
Random Access Memories - Julien Richard

BSides Fredericton | 40:38 | 16 views | Published 2024-11
About this talk
Random Access Memories - Julien Richard at BSides Fredericton 2024
Transcript [en]

All right, there he is. All right, so, my name is... thank you, Chris. This talk is called Random Access Memories. First of all, I'm losing my voice, so if I completely go, I'm going to ask some of you to come up here and tell stories. Just a little bit about me: I hate saying this, but I've got over 25 years of experience in the field, which makes me feel really, really old. My background is in pentesting, and a lot of what you'll see today is mostly around pentesting. There are also assessments and things like that that I'll cover, but I'm not going to be able to cover everything that's in that box, and we'll talk a little bit about what that is all about. Sure, that sucks, yeah.

So right now I work as director [vosc] at Lastwall. I've got a few of my colleagues here giving me support, and I want to thank them a lot for enabling me to come and do these types of talks. And again, this one here, there's going to be a disclaimer. I've worked in many highly regulated industries, which means that a lot of the stories I'm going to talk to you about today are in industries that are very, very interested in checking boxes and making sure that all the right things are being done, and there are at least a couple in there where you'll see that we check boxes just to check boxes and not to be more secure, which is going to be a good moral. As Chris talked about, I'm the founder of the Atlantic Cybersecurity Collective. I'm also on an advisory board, a community cybersecurity network, because, yeah, all of the above; it was supposed to be a multiple choice. But enough about disclaimers. This presentation reflects my personal views and my research. It's not affiliated whatsoever with any companies that I work with at the moment, and I will also not name any companies unless the information I'm going to be talking about is publicly available. Certain details may have been changed because I want to protect the privacy and confidentiality of all parties involved. I've been on two, three hundred engagements, so there may be people here that some of these stories touched. You can come talk to me afterwards, but I will absolutely not name any names.

All right, so how to play this game. I'm going to have Blake walk around. There's a little... I call them cards, but they're tiny little pieces of paper in there, and if you can find them, there's a lot of candy in there too. If you want candy, you can pick some; it's my tickle trunk. So you're going to pick a card. Each story has about 10, 15 minutes, maybe less, maybe more, and you're going to listen to my story and then you're going to pick another card. Every story is going to have a nice little moral to it. Hopefully you can learn a little bit about security and be entertained by the crazy stories that are out there. If you get bored, I also put some old-school video games up there. So, all right, who's our first? If you want candy, get some candy. Let's go, one at a time.

Let's just do one at a time. Who's first? You? All right. Pre-hacked. Nice, I wanted that one. Come up, yeah.

So as a pentester I was working for a pretty big multinational company, and they hired me to go in and do a pentest on their internal systems. I was mostly doing consulting work facing their clients, but they wanted me to do an internal pentest. So I got there, flew across the country, went in, started poking around, and on my first vulnerability scan I find a very bizarre backdoor, I would say, installed in one of their systems, and come to find out that people had been there before me. These people were connected through all of their clients all across the world; we're looking at hopping into other clients' networks and things like that. The really funny part, funny, not really funny, but the scary part, was that as soon as I looked at everything and finally accessed this backdoor, instead of giving me access to that system, I was really confused for a second, because I was actually redirected straight into their Active Directory, their domain controller, with full SYSTEM. Very scary. Now, I would like to say that that story ends there, but I go see the president of the company. He comes to my desk and looks at me and goes, like, are you trying to make my life effing hard right now? And I look at him laughing, you know, like, yeah, I know, right? He goes, no, no, I'm serious, it's Friday. Like, dude, you have hackers in your system, like, it's not me. So I ended up staying a couple of extra weeks, and I guess the moral of this story is that you may not be the first one there, and the executives are not always going to respond the same way that you do.

One other thing: I'm not going to take questions, because there are a lot of stories and a lot of stuff I really want to get through, so please come see me afterwards and we can talk about these things. I would love to take this concept and get everybody's stories and put up a blog post or a podcast or a book or something; it would be really cool. I know Evans must have some amazing stories. Where is he? Over there, right. Who's next?

Why Try, Just Use the Wi-Fi. Yeah, why try, just use the Wi-Fi. Again, pentesting consultant going to a business. They say the guest Wi-Fi is in scope but don't worry about it, we have a pretty complex password and it's completely segregated, segmented from the rest of the environment, so don't worry about it; if you have time, just go ahead and poke at it. When a pentester hears that, they go for you. Their very complicated password was 12938-whatever, you know the rest. Deauth their session, grab the handshake, five seconds, get on the guest Wi-Fi, start pinging. Yeah, it was not segmented. Within, I would say, within a day I had full domain access. Active Directory, for anybody who has tested it, is very easy to misconfigure, very easy to find a path to domain admin, unless they have really, really good antivirus, and we're getting really good at bypassing antivirus. So the moral here: trust but verify. If you tell me that your network is fully segmented, I'm not going to trust you; I'll verify, ping across. And that's why PCI DSS, when you're doing a pentest, one of the things they ask you to do is to really look all around the perimeter of your cardholder data and see if it is actually blocked, because a lot of people don't really understand. Yeah, turn off ping, the services are still there. I don't have my time... Troy, 9:30 right now, Troy? Privileged But Exposed. Privileged but exposed. Let me... I have to go over my list. Oh yeah.

Privileged but exposed. So this was a very privileged user, but not in the sense of cybersecurity or IT. This privileged user had a lot of money, a lot of money. This was done as a personal project, personal as in I had just got my $5 Shodan account and wanted to play on it, which, by the way, Black Friday is coming up, if you want a $5 Shodan account it's going to be out there very soon. Shodan is a search engine used to look for IoT devices that may be hanging out on the internet, not just IoT devices, but that's what most people use it for. I had also learned the dark arts of BACnet, which is an old system, right? BACnet, very secure. It is not. It's got no authorization; if you tell it to do something, it won't even check if you're allowed to do it, it does whatever you wanted to do. So I found a whole bunch of BACnet devices that were geotagged to the Atlantic provinces, and found... so when you do security research you want to make sure that... oh, crashed, perfect.

So when you do security research you want to make sure that... even better. Sorry, I'll get to my story at some point. Run this directly.

When you do security research, you want to make sure, when you're responsibly disclosing stuff, that it's real, right, that you're not looking at data that is put there by Jack Sparrow or Tony Stark or things like that, fake data. So you kind of have to poke at it a little bit, and to be completely honest, you're toeing a fine line of what's legal and what's not. But at the same time I believe strongly in responsible disclosure. I believe strongly in good-faith security research: that if I find something that exposes your data or somebody else's data or puts their business at risk, it's better to let them know that it's there than to just step away, because you can't be sure that it's not just a honeypot or a test system. So in this case I accessed one of the BACnet devices and immediately lost my breath, because I saw the name and I saw what it was, and it was Mr. Tony Stark's pool temperature and Mr. Stark's bedroom temperature. It was not Tony Stark, but it was somebody that had that kind of money. So I immediately stepped completely away, started going through my contacts letting them know that I had found this, and within like half a day it was completely taken off the internet. But for a period of time, which I don't know how long, because as soon as I found it, it was gone, for a period of time people could have changed the pool temperature in this person's house. Which, again, trust and verify, right? If you have contractors coming in working on your HVAC system at your company, working on your spa, which I also found at some point, you want to make sure that it's not publicly exposed. You want to make sure that they do the right things, and that's why us here, cybersecurity practitioners, are extremely useful: we understand what can be done.

Shocking Timing. A lot of people have heard this story. Losing my voice for a minute. We were running some physical pentests, and I hired this person who was not new to the field but hadn't been practicing for a while. So, being a really, really nice person, I said, well, you're going to try to break into a building. And he took it seriously, like very seriously: didn't shave for a couple of weeks, got somebody's old rusted-up van, he actually showed up with a ladder, he had a work order for an electrical company that he had printed out, he had actually created a website for this electrical company, and he rolls up. I'm sitting there inside, I know that this is happening today. As he walks in the door with his ladder and his nice little "I'm an electrician, you know, I'm going to see if I can get into this building," I swear to God, the power goes out. Not planned; I had no clue this was happening. I knew he was going to have the run of the place no matter what, but at this point it was beautiful. It was the most beautiful thing I've ever seen. He was up on ladders looking into the ceiling, he was going through boxes, for some reason he was going through boxes, like, who lets an electrician go through your stuff? They gave him the Wi-Fi password, they gave him an office, he took so many photos of USB sticks stuck in everything that he could get to. I guess at the end of the day, if you do this a long time, these things are going to happen; these weird little coincidences are going to happen. The look on his face when the power went out... I really, like, was this... did you know? Like, did you go on the website and plan this? I had no idea, no idea. He fell in love with it that day. I think he's still doing it. Up to a certain point I can't do it; I get so nervous, my heart is about to beat out of my chest, I feel bad for the people that I'm trying to dupe and everything else, but this experience may have changed my mind too.

WAF Was That? WAF was that? What was that? WAF was that. This one I can name names, because we actually disclosed it. It was just this past year, I believe. We were troubleshooting something for a client. I didn't know this, but when you do an SSO connection with Outlook desktop, it needs to proxy your username and password and create a web request. The identity solution will actually spin up its own web server on 127.0.0.1 and serve that to you, and then you put it in and you use that one server to post your stuff. Well, AWS, or the WAF, didn't really like that, because it sounds a lot like a server-side request forgery, that you're trying to get somebody outside to get inside the network using a local address, see what's happening. So it would put the 127.0.0.1 in the redirect, telling the website that once you're logged in, redirect here, and do some funky stuff like that. So of course the WAF was blocking that, and we fixed it fairly quickly, but curiosity, right? Like hackers always say: oh, I remember, what if... is this just a regex? Are they just looking for 127.0.0.1? I wonder what would happen if I put in the hex representation, the octal representation, of that address. And sure enough, it completely bypassed it. So I ended up spinning up a fake SSRF-vulnerable web service on AWS to show that, with the WAF that was there, I could completely bypass the WAF and do an SSRF with the hex representation of 169.254.169.254, which is the... I'm getting deep into details here, I know, but basically you can query the metadata service on AWS and it will give you all the creds that you ask it for. And I was able to show AWS that, yeah, these rules are great, but you're only looking for the decimal representation of the IP. So they ended up fixing it, and they gave us kudos on their website when they fixed it and everything else. So that was a proud moment for all of us that found this, because at the end of the day it's curiosity, it's just not stopping there, not going, okay, we're going to fix this, but, yeah, what if, right? And you've got to keep asking those questions, you've got to keep asking that what if, what if, what if, try something new, and if it didn't work, it didn't work, I go back to work, right? That's a lot of work. So, yeah, that's a pretty fun story.
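The bypass in this story works because the rule compared the redirect target as a string against the decimal spelling of 127.0.0.1, while the platform resolving the address also accepts the legacy inet_aton spellings (hex, octal, a single integer, fewer than four parts). The following is an added example, not code from the talk or from AWS: a Python canonicaliser that parses every inet_aton spelling to dotted decimal before classifying the address, shown next to the naive string check for comparison. All function names and the sample blocklist are mine.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One IPv4 "part" under the legacy inet_aton grammar:
# 0x-prefixed hex, leading-zero octal, or plain decimal.
_PART = re.compile(r"^(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)

# Constructed sample of the decimal-only strings a naive rule compares against.
NAIVE_BLOCKLIST = {"127.0.0.1", "169.254.169.254"}


def canonical_ipv4(literal: str):
    """Normalise any inet_aton-style IPv4 literal to dotted decimal.

    Accepts 1 to 4 dot-separated parts, each decimal, octal (leading 0) or
    hex (0x). As in inet_aton, the last part fills all remaining bytes, so
    "127.1", "0177.0.0.1", "0x7f000001" and "2130706433" are all 127.0.0.1.
    Returns None for anything that is not a well-formed IPv4 literal.
    """
    parts = literal.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not _PART.match(part):
            return None
        if part.lower().startswith("0x"):
            values.append(int(part, 16))
        elif len(part) > 1 and part.startswith("0"):
            values.append(int(part, 8))
        else:
            values.append(int(part, 10))
    *head, tail = values
    tail_bytes = 5 - len(values)  # number of bytes the last part must cover
    if any(v > 0xFF for v in head) or tail >= 1 << (8 * tail_bytes):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * tail_bytes)) | tail
    return str(ipaddress.IPv4Address(packed))


def naive_decimal_block(literal: str) -> bool:
    """The weak check from the story: string-compare against decimal spellings only."""
    return literal.strip() in NAIVE_BLOCKLIST


def classify_target(literal: str) -> str:
    """Hardened check: canonicalise first, then classify the parsed address.

    Returns "internal" for loopback, link-local (the metadata range),
    private or reserved space, "external" for any other IPv4 address, and
    "not-ipv4-literal" for hostnames or IPv6, which a caller must resolve
    and re-check address by address (resolution is out of scope here).
    """
    canon = canonical_ipv4(literal)
    if canon is None:
        return "not-ipv4-literal"
    addr = ipaddress.IPv4Address(canon)
    if addr.is_loopback or addr.is_link_local or addr.is_private or addr.is_reserved:
        return "internal"
    return "external"


def redirect_target_class(url: str) -> str:
    """Apply the hardened check to the host of a redirect URL (e.g. an SSO redirect_uri)."""
    host = urlsplit(url).hostname
    return "not-ipv4-literal" if host is None else classify_target(host)


if __name__ == "__main__":
    # Constructed inputs: the same two addresses in the spellings the naive rule misses.
    for spelling in ("127.0.0.1", "0x7f000001", "0177.0.0.1", "2130706433", "127.1",
                     "169.254.169.254", "0xa9.0xfe.0xa9.0xfe", "0xa9fea9fe"):
        print(f"{spelling:>22}  naive={naive_decimal_block(spelling)!s:5}  "
              f"canonical={canonical_ipv4(spelling)}  class={classify_target(spelling)}")
```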

Now, the next one: CVE Jackpot. The CVE jackpot. Again, a pentest. This was like a reservation system for hotels, or maybe it was a learning management system, I forget what it was, but we ended up finding a couple of cross-site scripting bugs in the service, with which you can steal session tokens, you can do all kinds of stuff, right, you can hook into the browser and do all kinds of really funky stuff with that. So I found out pretty quickly that they were just using this PHP script that they had bought online, like 70 bucks for this PHP script, and they kind of put their name on it and everything else. So when you see that it's not the client that you're working for, you put in a CVE, which is a Common Vulnerabilities and Exposures entry. So there were four or five in this script, but then when I went on their website to find out who they were, I noticed that they were selling the same script for car reservations and all kinds of things; they had 70 different products using the same script, just doing tiny different little things. So if you think about it, the way CVE works, you've got five CVEs in one of the scripts, there are 70 scripts, well, if those CVEs are in those 70 scripts, that's hundreds, right? How am I going to be able to submit all these CVEs? And then, better than that, this was a time-limited test, so there may be more there. So we basically started poking. The best part of this whole project was that they actually let you spin up a demo just so you could see it, so you didn't even have to buy the script: you just spin up the demo, pentest it, and then get all this stuff. I think we ended up with, when we quit, we ended up with 150, 170 CVEs through the whole group, and I shared the whole thing with the Atlantic Cybersecurity Collective. We had a conference and we sat down in a workshop and started poking at it, and I showed them how to submit CVEs and everything else, and a whole bunch of students can now put CVEs on their resumes. I think there may still be some left there if you're interested in poking around; come see me. Again, curiosity, right?

Going a little bit further: Costly Creds. Costly creds. I looked this morning because it took me a couple of tries to... oh yes. So again, a huge industry had just bought, I think it was 300 security cameras, to put all around their infrastructure. It was something that was compliance; they needed to do that to look at things. I go in there to pentest, started poking around, asked them, are the security cameras in scope? It wasn't really clear in the rules of engagement, and right away they say, yeah, absolutely, we just put those in. Started poking at them, and the first one that I hit, I logged into it with admin and... the second one I looked at, I logged into it with admin and... and this was from anywhere in the network; you could have done that in the lobby. So we quickly realized that they had 300 cameras in their environment with default creds that anybody could figure out and go. So the first thing you do is you go to the manufacturer, like, hey, this is not acceptable. The manufacturer said, well, that's not in the contract. I think they quoted six figures to go in and change all the creds on their security cameras, if I'm not mistaken. And you've got to check your contracts. This is why secure by default, secure by design, is very important. We shouldn't even have admin, like, you know, default credentials; it should be that as soon as you put it in, you need to type one in. I mean, in this case the manufacturer probably would have put theirs in anyway, but never mind, maybe they would have put 123456. And they also did not have a script to go in and do this in batch. So third-party due diligence, looking at your vendors, going through the process, looking at contracts, is extremely important, because this was a very costly price.

Awesome, 15 minutes. I'll give you one more and then we can maybe start the discussion. I need some water, because my voice has gone wild. All right. One of my first pentesting engagements, like a real paid consulting pentest engagement, and the scope was very vague. We thought that the company should have been secure; they weren't. So we started scanning all these different VLANs that they had and everything else, and I ended up with a scan like thousands of pages, thousands of pages, and the system got so slow as it was trying to process all this information; exporting it took minutes and minutes and minutes. And I remember flying back and being at the airport, like, all right, I'm just going to start the report. We didn't even have any automated reports or anything like that; this was mostly copy-pasting findings. Thank you. And I remember sitting in the airport, I was in Pearson I think, and opening it up, and I had a pretty beefy gaming laptop, we all thought we needed beefy laptops to crack passwords, but at the end of the day you can just do all that in the cloud. And I went to open the file and I couldn't open it; it kept crashing my browser. I downloaded all kinds of software that I probably shouldn't have downloaded, because I just needed to get it done, and like, the Nessus report kept crashing my Adobe, it kept crashing my Chrome, it kept crashing my laptop, I just could not open it. So I had to go back in and find ways to split all the information and everything else. So I just thought that was funny, because I wanted to do everything, I wanted to touch every single vulnerability, and I learned pretty quickly that you've got to bring down that scope, you've got to really bring down that scope, and the best way to do that is you start small and then you build up and build up, and you keep in contact with them, like, all right, we looked at that VLAN, that's very important, we haven't been able to find a whole lot, so let's expand, expand and expand, right, until you run out of money or time. But don't start doing everything in thousands and thousands of computers and stuff that hasn't been patched forever. I think they had hundreds and hundreds of servers that hadn't been patched. I mean, listen, we completely owned them, but trying to build that report, my laptop was just on fire. One more? Any questions, any comments, anybody want to come up and tell a story?

No? Lobby Level Takeover. Lobby level takeover. You remember, what was it, Under the Hoodie, Rapid7's marketing campaign? They had these little videos of people with their hoods up, it was dark, there was very ominous music, and this one stayed with me for a long time, where a guy was saying he went into a bank, walked into the lobby, and had it owned by the time they picked him up. So that was a huge... and they completely forgot that I was supposed to show up that day, completely forgot that I was there, so I was sitting in the lobby and I saw a network jack next to me and I thought, hey, what the heck, you know, the pentest has started just because they haven't given me their room to start; like, we agreed it was going to start at 9:00 on Monday morning. Plugged into the network, and by 10:30, after running Responder, I had a ton of hashes. I was happy I had my big gaming laptop that time. Let's just say that by the time they picked me up at 10:30 or 11 o'clock I had access to the network, sitting in the lobby, just because. That was a shock to them, but at the end of the day, you have a big enough Active Directory installation and you're... I mean, I think it was Darknet Diaries the other day I was listening to, and I was shaking my head, where one of the guests was saying people think that you go there to start your scan, start everything, but any good pentester would tell you it's just AD: you plug in, you start Responder and you wait, and you just let it run all day. What it does is it grabs and responds to anything that has no DNS entry: a share that doesn't exist anymore, a computer that doesn't exist anymore. If anybody tries to access that, you go, oh, it's me, and then the computer or the person sends you their hashes right away, and in an AD domain you can just... you don't even have to crack it, you can just use that hash, pass it, and it'll think that you're them. So Responder is very powerful. It uses... Evans, is this still on by default? LLMNR still on by default? Yeah. So yeah, owning a company before the person that you're supposed to meet is going to walk up to you and pick you up. Yeah, so, 10 minutes. Oh, I'm sweating up here, I'm not feeling good. I'm usually more entertaining than this; I'm just sick today. Let's do one more. I've got to save something for the panel this

afternoon. Shockingly Abandoned. I haven't done a lot of IoT hacking. We got this contract to hack, or not to hack but to do a pentest, to do a security assessment on a taser. Yes, that taser. And scheduling this was a nightmare, because it was a weapon, I had to have a handler to go in, and the handler just wasn't there; scheduling, all kinds of things. It took like two months, two and a half months maybe, to schedule this. Finally got it all scheduled, I was all excited, I took that time to read all the books I could on IoT hacking, and I had all my fancy hardware and everything else. There's not a whole lot you can do, but in this case, you know, we couldn't look at the firmware or anything, but we could intercept the traffic. I think the worst thing we did was intercept the traffic and say, yeah, I saw that you said that the taser was fired and that it didn't get to the right people, so they wouldn't know that the taser had been fired, which is, again, compliance, right? But anyway, all that scheduling nightmare, I get there, my handler walks me into a room, there's a taser, there are the other two devices that you're going to do, there were more devices, and it was like, all right, if you need me, I'll be in my room, and left me there all day by myself with the thing. So it took us two and a half months to schedule this test because they didn't want to leave me alone, I wasn't to be trusted with this thing, and he didn't even show me how it worked. He just goes, there it is, see you, and left. When you talk about checking boxes, this was checking boxes. I'll say I didn't tase myself. I told this story to an RCMP neighbor of mine and he goes, like, oh, that's funny, I just came back from Montreal and we were testing tasers. It was like, testing? It was like, yeah, I got tased like five times. Apparently the RCMP like to tase themselves. I guess it makes sense. I'm just happy I'm in this field, happy about that.

Anybody see games that they... what was that? Games that they've played? Yeah, yeah, anybody see games that they forgot existed? Yeah, I think we've got time for... there's a bunch in there, like, there are so many, so many. I also would like to get feedback afterwards, good or bad, just let me know, because I want to know if I want to do this again. There's candy in there too, chocolates.

Again, huge, and this is one of the stories that I'm going to talk about at the panel this afternoon, Chris, but this is just a tiny part of it. Long story short, we were hired to do an assessment of a new POS device for a retail shop across Canada. Flew everywhere to go into the shops and look at different things, and I'll tell the story at the panel, I'll leave it. But we were supposed to do a physical pentest, and some of the stuff that we found right away scared the crap out of HR, and they said, like, we can't put our employees through this, we just can't, because you're just going to own them and they're not going to feel good about themselves. So instead we did a physical walkthrough. They were so proud of their video; this was a while ago, these were like 4K security cameras, like, they could see everything. They were so proud of this. They were recording, like, two years' worth of data; they had so much storage and everything else. And they were also PCI compliant, because they were taking a lot of PII, a lot of data and everything else, and I think some of you know where this is going. I'm walking into the store and they're talking about their cameras and everything else; I look at the camera and I look at where it's pointing, and it's pointing straight at a table that has like five cash registers where people are literally typing in people's personal information: they're typing in their date of birth, their social insurance number, they're typing in their credit card numbers, they're typing in everything, and they're recording all of this and keeping it for two years in 4K video. I don't know how much it cost them, but they had to change this. This was the layout in every single store across Canada, from St. John's [FLC]; they had like 30, 40 stores, and they had to go into every single store to change their cameras, or I don't know, maybe they put it... before they should have fixed it. It was on the report. All right.

Yes? No? In this case, when you're doing a... when you're doing... and that's a very good question, and one of them in there is basically going through an audit with a cybersecurity researcher, a cybersecurity auditor that was auditing a company I was working with, and was giving findings and then telling them, oh, we can fix that, that's... we can't do that. One other thing that is very, very important for us, when you're a consultant, is you give recommendations. If they want to know if somebody can help them fix it, because they don't know anybody in the industry, then you make sure that it's your ethics and your morals and your values, and you've got to make sure that it is very clear that whoever you recommend, you're not getting a kickback from that, you're not getting contracts because you're doing them. But for a big company, I've seen salespeople ask for the pentest report, and I said no, like, you will not see my pentest report, that is not okay, because then they can turn around like, oh, you need this, this, this, this, we can sell that to you, and then all of a sudden your integrity completely goes out the window there.

One of the things that I do when I give a pentest report, it's pretty big, is I also give them a spreadsheet, which is basically like a mini risk register, if you want, and it lays out the recommendations and everything else, and then there are tables that say remediate by priority, who's responsible for it, and everything else. So it's kind of built for them already. It's a great tool that I use anyway, because I pop all my vulnerabilities in that spreadsheet first and then I use that spreadsheet to create my report. So that's one of the tools you can give them. But yeah, I mean, it all depends; even with the recommendations, you've got to make sure that you tell them, these are my recommendations, I don't understand what's going on in your network more than the 20, 30, 40, 60 hours that I was in there. You know your environment better; maybe my recommendation makes no

sense. Yes? This is about Tony Stark's pool. Just curious, what do you think, why do you think it was taken off Shodan the next day? Do you think that was, like, well, they fixed it? Did you tell them? No... oh, you told... sorry, I missed that part. Sorry. Yeah, I didn't go to them directly. I was scared... I work... yes, yeah, I was scared shitless, to be honest, like, this was big enough that I was legally afraid of what could happen, right? So I went to a whole bunch of my trusted mentors and people that I know in the industry; we have, like, back channels and all that, and we got word that it was [taken down]. Right, cool.

Thanks, great story. Years of experience... starting out, one of your early stories, or perhaps that... Well, yeah, the... I think the vulnerability scan, I had a thousand findings, like, you know... why can't I remember your name? Connor? Connor, there you go, I knew that. Just like Connor said, right, you've got to set expectations, and going in, you're not going to get a lot of contracts if you show up with 10,000 vulnerabilities every single time. Go for the low-hanging fruit. Work with a mentor. One of the things that I do, I do some testing on the side sometimes and whatnot, and one of the things I do is I take students that I see are doing really well and I tell them, like, hey, this is a 40-hour engagement, can you give me five hours? Take five hours, go scan, enumerate, tell me what you would do next, and if what they tell me they would do next makes sense, then I go, oh, here's 10 hours, do it, and then what would you do next? And I found two or three like really, really solid people that can help out by just giving them more chances, and maybe that's one way for a beginner to start: just go see some of your peers and everything else, like, hey, I'll work free, I just want to touch something real, right? A lot of clients will have problems with that, but I mean, we need to build up our talent; like, we're not doing great. Everybody who's a senior resource is completely maxed out; they don't have time to mentor, they don't have time to help people out. We would love to... I've taken students in the past, not at the company I work with now, but in the... and some people were working with me there, and unfortunately we just couldn't give the support that we wanted to give to this student who was an intern, who was just thirsty for knowledge, who just wanted to learn; we just didn't have the cycles. So even as a student, I mean, you're probably happy just to get an internship, but at the same time, like, you know, set expectations, say this is what I want to learn, right, and ask them to let you loose in systems that don't matter. Good. Awesome. That's not my music, is it? Yeah.

...have a dangerous... I mean, I think you're asking me a bit of a question that you know the answer to. All right, come up here, come on. No, I mean, systems that are sensitive, right, systems that may crash when you hit them, systems that you're not allowed to touch; it's out of scope, right? You're on a subnet and there are 50 hosts and they tell you, well, 10 of them you can't touch. Responder has no... I think you can tell it to not hit certain IPs? Yeah, you can filter, but it would be very dangerous. We all... like, if you're interested, you can look up what happens when you go outside the rules of engagement, especially on a physical pentest. Ask the people out of Ohio; they went on the third floor, they shouldn't... is it Ohio, Columbus? Yeah, it's Coalfire, maybe that's why, Columbus, Coalfire. Anyway, this company, they said do not go on the third floor of this courthouse no matter what. They went on the third floor and they got cuffed, shipped off to prison. They finally got out of it, but it was a whole huge problem for them. Don't go outside your scope. If you think you're out, if you don't know, ask, right?

Yeah, thank you. [Applause] That was good.