
So thank you. Hey, my name is Jordan and I'm going to be presenting today. The title of my talk is 'Will Run Somewhere... Eventually Run Somewhere', and it's basically, I'd say, my prediction: it's what I think may happen over the next 10 years.

Just a brief introduction. I'm a senior penetration tester with Stratus IA. I'm part of the assessment service and we do a number of assessments: web application tests, infrastructure, every kind of pen test you can think of. Outside of work I'm a keen bug bounty hunter. I'm part of the Synack Red Team as a security researcher and I do public bug bounty as well. I've had recognition from Google and the BBC, and I'm working with the University of Cambridge just now on a project.

So my career didn't actually start in cyber security. I didn't have your typical entry route, like most people do with university. I started off in the Army, in the Royal Signals, did four years, deployed to Afghanistan, and then I left the Army and decided to move into a career in oil and gas, in the offshore field. I worked on drill ships and oil rigs all around Europe, and for the last two years before I finished doing that I went international: Egypt, Israel, some really nice places like that. That probably sounds weird as a way of getting into cyber security, but prior to joining the military I probably spent from the age of 12 to 16, 17 in my room on the internet learning, learning lots of things, is probably the best way to put it. So that's where my interest came from. At the age of 12, 20 years ago, I was kind of given free rein on the internet and it was just one of those things: you make friends, you integrate, you learn things, and that's kind of what it was back then.

So I'm going to start with an opening statement: could ransomware become a thing of the past, with a generation that utilizes social media for large aspects of their life and an emerging financial area where a social media post can move a financial market? What could that mean in terms of cyber attack? So what that kind of breaks down into is we've now got a generation that lives on social media. The first thing they do when they wake up is look at a screen; the last thing they do when they go to sleep is look at the screen. They live their lives on social media, everything they do is documented on social media and they just live there, basically. And that's an interesting attack path, and it's something I'm really interested in.

So, obviously going back to the title, Run Somewhere: this talk, I've aimed it at all levels, so if there's anything I say, it's absolutely fine, put your hand up and say 'what are you talking about?', it's fine. When I watch things online I stop and pause it and Google it, so if there's something I say, let me know and I can explain if you don't understand it.

So, ransomware. What is ransomware? Malicious malware that infects a computer, typically, and it restricts access to data until a ransom is paid, normally. Users are normally tricked, or socially engineered as we call it, into opening a file or accepting a file, and that contains the malware, and the system can become infected. We're all probably aware of how malware works. It's very basic: the executable, the program, the ransomware goes onto a system, it locks the data and the malicious actors request a payment for it. This talk is aimed more at it from the malicious actor's side, and what that actually entails and how things can and may change.

So if we look at it from the other side, as an APT, it's complex, it's time consuming, it's hard work. You've got to go through a lot of effort to breach a network. You've got to be able to get your executable in, you've got to be able to encrypt data, and once you've done that, more recently it's likely that the ransom may not even be paid. So you're almost wasting your time. You're going through all this hard work, you've infiltrated a network, you've locked all this stuff down, you've wreaked havoc, and it's not worth it sometimes. So you might have to go through the negotiations and at the end, maybe no money. What a waste of time, right?

So I want to move on to credentials now. Credentials: we use them every day. Like I say, everybody lives on social media; you need credentials to access everything these days. We're presented with this at work, we're presented with this outside of work: social media, your work accounts, typically a username and a password to authenticate to a service. So authentication is the process
of verifying whether someone is who they say they are, and typically it might look something like that: jordan@somewhere and then your password. A username, it could be a code; again, you've got that typical username and password, and that's what we're looking at when we talk about authentication at the basic level.

So, credential storage. When you sign up to a website you type in your email, whatever it is, and then you create a password, and what actually happens, or should happen, is the password goes through a hashing process. It takes that word you've created and it does a process, it's meant to be a one-way process, that turns that into human-unreadable data. It's meant to be one way and it's meant to be irreversible, and that is what it's meant to look like at the bottom there: that's an example of a hash. There are many hashing algorithms and they all range in weaknesses and strengths, they're all different, you can use different ones. All passwords should be hashed when stored in the database. There are cases where you come across databases that aren't, they're just clear text, which is obviously not great.

So credentials, I'd imagine, are quite a targetable thing. It can get you into somewhere, there's not much hard work involved: you've got a username, you've got a password, if there's no multi-factor authentication set then, yeah, you can get straight in, kind of thing. So this is quite, it's quite a lucrative, I wouldn't say business, but it's targetable, and when companies, organizations, anywhere basically, are breached, that's typically what malicious actors are looking for. They're looking for credentials. They want that easy way back in. Yes, you can sit there with your ransomware and you can add back doors and other ways to get in and out, but it's easier with a key, right? You walk through the door with a key.

So what we start to see online, on the dark web, there's forums that you can get hold of, is when breaches take place these turn up online, and when they're online they're quite easily accessible. I mean, you can actually Google it: if you pick a domain, pick a user or guess a user, you can do this without having to go to these forums, it's all doable. That used to be what was known as RaidForums. Obviously RaidForums got taken down; a new one, several, have popped up since then, so that was never going to disappear. But RaidForums basically was a place where credentials were traded. There was all sorts traded on there, but looking at it from this aspect, you could get credentials for all sorts of companies everywhere that had been breached. You could type them in, boom, all right, they've been breached, you've got hundreds of users at a time. So there's no trust there, obviously; everyone's out to make money from the malicious actor side. So how are they transferred? What obviously you can do is, you know, Bitcoin, cryptocurrency, that's changed the way that people make money these days, criminal-wise. It's meant to be not traceable, but it's a lot easier to move money around, and you can move files through websites like this: you've got anonymous file uploads, you've got Pastebin, you've got 0bin, which is meant to be secure, you've got escor. These are all ways that you can move files from one person to another without being traced.

So we'll look at some quite high-profile breaches. 2014, Yahoo: you had 500 million accounts breached. LinkedIn, several times, 165 million user accounts; LinkedIn again is another form of social media, everybody lives on it, everybody uses it to speak and live these days, businesses depend on it. Dubsmash again, 162 million accounts. Adobe was a huge one, that was quite old, and what you'll find actually with the Adobe one, depending on where you look, you can actually find the clear text secret question information. So that's actually out there, you can find that, and when you look at this information it'll say username, password, there's a hash, and then at the end it shows you in clear text what the answer to that secret question is. MyFitnessPal again, 2018, 150 million accounts gone. Canva, that was quite a big one, 137 million. And MyHeritage, a lot of people use that, and again, 2017, 92 million accounts gone.

So I'm going to do a little demonstration, and what I'm going to look at is... that's not working, it's broken. There we go, sorry about that. So let's do a small exercise based on the malicious actor ideology, and let's pick... we can go on to Google and, you know, UK top 10 companies, they're all out there. It depends on what the malicious actor's intent is; it's easy to find big targets, have a look on Google, they're all there. But for this demonstration I'm going to pick the BBC, because they've got a bug bounty program, so I can use those guys. And what we're going to do: I developed a tool that basically, it has multiple functionality to be honest, it does quite a few things. For this demonstration I've just taken part of it away, and what we can do is we can type in the BBC domain and what we can start to do is fire through those breaches. Now what I have done for this demonstration, obviously, is remove the passwords. This is something that we do with clients in a secure environment and we can show them, basically, we can whiz through all of their breached accounts and it shows them usernames, passwords, it's all there. For this demonstration obviously I've removed all that, but this is basically what you would see. So that tool there, if I was using it in a different format, I would input bbc.co.uk and out it would fire, and I've just made this for today, the usernames and the passwords. And with the tool, it can do multiple things: I can then pipe certain accounts that have been found to social media such as Instagram, LinkedIn, Facebook to actually see if they're valid accounts. So I don't physically need to do it, I can pipe these results straight into another part of the tool that'll tell me this guy's on Instagram with this account, this guy's on Facebook with this account. And this is a big thing that we talk to companies about: people registering to third party services with their work domains. It's a crazy thing to do, but people do it, and humans, we're quite lazy: we pick one password and we stick to it, we use it everywhere, and sometimes you might have to make a few changes to it, might be a letter, might be a number, but if you can find someone's password it's quite likely that they are keeping the same one. So what we should see here now is just... these are a load of accounts that have been breached and they're all BBC users. It's out there, you can go and find these, you can look at their passwords.
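The credential-storage process described earlier (a one-way, irreversible hash) and the password-reuse point just made, shown together in an added example that is not part of the original talk. It contrasts an unsalted fast hash with a salted, slow key derivation: with a unique salt per account, the same password stored at two sites produces two unrelated records, so a leaked table neither hands over the password nor shows who reused one. The record format and iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumption for this example: stored records use the string format
# "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>", so the work factor
# travels with each record and can be raised later without a migration.
ITERATIONS = 200_000


def weak_unsalted_hash(password):
    """The weak storage scheme still found in old dumps: one fast hash, no salt.
    Identical passwords give identical values, so a leaked table shows at a glance
    which accounts share a password, and each value only has to be cracked once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow, one-way: the record cannot be turned back into the password,
    it can only be checked against a candidate."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the salt and work factor stored in the record and compare
    in constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def reuse_visible_in_dump(records):
    """True if a leaked table of records exposes password reuse, i.e. two
    accounts stored byte-identical values."""
    return len(set(records)) != len(records)


def same_password_at_two_sites(password):
    """Constructed scenario: one user registers the same password at two sites.
    Returns (reuse visible with unsalted SHA-1, reuse visible with salted PBKDF2)."""
    weak_site_a = weak_unsalted_hash(password)
    weak_site_b = weak_unsalted_hash(password)
    strong_site_a = hash_password(password)
    strong_site_b = hash_password(password)
    return (
        reuse_visible_in_dump([weak_site_a, weak_site_b]),
        reuse_visible_in_dump([strong_site_a, strong_site_b]),
    )


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))  # False
    print(same_password_at_two_sites("correct horse battery staple"))  # (True, False)
```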
And so with that you've obviously got, I would almost say, a possible entry. Remember, we're not interested in spending ages with ransomware, we want the easy way in. There's over 5,000 accounts sat there; you could try them somewhere, you can find them. So moving on to the next part, I'm going to play you a video now. This was from an incident that took place in London in November 2017. I'm not going to describe what it is, I'll just let you watch it.
[News clip] We're starting out with some big breaking news that's coming in right now. London Police say reports of a number of shots fired at Oxford Street. Reports say the police have treated the incident as terror related. The police urge commuters to avoid Oxford Street. No casualties have been reported so far. So shots have been heard at Oxford Street in London. This is a very busy street in central London. The police are investigating the matter; they of course are treating it as a terror related incident. They're investigating the matter of where the shots came from, but commuters have been asked to of course vacate the area, the Oxford Street area. There you can see commuters at the tube station in Oxford Street running in all directions after those shots were heard fired near Oxford Street tube station, a very busy street, a shopping area in the city of London, and in the middle of the city of London, extremely busy, extremely crowded at any given point of time. Commuters there of course who seem to have been inside the tube station, exiting the tube station, running across that very busy street which has of course a lot of shops, a lot of various arcades as well. London Police of course investigating the matter; they are trying to find the origin of where those shots were heard from. They are treating the matter, as they say, as a matter of a terror related incident. Is this a terror attack? For the moment they're treating it with utmost seriousness. They are investigating the matter as to where those shots were heard from.

So that video we just watched there, what did we see? We saw panic, we saw uncertainty, we saw fear. As the reporter described, they thought it was a terror attack. If you... you probably weren't paying that much attention, but the last line the news reporter says is they are investigating where those shots came from. Now those shots actually came from social media. An incident took place on the London Underground; it was an altercation between two men, it was a fight, and on social media someone, Olly Murs, he posted a tweet and said that there was gunshots in a shop, and there absolutely wasn't. Now Olly Murs at the time I think had about 7 million followers; there's a potential that 7 million people saw that, and again we're talking about a generation that lives on social media. They breathe social media, they believe social media. So that sent London into a spiral, basically, when there wasn't a gunshot, there was no one shot; social media is where the shots came from.

So I'm going to move briefly on to social media, and when we talk about social media, if you look it up on the internet, there, it describes that social media are interactive technologies that facilitate the creation and sharing of information, ideas, interests and other forms of expression through virtual communities and networks. Now everybody in here will probably think of social media: Facebook, Twitter, LinkedIn, I can reel them all off there. My personal opinion of social media: I absolutely hate it. I think it's a toxic cesspit of negativity, it is the cancer of society, but that's just the way we live. And I'm going to go off track a little bit with this presentation. As a parent, I've got a young daughter who is my age, my age 20 years ago when I was first let loose on the internet, and I had no restrictions; nobody really knew what it was, parents didn't know what it was, it was just a game. So, like I say, my daughter's now at that age where she wants to be on the internet. All her friends are on the internet, they've all got social media, she doesn't, that's another conversation. But there's tools out there that can help us kind of limit and direct what our children can do on the internet, because it wouldn't be fair, it wouldn't be fair to me to say to my daughter 'you are not having any interaction on the internet', that's not fair. But I can limit and keep an eye on what she can and can't do. So Google have an app called
Family Link, and what it basically does is it allows you to install it with your daughter's, or whoever your child's, account. You have to use a Gmail account; you can make one up, that's what I've done, use two different accounts for it. And like you say, you can set screen times, and basically what I use it for is she wants certain apps on her phone and it'll come to me as a notification: can she have this app? Yeah, fine. Can she have this app? No, she cannot, off.

So this happened, I want to say, four, five months ago. I was on my desktop doing some work online, my daughter was playing on, I think it was Minecraft or something, and she plays online with her friend and they use Google Hangouts. But because she needed to log in to another machine it needed my authorization. So I was actually in the middle of something and I'd forgotten the password that I'd actually set. So the process is: the child logs in, or attempts to log in, with her credentials to Google Hangouts, it then comes back to me and says can she do this, or, like she did, she brought the computer to me, the laptop, and said can you log in and approve this. Okay, and like I say, I couldn't remember the password, and curiosity got the better of me and I thought, actually, let's have a look at this. And what we ended up doing was throwing it through Burp. Burp's a proxy tool that you can use, there's many other proxy tools out there, and basically you can intercept, read, modify requests that are sent to and from servers, browsers and stuff like that. And what actually happened was, when she brought me the laptop, it said 'Jordan, log in', couldn't remember the password, and what I'd done was I'd clicked 'forgot password', and it wasn't as quick as I'm talking about it, it took me about half an hour, and I watched the flows. And basically what we could do, and she sat there with me as I'm doing this, was you could change the notification that was sent to your app. So if you set up multi-factor authentication with Google it'll come up on your phone if you try and change your password anywhere; if you log in somewhere new it'll come up on your phone and say 'is this you?', give you an IP address, give you a location, yes or no. So what happened was: couldn't remember the password, thought okay, let's have a look at this, ran it through Burp, I don't know why, just did, and then a notification came up on my phone and it said 'are you trying to change your password?' Now, this is the very long story short: without using Burp, you could click yes, and what the authorization flow did was kind of forget what we'd asked it to do in the first place, which was can we let my daughter log in, and it automatically gave her approval. So she didn't actually need my password, or me, to be able to authorize it. Basically all she needed to do was go on my phone and click yes. She didn't need to change my password, she didn't need to do anything like that. And we reported it to Google and it was actually really, really good, they're really good about it, and I can see their business case. They said, you know, when we look at our bugs we're looking at it from a large audience, and what is the likelihood of your kid grabbing your phone, knowing how to unlock it and hitting yes? It's not that high. Well, yeah, but in the way that they sell it and the way they say their product is designed... it's not highly likely, so, like I say, Google say, again, well exactly, yeah, we did it between us. And I don't know if you've... when you submit a bug to Google, they're quite good about it, it's quite exciting, they send you good emails, and she, I got her heavily involved with it, and she asked me today, she's like, oh... not yet, not today, should I say, when she knew I was coming down today, 'oh, you're going to talk about the Google thing', I was like yeah, okay. And basically, yeah, we were able to bypass the authorization, and basically we worked with Google, we went back and forward, and they sent her a hoodie about it, and she was made up, she was over the moon, and I'm properly proud of it, because it sparks that interest that I know I found 20 years ago, and I thought it was good. So that's why I wanted to bring this up, because one, she asked me, but two, again, it's about the new generation, we need to educate them. Does she have a really strong password? Yeah. Is it three words and characters and loads of numbers? Yeah.

So let's move back on to what we're actually here to talk about, and what social media can do and has done. We've probably all seen, somewhere, Elon Musk; we probably know about the crypto stories, and his tweets have had crazy effects on financial markets. As you can see, he tweets one word and you can see there the markets move instantly, and that's just through social media. All he's done is use a tweet to say one word and that's the outcome. I think it's mad, but social media has been used for other things as well. I personally think this was quite funny: a lot of accounts were breached, and as you can see they were all set up to reveal a Bitcoin address, and people were socially engineered into sending this guy... I can't remember the amount, I don't know, I'd be lying if I tried to make it up, but they made some money out of it. And again this was through social media, this was through people that saw a tweet online and believed that if they sent them money they would get double back. But hey. But it can also cause financial damage.

So back in 2013, yeah, I can tell because it's on there, the Associated Press was hacked, and what happened was they put out a tweet, or the malicious actor did, he put out a tweet and said that the White House had been blown up. Well, there it is, yeah: 'two explosions in the White House and Barack Obama is injured'. Now that's an absolute lie, that didn't happen. However, the financial damage that caused to the S&P 500, I think it was like over 130 billion within 6 minutes, gone. As you can see, it dropped and it went back up, but if you look at that in terms of what you could do financially, if you know that something is going to drop like that you can short sell that stock, you can ride that all the way down, and on the other hand of that, within that 6 minutes it went down and went straight back up. If you know that's coming, that's a tremendous amount of money that can be made because you've got that information, and again that's from a tweet.

And social media can cause huge amounts of damage as well. Like I say, there's organizations that live on social media. This was taken off LinkedIn, I think it was last year. There was a large company and it basically came out online they didn't have a good culture, people weren't treated well, blah blah blah blah, and what it was was a load of posts were made online, and again, like we said, Olly Murs had 7 million followers on Twitter and they all saw this. What actually happened to that company is their stocks... well, a picture paints a thousand words, look at what happened within that month: their shares just shot right down, and again that was nothing the company did, that was through social media.

So what I want to show you quickly is what does a breach dump look like. So we've obviously, you know, in the last six months there's been some events around... this is a non-political presentation... there's been events around the world and lots of things happened, and this was only released publicly in the last 30 days. I blanked it out, but if you're clever enough you'll know who released it and what it's about. This is an open share released in the last 30 days and it's full of data. I'll zoom in a bit, and as you can see, well, say hundreds, there is a lot of data through there: pcap files, again, they can be analysed to see what's on them, all sorts, but what I'm focusing on is social. And when you go into there, this is exactly what I'm alluding to with this presentation. I think the building blocks are already there: if you look, this is what the malicious actors are already building. TikTok, Facebook, LinkedIn, all these different social medias, Snapchat, Facebook again, there's LinkedIn, there's all sorts in there. It's all being used; it might not be at a large level, but I'd like to say the foundation work is there. Going to jump back to another demo, hopefully it'll
work. So that's still going, I'll cancel that, and what we'll do, we'll move on to this. So we decided to pick on the BBC. I picked on the BBC because they've got a public bug bounty program. So when we click on the BBC... now this is a problem that we see with clients: they're focusing on one or two domains, one or two applications, and I get it, a budget is only so big, you cannot hit everything, but you have to bear in mind that malicious actors don't stick to scope. They can hit, and they will try and hit, whatever they want. So we click on the BBC website, and I'm not going to waste any time with that, that's the BBC, that's what's there. But what I'm going to do is I'm going to take their root domain, and what we can do is... I'm not going to spend too long explaining what all these do because I don't want to go that technical, but basically I've taken that BBC root domain, and what I've done is I've gone out there looking for all their subdomains, and you'll start to see, I'll zoom in actually, there is hundreds of them. And this is basically what malicious actors are looking at. They're not going to go after your typical main application because we already know that's been pen tested a million times, hopefully, right? And what I'm doing is... so we've got, what, 500 subdomains there. Now this is a way to enumerate; this is all passive, by the way, so if anything, when we go through this presentation, the only thing that a BBC SOC might see is an IP address visiting these websites, and it's all about information gathering, basically. So we've got over 500 subdomains there, and what we can do is use a tool called httprobe, and what that'll do is that'll send a small probe, HTTP or HTTPS, to each of those domains and see basically if we get anything back. And as you can see, we're starting to get hits on quite a lot of them. Now what the next stage will be is we use another tool called fff, and what that's going to do is that's going to send an actual request to the server, and it's going to capture the response: the browser is going to send a request and it's going to capture the response and it's going to break that response down. Typically from a server you receive headers and you receive the body, and the body contains the HTML, typically, that we see with our eyes, that's on the web page. The headers, you're not really paying any attention to them; in fact, I'll show you, because it's easier. Again, a proxy tool, of which millions are available out there. Let me just get this set up.

So what I'm going to do is I'm going to go back to bbc.co.uk, I'm going to turn the proxy on first, that would help, bbc.co.uk. So my browser is sending a request to their server; basically this is what happens. Let me try... all the APIs are going mad. So let me... I'm assuming you can all see that. So when the browser sends a request over to the server, it receives headers and it receives the body. So as you can see here, these are all your headers, right down to here, and then this is all your body, and your body is what you see with your eyes in the browser. Now that should be done. So as I said, we're going to quickly hit those hosts and we're going to capture all that information; this should be a lot quicker, cd there. Now, what I've done there is basically we saw there was over 500 subdomains and we hit all the ones that responded with a probe to their server. Now some of you may look at this and think what the hell is that, but to a pentester or a malicious actor this is all information that shouldn't be there. It's something that you report to developers; this stuff shouldn't be there, you can hide it, basically, and it's attractive. You can look at some of these and you can tell the newer ones, you know; if you look at IIS 8.5, you know, unless they're running the extended life Service Pack, I think it is, that was end of life end of 2020. And again Apache, I like the look of that. BBC GTM, I don't know what that is. These are all things that attract attention from malicious actors, basically. What we can then do is have a better look, and remember this is all passive, I've not actually clicked on it. Where's an... [inaudible]. So as you can see, this is an admin interface, and how I found that was through the server headers. The server header shouldn't be there; you can remove that, and it's information that's given away, and again this is what malicious actors can be looking for, it's the easiest way in. So we've seen on the other VM that we have, I closed it, but we had like over 5,000 BBC credentials. Is it going to take me that long to hit 5,000 credentials in a stuffing attack through there? No, probably not. So this is a way you can automate looking through a huge organization, and it's what malicious actors do. And what you can do again is look for authentication, and what I'm doing is I'm looking through the headers and I'm looking for stuff that gives it away. So this is telling me that all these are probably going to be a login page. I'm not going to waste everybody's time, but what I'm trying to get out is you can use breached credentials and you can find login interfaces with ease, because they're missed. You know, we concentrate on our main applications and we spend a lot of time making sure they're the more secure, but this is a subdomain that we forget about and they've got horrendously weak authentication policies on there. Another thing we can look at, actually, very quickly: what I'm going to do is I'm going to take all of the information contained within the body, we've called it all, and these are all the URLs that are contained in it, because you can have redirects, you can be pulling information from somewhere else, the web application, you know, they integrate, they look at different things. So there we go, we've got an API straight away. We're looking at these and it's all information. We could, I wouldn't do it now, but malicious actors will go through all of these and they'll look to find interfaces. And I guess the point is, moving from ransomware to what I think is coming: it doesn't take much work to use social media to damage a company, it doesn't take much work to use social media to move a financial market for profit, we've seen that, and companies are kind of, almost, they're leaving the door open and they need to widen the scope a little bit. Jump back to the presentation.
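The header-and-body review the demo walks through (server header disclosure, spotting login interfaces from headers and bodies, pulling URLs out of response bodies), written up as an added example that is not from the talk or the speaker's tool: a defender can run the same checks over the organization's own captured responses to see which forgotten hosts advertise software versions or expose an authentication interface. The hosts and responses below are constructed for the example; nothing is fetched from the network.

```python
import re

# Constructed sample captures for the example (fictional hosts, not real responses):
# (host, raw HTTP response) pairs, as a probing tool would store them.
SAMPLE_RESPONSES = [
    ("www.example-corp.test",
     "HTTP/1.1 200 OK\r\n"
     "Server: nginx\r\n"
     "Content-Type: text/html\r\n"
     "\r\n"
     "<html><body><script src=\"https://cdn.example-corp.test/app.js\"></script>"
     "</body></html>"),
    ("legacy.example-corp.test",
     "HTTP/1.1 200 OK\r\n"
     "Server: Microsoft-IIS/8.5\r\n"
     "X-Powered-By: ASP.NET\r\n"
     "Content-Type: text/html\r\n"
     "\r\n"
     "<html><body><form action=\"/login.aspx\" method=\"post\">"
     "<input name=\"user\"><input type=\"password\" name=\"pwd\">"
     "</form></body></html>"),
    ("mgmt.example-corp.test",
     "HTTP/1.1 401 Unauthorized\r\n"
     "Server: Apache/2.4.29 (Ubuntu)\r\n"
     "WWW-Authenticate: Basic realm=\"admin\"\r\n"
     "\r\n"
     "<html><body>Authorization required. Runbook: "
     "http://wiki.example-corp.test/runbook</body></html>"),
]

VERSION_RE = re.compile(r"\d+\.\d+")                        # "8.5", "2.4.29"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")                # absolute URLs in a body
PASSWORD_FIELD_RE = re.compile(r"<input[^>]*type=[\"']?password", re.IGNORECASE)
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def split_response(raw):
    """Split a raw response into (status line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyse(host, raw):
    """Apply the checks from the demo to one captured response."""
    status, headers, body = split_response(raw)
    status_code = status.split(" ")[1] if " " in status else ""
    findings = []

    # 1. Software disclosure: the headers the demo singled out as "shouldn't be there".
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            value = headers[name]
            detail = "product and version" if VERSION_RE.search(value) else "product"
            findings.append("{} header discloses {}: {}".format(name, detail, value))

    # 2. Authentication interface: a password field, an HTTP auth challenge, or a 401.
    login = (bool(PASSWORD_FIELD_RE.search(body))
             or "www-authenticate" in headers
             or status_code == "401")
    if login:
        findings.append("authentication interface exposed")

    # 3. URLs referenced by the body: other hosts and APIs this page depends on.
    urls = sorted(set(URL_RE.findall(body)))

    return {"host": host, "status": status_code, "login": login,
            "findings": findings, "urls": urls}


def review(responses):
    """Analyse every capture and return the per-host results in input order."""
    return [analyse(host, raw) for host, raw in responses]


def hosts_needing_attention(results):
    """Hosts a defender would look at first: a login interface, or a version disclosed."""
    return [r["host"] for r in results
            if r["login"] or any("version" in f for f in r["findings"])]


if __name__ == "__main__":
    results = review(SAMPLE_RESPONSES)
    for r in results:
        print(r["host"], r["status"])
        for f in r["findings"]:
            print("  -", f)
        for u in r["urls"]:
            print("  url:", u)
    print("attention:", hosts_needing_attention(results))
```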
So, my overall thoughts. I've probably covered this. The real-life scenario, if I were to make, you know, this is with your ethical hat out of the way and all that stuff: if I want to make a million pounds, I'm probably going to use social media to try and do it. It's highly likely. We've seen Elon Musk's account and what it can do. Imagine if you found his password, you got onto his Twitter, you'd already created a cryptocurrency; these are things that you can do. And I think, with the attack, say the gunshots that we saw earlier, social media contributed to that. If you can cause panic and chaos, there's a way to make financial gain from that.

And when you're looking at how threat actors work, they have to weigh it up. They have to look at this: ransomware is going to take this long, there's a chance we might not get paid, the message now is not to pay, so it's hard work. So what else can we do to make money? And I think it's through social media. I mean, threat actor progression, it's the generational thing. You know the typical demographic we see when ransomware gangs are caught and they arrest a super hacker, or whatever they want to be called: they're of a certain age, they're in their 30s and 40s, and they're of the same mindset that it was 20 years ago, where, you know, what we used to do with our friends: put a malicious file on your friend's computer and then sit there and watch their mum on the webcam, see their printer say "oh, I'm going to kill you", kind of thing. It's that method, that mentality, even where it's getting the executable from A to B and then letting that do the work. And I think as threat actors progress, with the rank structure, you're going to see the younger generation come through, where they live on social media, and I think this is what it's going to become. It's an easier way to make money.

Actions: what I would do if I was a big CEO and I was sat on a company that was floating on the stock market, I would personally give everyone three hours off, take the cut, and get them to multi-factor every account they've got. That's work accounts, that's social accounts, that's every account they've got. And I think that's going to secure an organisation, because what I didn't show within that tool was you can actually identify where it comes from, and we saw the LinkedIn leak, and if I can use someone's credentials to log in to LinkedIn and say something about a company, that's going to damage their reputation; they're going to be ruined.

And again, insurance; this was covered earlier. Insurance isn't going to pay out on a breach that occurred on a third-party application. If you're company A and your shares drop 800%, it's not a cyber attack, if that makes sense. They're not going to pay out on someone going into your LinkedIn account and saying your company's crap or something, whatever you want to say on social media. So yeah, I mean, we have days for everything, cat day, dog day; let's have password week, where we change everything.

What I'll do, I'll quickly finish up. I was on an internal pen test, again in the last month. To set the
picture: internal penetration test, the network isn't facing the internet. I did the external, and what we tend to see is the external is really good and the internal's a mess. Well, actually, this client was really good. Their internal was really good: everything they had control of, servers, workstations, everything was up to date, patched. Everything they had control of, they looked after. So what I found on, well, day one actually, doesn't sound very cool, but I managed to find... How much time? This is the last few slides. So basically, the first day I did all my scans, did my service scans, found out what was going on in there. Second day, they had a network printer, a big huge tower printer in their office. Had a look at it, found a web interface, didn't waste any time, and I just downloaded the user manual, typed in the word "password", straight to the bottom: user credentials, admin, whatever the password was, I won't say it. And the default credentials were still in use. So I got onto the printer, and straight away, might not sound very cool, but contained within the printer I could see the last ten print jobs, and they all contained sensitive client data, what the company was doing. I could see, I knew what their projects were, from the printer. I had their address, and the most important thing, I could actually proxy the traffic: I could move the print jobs from their printer to a controlled server of mine.

Sorry, so let's have a look at what we actually saw. So I was hit with this interface, the network attached storage. Should have covered that: loads of hard drives, people like them, they don't want to move stuff to the cloud so they store it on network attached storage. So yeah, hit with the login interface. What do you do on the login interface? You always have a look around, and yes, that did say that, and yes, I thought I'd got an easy goal. I didn't. Tried admin, tried password, it didn't work. So when we logged in, capturing the request, we want to look at what the application's doing, and you can see the function there is verifying the login: the username is Jordan, the password is Jordan, and as I expected, look at the JSON, success was false. It didn't let me in because I didn't have any credentials. Right, well actually this is the error message that I got. So what I did, I thought about it, and this is going to take me ten seconds to explain; on the pen test it took me about four hours. I re-intercepted the response from the server. So I sent my credentials again, Jordan, password Jordan, and before it was able to tell me that I was not successfully logged in, I intercepted it again, and what I did, I told it that I was successful. Now, this shouldn't work, and I've only seen it a handful of times on pen tests; it's good when it does happen. I changed it to true, and again I want to point down to page mode zero. It took me a long time to find out that that was actually admin; zero is admin. And as you can see, by changing that to true and that to zero, you can then see that it gives me a session token. I then validated my session, and as you can see, I was then given access to their network attached storage, and I had absolutely everything. As you can see, what are we looking at, 917 GB of data. I got that for free through an authentication bypass. The client was over the moon, because what retrospectively that might mean is, if someone breached the external network, got into the internal, this might have moved into a ransomware, because, I'll show you, I was able to basically hit everything. I could password-protect the data, I could then start exfiltrating it, I could do whatever I want, basically. But that's pretty much it.

Has anyone got any questions, anything interesting, any questions for Jordan? Make stronger passwords. Oh, it's started again, sorry
about that. You mentioned insurance. There's been lots of talk about cyber war and weapons being excluded now. Yeah. So how has that landed with people who thought that insurance was going to be the silver bullet that saved them, for them to now realise that they're actually going to have to fix their network, segregate stuff, turn stuff off, buy new licences, etc.?

I guess I don't have a proper answer for that because I've not had to do it, but I guess it's through trial and error. It's through breaches, it's through an attack happening and then the insurer looking through the finer details and finding out that actually the password for your admin account was breached three years ago, you didn't change it, and that's how they got in, so they're not going to pay it, basically. And insurance companies do do that, because of course they do; it's what they want to do. They don't want to pay.

Oh, hi. That was so interesting, so much information to take in, thanks. Just a question about when you do pen tests: is this now part of the scope, where you do a review of a company's social media and what you can find?

So not specifically, no, but within our company we are developing new initiatives where we're starting to include that, and I do numerous exercises with clients, and I will go through that in detail and I'll show them: actually you've got 500 domains exposed, and actually you've got 7,000 accounts, right here, here's the usernames, here's the passwords, go do a password audit, basically. So we're starting to integrate it into our processes.

All right, the last question. Don't sit at the edge if you can't have questions... sit at the edge. So you mentioned your subdomain mapping and identifying subdomains that companies have in use. Do you think there's an issue with them being public facing, provided that, you know, there is MFA and the like in use and you've ensured that they are locked down? Is there a problem with them still being public facing?

I would say yeah, because you were never, like we saw with the BBC, 555 subdomains, you were never going to lock them all down. It would take you a lifetime. So yeah, I would say having them publicly available is an issue, yeah, definitely.

Well, can we have a lovely round of applause for the lovely Jordan.
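The authentication bypass described in the talk (rewriting the login response in an intercepting proxy so that `success` reads true and `page_mode` reads 0) only works when the client derives its authenticated state from a response body the attacker is free to edit. The Python below is an added example, not code from the talk or from the NAS product that was tested: the user store, account names, role mapping, token format and endpoint behaviour are all constructed assumptions, and only the response shape (`success`, `page_mode`, with 0 meaning admin) comes from the talk. It places the vulnerable client-trust pattern beside a server that issues an HMAC-signed token bound to the identity and role it verified itself, so the same proxy edit no longer yields a usable session.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed example data: a hypothetical NAS user store and role mapping.
# Only the response shape ({"success": ..., "page_mode": ...}) and
# "page_mode 0 = admin" come from the talk; everything else is assumed.
USERS = {"jordan": "correct horse battery staple"}
ROLE_BY_PAGE_MODE = {0: "admin", 1: "user"}
ADMINS = {"nasadmin"}                    # hypothetical admin account name
SERVER_KEY = secrets.token_bytes(32)     # per-process signing key, never sent to the client


def _password_ok(username: str, password: str) -> bool:
    """Constant-time comparison against the (hypothetical) user store."""
    stored = USERS.get(username, "")
    return username in USERS and hmac.compare_digest(stored.encode(), password.encode())


def vulnerable_server_login(username: str, password: str) -> dict:
    """Login endpoint shaped like the one in the talk: it answers with a verdict
    and a page mode and leaves the client to act on them."""
    if _password_ok(username, password):
        return {"success": True, "page_mode": 0 if username in ADMINS else 1}
    return {"success": False, "page_mode": None, "error": "invalid credentials"}


def vulnerable_client(login_response: dict) -> dict:
    """Client logic that trusts the (proxy-editable) response body. Rewriting
    success -> true and page_mode -> 0 in transit is enough to become admin."""
    if not login_response.get("success"):
        return {"authenticated": False, "role": None}
    role = ROLE_BY_PAGE_MODE.get(login_response.get("page_mode"), "user")
    return {"authenticated": True, "role": role}


def _sign(claims: dict) -> str:
    """hex(JSON claims) '.' HMAC-SHA256 tag, keyed with SERVER_KEY."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return f"{body.hex()}.{tag}"


def hardened_server_login(username: str, password: str) -> dict:
    """Hardened endpoint: identity and role are decided server-side and handed
    back only inside a signed token. 'success' is informational; editing it does nothing."""
    if not _password_ok(username, password):
        return {"success": False}
    role = "admin" if username in ADMINS else "user"
    return {"success": True, "token": _sign({"sub": username, "role": role})}


def hardened_server_authorize(token: Optional[str]) -> Optional[str]:
    """Every privileged request re-verifies the token; returns the role, or None."""
    if not token or "." not in token:
        return None
    body_hex, tag = token.rsplit(".", 1)
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body).get("role")


def forge_token(claims: dict) -> str:
    """What an attacker in the proxy can produce without SERVER_KEY:
    chosen claims with a made-up tag."""
    body = json.dumps(claims, sort_keys=True).encode()
    return f"{body.hex()}.{'00' * 32}"


def demo() -> dict:
    """Replays the proxy edit from the talk against both designs."""
    tampered = {"success": True, "page_mode": 0}          # body as rewritten in the proxy
    genuine = vulnerable_server_login("jordan", "wrong guess")
    vulnerable_role = vulnerable_client(tampered)["role"]  # "admin": bypass succeeds

    # Hardened design: the edited body carries no token, and a forged admin
    # token fails HMAC verification; only real credentials yield a role.
    failed = dict(hardened_server_login("jordan", "wrong guess"), success=True)
    forged_role = hardened_server_authorize(forge_token({"sub": "jordan", "role": "admin"}))
    legit = hardened_server_login("jordan", "correct horse battery staple")
    return {
        "genuine_verdict": genuine["success"],
        "vulnerable_role_after_tamper": vulnerable_role,
        "hardened_role_after_tamper": hardened_server_authorize(failed.get("token")),
        "forged_token_role": forged_role,
        "legit_role": hardened_server_authorize(legit["token"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see both outcomes side by side. The design point is that the only place an authentication decision may be made is the server, and the proof of that decision (the session) must be unforgeable without a server-side secret; anything the browser receives in a login response is attacker-controlled the moment a proxy sits in the path.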