacle with these diameters. Here we have the meter, because we can easily call the whole line of signs. And I came up with the idea that I can easily pack the whole line of signs here. I started experimenting with long payloads where instead of print1 I was doing eval, creating files, but it turned out that the field in which my payload was stored in the application has 255 limit characters. Because it is coding this script, I had to play with a different way of transporting it. I came up with the idea that instead of pressing the whole angry script that
I want the application to make, I will put this file somewhere on the server and then I will download it and the application will make it nicely. And now if it goes well, I don't have the Internet here, I won't do anything. Okay, because if we try to call it, it will probably be just, well, it's empty because nothing happened. But what was actually going to happen, I'll show you here. If I don't have the Internet, it's not very good. Okay. But now, what script was in this coded form? In this coded form, I used this method to decode the whole string. Then I defined a variable command, where I would already reach the curl on the server side. And I
made a flag, a callback to see if it works. And since I was in the second context of the script, which allowed me to use characters, I just took the command, the "execute" command, because as I mentioned before, every string in Groovy has the "execute" method. And as it didn't work for me before, I didn't have these attachments, so now I can easily get to these attachments. And in the end, I chose the Evaluate method and it performed the whole the whole line of signs, the whole command. So to sum up, because there is a lot of such interpretation and I could do it better, make some graph of what is happening step by step, but it is like this. To sum up, it is like this,
There was the first problem with the attachments. We managed to overcome it by using a script that allowed us to call the method without these attachments. Another problem was limiting the signs in the field that kept the whole variable. To reduce the number of signs in the payload, we download it externally from the entire signage server. So, theoretically, if the application would not allow it to go out into the world, we would have to somehow build this payload on the server, I don't know if it would be sign by sign, or we would put it somewhere into some file in the temp and save it. So it would be possible to do it without this external call to the server. But I was lucky that the environment where the
client's constant application was not so secure. And that's it. I was generally happy with it, the client was also happy. I was rushing over this connection of dots and avoiding these obstacles left by programmers for a long time. And I could make everything easier. And I wanted you to bring out one thing from my presentation, that if there is a popular framework used by many people, which I have already managed to determine, it may be worth it, however, to check if someone has not found the same before. And even if it is a different another piece of the world, you just need to find the Chinese side of this framework, find the documentation, find the release notes, which were also in Chinese, and see
that you have a payload for pulling your hand out and instead of spending a week searching and connecting dots, you could just go into these release notes and the same day as you intended to do this framework, you can do it with the help of these payloads, which are available on the Internet. So this is the answer to what will happen when the research is fixed on a given thing. It's so cool that this presentation was created and that my method allows you to perform this script on the server side without this external call. As you can see, we have some URLs here, we try to download something, connect it somewhere, and in my method we can put this script
here. So if we were operating in some... in a closed environment, where we have access only to the application, it has no access to the world, etc. Then with those methods we would not get RCI, and here with my method we would have remote code execution. However, there was some positive value in my work and that is one thing, and two that I had a nice topic for presentation. Thank you for your attention. That would be it. If there are any questions, if someone wants to complain about Java, I invite you. I understand that it was almost up to date. Yes, exactly. It was one problem. When we go to... This is WS-478. When I went to the framework page today, it turned out that it was
479, so there are some changes. It was so funny that when I tested my solution on the new version, this code contains more things, more obstacles, verifies, here we have LDAP, RMI, so these are the fixes for this. Why does he take a stream from the Internet and load it into some kind of reflection? Well, that's ... Even when you learn about applications, it's like that. This is a panel for the administrator. This was supposed to make it easier for the programmers. It seems to me that the whole concept of this was that I have a chrono for which I can write a class in Java and it is made for me and I can manage it from the web panel.
But nobody thought about the wider consequences of having access to the whole class, to the whole Java namespace, so you can do different interesting things, use different interesting classes. And just like here, These things use internal mechanisms of Java. Just like this script, ngManager, it loads the class URL class loader. And the file we're serving here It has a JAR extension and it also has to have a specific structure. It can't be an ordinary JAR, you know, that you set it up right away, that it's a main class and you make a code right away. But it has to serve the definition of the service that is automatically loaded. When you load this JAR from the outside, It will be checked in terms of the definition
of these services and if there is a definition of the service, it will be loaded automatically. The Java has a lot of such strange mechanisms of operation and when someone is programming, they see that they can load a file and everything will be fine, but it turns out that if you use this class and not this class, the application will be completely different. And here, in the next versions, this programmer tried to fight it. And there should be a whitelist method somewhere here. Oh, there is a whitelist. And here in the newer versions, he limited this package only to his framework. Basically, you can make classes, but only from his framework. But here's another cool thing.
This framework has a utility class and it has some totally strange things here that you can also try to get here. And here is this cool class. And look, this is also the dream of the whole thing. We have a public class, we have different methods and now there is such a cool method somewhere and it is here somewhere. I think it's called Create Table, if I remember correctly. Yes, where is it? Here is Create Table. You know what? I think I had this payload written somewhere here. Yes, here is Create Table and this is We have a public method, so we can get to it from reflection. We have a public class and it consumes this string, which is just SQL.
And we can use it to call SQL injection. So that we don't get lost. We have this Chinese framework that has a feature that allows us to use the reflection method to perform Java code, like Cron. And the developer fights against the malicious use of this method using of the number of classes that you can call but it forgets that it wrote a bad code which allows to perform SQL injection using the same method and this is 4.7.8 version and now it is 4.7.9 I haven't measured it yet but there is probably some bypass somewhere for its protection and it is a problem. It is 48 Po if you don't have any more questions, then someone in Poland used
this question No, I have clients from Dubai. In Dubai, it works like this: you have all the nations and some businesses are Chinese, there are a lot of developers from China and they use things that are available. The team of developers is Chinese, That's why we use this framework. But in China there is a lot of it. Even if you go to Zuma, which is a Chinese shodan, there are also a lot of these instances. And the motive is that This is available only after logging in, but there is still a error that does not require logging in, but this is version 4.3.0 and this is the deserialization of data by the cookie and there is a problem
that there was one key on the whole framework that encrypted the cookie and it was available in the GitHub code, so this one, no, no, no It's just a tool. It's like... So if you complain about C, because the programmer can't take care of buffer overflow and memory, then just give the programmer a stick, if you want to put it in his eye, it's the fault of the stick or the programmer. You know what, I wasn't thinking about it. No, well... There are a lot of such... The idea is that you have these engines and... They also have their own dependencies, because there is the Nashor engine that allows for JavaScript, there is also Groovy,
probably there is still one niche language that was once used, it is still supported, but nothing more is expected of it. I say, the applications are different, and if the programmer wants his application to be universal, easy, etc., then I do such things. That's it. Thank you for your attention. I hope you don't like this Java so much. Hi everyone. It's a pleasure to be here in such a wonderful group. Thanks, thanks. We have a lot of viewers, but today we will focus on the topic of the hacker backpack. I am Aleksander Wojdyła. I am a pentester. I work at Securitum, I am a consultant of security services, a pentester, as they called it. I have some certificates
in the industry and I mainly deal with hacking infrastructure, Wi-Fi, etc. I don't touch web applications too much. I don't know why it just turned out like that, it didn't fit me that well. So I managed to use a few of these tools a little bit on these tests. And in fact, starting from the very beginning, what do you or you think could be in a hacker's backpack? Any ideas? Water, a tape, a tape. Okay. Okay. A PC. PC. A whole PC. No, it's true. Maybe some other ideas? A bag with a pen drive. Oh, that's a good idea too. We might have something like that, but not necessarily a whole bag, because it would be a bit expensive. Maybe rubber ducks? Maybe rubber ducks, yes.
We even have a few of those devices that were mentioned here in our backpack. But yes, starting with the hacker himself, from the definition of the Polish dictionary. What dictionary? The definition is different. There are several definitions. English-language dictionaries also have different definitions. However, often the hacker is described as a person who is looking for security holes in computer programming or is a network breaker, which also sounds very interesting and sounds like some tool used by the service. But this is the definition from the dictionary, you can refer to SJP, it was there and this definition is quite old, because it is probably from the 90s even in Poland when it was established, so it's a bit on the
market. However, I usually like to explain the hacker as a person who likes to dig into systems, in devices, play with them and not necessarily in the way planned by the creator, whether it is programming or a given system, device, etc. We also have in pop culture, in fact, various images of hackers. These are just memes, starter packs from Reddit, that a hacker should usually have a black shirt, some mask best connected with anonymous, use Linux scale and use Veeam or not being able to exit Veeam, because it sometimes happens. There are a few memes related to this, from which a hacker or script kiddie can use. Today we will focus on real tools that are actually used. for example, with Red Team, which is already more advanced
penetration tests using, among others, sociotechnics. And also those that I take on a daily basis, whether I use it at home or when I'm on the client's website and I just test their internal network. So we also have such devices and I will also try to distinguish what would be Red Team, and what would be typical for each audit that I would perform directly at the client. So, of course, we start with a laptop, some computer device, but it will not be possible without it, usually with a set of tools, with some devices. We have to start from the basics, it is quite an important thing, because we will not work too much without it.
Such a laptop would probably be able to replace the Raspberry Pi I mentioned earlier, which simply I think that the best way to install such a system is to use a laptop with a monitor. Of course, the laptop should have a encrypted disk, a bitlocker or other tool so that it is not a problem that someone will steal it from us, take out the disk and just open the data or break into our system. Sometimes some hackers forget about their own security, whether operational or physical, but they don't do such things, and I think that It is better that there is no darkness under this flashlight and that people dealing with cybersecurity remember to encrypt this disk if they recommend to enter such encryption to
others, for example. So it's also such a note when it comes to laptops. Next, of course, you can get yourself a pendrive. On such a pendrive, there may often be a collection of tools, for example. There may also be another data carrier with a backup from our computer or laptop. Because we never know what will happen to our equipment. And if we are already at the client's place, we went to another city somewhere far away, we spend two or three days there, a week, we don't want to waste time to recover, download, etc. Hi. Such a backup copy can do a lot, so it's also a kind of a pen drive, whether with tools or
with a backup copy, it's always useful, because then you can open your data as quickly as possible and there are no major problems here when it comes to further work. Well, because when we're at the client's, we don't want the client to pay for our inactivity, really. As for other devices, not recommended for hackers, but also for people who want to use their devices safely, from the Internet, of course, Yubiki. As I say, it's often dark under the flashlight. Some people forget about it and don't use such tools, but they can really help us. Such a YubiKey, as probably everyone in this room knows, can be used to verify a two or three-component and protect against some delusions of our testimonies, however, it would be unpleasant
if someone had a phishing attack on a person directly dealing with cybersecurity, so it is also another issue. Cables. There must always be a lot of these cables, whether they are some power supplies, extension cords even, I remember that my friend Christian laughed at me when I took an extension for the audit, and there was a situation that there was only one available socket and we would have to somehow strangely share this energy or ask the client for something more, and so it is, we connect the extension and we just have power, no problem. So it really comes in handy for auditing and it is worth remembering about it. Well, cables, some RJ or something, the client does not always have available or have some strange procedures of
issuing such with which it is better not to struggle, so always such an RJ, even 2 meters, is worth having with you just in case. It can be useful in different ways, for example, I also use it to connect to a pineapple, which will be later, so cables, cables, a lot of cables, power supplies, etc. They will always be useful. If it comes to local LAN audits, it often goes in line with the Wi-Fi network audit. When we go to the client and check something, the client often wants us to check the Wi-Fi network. There are different types of cards. computers, main boards, actually network cards that are in computers support the so-called monitor mode
for analysis of network traffic around. However, usually if we want to play with hacking Wi-Fi, we have to buy such a card. I have a few of these cards here, you can start with such a TP-Link for a few dozen zlotys, it works pretty well. This one, from what I think, supports only 2.4 GHz frequency, while such an alpha, for example, It can handle 5 and 2.4 GHz networks. The problem with these cards is that they are very often defective. And by saying very often, I really mean it because they just stop working at some point. And usually when I run an audit of such a network, I take one or two cards just in case one stops working, because
it can literally change the situation from day to day or from hour to hour. There may be problems with the controller, with the virtual machine, etc., so it is worth having at least two such cards with you so that there are no problems later. And very often it happens in such a hacker's backpack. So these cards for testing Wi-Fi are really used. With the help of such a card, various attacks, whether we intercept some WPA handshakes, whether we perform attacks on PMK and D, whether we create some captive portals, viltuins, etc. Various things can really be done with it. It depends on the choice of our tools and also the skills. You can also go a little further and invest in a card, which is not even
a card, but a device that is a little more expensive, i.e. Wi-Fi Pineapple. There are different versions, there are cheaper versions for about PLN 700, there are more expensive versions up to PLN 1,000,000. However, here we have one that I think costs about PLN 900. And such a Wi-Fi Pineapple It works on different principles. First of all, this function is not only used to perform attacks on the Wi-Fi network, but also for, for example, red team operations when we break into a building and want to set up something, some device has the Rogue AP function, which is Rogue Access Point, which allows you to maintain access to the network after connecting via LAN. and the user can still have access to the network with such
a tool. I mainly use this Pineapple for Wi-Fi network audits. It works very well even with attacks like Evil Twin and when collecting handshakes. I create a network, usually with a name similar to the client's network, or identical and I try to set this network as open. These antennas are quite strong, so this signal is strong, so users connect because it is one of the strongest networks in a given region. They connect or their devices connect themselves if the same encryption algorithm is used in a given network, so when we create a WPA2 network, then we also create a WPA2 network. but we have the possibility of creating an open network in which we would like to send a certificate, whether to some network, to go to
it later and see, for example, check further whether segmentation is done, or you can break in somewhere further, etc. But you can also just make a statement to some internal company services, to some Jira, for example, to Confluence, etc. Also, such a Pineapple can serve as an appropriate prepared portal, so such a tool also works well as a plug and play. We connect it and it practically works. There are only a few options to set. The aforementioned Raspberry Pi In fact, With this device you can do everything. We are also able to enter some scripts and perform audits with additional modules for Wi-Fi. We can also use it as a rogue access point to leave it with the client, add some GSM module there
and just connect to LAN or other tools. Or just use it as our main system and install some Kali Linux on it. Arch or Paroto S. It depends on what you like to use. However, such a Raspberry Pi can be used to make some things. And from the more popular toys, I think, we have rubber ducks. Not such rubber ducks, but just such rubber ducks. It looks a bit like a pen drive and in fact We usually associate rubber ducks with a tool from the company HAK5, which also produces Wi-Fi, Pineapple and other tools that we have now. But we can create rubber ducks at home with the help of an Arduino, we can take a case for a pendrive or print it in
a 3D printer and such rubber ducks, which cost about 60 dollars in the HACK5 store, we are able to make them ourselves for several dozen zlotys or, on a larger scale, for several dozen. So there is also such a possibility and it works basically, probably everyone knows, for sure if someone watched the Mr. Robot series, we associate what is happening with it. It resembles, in fact, for a computer, a Human Interface Device, i.e. in this case a keyboard. We connect it and then a script is made. Generally, often various tools, whether it is EDR classes or antiviruses, have a much greater problem with it to detect such an attack using a rubber duck, because the
computer often receives it as something that the user would type into the keyboard. than making a malware that we would send to the user somewhere, he would open it, then such an EDR is often able to detect it or another antivirus, and such rubber ducks, some protections, due to the very genesis of how it works, may be omitted. However, in some companies we have, for example, introduced USB port blockades, that you cannot connect any other devices, there are only one accepted on the basis of the physical address of this device, but there are actually bypass methods. There is a so-called key-step, which is actually a keylogger, but we connect it between the keyboard and then we
plug it into the computer and this kickrock copies the serial number of the keyboard so that the computer knows that it is the same device and it is difficult to detect because then you would have to check every connection and disconnection of the device, and yet sometimes the keyboard may be disconnected, etc. So it works pretty well. and you can also have fun with it, it is generally difficult to detect, and scripts work just like rubber ducks, so we can run some script, which will be performed on a given computer. For example, some reverse shell, download some software, or we can also set the rubber ducks so that we take them, connect them to the
computer and just download some data. So there is also such a possibility. Well, right now on my rubber duck, which I connect to my computer, I have it set so that this disk is detected there and there is some notification. However, here is just a quickly entered script and I should have a duck on the screen right now. On this principle. So... At this point, the attacker could take over our computer or play some data. It's also an interesting way to show that with the moment when we have physical access to the computer, which is unlocked, we can do practically everything. There are a lot of attack methods, scripts, etc. There are repositories from which you can download such scripts. and use it, although I don't always recommend downloading
some random scripts from the Internet, because you know how it can end. We want to hack someone and it turns out that someone hacks us. So it's not always worth playing like this. And this duck is harmless, but it could be just a script that collects our data, password from the browser, etc. So a lot could be done here. The problem with her is that when she starts, she doesn't want to go. She will just walk around the screen for now, because it's hard to turn it off. You have to click it for a while. So you also have an additional point of interest on the screen in the form of a duck from the
script. We also have other tools. It is more for exfiltration and remote network connection. When we have access to LAN cable, we can connect LAN turtle somewhere in the company. We can connect it between the computer, we also plug in the LAN cable there. This computer still has access to the network. and we are still able to make recommendations as a separate device in this network. We don't go directly to this computer, we treat ourselves as a separate device in the network and then the attacker can do everything, collect some data, etc. It's just a different version of rubber ducks and the scripts that work on rubber ducks also very often work on these other
devices. Okay, I won't turn off this duck for now. What else do we have? We also have similar LAN tools. We have Shark Jack, which also allows for exfiltration of some information from the network. It also has a LAN end, but it can work in such a way that we connect to some socket for an RJ, for example, here I would have such a socket, it is probably somewhere. I think even for sure. I would connect it and it will simply exfiltrate some network data very often. The script in Nmap is automatically triggered, which scans all available devices here or something else that we actually come up with. So you can use such a device.
You know, if this internal network had access to the Internet, we can still keep some connection somewhere and use it, so there is also such a possibility. However, the main tool to use this Shark Jack is simply connecting some data exfiltration or, as we have here on the picture from HAC5, It's just an external device that allows monitoring of what's going on. It's probably some kind of a rooted phone that someone uses. Also, some curiosities. This is a return to the Wi-Fi network and auditing them, but it's more of a toy, which is a Puna Gochi. It works on Raspberry Pi Zero. It allows you to collect handshakes on Wi-Fi, which you can break at home. There are various games,
there is a system for collecting experience. When such a Poonagotchi detects that there are other Poonagotchi next to it, it smiles, hearts are shown, etc. Very interesting toy, such a DIY at home. On the website ponagoczi.eu, I think, is this tool described, all components are written, which you can buy and just do it at home. So if someone likes such toys, it is definitely an interesting thing, allowing for many different options. Of such more toys, but The tools that are theoretically used during audits are probably Flipper, which we all know and it has a lot of possibilities. You can copy some RFID cards to go somewhere further, you can also audit Wi-Fi or Bluetooth networks. Wi-Fi networks need to be audited with
an external module, but we can do various things with such a flipper, for example, make some DOSes for devices, phones, etc. There are quite a lot of these options here and this tool can work interestingly. So, in fact, it all ends with our imagination and how we are able to use it all. As for these tools, such as Rubber Duck, Land Turtle, etc., there is a special language called Duckiescript, we can compile it all on the website of HACK5, i.e. the manufacturers of these tools. and just use it somewhere and so on. So when it comes to this presentation, that was all. However, I'm actually waiting for your questions, so maybe you have any questions about these tools or general audits we are conducting, right?
No, I don't think so. I think there will be one, but I can try. I think this one will just reset. No, no, no, you still have to write the script. Oh, no, there are two. Okay, there really are two. So you can burn these little ducks, you can do many things, you can install, open a skerwer that would encourage someone to pay some money, you can do many things with this rubber, so it's also a cool thing. I don't have it now, I would have to bury it somewhere. But, because, actually, on the Hack5 website, they are just ready somewhere, just a few things need to be changed and these rubber ducks on different systems then work and it is compiled, so I can
only in this version compiled on the computer. Something to control R, some strange long worm. Well, yes, yes, I mean, it's just in PowerShell. Yes, generally it is in PowerShell, the path... But there is not much visible, yes, I can put it in the notepad. It's just such information, yes, and it is referring to another script in PowerShell, which is ready there, but it can be generally... and use it to make it even harder to detect. So there is also an option and this is the way to replace it. You have a computer with admin and authorization, right? Yes. And if you send it to an ordinary user, will it work? Maybe not with Timescript, because an ordinary user may
not have access to PowerShell, for example. It depends. Before such an audit, we usually try to do some reconnaissance to see if I asked in context of this, because many companies and users don't have access to admin accounts. For example, I have, in spite of the fact that I should have, they didn't give me administrator's license and I have everything organized by IT department. I have CyberArk and without it I can't remove the license to admin and I work on a limited account, so something like that won't work for me. Ok, so that's why we have a reconnaissance to define it and then we can adjust the attack by adding something like malware to this
device. Simply. On this principle. To make it simpler and malware can be directly transferred from this rubber duck so that you don't have to download something from the Internet, so that there are fewer IOCs at this point. And to make it harder to detect. So it depends on the organization of how it is implemented, but many organizations do not use it, whether it is a book or someone has such administrator rights often. - But I don't even have a Bluetooth to transfer data. I only have audio via Bluetooth. - Then it's harder. Then you have to play more. Then you have to define what you can. I think you have to talk to the employer. - They
recognized each other on the human. There are companies that use Robert's TACs for installation of videos. Yes, maybe automating the script is also a way to use it. Because we can plug it in and the script just goes in. Or some updates to download some additional programming and so on. So it makes it easier. If someone doesn't want to use GPO, that's it. Do you have any more questions? So. If I were to continue this presentation, I would focus more on the technical and software aspects that are used both on the computer and with these devices whether it's when doing audits for Wi-Fi, because there are also interesting issues, such as, for example, auditing enterprise-class networks, which is a bit more difficult and you have to play around
more, as well as the scripts for rubber ducks and these devices to show in general how it works with different possibilities. So more of these scripts, for sure, I don't know, show in general how they are written. So Preska definitely has the potential to go further somewhere, I think. Is my Wi-Fi at home easy to hack? If I have a new router and a password different from admin 123, then I think the password is complicated. Do you have a WPA2 or WPA3? WPA2. What did you answer? It depends on how the password is actually folded, how much time the attacker has, but with WPA2 there would be no problem, but you know, if the password has 20-odd
characters, it will be heavier, but if it has only a dozen, it would be possible to break them in a reasonable time. Yes, although there are also different attacks for WPA3. It doesn't matter. The first thing is that the WPA3 must be turned on, because it means that the compatibility must be maintained. Most of the devices that we have on the market do not support WPA3. So, if you turn on WPA3 and only use this, then some smart-boxes, users, IoT, cleaners will stop working. That's why you should do an isolation on IoT and something more advanced. Yes, because most of these attacks on WPA3 are downgrade attacks, so simply returning and forcing this connection through WPA2
to continue working. Unfortunately, but it can be turned off on most routers. Most people get routers from the operator and they can't run it. Most people are not like you here, people who log in and will run after it. Most people are just rascals. Superrouter was given to the operator, because the operator said that it is a superrouter, that it has the latest security. Even if you find somewhere on the Internet that there is a WPA3 that protects the whole place from this, someone will not log in to it. So it won't play in it and it won't turn off the downgrade. Yes, it is... It has the possibility to earn money in many different worlds. If you get a play-through as a stationary internet,
you won't change anything. - It's not very legal. But a regular user wouldn't do that. When you insert an OLT in the end, there is some handshake, right? Yes. And if you connect OLT from the operator to your light, it also starts handshake, right? Yes. Olek, I have a question about the hook. I mean, I have nothing against the hook. Give me the third one. Can you give me an interaction? No, but it would be possible to program it so that something would still work with these ducks. But if you let them go, then no. No, no, no, it's impossible. They just walk around, you have to click a few times to delete them. So there is something like that. I mean, it just
disappears then, yes, the script is off, ala, on this principle. If you control the script, then the task manager would see these ducks too. Yes, they are displayed as a process. I think that you would find people in the office who would like to open such a beta. Yes, real rubber ducks. But when I read that someone created such a rubber duck, it means that he just put it in and that was the first model. Ah, so it's from the history of this. I didn't go deep into it, it's interesting. But sometimes companies give these as toys, pendrives, or you can buy them in some store, so it probably came from that, and you never know what will happen there. So it's also an interesting thing. Okay,
more? What is the distribution on this Shark Jack? On this Shark Jack, I think it's some Debian, but I'm not sure. Now, the box. Ok, that's all, so thank you very much. I have half an hour left, but I won't invent anything. - Maybe some entertainment part? - Demo? - Some... - Come on, go to the demo. - Entertainment part. I don't know, we can ask some other questions. - Come on, go to the demo. - Live you can hack my network. No, I won't hack it now, damn it. Illegal! I need documents to hack here! You have a recording of your phone! But there will be a scope, it's not known, maybe I'll accidentally exit the scope. There's no risk. There's only one person
who will enter the scope. They laugh very funny. Sometimes it happens. And what about Digispark? You can buy Digispark on Allegro, it costs 1$ and it works. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one.
It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one.
It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It's a good one. It Yes, it's more sophisticated, there is a set of tools and you can play around with it. And it's probably that he sets his own video or something like that. Yes, yes, yes. Maybe there is a theme for this game. Cool tools. I recommend to see the version, because it's really great. And in
terms of USB ports and potentially the implementation of rubber ducks, someone asked about the fact that there are standard pendrives on controllers. It is possible to change it. But it is the family of specific controllers that have been so much hooked that it is possible to change this firmware. Yes, you can also print something on it, but not all pendrives would support it, because not all of them have this module. Yes, it works in different ways. So there's nothing much there, you can even open it. Literally, because it works like this, that generally if you don't open it, Nothing works, I can't even pass it without SD card, so I don't have to put something in someone's computer. I can show it, even run it if someone
wants to see it. - Is it working only for Windows? - No, no, for Mac... - I think it's there, because it's in PowerShell. I mean, this payload, yes, but generally Samora, Berdak, no problem. But this shit won't show up on Mac or Linux. But we have a PowerShell for Linux. But I think it might not work with the script, it might not be compatible. You have to have a specific OS payload prepared, really. Because then a hit appears as a keyboard and it starts typing. It's like someone pressed Windows + R. Yes, it's literally... menu start. So, there are further possibilities. What did I put there? Rubber, but if you want, I can also put other
ones if you want to see. Where is the sound? I can give you some tools. No, no, no, Digispark has... I know, but it's like an analog structure with this specific Atmel. Yes, 2.3.2.8, the lowest. The lowest, but with an OSB hardware. *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* *laughs* * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs *
* laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs *
* laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * * laughs * laughs * * laughs * * laughs * laughs * * laughs * laughs * * laughs * laughs * laughs * * laughs * laughs * laughs * laughs * live * * laugh * live * * laugh * laugh * laugh * laugh * live * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh *
laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh * laugh You don't come in with a bag like this, you go to someone's house and you do it yourself? Yes, we have people who are responsible for it. Christian, have you been to Onsite? I have
been once. I have been there once. I have no experience with it. Do you really come with such things to the building? From what I know, yes. But when it comes to further steps, it's very different. I think we rely on... Yes, it depends on the range. We rely on simpler socio-technical tricks than strictly hardware. Yes, so it can often be done by convincing and breaking people, not systems, really. You take a drill and someone hits you in the knee. Yes. I also had a situation when we were sending packages from InScope which were not from the delivery man and we were sending them with pendrives to a company and as a society they connected
them and used them as a gift Yes, but it wasn't from us, but as a different software provider. As a different provider. As a part of the social technology, it really worked. And we also used such rubber duck. It's also a cool thing. It's a bit easier to avoid security than malware typically played by the Internet, because then there are many more places where an alert can be shown. So the only real method is to use blockers, right? Yes. The blocker won't allow you to open the script. No, I mean, blocking the ports itself here, but if we have... I'm thinking about the software, for example, GPO. Yes. But then in the computer, if there is
no Bluetooth, it can be a keyboard, for example. But one of the devices that went into the object, it replaces the serial number and imitates this keyboard. Yes, this KickRock. - Then it will imitate one, but just ... You plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the
keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the
keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the
keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you plug in the keyboard, here you I can't see anything, it's still running Which one exactly? No, it can be powered by LAN, if you connect it. Yes. Then you have to use a phone or something else. But you can connect it not with a computer, but with a phone. Or a powerbank too. - Can I use the powerbank? - Sure. It looks more like a military router. I have to turn it around. Ok, the power
is very thick. Yes, because you have to power it directly from the contact. It is not so good in situations when we do not have constant access to electricity. Question. It changes between the ARM mode or the mode in which we are able to play the script. And these rubbers need to be unfolded in order to be able to change it and to be able to enter a new script, but this button can be programmed in such a way that if we click once, the script will turn on on Windows, and if we click twice, the script will run on Mac, for example. So we can program it in such a way that it just responds in this way. This button
is also at our disposal when it comes to payload. The equipment is not back. Do you have any more questions? No. Okay, so we can really end it. Thank you very much. I'm talking, I'm talking. Yes, I'm checking. Great. And how many channels are there? Or you're talking about Tarek? Oh, this one.
The image is going, there are guests, so what, we start? We decided to make my part with Maja, because this research is mainly her merit. It will lead to a contract with you. We have devoted all three days to potentially discuss the surface attack, to contract that even today a very cool performance, The least sexy part, i.e. risk analysis, the granular approach to what will happen and how it will happen, is extremely important, but also underrated. The part that we agreed with Maja and we wanted to propose to you is the approach in which all these defense lines failed. These tools for millions that were poorly implemented or not tuned in time, which Konrad talked about very nicely yesterday,
failed procedures that for various reasons allowed to spread not only harmful programming but also behaviors that are simply forbidden. And also to the approach that the whole market is now warming up to. What is AI in general? Does it exist? What are the differences between machine learning and the approach to looking for repeating patterns and drawing good conclusions? and AI, which can be divided into two subcategories: do it for me, do it with me. So my part is just to welcome you, thank you for being here and introduce you to the world, to the technological journey that Maja has gone through and agreed to share with you. So let's welcome Maja with applause. Okay, let me know if I start speaking too quietly, because I don't have
the loudest voice. Okay, so I deal with machine learning, I came from this side, in this case for cybersecurity, so I have a slightly different perspective than most people in the room. And today I will talk about the life of machine learning, and not strictly AI for cybersecurity, which I think is quite interesting I will try to convince you that it makes sense. But of course, as everyone else, it is more sexy to talk about AI. It's very nice to play with AI, as you can see in the picture generated by me. The name of the product I will tell you about has AI in its name. This is also something worth noting, because I suspect that this is not the only
case where you will hear about pure machine learning branded as AI. So, let's get started. I am here with the company Sagensa, which is engaged in the production of cybersecurity products. This is a small company and at the moment we have such a SaaS platform that which serves to conduct security audits, especially in small and medium-sized enterprises. Why am I talking about it today? Because we use it as part of our solution. And now what I will talk about today more precisely is our Ransom SPY AI without AI, which which serves to detect ransomware, as the name suggests, and which is an endpoint software installed on the user's computers, but at the same time integrated with our SaaS platform,
so that threats from one machine could be sent to another. And now, ransomware, I don't think I need to make a big introduction, everyone knows that it is a huge problem, the available statistics are quite tragic, because not everyone wants to admit when he was attacked, but what is known is that it is a huge market, a very expensive market for attackers, therefore, it is rapidly developing and although there are many offers of protection against ransomware, very complex solutions and so on, it is obviously it all gets in the way. And now why do we, as a small company, care about other approaches? Partly because it all gets in the way. And it's not that we
say that we suddenly have resources better than Microsoft or someone like that. We just came up with another interesting brick that can be a very cool addition to other security. Oh, and I didn't want to go through the slides at all. It didn't work out that way. So, if you're wondering how to protect yourself against ransomware, it would be best if this ransomware never infected you. and of course reducing the attack surface. If you already download something, then testing in sandboxes, etc. And we absolutely agree that this is the best solution when it works, but it doesn't always work. Therefore, what if this ransomware is already installed on computers in your company? then it would be nice to cause as little loss as possible. So, first of
all, it's better to start on one machine than all the machines in the company. And secondly, even if it starts and starts to encrypt, it's nice to start encrypting 5% of files, not all. Now, of course, all I'm talking about is Crypto Ransomware, which is the one that refuses us access to data because it encrypts this data. There are other aspects, such as taking data from the computer and then blackmailing it to release it. This is not our department here, we are talking about Crypto Ransomware, which, in addition to the losses of the company's credibility, etc., has simply very Sometimes you need this data immediately. If it's, for example, a medical sector, you want to know what kind of tests this patient had done now, and not in two
weeks, in three weeks, when you may be able to get what you want from the backup. So it's like this. We try to protect against crypto ransomware. And now, as I said, first of all, At the moment when the attack is already initiated, we want to catch it as soon as possible and we want to propagate the warning in such a way that if one machine detects that it is attacked, it can warn all remaining machines as soon as possible. And now? How does the whole system work? As I said, there is one central platform, which is not at all convenient to show here. No, I mean I wanted to be on it. It's good, but I prefer it
this way. Yes, how should I aim if I can't see where? I can show you. Can you see the arrow on the screen somewhere? Maja, don't get distracted and don't worry. Calm down, no, I'm just frustrated, I don't care. You know what, I'll take this cable out and I'll just do it on this. Now you see? OK, you have it. It's old. So here is our central platform that will want to extract data from all computers and present some simple statistics. Very simple. At this point, it will be data on the basis of the probability of an attack on the A, B, C and D machine. So these are not any reliable data. The second part, I didn't ask for it, is This
is what we install on every Windows machine in the company and there must be such programming that will even go on Mrs. Zosia's program in the office. Therefore, it cannot be difficult and it must be something that can constantly monitor whether there is ransomware or not. and send quick notifications to the rest of the network. Therefore, it must consist of a module that monitors what is happening, behavioral research. What we focus on are changes in the register keys, changes in file operations, this type of things, the use of resources, this can of course be added because it is modular. Then there is the entire module of machine learning and here is why machine learning, not AI, because at
least for now we do not install AI at Mrs. Zosia's, it is too big and too heavy and it makes no sense at all, we do not want to use all the computer resources for how to do something simple. And then, of course, we have to do something with this information. I will focus less on this today, because it depends more on what the company wants to do with this attack. Does it just want to report, or does it want to cut off from the network? There are of course many options here. But I will talk mainly about this part of machine learning. And of course, if such an attack was detected, we can try
to extract a little more data from this machine. So we can, for example, cut a report that tells us why we got this application based on what data. To be able to check later if it made any sense at all, if it was false positive. Good. Here is a short demonstration of how it actually looks. This black console is... I don't know how much... This display is not the best quality. It's going very well. Has it gone already? No, it hasn't. It's going. It's going? Okay. This is the central part, which is currently for a single machine, which tells us what the probability of an attack is. Green is below some limit, very low values. At this moment, nothing is
happening on this machine. This is, of course, a screenshot from a completely different screen. This is a screen that a security specialist or another administrator will see. And what happens on such a user machine? Let's say we copy files, there is no impact on... Here, of course, there will be a few-second delay. We do a sampling, let's say that the sampling is every 10 seconds or every minute, and so on. Usually the sampling is every 10 seconds, so the results will be displayed with some slight delay. Therefore, we do various types of operations, because I can barely see what's behind me. It's a bit difficult to comment on. But anyway, here we do things like
deleting large amounts of files, copying large amounts of files. There is no such recording, but maybe we use some software, maybe, for example, Visual Studio Code, we will start something in this style and start clicking something in it. And at some stage, ransomware will start. And then we'll see how it will change the whole situation. And of course it should be like this. that we want to detect this ransomware as soon as possible. Therefore, in the ideal situation, as soon as the file is run as a ransomware, the probability of attacks should increase immediately. Of course, it is not that after the ransomware is run, it always does something, there are sometimes delays. And these predictions, as you can see here, are not zero-one.
So, just as we said earlier, all machine learning models work on the basis of probability, not 0,1 and then such a threshold is added that if it is above it is 1 and below it is 0. This demonstration here, here we install some software, so these are a little more intensive operations, especially for a weaker computer. And then these numbers grow in a rather insignificant way. I'll see if I can get a little closer, I'm just afraid it's all going to fly away. Did it go forward? You stopped, you stopped. It goes again. You know what? I will do it outside the presentation, it will be easier. No, because it started again from the beginning, I don't know how I have it ... Which one?
No, I'll go to the next slide. I'll just try to show it outside the presentation. Pull the strip? I can try. But you know what? I'll try it outside the presentation first, maybe it will be sometimes easier.
Okay, let's try from this moment. Maybe it's a little too hard now. Yes, it should go here soon. Oh yes, here we already have higher probabilities. Here we already have the probability at the level... Okay, it's not important, I won't bother you with it, I'll just go to the next one. Anyway, what I wanted to show there is that... - Hadami drank it. - He didn't. - He drank it. - It's there. - Please, open it again. - It was already... - I think I've tested this ransomware on my computer. - Okay, we can see it. - No, you can see it, but you can see it. Okay, it's there. Okay, anyway, what I wanted to say... I probably packed something too
heavy for this presentation, that's why it's so heavy.
I will speak and you will deal with technical service. What is the key point here is to catch the ransomware at late stages of the attack, because encrypting thousands of files is really difficult to miss. This is one of the advantages of such a late approach, that we try to catch this ransomware earlier, but if we fail, then we have a guarantee that we will catch it later. And then, let's say, after 10 seconds from the beginning of the file encryption process, we will already have this alarm. And this is after 10 seconds on the first of the infected machines. Which gives us time to send this warning to the next machines. And we hope that then this infection
will not even start on the other machines. Could you give me the next slide? It doesn't matter in this case. I mean, we were training it mainly on EXE files, because we got a large database. However, we are starting to be interested in ATAK from the moment of turning on, the beginning of the unique part of the ransomware. The ransomware has to recognize the files, where they are, and then what we encrypt and encrypt. We are interested only in this part of the stage. Whether it came through phishing, or something else, we don't see it at all. So it's so much... Maybe I didn't mention it at the beginning, or I didn't say it well enough.
We are talking about a situation in which all the remaining tools, tactics and procedures that we implemented have failed. However, we do not care about taking care of the the whole post-mortem process, that is, to know where it came from, what went wrong, etc., but to minimize the surface of this encrypted segment or possibly separate it. So it wasn't exactly in this part of this whole research and development stream that we were interested in to cover all possible aspects of encryption. I assume that encryption is often the last stage of an attack, when we either want to cover up the tracks or something just didn't work and we want to do harm or we were
hired only to detonate the payload. So my research and the whole stream that is incubated in Sagenso in systems that, without mentioning names, but to use an example, in atomic boats, updates are still given on floppy disks, so it was supposed to be as light as possible and its propagation was supposed to be as small as possible. The whole idea is that we want to deal with the stages that have the least diversity and the least possibility of bypassing. If you want to encrypt files, you have to find out where they are and you have to encrypt them. You can't encrypt files without encrypting files. They are just like that. However, whether you will submit it in
one way or another, there are much more possibilities here. This, of course, does not mean that in the future we cannot expand it, but it is just a core of it. Now I will start to go to the side of what really interests me, i.e. machine learning. And I think it is the most interesting part of this presentation. First of all, machine learning is based on data. Even a small company like us, which cannot afford 10,000 samples to slightly improve the algorithm, like Windows, must have this data from somewhere. People are surprisingly reluctant to let us run ransomware on their computers, and we can record what is happening. Therefore, we have to do it on virtual machines. On these virtual machines, We will have an operating system that
we want to detect later. Let's say at this point it will be Windows 10, 11. We have to have some software, some files, so that it is not all empty, because surprisingly it is difficult to detect ransomware encryption without files. we need to have a user. Now, if we want to have a lot of this data, we don't want to have, we don't have the budget to hire 10,000 people who will sit and click on virtual machines and pretend to be real employees of the company. So we do it scripted, mainly we use AutoIT. And we have various types of operations there, but let's say that the absolute core is that there must be things
that can For example, large operations on a large number of files, large number of caching, large number of copying, unzipping, unzipping, then of course there must be such things that we simulate, because they have a chance that they will resemble what Ransomware does. The longer we have this training environment, the more we can improve, the more things we can install, the more we can add, so that it becomes a more authentic environment. So we have a virtual machine where things happen and our AutoIT script copies and writes files, whatever it likes. At some point, one of the large ransomware libraries that we were texting there is launched. That's what it's about, because this discovery has In a real
product, this detection occurs while the user is using his computer, then we also have to teach our machine learning model to be able to detect it in such a dirty environment. Now, of course, this data is not enough, because they are completely synthetic. And what we need in the second phase is, first of all, a large amount of data from some partners, without ransomware, only from normal machine operation. Because what we absolutely have to eliminate is false positive. And now, for example, we know that our current interactions work well, but only well on very busy software programmers. So, for example, if someone does Visual Studio, our predictions are already approaching such an orange phase. He
doesn't say yet that it's ransomware, but he says that a lot is happening. So we draw a conclusion from it later. Okay, in addition, we now have to start simulating much more busy machines, such as programmers. And in the next iteration, we take our new machine model and check if it works better on the machine, nice. Maybe now how will it be on the graphics machine and so on. So this is an iteration in which we mainly use real machines to eliminate positive and negative false ones, and we use virtual ones to attack to a greater extent. Of course, it does not mean that we do not want to have any real machines with attacks,
but realistically it will not be a big challenge. And now, of course, there is a third way in which we can collect data, it is more for the future, with real clients, organizations, etc., who already have software installed, let's say version 101, and we want to do 201. Therefore, every time their machines send a report that there is a ransomware discovery, or they send a warning, then we want to have a report from it and see What features? What measurements? Maybe it was the number of files that caused such a diagnosis? Maybe this? Was it a correct diagnosis? And again, we can change our training environment so that the next iteration is even better. And now the model itself. There are of course a lot
of company models that are very light and that can make quick predictions. What is their problem? Practically Almost all solutions, both machine learning and AI, are black box. So you really don't know why a specific prediction is one way or another. It's not that bad, because there are tools that allow you to, for example, enter deep neural networks and try to zoom in or guess why. There is a whole science to understand the data that deep networks give you. But we want a light model, so we don't need the whole science to analyze it. We want a fast model. Therefore, based on earlier literature, we have adapted so-called additive models for our needs. And now how does it work? It works in such
a way that it generates such nice drawings, as we can see here. Every time we do some measurements, let's say we write down all the changes in the register keys, we have to transform it in such a way that fast models will be able to interpret it. So it will most likely be such simple numerical values, for example, how many files were saved in the last 5 minutes on average within 10 seconds? How many register keys were changed? What is the entropy? What is this? What is that? These are relatively simple calculations. This generates the so-called features in machine learning. And now, each of these features is in our model. First I put it aside, and then I try to cut it
off. The top chart. Control, which one? It doesn't give me anything, it just changes the slides. Wait, where is it? Oh, I have it here. Each such chart presents one feature. For example, let's say the feature is the average number of files deleted in some time period. Let's start with the simple ones. And now we convert these features into, we put them in drawers in such a way that we have discrete values instead of continuous ones. and create this type of chart that correlates this feature with the probability of an attack. So in this case, for example, low values will reduce our prediction. So if the value of deleted files is low, then we say that this causes the attack to be less likely. High
- more likely. Why is it useful? Because then we get something like this chart at the bottom, which makes some strange fly-off. Let's say that this is the number of created files. It's not, but let's say that this is the number. Well, it starts a bit strange. How come suddenly, with low values, some red flag? Probably because there is something wrong with our training environment and we can change it. A very nice example in these additive models was for medicine. They were doing an analysis in hospitals, how to classify patients, how high is the risk of death if he has a lung inflammation. In this respect, what is the priority of this patient in the
health system. And suddenly it turned out that their models were taught that if someone has a strong asthma, he has a lower chance of dying from lung inflammation. What's the point? If he has asthma, he has a weak lung, he should die easier. It turned out that because earlier in the training group, these patients were treated with greater attention, because doctors knew that these patients were at greater risk, therefore they gave them priority, therefore their treatment results were better. But now, if our model has learned that these patients have a better chance of survival, then the next doctors would already get recommendations: "Oh, he has asthma, don't worry about him, he'll be okay." This is an idea to kill patients. And here
it translates into all industries. If we don't know what the model has learned, then he will learn this kind of shit. Thanks to the fact that we know what our model is learning, in this case we know that our model learned to fuck off in the second chart. And we can fix it. Therefore, the second feature of this is that if we make the final prediction, first transforming our initial data into values in the drawers, then our entire prediction is: for the first feature, the result entered this drawer, We have to add 0.15 to the final value. To the second we have to subtract 0.32. These are operations that are done just quickly. These predictions are almost immediate. The burden of the model itself is
none. And in our initial data, at this point we have a large number of such data generated on virtual machines and we tested it there. Those predictions, as we expected, are accurate and very fast. This speed is very important. And what's more, we get a pretty good result with a small number of false positives. Now, are these data that are already final? Absolutely not. Now we are at the stage where we need a large number of real data. Therefore, if anyone is interested in cooperation, we invite you. But I think that the whole value of this solution, especially in machine learning, is that we know what is happening, that we can even sit down with a CISO and say: "Listen, we predict ransomware on such and
such basis." And they say: Almost great, but here's one thing, you might still look at it because it doesn't make sense. Because they can here, because such a CISO can help us in the same way that a doctor can help this specialist from these models to predict the results of lung inflammation. So, the fact that we understand what we do and what we offer, of course, helps. The fact that it is light and fast, of course, helps. And also, because it is is it connected to this whole training environment, then we can now, for example, go to another industry and we can see: "Okay, you have some very specific software that can cause problems? Let's do an implementation, let's check.
If not, we can train it ourselves, because we know exactly what it is about." So that's the idea. And my message is that I love AI. I personally use chat, copilot, everything. But it is worth noting, especially if companies have more specific needs, that sometimes taking the gun is not necessary. Sometimes you can take something much simpler and get really very interesting results. And we will have more impact and more opportunities, at least at this stage. Thank you. To close it off, we can use many generative tools that allow us to do it ourselves or do it with us, automate some things. However, the story is that Machine learning is so beautiful and really light, if
we are talking about the processes that we operate in large technological debts often and scalable. We are talking about situations in which we can adapt the model to our specific capabilities in an RGAP environment and not necessarily train it, but at least understand some of the behaviors of our network. The president of the agency is with us, so if you want to talk in the hallways, then... Yes, of course, I forgot to finish. You know what, because I'm here... Yes, one of the simplest methods, just skipping the communication through this central platform, As I said, the balance between detecting real ransomware and false positives must be beneficial, otherwise we will have 10 alarms a day and the client will turn off the whole protection after
the first week. I got a little confused. Okay, so normally we have to have some threshold, because I said before that these percentage results convert to ransomware, not ransomware, on the basis of some threshold. Normally this threshold is at some stage. Let's say it's 60%. 60% probability of attacks calculated by our model means that we really think there is an attack. Let's say you get a 50% result now. Well, there is no attack. But if the first machine decides there is an attack, we can send this warning and all other models will now have a reduced threshold. So now another machine will just predict the probability of an attack of even 50-40% and we will say it is an attack. It was not an attack yesterday because there was
no alert state on the network, and today there is an alert state, so it is an attack. Now, of course, there is the second part of the question what we are doing with it. As I said, this presentation is less because it is not part of the project, but Here it is no longer a matter of course, we have some original conceptions and so on, but it depends on the company's policy. Because if, for example, someone has more dispersed, a lot of people working remotely, a sector of less risk, by less risk I mean if the ransomware attack takes place, it is not the end of the world yet, these are not the end of the world. And now, for example, One of the things suggested by
us would be, for example, immediately after such alerts, cutting off computers from the network. But let's say that this small company has people scattered around the country, one IT specialist and he can't cut off a computer in Szczecin every time when the IT specialist is in Rzeszów, or they probably don't even have a cyber security specialist. That's why we focus a little less on this aspect, because the company's policies can be so different. that one solution proposed by us, for example, cut off from the network or this, that, it's just a bit too... In our opinion, the best idea is simply to integrate with the company's policy. However, with some companies there is a low risk, it will probably be just sending an email
and 100,000 alerts, and in another company it may be, I don't know, a kill switch. - As you said, we were also together with several other major companies, when it comes to such a service, - - foreign I would like to add something. I am talking about a project at the start stage, so some of these solutions are pre-made. For example, changing the threshold is a nice starting point, but over time we can have a moderate exchange of information between these computers. And here we are not talking about exchanging such dangerous information, who and what file he named, etc. No, we are talking about, for example, exchanging information, how many files at a given time Just such numerical summaries, i.e. we
can divide into features and then we can have models that do not work only on the basis of having their own module for the local machine and to build from other machines, for example from this department or something else. Therefore, the potential for expansion is fantastic. But for now, these are all things at the planning stage, not yet. Krzychu? This is the starting point. We have to start somewhere, because most computers... - Absolutely, yes. - Yes, yes. For formal reasons, we had such beautiful logs in large quantities on the first slide. This is the product, you know, this is the result of the NCBR project. Therefore, it is a closed form at this stage, which in my
opinion already has added value. For someone who will want to test it. but at the same time it is the beginning of... I'm asking from the point of view of my work, where in the unit where I work, Windows is literally three laptops, the rest are Linux, servers are Linux, users are Linux, right? So... In part, it is a matter of available tools, because we, for example, are based on checking operations on register files, we use ready-made software that has a license, Such softwares are a bit more difficult to write, and they must be very light, etc. A lot of requirements. In this respect, writing something like this by ourselves would be a much bigger undertaking. Now, of course, this thing will not work on Macs at all. Therefore,
we would have to find another such solution and on Linux, for sure something. It just multiplies. Likewise, for example, although theoretically there is no problem with it working on the server, it does not work on the server in this iteration, because we did not train it on the server. One of the advantages of this type of light machine learning is, as we heard in one of the lectures, training for the Microsoft version of the chat. To better describe some images, it took three or four months of training, a huge team, etc. Our models are trained on a fairly strong, but single machine. maybe an hour, maybe half an hour. Therefore, we can, first of all, make
changes quickly, and secondly, we can have 15 different models. This is a model that you put on the programmer's machine, this one you put on the secretary's desk, and there is one for Windows, one for Linux, and one for the server. Therefore, scaling in this way, from our point of view, the only resistance line is data. The onion safety that Maja has not yet strengthened the essence and genius of all this is that Maja has learned to verify her own work. She looks at it, she imagines it on one chart, but she actually checks whether the number of detections and repeating patterns are in a nice, even pattern. She didn't forget about an argument like the
doctor who gave a sheet at the entrance and the lightness of the model. You keep saying "my model, my model", so I thought that this conference, we even had part of the lectures in MIM, it is done through cooperation with MIM Solutions. They offer various kinds of machine learning and AI services and so on. This particular model was their idea, so I can highly recommend it, if there is a MIM, I thought I would mention it. Can I, as a person from the street, for example, install some plugin or program that will work in the background for me? Unfortunately not at this moment, because part of this data works on our own scripts, it would not be a problem, it
could be sent to you. the part that studies these register keys is a commercial product. And we have access to a fairly limited number of these keys at this point. If we had already signed a sub-payment agreement, we would then buy the most expensive license that gives us an unlimited number of these keys. And then you would have to wonder if we could collect this data in the company. We would definitely have it. However, Antec will probably have a better idea of how it works legally. Because we definitely cannot use this license to allow everyone on the network to install their software and collect data for us. - um um especially to have a nice interface in different operating systems. Exactly. We had a team, we
have a major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major
major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major
major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major
major major major major major major major major major major major major major major major major major major major major major major major major major major major major major major real We were sure at the beginning that the registry would be different. It's a proof of knowledge. It's a code. It's rather an MVP. We know that models trained on older ransomware families work again. This is a confirmation of value. So MVP, understood as a minimum, such a full-value product, is already there. It functions on the most popular environment of operating systems. trained on old models, on old families of programming, works on new ones. Indeed, the business aspect, the president, purely scientific aspect, the approach, where there is still some additional intellectual fit, it's all as
always. If we are not a corporation, we did not want to sell for millions, just do something of our own, it has all these shades of gray. However, that is why I agreed to sign under it and share your opinions, because it works. It works. The model and the way of working and all those people who... - Only the recording doesn't work. - Yes, only the recording doesn't work. However, the approach and training on older families works on newer ones. This system or its characteristics are what they are, but it allows us to say that we can also handle Linux families. Of course, all the next steps are the Go-to-Market strategy or some corporation that will
incubate this solution and also allow us to be even better. Of course, everything is part of this performance. It was a bit surprising how simple things gave good results. At the beginning, we had a much larger range of features, we tried to combine them a bit and there are, for example, very cool possibilities of using AI, because we can, for example, at this moment, read such tables from recordings to some chat, of course, somehow anonymized and say: "Listen, suggest our features to us" or, for example, "describe what was characteristic in this period of time", therefore, these features can be much more difficult. But if you have excellent results right away, of course in a simplified environment, with very simple features, it is difficult to
be very creative, how to improve almost a 100% result. Therefore, I do not expect this result to be so great in real conditions, But it was a nice surprise that relatively simple things like, for example, whether there are questions about the system, about operations, about some file changes, suddenly it turns out that this is a fantastic feature that Ransomware can detect. I have two questions. The first is, because you use some external tool to monitor changes in the registry. I understand that you won't tell me what tool it is, okay? We will tell you or not? No, no, no, locally. No, no, it was also a feature that you have to assume that you are
driving to the same place and it is supposed to go on without a question. So the whole solution works offline, with the exception of this function of preventing other computers. Now, putting forward such a very optimistic, positive scenario, how can we help you? You said that at various stages companies do not want to test it, do not want to give access to new data. No, no, absolutely not. I may have mispronounced it. The only thing I said was that the data from real attacks are ... The only thing companies will not allow is to install ransomware on 30 machines and see what happens. However, access to data ... In what scenario are real-time attack data
helpful for you? Because real-time data is just for you. If we had recording during the attack, then they are great. If our monitoring method was not installed, then... Okay, next question. How many ransomware tools are available? Either publicly or quasi-publicly. What is the problem with testing it in your own environment on a scale of any kind? No, I mean, we run ransomware on virtual machines, not on real ones, so if there is some... You know what? There is some and some there is not. There is, for example, access to files. How about configuration issues? I thought you could do it until I started doing it in Azure. And it turned out that you can do
most things similarly, but for example, things like access to files and so on. All the solutions I found, for example, access restrictions and so on, which can change the ransomware operation a bit. If one computer is totally open, and the other one has everything to check what is where, you have to go in. Most of these solutions, what to change, so that the machine is somehow configured, on all our physical machines everything works, on virtual ones we try to change it, even such a simple thing as turning on or off the Defender. Everything is just such tiny things that you don't see every day, but it turns out that there are some differences. None of these differences was to cause me to think that
it will not work, that I let our trained model on my computer and it worked, but But as a scientist, I would like to check if there are any differences in this way. For example, we have done many times RASMUER simulations in production corporate networks. But we did it with the use of our own software, which just behaves in such a way. Also to test EDR. On the other hand, and here, from the point of view of EDR, On the other hand, there are a few products, such as Bridge Attack Simulation, which either have or plan to implement the simulation on the software. So it's not that companies would be very skeptical about implementing something like that. As long as it's a simulation and not
using something real. If you have any specific intentions for this type of software, we would be very interested if you could give us something like that. This is, to be honest, in the perspective of maybe half a year or something like that, when we would practically use it, but in terms of perspective it would be very cool. We found various simulations of other types of malware with our small attachments, but we didn't have Rakuya Transamura. No, but it's not like that, we would have had many companies that are willing to share data, allow us to install it and so on. Such two blockades were that it often required a little too many personal investments from our side.
We also had to introduce such a good technical dedication, some time, or the data, or the data,
Yes, we are waiting for the result of the next project, such as the one we are going to use in the future. We will be able to use a larger set of such. There are also cases when companies test disaster recovery and usually at the first stage of this test, it is not real ransomware, but very similar to other companies, as if they were damaged so that it would not be sold too much. and how long it takes to restore the infrastructure from backups and so on. So I think if it was a little more about this tool, I think we would find companies that would like to cooperate even on real equipment, because some
companies also make such scenarios to see how long it takes to get a given part of the infrastructure. That's why we went to the conference for the first time. Yes, these are... We're leaving the basement. ...this kind of measures that will be very useful. Personally, I think that we need the first wave of data collection without ransomware and then with ransomware. But we need ransomware, I think. I mean, otherwise. Personally, I would be more convinced by the product that was tested in this way, as you just said. Although very often it doesn't happen on the market. These products are more like the whole implementation is more about checking that the product does not harm the consumer, and not that it helps
him. Okay, tell me something about this model, because it's all a very nice presentation, it's really about nothing. Because we use machine learning to generate some features and based on that we generate a report, we've been doing it for about 20 years. What would you like to know about this model? It is available. What are the features? I will not tell you all the features here, but the features are relatively simple. For example, in the register keys, how many times there were questions about... Ok, so that I don't get confused, I'll tell you about files, because they are simpler. So, for example, we count rolling min for the last 5 minutes, what is the average number of files saved, let's say, for 10 seconds. Very simple. Most of
the ones we have now, not all of them, some of them we are testing a little bit, for example, some changes in the endpoints of files and so on. These are the types of things. As I said, we have a lot of ideas for better features and we even have a code for it. However, so far we just didn't need it because we have good results in these training to add features and know that they have a lot of added value. Signing files is very little information, right? You need a lot of information. Of course. If you want to have a full list, it's on the GitHub repository with this code. And there is also a list of current features, but as I say, it's super cut
out. If you're on GitHub, you can link it. You know what? They have it for free. No, but you know what, I can... Do you want to get this link from the world? No, it's open data, so it's not a problem. Okay, because we are publishing this model at the moment, or in the sense that it is for IE Access now, and we are at the stage of editing, but there is a preprint and everything is submitted in this preprint. This preprint is an old version and not ideal, but if you type in Mirati Ransomware, There will be a publication, and on GitHub it is also called miratoreposatorium, I think there is sagensomirat or something like that, but it
is a publication, it is relatively easy to find. I will see the repository here too. But as I say, at this point this list of features is not super impressive, just because we didn't have enough omars. Here it is. It doesn't throw, you know. Why doesn't it throw? You have the presenter mode there. What am I supposed to change here? Do you know how to throw it? Github mirad sagęso and there it is. And it still didn't disappear. It will stay like this. Well, always. I'm ready to record. Okay, great. I'm wondering if the presentation will be beginner level. I don't know if you will be interested. But can any of you describe the CPU from the beginning? How it
works? The most basic one. Does anyone remember anything else? There won't be much new information here, maybe something new will appear, but there will also be a lot about the production process later, so maybe someone will be interested in it. We can also move on. I came from Gdańsk. Generally, my background is very interesting. I come from a rather... Yes, I worked at Intel, but I come from an artistic family. The artistic family is quite interesting. My grandfather was a painter, my great-grandmother a writer. If we went a little higher, along the genealogical tree, we would find out that my family came from Germany. It was a noble family that even had its own coat
of arms. This coat is a cat that is used very often as an example of a funny painted cat from the Middle Ages. It appears on Facebook, on YouTube, in various articles. I myself have such a background that I went to music school, I finished music school of the first and second grade on the alt instrument. Then, however, I went to study composition. You may ask what I am doing here. I do this because music is not only my only interest. Since I was a child, I was fascinated by how anything works. I was always interested in both mechanical and electronic devices. I would turn everything around when it was running and then I would fold it.
Sometimes a few parts would stay, but they worked,
Related talks
43:55
57:24
1:01:16
44:08
29:57
1:08:51