BSides Perth 2025 Day 2 - Live Stream
Show transcript [en]
Testing. Testing.
Sorry, still keep talking for a minute. We'll give it a minute.
kick things off. Just check with dolls on the sound check. >> We're looking good. Live streaming to at least a dozen people, which is always good. I feel very nervous in front of such a large audience. Uh thank you very much. Um for those that have come in and just doing today and registered, appreciate your support. Thank you very much. Um, today's day two, the last day. Uh, we'll finish a little earlier today, but we've got a heap of really awesome talks and stuff lined up, which is good. Um, housekeeping side of things. So, for those that are new on, for those that were here yesterday, you've heard it already. Red shirts are your friends.
So, if you need some support from anybody for anything, just find somebody in a red shirt, give us a tap on the shoulder, and we will help. Unless it's for the physical CTF and you're trying to find the access cards that we've got hidden around, in which case we'll be deliberately obstructive and painful and make it difficult for you. Good luck. Um, emergency evacuation. You'll hear the the whoop whoops uh on everything. We'll give you the nudges. Evacuation is out onto the grass area outside, but just be super calm. These buildings don't go up uh in a couple of seconds. Just um take your time, follow the crowds, head outside, stay safe. Um, bathrooms and breakout areas. Straight
outside. Hit a left. Down the stairs is bathrooms. Uh, there are more accessible bathrooms down to the right hand side. There's a prayer room as well if you need it. Just down there to the side. Um, thanks to Tess and Hannah. They are running the coffee truck and that for us. Free coffees today, free yesterday. It's a pretty good coffee. Enjoy. Say thank you. Uh, lunch again. We'll be hitting Mac Daddy's for the pizza today. similar kind of timing. I think for those that were here for the last conference and there was a bit of a gap between the one and the two, it seemed a lot better yesterday. All Yeah, it's really good. It's awesome
pizza. Um, thank you. It's really easy to get this place in an enormous mess when things like the pizza come out. We will never again do the crispy cream sugary glazed donuts as we did before. That was a an unexpected cleaning cost afterwards uh getting glazed sugar out of the floor. But um yeah, that um we won't do that. Pizza was great. Everyone left it super tidy. Boxes were all in the skips. The bins were all full. Everybody was massively respectful and we're grateful cuz we have to do the cleaning up. Nobody else. So, appreciate that. Um schedule is online. If you want to see that, head to the Bides Perth website, hit the three hamburger bars at
the top, go to schedule, go to the Prattlex kind of link, and you'll get everything. Um, it's up on this screen here if anyone's not seen it. Um, massive thanks to our sponsors. Besides Perth has always been really transparent in sharing its financials at the end. So, when we do the close later on, you'll see just how close we were running this year's conference. Um, if it wasn't for our awesome sponsors, it wouldn't happen or it may happen but in a much more cut down form where you wouldn't get things like lunches, coffees, those kind of bits. For anyone that's ever been based out here, it is super difficult to walk anywhere and get food or drinks or anything else. You're
kind of a little bit isolated. So, the fact that we can put this stuff on and keep you as a captive audience is amazing. And we thank people uh UWA, our venue sponsor, uh they've helped us out for the six years that we've been running this massively. And they've probably got the biggest, most closed facility for us to be able to use with this lecture theater. the other one when we've run two tracks in the past and all the breakout rooms for people that just want to listen in on the live stream, do the CTFs, play with badges, those kind of things. Uh, Infosct, massive thank you to them. They got in early, helped us out. That kind of funding early on
from a silver sponsor, helps us do things like lock in the venue. For anybody that runs a conference, locking in the venue is the most important thing because then it's real and everybody else hangs off the back of that. If you've got a venue and it's paid for, it's happening. So, that's a massive step up for us. Uh, Horizon 3, go and have a chat to them. They've got a booth in the lobby. Say thank you. Um, you'll see just where all the funding that comes in from the sponsors goes when we share the financials later on. Uh, and Securo as well. They really helped us round things out. Equally, they've got a brew. They've got people here from Bri,
from Melbourne that have come over. So, say hello and a thank you. Uh, and all the supporters. Um, I'll share the details later, but one of these came in a week ago, uh, and actually helped us, and that was the difference between being able to do the food and the coffees and all the other bits or not. So, say thank you. And if you see a red shirt, say thank you. Uh, all the volleys and ourselves are all totally unpaid. We do this for the love of kind of pulling everyone together, starting good conversations. Um, and it's the same crew. You'll recognize the same faces as the most reliable red shirts that just rock up. Snades when you see
him he's like Michael Boué comes out at Christmas only he comes out for Besides Perth and you never see him for the rest of the year but totally solid and we thank everybody that's up on this slide as well. Um the badge there's a lot of fun with the badge. So there are still component packs. We saved some by for people that only register on a Sunday. If you want to grab some components build your badge. The reason that we did it like this is you have a shiny little badge that doesn't scratch people because it hasn't got the components all stuck on it. There's always a lot of talk about is it just unnecessary
e-waste. So, we kept it kind of fairly slick. But equally, there are a lot of people that want to play around, learn soldering, learn coding, those kind of things. So, lots of badges, smaller number of component packs. If you want to build and hack the badge, do it. Uh all the source code is up there. We can do those things. Aside from that, um, we will have prize winners and bits announced later. I'll go through all these slides because it's got the details on of, um, some of those winners. Say thanks to Tim that built the badge. Uh, all the usual stuff. Aside from that, and seeing if I'm on time, I'm going to hand over to our
first speaker of today, Louie. Many of you will know Louie. Uh, owns and runs Pentest Lab. Many of you will have, uh, used the kind of training, educational stuff that's on there and learned a heap of things. Lou has been a huge supporter of Bides Perth since the very first one. Uh always kind of comes good and we really appreciate his support over the years. I'll introduce him to talk about those who don't learn from CVS are doomed to rediscover them. Louie, can we set up?
Yeah. Go.
Yep.
[Music] >> Yeah. >> Thanks. >> Can you hear me? Okay. Yeah. Okay. Cool. Um, good morning everyone. Thanks for waking up so early after last night. It may be hard for a few people, especially since we're going to talk about source code. But basically, so my name is Louie. I run this website, Pentaolab, where I train people. And to train people, you want to have good content. And as part of finding good content, I need to look at a lot of CVS, a lot of CVs. And I call myself like a CV coner or a software entomologist or even like a CV archaeologist. I look I love looking at bugs. I don't know why. Just
like I found that very appealing and I've been doing that for a lot of times. It's kind of a weird hobby, but I'm gonna try today to convince you that it's a great thing to do if you want to learn new things. As part of that review of CVS, I came across recently VCV um CV 202554887, which is a missing AES GCM authentication tag validation in encrypted JWE. I know exactly what you're thinking right now. crypto on the first slide of the first talk of the second day. Yeah, let's see that payoff. I know it's hard. We're going to get there. It's only an hour. You you you can go for it. So, when I saw that CV, I
was like, "Oh my god, this is amazing." For a few reason. I love JWT. Love JWT. I did a talk here about JWT, I think five years ago, like pre-COVID. That's how much I like it. and I still love them. I love Ruby and that's a bug in a Ruby library. So, oh my god, that's amazing. And I kind of like crypto as a friend like not so yeah. So, so I'm going on an adventure. Uh if you don't know the reference, that's from Harry Potter. I saw your hat. So, yeah, I'm going to do the same joke in New Zealand. I'm going to get killed. So, GCM is this encryption mode that you can use to encrypt data. And if you
compare GCM to other modes like ECB, CBC, it's a lot better because GCM gives you encryption like all the other modes because you want to encrypt data, right? But the important thing is that GCM gives you authentication, meaning that if you temper with the data, it's not going to get decrypted. So it's really really good because a lot of attacks you can do against uh crypto is around manipulating data and getting that data to still get decrypted. Even if you can't make sense of what is in the data, you can still temper with it in a way that will trigger unexpected behaviors. So let's look at GCM. So here we have all GCM and it's only boxes. You don't
have to understand the details. It's pretty boring. Yanak, I'm not a cryptographer. I'm just an enthusiast. And so if we add here I so the noun the thing to initialize the the encryption of the decryption. If we change that to vi because everyone loves vi and if they don't they're wrong. If we do that right I'm glad we agree. Um uh if we do that the decryption is going to fail. It's going to get rejected. Right? because we tempered with part of the information that is used to feed GCM and that's where the authentication tag is so important. If we try to modify the cipher text and we change it to cite text again it's going to get rejected because we
tempered with part of the information. So the authentication tag is here to prevent that. Um, if we change the tag, the authentication tag at the bottom here, we change off to a a again it's rejected because we tempered with some of the data used to do the decryption. But what if we change of type to just a approved? So it's not in all implementation but some implementations have these issues and so since we can just use one bite instead of the full authentication tag which is that is usually like 16 bytes nowadays um what we can do now with only one bite is try to modify the cipher text and go back to this cipher text
it's going to get rejected because the authentication is only one bite but it's still there. So we keep going. We move to uh what did we do? Oh, we change instead of changing the cypex, we change the off tag from A to D. Again, it's get rejected. But if we do that for long enough and we go for example with T, we may get lucky and it's going to be approved. And so we just need to brute force 256 uh combination and we're good and we can start modifying the encrypted data and trigger unexpected behavior in the application. I didn't know where to put the next slide, but I think it's pretty good. So, and I came up with that idea.
So, signs of a stroke, twisted mouth, apparent par. I had to use it. Sorry. Um, and if you ask uh for example uh to write a bit of decryption in Ruby and to say like, oh, we want to use GCM, they're just going to use the of tag as it is as it is. And the problem is that we have this GCM tag concretion attack. So that's not in all languages. It's only in a few lucky ones. One of them being Ruby as we saw. So when you think Ruby and you're like a Ruby head like me, you find that you like, "Oh my god, I know something that is using GCM." That's Ruby on Rails.
So I run run to the GitHub source code of Rubian Rails and I start looking at the code and as part of the code there is this little comment saying like okay um here we check the size of the tag because there is this issue that we know of and I've been doing Ruby for since 2005 I've been doing a bit of app say crypto and it didn't know about I didn't know about this anyone know about that actually and no so I'm not the only person so Yeah. So there this message like okay um we want to check the off tag size because otherwise people can reinforce it by just using one bite instead of the full
16 bytes. So there's a link I clicked on the link and I go to an issue in Ruby/ OpenSSL because the point that Ruby is trusting OpenSSL and open SSL is only requiring is is trusting the off tag you give it. So if it's one bite we check one bite. If it's 16 bytes we check 16 bytes. And that's an issue that is open since 2016, which is not great if you're in software security. Oh, that's my opinion. Um, but thankfully, so that was in July. It's a bit small. Um, but in August, someone like uh in good decided like so since it's hard to fix that bug, let's at least add some documentation. So they
did that in August to say like, okay, let's at least warm users, let's at least warm developers. Uh so they add that and that's the documentation of the OpenSSL cipher in Ruby and that's the documentation here. So that's why you need to read all the documentation all the time. So that's Ruby. Um PHP has exactly the same issue but at least it's a little bit uh better in term of documentation is that you can see it pretty quickly. But same like in so in Ruby and in PHP your off tag if you provide one bite it's going to check one bite. So that's a good way to brute force things and to find like uh
unexpected behavior in applications. Now we did Ruby, we did PHP. Let's move to uh node. Um node had an issue about that in 2017 and it's closed now. So we're good, right? And the thing with node is that at the time it was only checking four bytes. So a bit better than one by still four bytes instead of 16. Not great. So that issue is closed. So as a software developer, as a software security engineer, you expect that to be fixed. No, that issue has been reopened last year saying like okay uh we still at four bytes and that's not great. We should check like at least 12 or make it making it hard to brute force the
values. So it exists in Ruby, PHP, node. So what can we do about that? So I took my like white hat on. I put it on like white hat Louie. That's how I like to call myself when I do like good deeds. And I looked at over Ruby code bases and see if I can find the same thing. And I found one named Reforge where uh I contacted them like two three weeks ago and we got it fixed then. And that's something that is amazingly easy to do with AI nowadays with like LLMs. I asked um Clo or Chad, I don't remember which one, but like give me that same code in other languages. And LLMs are amazing at doing
that. And I found the same issue in Erlang, Elixir because Lua and Lua they didn't get back to me but at least they updated the documentation. And then another thing I could have done that I didn't do is look at over encryption mode to see if I can find the same issue. But regardless um I worked on making the world a better place one codebase at a time. And that um issue really made me think about all those bugs that have been around for a long long time or have been around in some code bases and then they disappear and then come back. And I start looking at all these kind of bugs that like kind
of happen then we forget and then they come back. And there are like a lot of examples of that. Uh we had HTTP proxy that uh basically HTTP proxy is when you have uh CGI. So uh CGI is like a way to run application that people are not using for the past 10 years. But somehow that kind of bug reappeared and it was something that was pretty big in 2001 and then no one talked about it for like 10 years and then it came again in 2016 or 2015 and we have this cycle of like okay everyone is talking about it everyone is fixing it and then everyone forget about it and it comes back.
The same thing happened with zip sleep. Uh you have like CV around like dot dot slash in zips. So you have like a zip file at the top here management.zip zip where we just have a zip that contains a file that is named dot dot dot dot/c and if we unzip that file with a var vulnerable application that's going to override potentially uh it is pity so that was an issue in 2001 and no one talked about it until 2018 when like the sneak uh team like did like a a nice website which seems very dangerous and they rediscovered the issue and they're very public about like it's not a new thing but like they realized that it's
not a new thing but everyone forgot about it and now it's back and if you look at a lot of code bases written in Golang uh it's everywhere like everywhere in Golang um another bug that was kind of the same way around this is um uniode character in password reset so if I have uh an email address github.com with a nice I like g a nice I uh someone can use a reset password and instead of writing github.com they write github.com but they use a Turkish eye that doesn't have a dot and then when you do the string comparison with the database most of the time it's going to be string uh case insensitive so it's going to get the
email address my email address lgithub.com with a normal I like a classic and that can allow them to reset my password. So that was a thing in November 2018 in Django. Then uh no sorry in GitHub then someone reported the same issue in Django a month later and nowadays you can find people like rediscovering the same bug that's in uh node codebase named uh direus and again the same bug again. Um same thing with SAMOL where we had um signature wrapping in 2005. A lot of people were talking about it like Sol is terrible. Um and then uh no one talked about it for a long time and in two in 2012 a lot of people start rediscovering
the same bug and then no one talked about sel for a while and then in 2017 uh do some really good research around like injecting comments and then no one talked about it and 2002 this year uh it's pretty crazy like some security is back on and the research they're doing is a mix of uh signature wpping and the XML command from DO. So we have like this cycle of like okay everyone talks about it everyone forget and then it's rediscovered. Um and the most interesting thing I saw about that is um this is a podcast critical thinking and this guy here uh with a bill is uh Jim Kettle he does a lot of web research probably one of the
most well-known web security researcher at the moment and he was talking about the exact same phenomenon phenomenal like people are doing research everyone is talking about it at blackout conference it's crazy and then everyone forget and then the issue gets rediscovered again and I'm quoting him saying uh the best example of that uh this that I have is request smuggling so most of a lot of his research was around request smuggling and basically he took a white paper from 2004 and I think he did that in 2012 or 20 like something like like 10 years ago maybe and he copy paste a payload from that white paper from 2004 run it again against Akami and own the hell out
of Akami by just using all research. And that's what he's explaining in that podcast is like people forget about stuff and then they reimplement the same issue and if you like wait for long enough you can own a lot of people pretty easily because we have all this cycle of like oh my god it's vulnerable the world is on fire but then everyone forget and people forget. the security community forgets but also like all the developers forget. So because as a security community we don't talk about it anymore and then there's a rediscovery and we're back to the oh my god vulnerable. So that's why I think it's a really good reason to look at CVS
and to talk about those. So let's see how we do that. Um the best source of CVs nowadays um especially if you want to do that kind of fun work is a GitHub advisory database and they're publishing every day of the week. Um new CDs and the good thing about that is that you can pick your language. Uh you can pick your uh severity. Oh, I only want cool box. I want critical and high. You can also pick the CWE. So the root cause of the issue I only want to look at uh critical directory traversal in golang. You can filter by that and look at that and look at the source code. And I just picked one randomly. That was a
authorization issue in uh go zero. Once you've done that uh what you used to have to do is get clone the repository. Um, then look at all the tags to find the version you're looking for because you need to find the vulnerable and the fixed version. And then you do a bit of g dig between the vulnerable and the fixed version. You keep going until you find something. And if you're lucky, you're going to find the bug and it's not going to be like 20,000 lines of code to review. It's just going to be like few lines. Uh, so that was what I used to do. It was a lot of fun. And nowadays uh GitHub
ask people who uh report vulnerabilities and people who fix vulnerabilities to link to the commit of the fix. And that's what we can see here in the second line. And this is amazing. As a security person, you have exactly what was changed. You don't need to search for hours. You don't need to spend like hours in the source code. You just like click that button, click it, and you got the result. quite success. Um, and so that's that's exactly like that's just picking one of the advisory in the list, finding that there is this button with a commit and clicking on that button and you see that and um and that's yeah just like okay people fixing
a bug. So we can see what the old version of the code looks like and we can see what's the new version of the code look like. Very very easy. So what they were doing is they wanted to allow an origin. So uh trust like a domain or a host name and all subdomains and that's what they wanted to do and that's what they meant to do. What they actually did is they allowed uh host name ending with the origin because they didn't have the dot before the allow. So basically if you want to protect pentestella if you were allowing pentestella.com you were also allowing hacked by pentestella.com or whatever the hell you want pentasella.com.
Once you've done that, a really good advice is to document uh what you found because this way you can quickly look at it in the future. Uh because like memory is something that goes away pretty quickly nowadays, at least for me. And so you can document that and keep the version of the code before and after. And this way you have references if people ask you about like, oh, what's the common issue with uh Golang? And you can come back to that. And that's something I do um I would say on a daily basis at the moment. And because you learn so much, you learn so so much. You learn about traps, things that are misleading, things that
developer will not understand properly. And you can see as well since you have a lot of uh CDs, you can really see like, okay, what are the common mistakes they're going to make? For example, in uh Golang, if you love Golang, there's a function named path. Clean, which developer think will prevent directory traversal. It does not prevent directory traversal. It clean uh as in it uh normalize the path. So if the path start with a slash, it's going to remove the dot dot slash. But if the path start with dot slash, it's not going to remove it. And you can also find patterns. If you look at a lot of CDs, you're going to identify patterns of like okay people
tend to get that wrong all the time. And the last one is your like spidey sense is like the more you look at bads, the more like your spiky sense will be tingling when you look at bad source code. Um so let's look at an example of trap. Uh we're going to talk about the best programming language in the world, Ruby. Um yeah, okay, we all agree. So in Ruby, you have 5.C Debian version and you do read and that's going to read the content of etc debian version. You also have a shortcut name open and we do open/c version read and we get exactly the same result. The thing is that that shortcut is not
file.open, it's kernel.open. And if you do open and something that is user controlled, so fully user controlled, you can get the content of any file on the file system. Woohoo. Which is obvious. It's used to open files, right? Um, now if you are old school and you remember your Pearl days, Pearl added something really cool around opening files and Ruby has the same thing. If the file name starts with a pipe, Ruby and Pearl are going to execute that as a command, not with file.open, but with open, it's they're going to do that. It's going to do that. So you go from like reading arbitrary files to code execution which is a pretty good win if you're attacking applications. Uh
so that's the kind of traps you can come across. Another thing is patterns. You're going to see the same people doing the same mistake again and again and again. And that's probably one of my favorite pattern is here we are uh Java developers loving life. um we do like okay we want to prevent people from uploading malicious files we want to prevent them I don't know if you can see my mouse we want to prevent them from uh uploading GSP or GSPF files because otherwise they may get code execution so we prevent that by making sure that the the file name doesn't end with JSP or SPF that's what we do here and we throw
an exception dangerous extension so that's all filtering So maybe good enough, may not be good enough. We don't care. We're not going to talk about that. But after that filtering, what we do is we modify the file name. And that's a common pattern you can see if you look at a fair bit of source code is this filter and modify. And when you look at that, your ID should be like, okay, can we bring back the what was filtered using the modification? So here the modification is removing all those bad characters hash um uh double quote semicolon square bracket whatever we want to remove all of those what we can do is what we can leverage
that modification to reintroduce something that was filtered for example if we submit hack jsp with a hash that's going to bypass the filter because it doesn't end with jsp but then we go to the modification and the ash at the end will be removed and we go back to actor jsp. So that's a kind of neat trick you can learn. You can also find trends and that's really like that's one hour of writing Ruby or five minutes of chat GPD um is you go through all the CBS that uh in one language and like okay give me extract from the JSON file the CWE so what's the root cause and you can see over time what is happening and you can
see okay if I have a Golang uh codebase what are the bugs that are the most likely. So probably XSS path traversal and denial of service. So if you're like a code reviewer or if you're like a pentester, you can say like, okay, I'm going to review a lot of Golang. What should I spend my time on? What is the most likely to like what's the most likely vulnerab vulnerability? If you're like you have you're part of the blue team, you can also write work around like strategy to make a go cutbase more secure because you can say like okay every time we have a go cutbase, there's a directory traversal because it's very common. What can we do
about that? And same thing if you want to scale security um you can also look at all the critical and the high because you can filter by severity and say like okay what are the most common severity in go and so this way you know like okay we don't care about all the vulnerabilities we want only to cover the the big one like the big impacts and here we have one uh new issue common ex injection that uh start appearing in 2025 in golang any idea why MCP MCP server love to run commands. So we can see that in 2025 all of a sudden we have command injection coming to all list of vulnerability for no apparent
reason until you think about uh MCPS. Um and you can also compare different code different languages. What is the issue? What is the most likely issue in Golang? What is the most is likely issue in uh Python. uh you need to be aware that there usually like a bit of a timeline between the uh time when people found the bug and the time you have access to the vulnerability. So you're like a bit behind and in the same way we have the serialization coming to Python in 2025 for no apparent reason. LLM love serialization of things. So you can see those trends that are really interesting. Since you are all convinced now that looking at CV is amazing. We're going to
look at CVS. So this one is in a codebase name Juju um from Canonical. Canonical is like Ubuntu simplify it. And um we're going to start with a bit of an introduction. Those are three ways to compute a SH sum. So a hash of a string hack the planet in Golang. And we're going to play uh spot the imposter. So we have method number one here where we get the data, we copy it and then we get the ash sum and then we print it. We have method number two where we do something that is a bit shorter, looks a lot nicer and we have method number three. So who thinks the imposter is number one?
Who thinks the imposter is number two? Who thinks the imposter is number three? Ah nice. who doesn't care. Thank you. Thanks for your honesty. So basically um it's number three. So if we run that code, the first two will return the hash of hack the planet which is really great. The num the third one not so much. And because um function sum and so if you go back to the code those three snippet look a lot similar but when you run sum and you pass uh an array of bite to the sign function it's going to add that to the hash before like it's going to prepend that to the hash. So the last one the last hash is a bit longer
because we have hack the planet in clear text followed by an empty hash ash of an empty string. And you may think that's never gonna happen in real life, right? That's exactly why I'm here. So that's a CV from 2025. So very recent again 2025 6224 where um this codebase guju they are creating certificates with uh public private key and they like generating that using golang and as part of that they call this uh ED2551 line with generate key and that's giving us u uh public key that they ignoring here with underscore then a private key that they name key and then an error they check the error blah blah blah And then they create uh a template to
finally create a certificate. To create the template, we call method number three, the one that leaks uh the content of the of what we are trying to hash. And so basically this venerity is nothing short of amazing is this code is generating certificate with the private key in clear text as part of the subject key ID of the certificate. Yeah, like the thing you come across it's magical, right? And it gets better. It gets better. Wait, wait, wait. Um hopefully I'm not running out of time. And um this variety was introduced in 2024 in uh June by someone from Queensland. Classic Queenslander. No, no, no. I'm no actually I like to joke about it, but um this person got
very very unlucky. Like it's not normal that by using a function like code that looks all right, they end up with something so bad. But yeah, and what they did at the time is they wanted to move from ED25519 to from RSA to ED25519. And they changed the code a little bit. Um, and they said like, okay, the generate key for E D25519 has a third argument, so we're going to ignore it, but that's a public key. And when we generate the hash, instead of using key, which is public for RSI, we use just key, but key is a private key. Um, so very unlucky. On top of that, uh, the subject key ID, so the field they
used to put the private key, you don't need to do that anymore. That code is not needed since, uh, Golang 1.5, which was, uh, which was released in 20 2020. So they wrote code for something and they introduced like a terrible bug, not their fault because they got very unlucky, but for code something they didn't have to do. And I think there's a good lesson to learn here. So first uh error proofing. It shouldn't be that easy to get things wrong. Uh then when you do code review check ignore return values here they're ignoring the public key. So maybe they should have not ignore the public key and use it. uh the name of the variable
matters. Like if you uh name something key and it's a public private key, it may bring surprises in the future. So be aware of that. And um every time you change something, is this code still needed? That's probably something we don't do um as software developers and as security person is that we have code, we change it, but maybe it's not needed anymore. and removing code is a lot more important than updating code. The less code, the less program. Um, another bug I really like and that's the first vulnerability I publicly wrote about in 2018. Um, it's a flow in WordPress. WordPress is a blogging system and they allow people to login using that uh function
WP validate cookie and that's a lot of PHP. they get the cookie then uh they split it in three parts based on a pile characters then they get uh the username uh an expiry time and a signature and basically if you don't have the like GCM if you don't have the right signature you can't go through they check the expiry that it's not expired they check a lot of things then they check um they compute like a hash on their side and then they compare the hash they have on their side with the hash from the client and if they are the same you're locked If they are not the same, you're a bad hacker. You don't get
logged in. And uh Facebook is nothing short of amazing. So that's what a lookie a cookie will look like. If you are admin, you got admin, pipe, expiry, pipe, and your signature. And we're going to split that in three parts. And then we compute the HMAC with a secret. And we compute the secret of admin and the expiry. And all is good. Everything is working well. Now another user comes in. This user is logged in as admin one and we got a cookie where it's admin one the expiry and the signature. We can't forge the signature because we don't have the secret but what we have is that the code we split in three parts
admin one the expiry and the signature. And we compute the hash or the hmach of admin one and the expiry. And that's where it gets really cool is that if I'm logged in as admin one with that expiry and that signature, I can be a bit naughty and move the one from admin one to the expiry and then um the code is going to split in three parts. compute the hash of admin that new expiry and uh using the secret and then that's the hmark of admin one with that uh long expiry. So the one we had initially is exactly the same as the one of admin with that longer expiry because we have a collision between two value and that's
yeah at the time that blew my mind and now they fixed that they just added a pie because uh what the problem was that there was no uh separator between the username and the expiry and um lesson learned and I think it's important to do that every time you look at the CV is like okay always always include like an expire array when you sign something because you don't want to sign something that is valid forever. Always use a separator between value when signing and also as an attacker uh people tend to think that if something is signed is temperroof because they don't know how to break the crypto. Um you can break crypto without knowing
anything about crypto. Trust me. And yeah, another one uh PlayStation injection that was found in uh 2013 uh officially by the National Australia Bank NAB and officially by me and basically they have a session management that looks a lot like Rubian Res where they are again signed session and I'm 500% sure I wouldn't have found this bug if I didn't study the one who we just saw in WordPress and basically what they do is um so for the story I was like reviewing like five different implementation of session in Java as you do and um it's really good like if you're not good at something don't look at one codebase look at five code bases and compare them play spot
the difference so much easier and that's a code that is used to pass the session so basically um you give uh no that's a code that is used to generate the session so you have the session in memory and you want to create a cookie. So what they do is they basically concatenate a null bite key a column value null bite and they keep doing that for every key value in the uh that's a hashmap and basically if you're a code reviewer you think you look at that and okay they are reinventing a serializer if you want to do that you use JSON you use YAML even if like even use XML what's better than that
uh don't record my oh that's recording anyway And what is happening is that we have key value key1 value one key2 value one and we end up with key null bite key one value one null bite null bite key2 value two and uh if it's lou and louisa.com we end up with something that is very similar now we look at the other way around when we go from that cookie that big string with all the null by that is very ugly and we go from that to a session in memory we have this weird uh regular expression and then we loop through all the elements that uh we get when we match with that weird regular expression.
Sorry, I'm pretty low on time. So um and what is interesting is that um if we look at what is happening, we get again this way the other way around. So it's a cookie with null bite key one value one null bite null bite key2 value two null bite that's going to go that's going to be splitted by the regular expression and then we end up with session output key1 value one and sessionput key2 value two everything is fine um and now I keep digging looking and I look at the put function and that put function that is going to be used to add your um value based on the key um what they do and that's what gave
away the bug at the time for me is that they check that the key doesn't contain a colon because probably something broke or something like that and they had to prevent uh that colon from happening as part of the key. So they add a filter for that. Uh but they don't have any filter on the uh value. So as an attacker you can potentially inject a null bite or a colon and as an attacker you probably have control over the value not the key. So again uh we are like nice person. We're going to login as Louie because Louis is a nice person. It's going to you have to trust me on that. Uh it's
going to end up with session.put username Louie. Okay we're good. And we have a cookie with null bite username col null bite. Then we not so nice, we're a bit naughty. We set our username to Louis n byite null bite username col admin. That's going to do session.put username and that weird username. I don't know what's going to happen. And then we get a cookie with that uh weird username and that hole that is happening right now with just this weird user with this weird username. But then we reload the page and the application the framework needs to pass a session and that's where the magic happens. It's going to split based on the null bite
and the semicolon as a column. It's going to be username not bite and it's going to do session.put username Louie. And then we got it's going to do one more time because we have more in the session and it's going to do username admin and session.put username admin and it's going to override the previous version the previous value and we're going to be logged in as admin even if we didn't have admin privileges or anything. And the really interesting thing is that that looks a lot that like the previous bug we saw like around like okay we need to have a separator. what is happening if we don't have a separator or we have a separator. What if is happening um if
we can inject a separator? So, and if you keep doing that over time, you're going to build that knowledge and you're going to know exactly what to look for. You may say, "But those are lucky." So, I looked at the bug. Admittedly, yesterday was a pretty good day for CV, like a really good day. Um, so I looked at the a few like CVS yesterday as I usually do and I came across like a few bugs that were interesting. So one of them was an application uh a shopping application where when you purchase something they log you in and their goal was to make it easier for the customer you buy something and you logged in with the
email that is used in the receipt you ask for. Right? What end up happening is that when they log you in, they either create a new account or look up the account in the database. So as an attacker, I buy something for five bucks. I put the email address of an admin of the application or anyone else and I'm logged in into the account. Yeah, that's pretty good fun. Um, this one is absolutely amazing. Maybe a bit small. That's in PHP and basically um and that's from yes no yesterday Friday they have a list of private value you can't use those value too dangerous don't use them and to make sure that uh you don't do that they look up the value
you provide and they look up that uh into that list of bad values bad and if it's in the list they throw an exception and that's the change they introduced to fix that issue So the vulnerable code is array search and the fixed code is in array. So what and it's always important to ask yourself like what did the developer meant and what actually happened and so what they meant is like okay if it's if the item is in the deny list we throw an exception what um but what happens is that array search return false if the item is not in the list otherwise it returns the index of the item. Uh, in PHP, array indexes start at zero.
And people are saying where it's going. Um, it's good. Hey, so PHP treat zero as false. So the first item in the list is not blocked because it's if zero, throw an exception. So it's not blocked. I find like I may be a nerd, but that's beautiful for me. Like that's amazing. Um, yeah. And so that's why Ruby is the best language in the world because Ruby object uh zero in Ruby is an object and zero is true in Ruby because we thought about that. Take that Python and PHP. Um you also find some good fun. So that was not Friday but this week. Uh so that's code written by an LLM in 2024 and someone
reported a bug and that's like the yolo of writing source code like basically when you want to pass JSON people usually use a library like JSON.load load or whatever and could have security issues but like and this code that I think written by an LLM just do eval so basically that's yeah eval at source code and if it's JSON it's going to work it's going to create a hash table like properly in Python but yeah that's very very dangerous so you can find like good stuff like that you can also find incomplete fixes from time to time you're going to be lucky and you can even create good memes sorry If you were like born in the '9s, that's
an amazing joke. If you're born in the 20 something, it's going to be not as fun. But yeah, no one knows who we exhibit it is anymore. Um anyway, so you can find like incomplete fixes like I usually find like a handful per year. Uh so that's one where they actually decided to not fix it. um they had an issue where people could bypass their directory traversal uh prevention using encoding and replacing dot dot with person 2 person two. So this way you bypass the check on dot dot because you encoded the value. So what they decided is to decode the value once. So they actually block dot dot person three person two because now
it gets decoded at dot dot but they are overwriting the same value. So what you just need to do is instead of sending person 2, person 2, you send person 25 to E, person 25 to E, which is just dot dot and code it twice and verix decodes it once and then the rest of the application decod it once as well. Uh found another one this year where uh they add like uh basically as an attacker you can add uh you can purchase it's like a shopping application and you can you get a token that you can use when you purchase something and you can reuse that token again and again and again and again and again. So they fixed
it by adding like adding like uh uh first they look up for the uh token and then they update the token. So what they actually did is they didn't fix the bug. They just make it it harder or the windows of opportunity to exploit it to exploit the race condition is a lot smaller but it's still there. Um so I got them to patch it. I don't think they get issue a CV for that one but yeah so that's what the code to fix it looks like if you're very curious. Uh so they use one single query. So that's a lot of bad bad source code. Um, CV, looking at CV is really good because you're going to learn a lot, but
don't just look at bad code. Um, and uh, I know a lot of people who try to get into code review and they're like really unhappy when they look at source code for like a week, two weeks, two months, and they're like, I didn't find anything. I'm wasting my time. What am I doing with my life? And a few of them are in the room apparently, dog. So, um, and, um, I think it's really important to look at good code and be aware that when you're doing that, even if you don't find bugs, you're not wasting your time. Look at it as, um, building a baseline, um, accelerating future review. The more you look at good and bad code, the better
you're going to be long term. And you're going to get really good at spotting not necessarily vulnerabilities, but things that are unusual because you looked at a lot of good source code. And what I did recently probably last year is um instead of trying to find JWT algorithm confusion attacks vulnerabilities I decided to let's look at how people prevent that issue which is basically exactly the same question but just a bit like swapped around and fancy way to treat my brain like if you look at for vulnerabilities in J libraries it's likely that you're not going to find a lot of them but if you goal is to say like let's see how people prevent those
attacks. You're learning a lot and you may find some bugs and I think I found two. Yeah, I found two uh one in Scala and one in C. It was a pretty good but the thing is that you're getting a lot better as a code reviewer and you're getting a lot better at as well quickly being able to triage those code as in we need to look into that. That's no way it's vnerable or that's totally vulnerable. So you get better over time if you keep doing that as well. So don't only look at bad code, look at good code. And if you do that, don't think of it as I didn't find a bug. I wasted my time. Everything you
like time spending spent looking at source code is never wasted as a security person. really really um in the same way um a lot of people for like uh people who try to break into like security uh or get into offensive security people recommend like oh get a CV get a CV uh it's really cool get a CV and it's good to have a CV I totally agree like if you're new and you want to break into offensive security getting a CV is really good but um it shows like to an employer that you can find vulnerabilities uh you can understand how they occur um you can explain the vulnerability key. Maybe you even look
at the source code. Uh maybe you can talk about how we fixed it. Uh maybe you can add the CV to your name on LinkedIn. I'm not judging. I am totally judging. It's uh the problem is that it's hard. It's hard to find new bugs. Or what you're going to do is you're going to lie to yourself. You're going to look at shitty codebase and find easy bugs because your goal is to not find cool bugs or learn. Your goal is to just find a CV. So let's pick the weakest codebase you can find on the internet and find a CV in it. That's not how you learn and it can be very boring and it's
timeconuming and the real problem is that that's a game of luck and you may get super lucky. Good on you but you may get super unlucky and you feel like you're wasting your time. What I recommend nowadays to people is instead of looking for a CV, analyze CVs. Look at those and you're going to learn a lot of things. do writeups and that shows to an employer that you can understand how vulnerabilities occur, how they get fixed. Uh you can talk about the fixes, you can talk about a lot of things and it's a lot easier, a lot less stressful. It doesn't rely on luck at all because the bugs are already there. It just relies
on the time and the energy you're going to spend understanding the issue and you and you're going to learn a lot and you're going to get a lot better at spotting uh issues in the future. So try if you're looking for job in offensive security, try to do that. Uh it's probably a little a lot easier and a lot more deterministic than just looking for a CVE. Conclusion, I told you we can do it. Um so we look at CVS, hackers, they look for impact, exploit vulnerable versions. Web developers, they look for impact vulnerable versions. Do we have to patch that? That's basically the idea. It's a business. The business. Um I'm not mocking people. It's a business, but I
find I find weird that we call something the business. It's like the name is weird. Um it can impact and how much it's going to cost to fix the issue. Um but not a lot of people are looking at the source code. Uh if you're lucky, one researcher look at the source code because they did a code review instead of just like blackbox test. So that's one person. The maintener looked at the issue. Maybe it's not a security. He doesn't have a security background or she doesn't have a security background. So, we don't know. But they didn't really maybe not fully understand what is happening. And like a few nerds are looking at the diff.
That's about it. And we we're losing so much important knowledge because of that. Um and the same thing is like looking for the exploit versus looking at the exploit. very important like try to like try to keep learning learning learning learning learning to get better. I can summarize that in one uh slide. Read code receive bug. Uh the more code you're going to be reading the better you're going to be. And every vulnerability is a lesson. Um like time wise. Yeah. Good. I'm good. Oh, good. Like I was making fun of the person from Queensland. Uh but like we shouldn't look at vulnerability like something that is shameful. We should look at that as lessons. Uh I got a friend who is
really good at social engineering and he did like a social engineering gig one time and like one of the manager was like a this person got done we should fire them. He was like, "No, this person is the most valuable person in your team now." Because they know exactly how they got compromised, what mistake they made. And it's the same for him for vulnerabilities. When people create vulnerabilities, there's this sense of shame. They're bad developers. They don't know what they're doing. Sometime it's true, but no, but like it should be like, okay, let's learn from that mistake. Let's not blame people. Let's not put shame on that. Let's say like, okay, is there something we can learn? Is there something we can
do better? Is there like um why this function is named path.clean where when it's not preventing directory reversal? That's weird. Why there is a function in g that does like uh sh and like copy the value? That's something that people will get wrong. What can we learn from that? And what how can we make apps sec a lot easier for everyone. Um so celebrate finding and fixing bugs and look at a lot of CV because it's a lot of fun. It's not that nerdy I promise. Thanks for your time and if you have any question please don't hesitate
[Applause] any question otherwise I'm going to be around uh yeah no so you everyone is going to look at CVS I'm taking it but the vibe No, but really like it's I think it's really something like we got all that knowledge that now is really well and easy to access well exposed by GitHub and really easy to access and just like instead of going on Tik Tok Tik Tok once a week once a day or once a week just pick one of those CVs and just like just do that once a week once a month and I promise over time you're not going to eat gold all the time but you're going to learn over time at least more than on
Tik Tok. I can promise that. I swear. >> Otherwise, thanks for having me and yeah, I'm going to be around. >> Thank you so much. >> No worries.
[Applause] >> Thank you. Thanks.
[Music] Couple of minutes just before we kick off the next speaker. Set things up. Hey, come up. Yeah, it's me. >> Oh, yeah.
So, same audience. >> Yeah. >> Try not to think about the 12 like live stream viewers we've got right now. >> Oh, no. >> Crazy. I don't know what the number is.
Yeah.
>> Uh, one of, yeah, one of the ways I was trying to learn for myself to learn was like try and make content for YouTube and this is a slide that I use for there and I realized it is very hard and I don't have time for that. It's a lot of effort. >> It is. So I feel these podcasts that I started
There was a lot of people asking, sorry, there were a lot of people asking if we had some spare shirts and bits. So, as usual, there's a few people that kind of gifted their tickets when fussed about the swag. So if you wanted to buy additional t-shirts and that from this year's con and they do seem pretty popular. There will be some left that you can grab in the morning break. So just a bit of a heads up on that. I think we're out of component packs now for the badges. So if you want to play with those just have a chat to Tim in the corner area. Uh so for now I think we are all good and mostly on track. So
on that basis I will hand over to Aaron now who's going to talk about helping styles in cyber security. So Aaron take us away. Thank you very much. Well, good morning. Great to see you all for day two. Uh for those I haven't had the pleasure of meeting or haven't read the speakers notes because they're just here for the CTF for the swag. My name is Aaron. A little bit about myself, I'm part of the application security team at Korea where we build cyber safety software for children. Uh before that, I was a software engineer before making my way into apps uh mainly web apps and all the fun stuff like that. uh before making the internal switch to security
within Korea. Uh and now I am currently studying chapency uh which is a great thing to do when alongside full-time work as I'm always got all the time. Uh but this is where the idea for this talk came from so I'll touch that in a second. Uh and finally this is my first time speaking at conference so any feedback after the talk after the conference would be great. Thanks. Thank you. So uh as mentioned I recently started studying chapency uh because it is kind of relevant to a lot of the volunteer work that I do and I admit it's been a major shift from sort of technical knowledge to how to care for people. Within the course content, I've been
introduced to a concept called helping or the helping styles inventory which was created by Peter Vancwick. Um 1988 it was created and refined in 1995 and it's basically for carers how to provide or framework how to provide care to people that are in front of us. So it's a model to help carers such as chaplain or counselors or whoever uh helps workers uh to care for them. Um, it kind of describes different ways that we are able to try and support someone. And everyone has a default style that they may use or may have, but understanding how you can switch your style a little bit allows us to help serve people well. And now I want to see
how we can apply this to cyber security. At the core of the model is the idea of self and relationship. In pastoral care and counseling, we are the resource. And I think this actually really maps well to cyber security as well. Us as cyber security engineers are subject matter experts. We are the resource that we can provide to others. So to understand how we can apply this to security uh let's construct the model step by step. On the horizontal axis we have what is called the focus of attention. Our attention can fluctuate between being focused on a person and then or person experiences or being focused on a task. In counseling uh chapency would cause
this task like a problem such as anxiety, depression. On the vertical axis we have the use of power which on one end is being directive so instructing and telling and the other end we can be facilitative emphasizing the person affirming them and allowing them to draw on their support networks and experiences. Now each of the quadrants have a defined helping style which we'll dive into in a sec and each style has certain elements or actions associated with it. So in the middle here these are kind of the actions that you're taking from here. Let's dive into each style. Starting from the top right and going clockwise, we have the guide. This is the person. This is someone being person
oriented but also direct. They are the ones informing, coaching, directing others. A few examples will just be Dumbledore and or Alfred Alfred Pennyworth. Uh both directed people that they care for. In this case, Harry Potter and Bruce Wayne. If you didn't know, be surprised if you didn't, but they rather guide people. For example, Alfred reminding Bruce of his humanity and his duty. The celebrant is someone who's all about connecting with and supporting and empowering people. Phoebe friend Phoebe from friends is an example of this. But I think the best this is best sed by by first the first talk jud this is best summed up by Mr. Rogers. He connects with and affirms every person. And just
as an aside because I really love this example. uh when African-Americans were not allowed to swim with white people, Mr. Rogers invited France Clemens, aka Officer Clemens, you can see down the bottom there, uh a black man to cool his feet with him, tackling racial inequality by connecting with and affirming Clemen's value, as well as empowering him by assisting with his musical career. But I digress. Moving on, we have a consultant who is focused on the problem, but helps others by attempting to empower them to make a difference. uh they talk things out. They help explore and collaborate with others. Lucius Fox from Batman is a good example. He's task oriented, so he's focused on the problem while providing
Batman with the abilities to solve the problem. Another out there example is Dr. House. His differential diagnosis in front of the whiteboard sessions where he explores diseases with his team uh and kind of finds the solution to the problem aka the diagnosis is a consultant style. Although I don't want to hear from anyone complaining that HR got annoyed at them because you just you just belittled your teammates while trying to do this. Don't copy house. Be nice. And finally, the manager. They focus on the task and are often instructing over facilitating. So they suggest, advise, and at the extreme end instruct others what to do. You got Nick Fur at the top there telling people what to do in order
to complete the task at hand. Or a real world example would be Gordon Ramsay. He uses highly directive albeit colorful language to get the task of managing a kitchen and serving dishes accomplished. So that's a high level overview of the model. Now that we've defined it, we can start applying it to our relationships within the workplace and cyber security. However, this is where the usage between carers and engineering start to split. In pastoral care and counseling, in one conversation, we may flick between different styles. An example of this just to give you an insight is an example we were given by um our lecturers of a counselor uh making eight statements back to a client uh scored
all of his statements like this. I think that's outside of scope for this today. Um but I do want to talk about how we can use this as engineering managers uh working in the workplace. So focusing on us as engineers, understanding that we are the resource that can be used to help others allows us to become force multipliers. If I'm the only one that knows about SQL injection, and please forgive the bad example. Uh if I spend my time reviewing code and adding prioritized queries, I would spend most of my time at work doing this. However, choosing instead to share my knowledge means that vulnerabilities are not written in the first place or that others can fix them when they find
them. A much better use of my time. I've managed to take my resource and multiply the effect. Now I just want to stop here to clearly articulate why this is important. If you are in a small team like I am that has a lot of stakeholders, you have developers to train and coach. Uh you have managers that you need to help understand the risk and the effects of uh exploits and vulnerabilities. You have to understand how to engage with these stakeholders effectively. As a security team, our goal is to manage risk. It is less of a burden on yourself when you bring others along with you. So when when we remember Van Catwick's model as we create programs and engage
with stakeholders, we can take a step back and choose how we want to help. I think a few examples will help with this. So I am responsible with a couple responsible for a couple hundred developers myself. Unfortunately, our team is quite small. So it's not reasonable for me to be very hands-on when it comes to patching or fixing. I find a lot of my time comes from to providing information such as secure code guidelines or patterns for security uh for developers to follow. So the style that I would just be stepping into here would be the guide. I am informing, I am coaching, I am directing. I also meet with managers and developers to help them with security related
projects. This is a very conversational approach and any issues that arise we explore and collaborate. This is a consultant style. This can include in include things like threat modeling or working through designs with team to make sure they're uh shifting left and writing secure code in the first place. But we need to remember that particular helping styles may come more naturally uh to people. You may find that stars that may come easier. The above two are what naturally or what comes naturally for me. The next two I have to make a conscious effort to step into. The cbrant would be most likely to get involved with developers and championing them on. I think it's due to the fact
that I am a limited resource and I struggle to find a ton to be involved. I have 200 developers to look after. Um I struggle to take on this style. But a consultant comp sorry but a consultant compare Yay. But if a consultant cares about empowering people and being person oriented, they would more likely ask open questions to help developers get to places themselves. Think questions like well what should we consider as a mitigating control here? Why is this secure? empowering developers to discover things themselves and facilitating their growth. This can allow people to feel more accomplished as they are empowered to uplift to security control of their code. And finally, the manager. They may start
with suggestions, but I think this can easily progress into advising and instructing. This can be mandating security controls, setting standards, or rejecting designs based on security. or when we have something that requires security to take control such as you know the scary words like incident and breach then a manager has to be put on pretty hard and security is instructing because you got stuff to do and you got to get it done now time is critical. So this model also applies and I think it applies a lot better um to a manager and an engineer relationship. So thinking managers how you interact with your team of engineers. You can utilize the different styles and relationship with your subordinates. Now
remembering that we have a default style of helping that may not be the best for each engineer. If you have a bunch of engineers who just like to get stuff done, just give them a jury ticket and they'll go away and come back with a solution. Manager style, great. But if you have a junior that is kind of just starting their career, um you may need to flip between say the guide and the cbrant to help them learn to encourage them and be very oriented on their growth. So coming to the end of the talk, I feel like I've rushed through it. Uh understanding how we can employ different styles of relationship, styles of help in our workplaces allows us to
work more effectively with others. Now this is not a model. Sorry. Now this is not the only model that you would use. However, I like applying this model because it comes from the basis of relationship. When we are the resource and that resource is limited, it is a relationship that is most powerful. It means that our effect stops being from what we do to what we help others do, which is often more than what we can do ourselves. And when we're a team, we're security, we are focused on reducing risk. If we can empower others to help reduce that risk is a win for us as well. So, this is just a tool I have in my
belt, so to speak. uh remembering it can allow you to help others in the best way possible. Uh now that you may know this model um you might be able to use it or you may choose to use it. I hope that you're able to utilize it uh in your roles no matter what they can be. But knowing this model can be used anywhere is great whether to be caring in a caring role like potentially myself in the future a management role an engineering role or even outside of the workplace. Like think of you got kids stepping a different style might really be beneficial to them. So, I absolutely feel like I've blasted through that, but that's all I have for
today. Thank you.
>> Finished so quickly. He hasn't realized >> questions anyone though. It's not the most technical talk, but I enjoy the content. >> Go. Where did you get inspired for the the model at all? Like because often people don't come to these things when they're in ancient role. They've had to come from an entirely different. >> Yeah. So it's because I've started studying chapency. So caring for people. Um so Van Peter Van Catwick was a therapist. Um so that's where he's kind of developed this from and understanding how I walk into a situation to care for people to help them um in whatever you know distress or problem they're in. It's seeing yeah from that content
seeing yourself you have a default style that might not be the best and if you really want to care for someone well understanding you might have to switch styles is really important >> I think did I see another hand um I'm sorry I don't know your names go out the front first >> what's been the most interesting style that you've come across
>> yeah that's a great question Um I think the most interesting style and the one that I personally love is the celebrant. Um and I don't get to do it much as mentioned in the workplace just because of the time but in my volunteer work really caring and empowering people because if you empower someone they take that positive effect and can uplift themselves versus if you say manager just saying get this done get this done get this done you kind of make someone just feel like a a yes monkey just get stuff done. Um, but I come to the massive conclusion that people matter more. You empower someone, they do better work and they reduce the risk
better than just, you know, making sneak work. So, I saw a question up the back there. >> Yum training or trying to get those ideas through to your team? >> Um, I haven't yet in the workplace. This is uh this is speech or presentation I've come up for today. I have thought about, you know, how would I disseminate this further? So, um, once I figure out how to add this to my blog, it's the slide deck. I'll be up in there. But I haven't really thought about doing Inerson training for anything like that yet. >> Oh, I think Cole was first. >> Sorry. If someone's incredibly unsophisticated in any of the four categories, what would you get to work
on? >> Yeah, that's a that's a good question. Um I think the work has to be just the realization about your default style first like you you find a lot of like say counseling and therapy. It's bringing the unconscious into the conscious. So being aware of your unconscious tendencies like you might not be aware that you take a manager role so you just barkers or barkers is the wrong term but you very instructive. It's like you need to do this, you need to do this, you need to do this. Um, but becoming aware and becoming aware that the other styles exist, so all four of them allows you to say, "Okay, maybe this style isn't working. How can I best
empower the team?" And it's actually changing yourself instead of saying, "Joe's useless. He's not learning because he won't listen to me versus, okay, Joe's not listening or he's not learning. What am I doing wrong? Is there something I can be better at?" So it's takes the onus off of I guess the best thing is to take the ownus off the person that's in front of you and ask how can I be better which is I think a very uncomfortable thing of you have to admit your own flaws there which not many people like doing I don't I think your hand up there >> yeah um I think when you are learning a new way of moving
you need to be able to recognize the context to be able to then switch. >> Yeah. >> Um what are some of the signifiers for you that you might need to use a different approach different situations? >> Uh I think the first thing is try and understand the situation before you enter into it. Um yeah it is taking a step back like what's the goal here? Yeah. >> Um the example I gave of like me being the guide for developers is as much as I'd love to come alongside and celebrate them and encourage them and be very relational. Um I can't like I have developers in all the time zones which means my sleep and schedule is
just non-existent. Uh but then it is when you're in the middle of a situation and you might be asking you know why isn't this working? Why aren't they responding the way you expect? taking that step back and um some people actually remain like don't really do this in a work from home environment but taking physical step back and like okay what's going on here how can I be better what do these people need because at the end of the day we are the resource in relationship with the people that we're trying to empower it's not about so much about us it's about them so empowering them to think about security and managing risk again is makes us a force multiplier over just
I'm in a terminal I just get stuff Yep.
>> Uh I think the stars that come from each other are kind of ones on the same axis. So to me I like to be very person orientated. So I kind of want to fit in the celebrant. mainly my volunteer work and then the guide as well knowing that um I have to give the resources out or empower others um so I think yeah it's understanding the accesses here so focus attention person task so so consultant and manager task orientated I think that would work very well depending on the context but you kind of if I go back a little bit uh this thing you kind of the way you interact kind of fits in one place and
then you might shift a little bit and say, "Okay, they maybe need a bit more direct action saying you need to be doing this versus, okay, the direct approach isn't working. How do I empower them to lift them up?" Um, yeah. Does that answer your question? >> Cool. Thank you. >> Yes.
>> HR financing. technical people which will be more. So how does it work when you're working with executives working the leadership have a different role then you switching how >> yeah good question are you asking a question like how do you lead up the chain? Yeah, because you use different method you you like when you're talking to the people you're managing. >> Yeah. >> Like focusing on the person. When you're talking to the leadership, you focus on the task. >> Yeah. >> Because talking too much like about the might. So you you basically like focus on different audience or you try to keep yourself >> uh I think I would switch styles based on the context of what I'm trying to do
and then after that map a certain style to a person. So you're talking about um how we manage and uh expose vulnerabilities up the chain and work with executives to reduce risk. Um I think most executives I've encountered, they're very task oriented. They have metrics to fill. They have shareholders to report to. They have the board that they need to respond to as well. So being very um like manager suggesting and advising saying, "Hey, we got this vulnerability. It's going to cost x hours to complete. I advise we fix this because the cost is going to be this." So you're being very direct and you're solving the problem. Um I think the other way also as a consultant is again
conversely exploring. So maybe they're not so direct but you can explore okay we have this vulnerability what happens if this happens to the company like if we have mass PI leak what's going to happen share price tanks we lose a bunch of customers so you're taking on that exploratory and you are kind of facilitating their understanding of the risk and the issue there. No more questions. I'll surprise there's one. Uh >> Cool. >> Thank you very much for your time.
I thought besides ran last year, so I'm like, "Oh, wait a minute." >> Yeah, I was the same. It's like, "No, last year was just a ride off for everybody time." It's going to be years break. >> Cool. All righty. Thank you very much. Um, welcome back from the break. I'm going to hand over to S now who has presented several times. big supporter of Besides Perth and hand over for efficient defense turbocharging security workflows. Over to you, mate. >> Thank you. >> Awesome. So folks, uh I'm going to try not to bomb this one. Fingers crossed. Um so my name is Saj. I'm the CISO of Kingsside and the technical CISO of Bug Crowd. Um both small companies but do
weird and wonderful things. Uh I used to be the adjunct lecturer at University of Melbourne. So I like to teach things and hope people learn. Fingers crossed. Um I come from web security background. So I made the web security course at University of Melbourne. So come from security research, pentesting, red teaming, etc., etc. And uh used to be a software engineer kind of like Aaron too. And uh I do a lot of bounty hunting and CV hunting. So uh why does all that matter? Um I run a team called the shield team. Um you can basically think of the shield team as a team of engineers. Um they're trained sec uh software engineers that we turn into security engineers
typically. Um why we actually go about doing this. It's cost effective and uh the gist of it is that it fosters innovation. It basically pushes people to go and say cool um you can do x y and zed with your time. Maybe you know look at 100 sock alerts or whatever but you can also get a bot to go and do that for you which is typically more efficient. um or you know it depends on how things go. Uh my team deals with everything technical security. So pretty much from anyone clicking on a link uh in a you know fishing email or something like that uh and trying to teach people not to do that all the way down to finding
an ODR. Um so it's a lot of capacity and trying to do that between nine people is really really difficult. So we turned our specialtity into automations. Now, um, what's quite fun is we actually turned this entire thing into the shield team purely because of the fact that a shield is typically defensive. So, you can use it to block attacks, but then again, you can also whack someone over the head with it and it hurts. So, it's quite effective offensively, too. And, uh, that's kind of the entire concept of how we believe purple teaming is. So, the story behind this entire team is actually kind of weird. Um my uh funny enough I was the first security hire in
Bug Crowd post their mass exodus and um I basically started off and I was supposed to be there as a pen tester uh for their applications and turns out I got heavily catfished um I came in and I was actually supposed to be doing a purple teaming role now but oh well you start off and try to figure it out. I was in the infrastructure team so cloud infra and uh if you know me at least from the 2019 phase uh my cloud infra is not very good. So it was a lot of learning a lot of figuring things out but then I um you know Buckran ended up hiring a CISO he came to Melbourne we
sat down for a bunch of beers and got talking and then he realized that there was a really weird part of me which not many people actually cared about which was the fact that I had been an engineer. So he turned around and said, "I'll fund you. Let's get you two engineers and go show me some magic." And that's basically what we ended up doing. So the gist of it was that tools cost a lot of money and expertise costs money. However, human time is a lot easier to justify or a lot actually more lenient than um trying to go and purchase a vendor for $100,000. So what we ended up deciding was putting all of our money or a lot of our money
into human hours. Now, I'm not saying we're going to sit down and rebuild something like CrowdStrike cuz they do it a hell of a lot better than we ever will. However, there are things that we can do to make CrowdStrike more efficient and things like that. So, we basically provide our humans, our engineers to go do something more interesting and um try to build things in a very quick, agile, fastpaced way. So, uh we decided lambdas are cheap and that should be our basis. And um now funnily enough, years after doing this, we decide AI is cheap and it's also a great way of doing things. So we're going to touch on that. The real quick
thing, the way we actually like to do things, um just to lay it out in case anyone ever wants to um we terraform literally everything. So it's all infrastructure as code. You can pick one up, spin it up within seconds, and you're good to go. Uh everything is a CI/CD pipeline. So we use GitHub. So GitHub actions, it's all, you know, literally an action. you uh pretty much merge it in a master and off it goes. Um quality checks are done as gates. So hypothetically you don't meet a gate, it kills everything and you die. Uh and all lambdas are created with specs or specifications stating that x y and zed must be achieved and you must actually
properly fill out um all the different areas to be able to state what a lambda is supposed to do. So the real process flow is you would start out with um you know the IM permissions. Now one big thing you are a security team. So make sure you do follow the principle of lease privilege preach you know do as you preach. Uh allow list your resources appropriately then move into building ECR images based off golden images. So it's literally just pumping whatever requirements you need on top of that. Um, we find typically scheduling lambdas very effective because a lambda can run for a second or two and it's really cheap anduling them for every minute is
nice and easy and then spin up your lambda and associate the image digest. Everyone wins. Now, what exactly does my team do with these types of things? Um, so we actually built our own custom anomaly detection cuz we hated vendors anomaly detection. Um, we've gone through and built logging sources because turns out some vendors charge you about $30,000 just to get seam logs and that's expensive. You can do that for like two bucks with a lambda. So, we did that instead. Um, alerting on specific types of tools, perfectly fine. Um, but we can do a little bit better. Um, we automate on specific types of behavior. So, things like snitching on people when they're doing something weird. Perfect
example is when someone goes and posts something they shouldn't on Slack or something like that. We have bots that go through and find them, alert the team, and then the team goes and says, "Hey, wake up. Don't do this." Um, and then the other part is syncing between tools. Some tools just don't sync properly. Now, I know there's a lot of no code solutions that can go and do this 100%. However, when you run as lean as we do, we don't necessarily want to use them in all capacities. So, my team runs about 80 different lambdas currently. Um, but the crazy thing is we don't actually have to maintain much of it because dependabot and things like
that just kick in and help us out. Does anyone want to guess how much this actually cost us to run? Any guesses? >> 200 bucks. How much is that? >> Less than one engineer. >> Less than one engineer, definitely. So, 200 bucks a month is the lowest we have so far. Anyone else? Any guesses? >> 10 bucks. Oo, aggressive. It's less. Uh so um our lambda bill is currently so in August 2025 was $1.35 USD, sorry. Um but uh September it was $140. So we went up a little bit and that's cuz we deployed new lambda. Um but yeah, that's literally I'm not exaggerating. You can check our build. That's actually how much it is. Now this
does not include things like RDS. Obviously those are much more expensive. However, I'm talking about just the lambda. Um, so the good, the bad, the ugly. The good is it's cheap and efficient. It's crazy crazy fast. Um, it's interesting for engineers so they don't get bored. We have crazy good retention rates in our team because we allow people to go and innovate, come up with new ideas and we actually have these six week kind of sprint cycles for a specific type of task which we call the innovation tasks where they basically turn around, we give a single engineer um 6 weeks, first two weeks is determine the task they want to do. They turn around and find
the thing they hate the most in their job and then come and tell me. Uh next two weeks is turn around and build a plan. So build a plan for how to automate it and the final two weeks is actually building it out and testing it. Um so it's quite literally just that how do you make your job less Uh it's allow people to do it and uh it's fast-paced. It doesn't require a huge amount of approvals or anything. So we can spin up a lambda in less than a day kind of thing. Um all you need is approval from a peer and you're good to go. So nice and easy. Um, now the uglies and the bads are
pretty, you know, significant though. It's hard to maintain if you do not build it properly. So you have to come in with a plan. You have to come in with a spec and you need to know what you're doing. Um, it is quite dependent upon people. So hypothetically, if someone leaves um, and they were the only person who knew about it, it's a single point of failure, which is bad. Um, and the easiest way to fix that document. Um, but I mean all of us know how bad that is. And uh if processes aren't laid out, there's always going to be knowledge gaps. There's going to be one person on the team who knows everything and then
you know no one knows anything about anything else. So is what it is though. So an example of the type of thing that we've actually gone and built um is the security approval bot. Now, each of these uh different um bots that I'm going to show you today are kind of explained through the process flow are actually AI oriented and at the end I'm going to also tell you about our AI bill which is kind of fun. Um so the first AI bot is a security approval bot. Now this obviously screams terrible idea to everyone here because why on earth would you trust an LLM with it? And the truth is you shouldn't. Um, but the trick,
there's a bit of a trick to it and this is where you have to kind of change your way of thinking. Typically, security turns around and says no to literally everything. However, there are certain efficiencies that you can always gain by utilizing tools to your advantage. So, um you can have something like a lambda polling for new tickets. It'll then go and identify possible um you know uh it'll start processing things, grab the different roles in this case. So we had um fields in our forms stating you know which uh role they actually want to take um and it will turn around and grab the authenticated user's email address. So it's something they can't spoof. The
only thing they can really spoof is a predefined role. So it's from a Dropbox unless they can pop the actual form. There's nothing much they can really do there. So the bot will then go through um previous tickets and documentation and then give some references to the engineer to make the decision. Now note that the bot is not providing any access and that's basically how we kind of limit the amount of risk that we have. The bot doesn't know how to provide access. It doesn't have that access itself. All it has is read only rights to tickets. Oh actually right to but so then after that the human goes in understands exactly what is needed and
then says cool based off X Y and Zed this team is allowed to have AWS access or they're not. And then we basically change uh the entire flow. What this provides us is basically a standpoint and you know the equivalent of Jira's related tickets just done in a way that it remembers what things are and doesn't keep itself up. So then um if you ever have to do vendor risk assessments that are terrible, terrible and disgusting thing um typically they take like 4 hours if you're doing a proper technical assessment and digging into every bit of documentation. So our team turned around and tried to build a bot. Um and uh it it was also
one of the things that my team hated doing the most. Um like think about a company um you know with probably 100 vendors or so. You have to do an assessment for every single one of them. It's hell. Um now what we ended up doing was uh basically we figured out that there was a consistent format that our GRC team love to give us all the details. So we grabbed that pulled that into a lambda. um basically ran all of that in um and allowed the bot to actually reach the internet. So do web searches and things like that. It would go through analyze the vendor's documentation and then um with our master prompt to break down things into
the exact way that we would normally do an analysis and then it put in a private comment into our ticket. Um what does that do? It basically gives the engineer a little bit of a leg up and decreases the amount of time. instead of 4 hours, it takes about half an hour to an hour because they don't have to go and look for the information all over the internet anymore. So saving time, but once again just efficiency, not necessarily taking over everything. Now the next one that we have, and this was one where it actually does take over everything a little bit more, but um we have a lambda that goes through and uh so we created a learning system for an
automatic ask security a question type thing. Um, and all it does is it basically has a lambda that goes through all the tickets that don't already have embeddings. This is where we have an RDS in the back. Um, which is basically a Postgress server. All it'll do is go through all the tickets, grab the embeddings based off the API, and pump it into PG vector, which is a Postgress database. Then after that all it's going to do is go through grab tickets that are already don't have a response and very very simply just create embeddings from the original question that they have pump that into the database do a string match or embedding match more other and then
try to get an approximate confidence. Um what we did was you actually just built in variables for thresholds and then kept tuning the thresholds until we found it working right. And for us it was typically 70% confidence and 30% um kind of uh threshold on um matching which kind of you know is it'll depend on your actual uh company. And if you do want to know how we actually did the tokenizing um we used Tik Token and that was a 400 um car 400 token window with a 50 kind of rolling uh overlap um which worked well for us. once again needs to be tuned and figured out. Um but yeah, the gist of it is that after that we
pump everything into an LLM, let that go through and make the decisions again and then come back to the engineer and give a list of different references alongside their actual uh confidence scores and figure everything out from there. So it decreases your work once again and um yeah, it kind of works out pretty well. So um this is actually our AI bill which I think is pretty cool. uh 27 cents uh for the uh you know last month and this month was 30 cents uh which you can tell is a hell of a lot less than engineers. So trying to decrease the amount of time we spend on engineers and instead let those engineers go and innovate and do
something useful with their time um seemed to be a hell of a lot of a better idea for us. The gist of it here is that engineers are awesome. They build weird and wonderful things and uh they can be cost effective if you allow them to be. So give him a chance please. Thank you.
>> Questions? >> Yep. >> Um so the AI you're using for is that a custom or like >> No. Um, we actually just use GPT5 right now. Nice and easy.
>> How is the AI so cheap in my personal experience? For example, um, using um, like a subscription cursor for example, 30 bucks or whatever it is a month. And then they'll add if you go over that they'll like it's very expensive. It's best to go over how you get it so cheap internally. >> Uh so it's API based everything's done through APIs. You utilize it. So typically what we're trying to do is do pre-processing on everything. So squashing the data as much as possible using embeddings where possible cuz embeddings are cheaper than actual um text and that squishes down the amount significantly. Um and we also do a lot of pre-processing on the data to get it
into the database and that is done through embeddings. So um it's just kind of like small little wins that you can take and if you can do everything through the embeddings database um then you're actually spending more money on RDS than AI and RDS money is just consistent anyway because it's a monthly bill. So we spend probably about 20 bucks a month on RDS. Yeah.
>> Thank you. >> Awesome. Thanks to great talk.
>> And the prestigious size. Thank you. Thank you.
Cool.
>> Got a few minutes. >> I'll just pick the
very much because otherwise will run massively over. So I will hand over to Connor talking about deceptive defenses leveraging honeymods in OT environments. Over to you mate. >> Cheers. Um
hi everyone. I'm Connor. Uh I currently work as a threat detection engineer. Um I'm crowd strike but uh what this presentation uh comes across is it it's all my experience uh in my prior jobs. Um sorry just give me one second here. Um so nothing discussed today relates to sort of my current uh work. Um my prior jobs I spent about seven years working in mining, water, energy, transportation. So that's that's both sort of rail uh port facilities, that type of stuff. Um I my certifications there, you know, I've uh done the GISP, the the grid, so couple of sands. If you guys are interested in looking at OT security, I highly recommend them. Um I'm also a
member of Professionals Australia. I know there's a couple of other uh members here as well. Um it's a union for IT workers. We do have a union with all the layoffs and reduction in forces um at various tech companies. If you're concerned about that or anything else, um come chat to me later. So why deceptive defenses? Uh this really comes out from participating in a number of risk assessments and and things like that where I'm sitting at the table across from some engineer some cyber security um expert from a client system or something like that and you can propose honeypots as a potential control um to help somewhat offset some risk of something and and quite often uh you
know these controls will get rejected and things like that and I'm I'm just sitting there looking at the person crossing the table from me, I'm just like, you just think this is too hard and you don't know what to do. So, what I hope to get across here is is um in a lot of these legacy systems, your seam, your nids, um your endpoint defenses might not be appropriate because of the legacy environments you're putting them into or they're deemed too sort of high risk to to touch anything on the the endpoint systems. Um, so what I hope is that by the end of what we're doing here, um, you guys will be able to go to
work tomorrow and hopefully able to play with this um, and set potentially set something up in about an hour, right? It's these are not it's not a scary prospects. It's only how you architect it and how you you position it and how you set it up um, which is really what you have to worry about. So what we're going across here just touch a brief history on uh honeypotss. I'll go through the purpose types uh use cases. I will give you some practical examples of where I have used this in the field. Um I'll talk about the global use for people who work for large companies who have a um a large distributed um systems. Uh potentially
I'll show you how we we'll see if my uh VPN plays nice. um with actually being going to show you a live instance. So, Honeyart's old intelligence gathering tool um you know sir Francis Walsingham which was like Elizabeth the first spy master um you know set up fake channels to to deliver or collect information for some people involved in plots against her. Um, you can find talk of people utilizing things similar to honeypotss in a lot of um, intelligence uses or espionage uses uh, throughout history. Um, you know, one of the more common scenarios if we're thinking about cyber security is the Kaku's Egg by Cliff Stall, which is what I would say is recommended reading
for anyone in cyber security just because it it it's a really great story to start with, but it it it also provides a really um awesome technical insight in to a lot of the foundational concepts which we still base our career on. So Stall was a physicist on loan to his uh university's IT department. Um and they had an accounting error on um because they had to pay for CPU time back then between different departments. Uh and so after a long investigation, you identified a hacker coming in from Germany um and utilizing their servers to try and break into uh US defense institutions and stuff like that. Um it was a long process to track the
hacker. So the the hacker was coming in from the university of breman um and would go through uh the German datex which was the the German post office essentially uh who managed all the internet in Germany at the time um went through Timnet International which was uh sort of a switching service between uh international carriers. The the problem was you had to keep the the hacker on the line, so on the phone line literally long enough for someone in the German post office to trace the cables to work out where he's coming from. So to do that, they created a honeypot uh with fake defense uh grants and documents and things like that to hopefully be able to
keep this hacker on the line to work out exactly where he is. So like Sir Francis's traps for Catholic spies in Elizabeth Elizabethan era, um Stall's honeypot gave false info to the attacker. This deception prevented the attacker from strolling elsewhere through the network. Uh because of this, the honeypot um the attacker so correction sorry because of the honeypot the attacker is able to be tracked and then ultimately stopped. So while it's unlikely in modern era now we would be able to you know physically track and arrest the hackers that we see in our systems we can still deceive them and then by deceiving them we're preventing them from potentially attacking assets that we do care about
um and you know deceive them and hold them up long enough for internally for us to be able to track what they're doing where they're coming from and ultimately this all comes into a consideration which is called active defense. So moving on, having a look at our uh the purposes here. So this is probably a common uh conception of what people think about uh honeypot. I mean you've got the uh the Norse attack map which um was great when I started in cyber security because every executive walks in you could just throw this up and it's like look we're doing something. Um, but this is the the typical of what you see for for honey bots. External systems
providing lots and lots of information. Um, but not really that much utility. And that comes down to, hey, you're collecting raw data and raw data isn't necessarily intelligence until you actually analyze it. you know, an IP address isn't intelligence until you start doing something, until you start applying context to it. So, this presentation won't really be going into um looking at intelligence or developing intelligence. There are a lot of utilities online that you can um explore if this is something you're interested in. Um yeah, honeypot traffic. So, the deception of the honeypotss, which is what we are focusing on here, is convincing attackers your honeypot is a legit valid target. Um, if you're thinking about the Swiss cheese model
that everyone's familiar with, a whole bunch of holes and eventually someone's going to find a a hole that lines up all the way through. Um, you know, that they might already be in the network somewhere else, um, and looking trying to find another hole. We want to be able to provide them with that hole and focus their attention and focus their time on that so that they're wasted and we start getting alerts and saying, "Hey, someone's trying to check something out internally." Um, we're collecting this information. We're acting on it as part of our active defense. So, this is the DKW hierarchy. Um, we familiar with uh the first instinct fallacy. So that the the first time you
come to a conclusion about something you're seeing, it's really hard to be able to shift yourself mentally off your original conclusion. A lot of the data, a lot of the patterns and things like that you start seeing unless you go into some sort of structured analytical technique where you're breaking out the um the data that you're seeing and thinking about it in different ways and thinking about it with different conclusions in mind. you'll tend to start patterning everything into your first instinct. What we want to do uh with our honeypots as a deception tool is start interfering with this DRKW hierarchy. So the DRKW hierarchy we want to be able to promote bad data from which the wrong
context will be derived which means they have now bad information about what's happening inside our network. they can apply the wrong knowledge that they have to that information um and then their insight is correct uh sorry uh apply the insight to it i.e their own gener and and through this method of us being able to create and craft tools internally in their in our network which they're going to waste their time on um we now get an insight into what they're doing.
So uh Honeypots's active defense, this is a term that I keep coming back to. So, we want to have um these tools to be able to provide us with potential early threat detection. So, the traditional form of honey pots that I was talking about where you got your cool Norse map and that type of stuff, that's sitting at the information stage all the way on the far left of uh the active defense uh life cycle. Um we want to be able to put this into active defense where it's like we're actually doing something about it. you can um the we're gathering information on on the TTPs and we're strengthening security controls actively. Now I'll touch on types uh to just to
make sure that we're on the same page about what honeypotss are and and and what they do. Um so firstly low interaction. These are quick, these are lightweight. A lot of these tools you can find on GitHub. um they simulate limited services. So you have something like just an SSH endpoint or a open FTP server, something like that. Uh where they detect they log interactions with minimal sort of resources applied to them. They're really nice to be able to be able to chuck on a Raspberry Pi and throw somewhere and connect it up and that's all you have to do. Um a couple of examples, Dionia, Carrie, you can find these tools online. high interaction ones. These ones are
tools that do require analysis applied to them. So if you find yourself short on manpower resources, potentially leveraging low interaction honeypots is what you're trying to do in in your teams. Or if you do have the resources and potentially do have an intelligence function that you can rely on within your um subcurity team structure, then this might be a better solution. You have things like um liar bird which will have a vulnerable web application intentionally vulnerable web application but you're man in the middle of all the traffic just to see what people are going on from these you can generate more in-depth uh understanding of stack as ttps. Uh of course um you do have canaries
that they're really simple really easy to do. You can do these yourselves if you're going to shove it into Active Directory. Um, or you can do your own DNS logging, that type of stuff. Um, Thinx does their Canary tokens, but it's easy enough to set it up yourself. So, I'll just call out here as a potential tool you could utilize. Oops. Yeah, Thinst. Um, so our deployment considerations and risks. So, each different type has its own risk associated with it. So if you are deploying it to OT network, you're going to have to consider this when you're planning out your architecture and planning out your controls high interaction honeypotss can essentially be considered full systems. If we think back to the example
I had at the very start with Clifford Stall and what he was doing to try and track down that German hacker um that had a full system of data of grand information and uh emails and stuff like that um which he put in place to be able to um deceive his hacker. Um so it it takes a lot of work and takes a lot of um time to set that up. You want to be able to make sure that these systems that are potentially full interactable systems are properly isolated, you know, from parts of the network where it could be someone is able to break through or break out of the honeypot that you've had into some other part of your
network. Um, and you don't want that to to affect your critical control systems that you're concerned about. Um, with alerting, this can be very difficult if you don't manage your alerting strategy very well. Uh, at the very end, I'll be I'll be showing a tool um, which I've utilized which really simplifies collecting logs from a whole bunch of different honeypotss into one centralized location. So I mean you want to figure out how you can you know if you aren't utilizing a seam product because you don't have one dep deployed to your OT environment do you have some other aggregation method that you're utilizing or some other way to get alerts get information out of these
honeypotss. Um this really should be considered as a whole of operations approach. This isn't so much a detection engineering talk, but uh Palunteer's alerting detection strategies is probably a good place to start if you want to um start conceiving how you're going to like map out these alerts. Uh and and finally, uh maintenance, you honeys for especially for external systems will require upgrades to defeat mass scanners. uh if you are hunting for information, if you are hunting for intelligence um internal maybe not so much uh but this is still a risk to consider. You know these are live systems you do have to maintain them the same as anything else. Uh here is an example from carry which is a honeypot.
Um this is a GitHub issue from 2021. essentially a botnet figured out, hey, we're getting trapped in uh Cry. Let's figure out let's set up a bunch of controls to see um bunch of commands to see, you know, is this a honeypot system that I'm connecting to and then not complete the last stage of its attack, which is what this honeypot was designed for to to collect the malware that's dropped. um very briefly a table to sort of understand the purposes the uh the goals that you're trying to achieve. So utilize the tool that's appropriate for the job that you're trying to do. All right. Uh touch on use cases. There's are quite a few different places
where you can deploy um honeypot systems. Firstly, the very obvious one, um, detecting sort of scanning, port reconnaissance, that type of stuff. Um, you can sit this between your IT and your OT environments. If you do have that sort of level 3.5 DMZ, uh, where you do have access through for one from the other. I don't know why those boxes are white. That's annoying. Um, blue you have your IAS environment. red. Uh you have your your IT environment and your honeypot in the center. Um so sorry about that. I don't know um why that converted to white. My bad. Um monitoring untrusted vendors. So you're having um someone like Semens, someone like Schneider or whatever coming in
remotely accessing your your OT network. Um, and so you have all your potentially untrusted bad actors over here and they accessing a jump host in the center. Um, you know, those accounts could be compromised by someone. Um, and you want to set up your honeypot system to be able to say, you know, if someone accesses my jump host and they don't know what where they're going at the end of the day, um, how can I make sure that I collect someone who is engaging in reconnaissance activity? So, this is a good place to be able to put a honeypot um that sits offside of your um IS network uh and collecting um potential traffic or potential
reconnaissance after someone's already compromised a third party account. Uh dev test zones. Um, if you're going to be able to replicating your uh your OT environment into a development zone, this is often doesn't have quite as stringent controls might not have as um a as strict security or not might not be collecting all the logs from it, but it could be something where some third party integrator comes in and has access to how to set up this in your uh dev environment, in your UAT environment before you push it out into uh the production systems. Uh again, this is where you'd want to set a honeypot to say, you know, is someone looking for systems which shouldn't be there is just
doing generalized reconnaissance and you want to try and catch them at that point. Um finally, you know, legacy systems. Uh I'm sure this being WA, there's some people here working in in mining oil and gas. you know, you have a a conveyor weighing system which is maintained by some guy who works out of a shed in dongra or or something like that. Um there's all sorts of weird legacy tech which which lives in these environments. I mean as sort of one example here I went into a a risk assessment activity and you're looking at um it was for a freezing works and it was a system that maintains you know the the conveyor speed depending on the weight of the the
cattle or the the the lamb coming in on the through the slaughterhouse. Um and you I was looking at it on a Windows 2003 server. Cool. Um but all the all the uh sensors and stuff were communicating through something I didn't understand. I say, "Oh, you know, um what is what is this communicating on?" Oh, this is Dave's protocol. Oh, who's who's Dave? He worked here about 15 years ago. Um he he's he's retired now and you know helps us when when we need help. So, okay, cool. Um, I have a bunch of questions. You know, where where can I ask him? He's like, "Oh, we'll put it on the list." Um, and you know, he's he sometimes
the the nurse helps him remote in on Team Viewer. Uh, because we get him to help him out when he has a good day cuz he has dementia. So there's all sorts of weird stuff that exists like that which you don't realize is controlling some of these systems. So a couple of practical examples um railway lateral movement. So I just need to be clear here. We have one railway provide passenger railway provider here in WA. I'm not talking about them. This is somewhere else. Love you PTA. Thank you. My boxes are wide again. sake. Um, so this is a new train station for passenger rail um expansion. Um, the systems were commissioned sort of with
minimal cyber security requirements. At the start, the station BMCS, which is a building management control system, which handles all the the lighting and the air con and the vertical transportation systems, elevator, escalator, that type of stuff. um was connected in had a HMI server uh system which is this box here. Um great. The vulnerability that we found is that post commissioning for this station um there was a main switchboard. So that the power control uh switchboards uh actually had a little web server hanging off them uh which is where they um would facilitate uh shipping um CSV files and things like that which would be accepted by the BMCS uh HMI which is how they built all their
pretty graphs and stuff like that which people would utilize. This uh main control uh board which is this server thing here. Sorry for my labels again. Actually had access into linewide PCS which is power control system which controlled all the power for all the trains on the on the train network. Theoretically you could access the web server, put a web shell on there and then access the uh linewide power control system. We couldn't put a um we we considered, you know, can we put a NIDS system here in the power control network while we get this defect fixed in the main control boards, but the switches there, they're all legacy that didn't have span ports or anything like that that we
could pull data out of. So, what we ended up doing is putting a honeypot off the side of the um that was accessible by the main control boards um to see, hey, if this was ever exploited, if someone did figure this all out because, you know, these HMI systems were only protected by one of those wooden doors that you see at the train station, which is locked and it says communications on it. Um and it was just a a computer that was in there that was always logged on. um you that would the reconnaissance would hopefully hit the honeypot and would identify that someone is potentially looking at the power control uh system network. Um this was all so they could get the
defect fixed in the manual control boards first. So our interim monitoring solution was put in place while the defect remediation happened. So it managed to um mitigate the controls for our systems um for long enough. I mean the defect control the defect defect process still took 12 months anyway. Um but that's pretty good time. And yeah then there was an upgrade planned for the power control system network to say you know it's probably about time that we replace these switches after 15 years. Second case study looking at a water pumping station. Again we have one water utility in WA and it's not them. Love you water. It's somewhere else. Um yeah, white boxes. Um we have a
remote pumping station. So this was somewhere in Australia. It is a remote pumping station uh for water. Um physical security is very minimal there. You got above fence and because it is remote, there wasn't good internet service. So you didn't even have CCTV at the time. um can't have a seam pulling logs from those systems because the internet link that they had just wouldn't couldn't have all that data coming through. Um and also American companies really don't understand low bandwidth. Um that's something I've I've continually uh come to learn whenever I've deployed a new product. Um, so we couldn't put the link there between the IAS network and the the firewall at the remote pumping station.
So what we what we did is we slapped a small honeypot just on a Raspberry Pi honestly off the in the same rack at the remote pumping station. And this would be the only thing that would send logs rather than collecting logs from everything else. So really the the risk that we're trying to mitigate is someone comes up to the remote pumping station, goes in through the lock door, which has a key lock and that's about it. um accesses the the systems in there and starts looking around to play with things. So um that is is that let's have a look at hang on. Seems like someone's trying to log into our remote pumping station.
So we we got a suspicious alert detected for that one um about 9 months actually after we put the solution in. Um comes through to the sock and then you end up calling the the cyber security engineers dealing with the OT side and they're like we don't know. Um what's your what's your plans here? We don't Yeah, we never made that IR plan that you told us to. No CCTV. As I said, they call the the uh the maintenance planners. Maintenance planners have nothing on at that site. Cool. Uh call the local security contractor who uh when he isn't doing this is is working at target country. Um so he heads out there and rolls up in
his Hilux uh just as um so he heads out and finds our local worker uh out there. So despite the coordination between our security team and the maintenance planners, it was actually this guy was out here. He was working for the uh the mothballing team, removing old equipment from the site. And I don't have a communication between them, of course. Um and so he was trying to make a change uh to some of their old equipment, getting ready to to pull it out, and just basically hit the wrong asset. Um, so what this came out for us, you know, it was it was a pretty good solution. It was pretty validating to say, hey, look, you know, this this kind
of this kind of worked for what we were trying to do. Someone that we didn't know was going to be out there accessing our systems. Um, and you know, even though this was a false positive, it was still a win for us. Uh, it meant that, hey, you know, that I plan that we said you guys should do, you should probably do that one. Um and we also found that the asset inventory system that they were working off um was there were some errors in there. So global use if you're working for a site with um systems all over um yay white boxes um you know if you're going to deploy your honeypot environment to
the edge you can gain unique information about potentially who was attacking you. So this is going back to getting information getting intelligence about your honeypot deployments. And this is great if you have uh multiple sites all over because you can start getting idea of what's unique to different sites. Um this also works uh internally although hopefully you're not getting a lot of reconnaissance internally anyway. Um when you're deploying to the edge you're going to get a lot of the noise of the internet and that's just all the scanners and stuff that happen all the time. There are ways to remove that. I mean, you can manually go through and you can look and you can say who's
hitting me all the time. There are other people who develop these um scanning lists themselves of, hey, here's the common bad actors. There's one example if you trust QR codes. Otherwise, there's a link. Um, and excluding mass scanners from your list of data that you're having a look at can really start to realize like, hey, what's what's different here? What's new for me? And that enables you to start getting a global context of saying, you know, what are we seeing at every single site? What are we seeing at only our sites in Australia or only our sites in WA and what am I seeing only at this specific site itself? And through those stats, you can actually, you know, you can do
cool things of saying like, hey, you know, executive, we are we're getting all these attacks specifically at us and here's how I can show you that. So you can do do this yourself and this is the how um where to start you know you can decide sort of what honeypot for what solution you want to try and achieve there are tons out there on GitHub which you can go through you can explore you can try and work out which ones you want um or this is my favorite which I've started deploying at different sites you can use this tool by Deutsch Telecom called Teapot. This is an all-in-one honeypot platform. Um it's the honeypot are all composed with
Docker, so you can choose to what to pull down, what to deploy, where it automatically gets um dumped onto an elk stack, which means that um you don't really have to worry too much about the the connection between trying to drag stuff into your seam and stuff like that. Literally three commands and you deploy this and it's set up and running and it's operational. Um the Elk service as I said runs on honeypot. Uh it has engines to provide you a secure way to to manage and operate it. You can deploy this internally, you can deploy this externally. It doesn't really matter. So where to start for all of these is all of it. It's it's just that simple. You get your
pretty Norse maps so your executives know that it's worth spending money on you as well as graphs to keep managers happy. And because it's a distributed deployment system, you can have it and you can have say, "Hey, for this one site that I'm deploying it to, I can put one honeyot on my BMCS, one on my power network, um, one on some dev infrastructure that I've got." Or if you're multinational, you can say, well, I'm going to deploy one to a power plant I have in Spain and one I have to a power plant I have in Australia and see what's different between the two. Um, that's sort of what I was doing with the
last job and I was uh when I first wrote this, I had a practical demo to show that, but um maybe now not so much. Um, live demo question mark. Um,
just give me one second.
It's not showing that screen.
Sorry, my live demo question mark is very much a question mark. Um, if you want to check that out, I can show you the deployment that I have set up, but for whatever reason, it's not showing up to the top screen. Um, key takeaways for this. Um, honeypotss provide um you with critical visibility that you might not have elsewhere or you might not be able to deploy elsewhere. If you have um systems where you have low bandwidth or you can't really touch too much within that network segment within that zone, then this provides you with an easy monitoring tool where you don't have to go through the arguments of saying, "Hey, put my agent on your
system, please." Or, "Hey, we need to set up some sort of other SIS log collection method." This can all just work again with literally three commands. Um, deciding on what honeypots you want to set up in different environments means you can almost customize it to be your site. You can go through all those tools that I I showed on GitHub. You can customize the code for yourself and you can you can put it with your own branding. So, it makes it look like what's expected for your environment. Honeypots sort of within the active defense role. they detects unusual activity before it reaches critical systems when people are doing those reconnaissance within those those zones where people come out um where you might
not have other uh controls that you're able to do. You can get valuable data on attacker behavior and use that to you know update your detection logic sort of live as you're seeing it or or put in security controls ahead of the uh attacker as you're trying to get them out of the system. uh or it gives you time to be able to track down sort of where they're coming from and and understand their TTPs. Um finally, sort of some couple of key considerations. Uh choose the honeypot type that's relevant for not just the systems where you're deploying it, but also your team. There's no point putting a couple of high interaction honey pots in different
areas if you've got a twoerson cyber security team because you're not going to be able to manage it and it's what's the point of putting that one in. Um placement is critical to be able to ensure that the honeypotss are in the positions where attackers are likely come through. This is where your you know deploying the honeypot should be off the back of a risk assessment exercise where you're understanding where you have risks that you need to put controls in. Do I have a risk for a lateral movement from a vendor supporter? Do I understand, you know, truly where um am I confident about this guy in Dongura uh actually having good cyber security on his ends and managing
his identity? Um and you know, regularly review the honeybot data. It's no point just letting this log because it's not going to be part of your active defense cycle then. It's just a logging tool. Um thank you. Uh you can find um all my presentations there and you can find uh the teapot tool which I recommend you check out and deploy yourself at the other QR code. Um any questions [Applause]
[Applause] great talk. Um just you spoke a lot about um attack looking attack coming in through the box. Um, have you had any experience in actually emulating the end device, so the the sensor or the PLC or whatever the case is and at the end it's [Music] hitting that which is not an active device. Um yeah, the the question there was um have I had luck um I spoke a lot about people coming in um and that lateral movement risk have I had luck with um emulating end device the the PLC systems that type of stuff. There are honeypotss out there which which do that. It requires the the customization of um trying to you know truly understanding
your your equipment and be able to um present it in such a way. The there are um tools out there which replicate the um Stevens S7 endpoints and things like that uh which you can use and it collects all the commands that would get sent to it and stuff like that. Um question would be sort of to think about you know for your your risk control and where you're putting those controls in. um you know at at that point is that the most appropriate place to put those type of honeypotss or are there further controls upstream where it would be potentially more appropriate or you're going to find more information those type of putting something at that level
um down at level zero or level one um where you would see those type of PLC's and things like that that's where you know more you're seeing hey something's communicating to something which I wouldn't expect and that instantly triggers, hey, this is something really bad to to go check out. You wouldn't really be collecting too much information at that point. >> How many deploy how many deployments of like cutting are you kind of seeing actually modeling industrial control systems? >> Um that are that are publicly out there. Um there's one main system called compot which which people tend to use. Uh it's the it's the one that that looks at um the seaming systems. But a point to to
to understand about industrial control systems is at that level 3.5 which is what we call the industrial control DMZ level three sort of operation control things. You know they look very similar to IT networks. you don't need a lot of specialized tools to be able to replicate or or or to be able to present an image of of what an industrial control network might look like um at those higher levels. I mean, you really don't want anyone progressing lower. You don't really need to dedicate too much time and effort into emulating other behavior. you can make a very convincing um you know top level overview which hope hopefully should catch or deceive u most people that you're worried about.
>> Cool. Uh yep. Sorry.
U most unusual case study I've had so far. I mean the two I put in there was some of the um were perhaps the the more unusual one. The the passenger rail network was certainly interesting to be able to find first that um you know why is there a web server in a in an electrical switch word to start with? Um and then understanding the full scope of being able to say you know okay this can actually communicate to other parts of the network. Um that one I put at the title.
>> Yeah. >> You mentioned to about that running something that linked to or is that uh in >> um that was a question about pay? No, that's that's running. I mean that's been we've been running for what 30 years. Professionals Australia. >> Oh, >> cool. Thank you.
>> Just these sides.
noise. Have fun, mate. Thank you. >> Thank you. How's everyone going? Um, thanks very much for having me here and also thanks for such an amazing event. You guys do an awesome job. All right. um trumping musky infosc noise. So this is a talk about a tool we make at work called talkback. Um we've been building it for a few years. Um and you might have seen me present about it. Um but this is the first opportunity to present at it with bides Perth coming back this year. So I thought it was a good opportunity to show this is where things are at. So hopefully if you haven't seen the tool you learn about it and if you have seen
the tool you learn more about it and you can find some useful stuff out of it. Um just a really quick what is it? It's um a smart infosc aggregator. So it's something that pulls together resources from the internet about infosc and we really wanted to gear it towards helping people with their time, their focus and their sanity um keeping up with information. Um so why why why build something like this? I guess the first thing that comes to mind is how much time we spend in a digital void which is sunk onto apps in our phone and how much time we actually spend on this percentage- wise in our lives. So these are all obviously apps
that are designed obviously to engage you in some way, but they're also designed to make it addictive and get you back and get as much of your screen time as possible. Um, and the thing is we know this, right? So, we know that they're designed to do this, but it's very easy to fall and get stuck into this void, but it's hard to pull yourself out. It's kind of on each of us to work out how we're going to get out of this cycle. Um, there was a really great video last week. Um, I would butcher trying to pronounce them correctly, but I really love this channel. Um they did one about is AI humanity's final
invention and um one of the things that's quite interesting that they talk about was when AI systems are first coming out they're learning from human data on the internet and now there's this cycle of AI crap going back to the internet and then these systems are rereading and referencing that information again. So it's a really time for interesting time for content and where things are at. Um but then moving to cyber security. So that's the universal apps and technology in our digital lives. But what about cyber security? So it's a very broad field. It's also an incredibly deep field as well. So there's a lot of information at different levels in different topics and domains that we all might be interested
in. And there's many ways you can keep up with information. And so you might be a member a member of like Discord, Slack channels, signal groups, um but you also might subscribe to newsletters and podcasts, whatever you use. And it's all disjointed and information is in different locations. over the last like 15 years of Reddit, once a month, like clockwork, a post like this comes up and it's basically, hey, uh, how do you guys keep up with information in cyber security? And then all the replies are like listing RSS feeds and they recommend things like hacker news and bleeping computer and bunch of stuff to use. Um this is just people are also saying I'm actually looking at building
an app to aggregate this. So this comes up all the time and then you never see anything about it again. Um and one of the more recent ones is like this has been covered to death on this sub subreddit. Um you should search and you're just going to find you know 100 instances of the same question. But one of them here is like there is no single source. So what is talkback and what is talkback trying to trying to do? So in a simple nutshell um it's designed to be fully autonomous uh infosc resource aggregator uh we first released it um back in 2023 very early on um and it's had steady development since then
um I presented on it when we first released it at local sec talks um and after about a year gave a talk at besides Adelaide about it with some features and then besides CRA with some more features and where things are Now, it's actually a pretty stable system. Doesn't have too many like changes. We're pretty happy with where it's at. So, today I want to talk about like all the features and show them off and hopefully you can see um how you can use the system. Um one of the things that's different versus presenting it in the past is that we've had feedback from lots of users about how they use the system now and their use cases. So,
that's kind of useful. Um we built this for our team to use. So we are actually having an organized set of data about public resources is super useful. Um so we do assessments on software and hardware and a bunch of other stuff. So having access to public information um and being able to access it quickly is really important. But we also made a decision to um just make it a free community tool as well. So that's what I'm showing today. um person who develops it primarily is Sebastian Mackey in our team and he's done a pretty awesome job at building all these cool features. Um a few principles which we have run with. So the one was like
keep it as simple as possible. Um but we wanted it to be um not dependent on human curation and that was a really important thing just to remove our own biases. So uh here there's the next point is about reducing editorial bot biases and that's really easy to do because um people who are making curated lists of resources um have their filter bubble basically of what types of things they're interested in and um will selectively choose what content they want to include. So we're trying to avoid doing that. uh free, no ads. Um and also we wanted it to be a really clear design like UI-wise um but also consumable in many ways and hopefully it's fairly snappy
performance-wise. Um so yeah, the way it works um is when resources come in, we just want to index them and we want to get the full text of whatever the resource is. So whether it's a blog post or whether it's a PDF document or whether it's a slide deck, we want like all of the text. Um and we want to then be able to store that. Um so on this particular screenshot is this showing that a blog post we want to have um the body of the resource. So web pages are kind of funny because they have the headers, the sidebars, the footers. So we just want the thing which the article is and then in PDFs we want
to be able to part or or any document. We use Apache ticker for extracting out that information and then we stuff all the data into elastic search. Um but where do where does data come from? So one of the questions on Reddit is um you know what RSS feeds do people recommend? So um TalkBack subscribes automatically to thousands of RSS feeds and it also subscribes to many different types of social media accounts, things like Reddit and um, Twitter. And um, what it's basically doing is maintaining a list of RSS feeds. um everything that it's seen throughout time, it's has its own inventory of RSS feeds and then we automatically poll it for new updates. Um but we do the same for social media
accounts as well. So people who are sharing information about technical resources or whatever it might be, we're capturing those users so we can pull from them as well. We also reference conference archives. Um, and the reason we tapped into this was because um, a lot of, uh, Louisie had his talk this morning saying like there's lots of research and things are coming back in cycles. So um, we wanted to be able to if you're looking up a topic, you can then say, "Oh, this was actually talked about at a black hat presentation or something some other presentation from 2001 for example and that comes up quite regularly that sort of thing." So we index black hat usix
Usenix and a bunch of other conferences. Um all of that's automated. Um and I said that we didn't want to interfere with um manually tuning stuff. So we also tap into um this idea called curators which is um when people usually have their job to curate cyber security resources and make them available. So um they will be talking about maybe something that's been trending from the past week um or the past quarter. So Risky Business does their weekly newsletters. Um Think Scapes quarterly um do a quarterly PDF. So we grab that, we pass it, we extract all the resource uh resources they talk about and then we highlight this that's been talked about by a curator. Tood is
quite popular. Um CTO at NCSC um has a weekly um blog as well. And then Louie uh curates a bunch of things that he's found popular from the past week. So we see when humans have talked about this stuff and we use that as a way of just flagging that these particular resources have been talked about by one or many curators. Um, when resources come in, we and we have the full text, we want to be able to add as much information as we can and extract useful information about a blog post or a paper. Um, we save every resource that comes in into the wayback machine and we archive it and it's available via the talkback UI. We
calculate reading time. We grab CVS and CWES, so vulnerability references like CV- whatever and CWE, which is vulnerability types. We grab MITER attack um campaigns, software techniques and cross reference it to the resources as well. We generate word clouds and screenshots and we do cross references between what this resource is talking about versus other resources that uh reference it as well. So you might have a blog post that talk is talking about something but it's maybe inspired by some previous blog post 3 years ago and maybe there's a something that has come out that references this blog post that you're reading as well. So you can see that on the right. So you can see the
vulnerabilities that are referenced by this particular resource with the CWE with the CVSS score and then the references where this is talking to something one month ago, two months ago and then it's referenced by something in the last day. Um, one of the things that's been pretty fun to work on, um, has been to categorize things. So, we wanted to have for all of our resources, throw them into buckets and categories. So, we then know that, and it can be many. So, you might have a resource that is a blog post pulling apart some malware for some sort of device. So maybe that's categorized as malware and maybe it's reverse engineering, maybe it's forensics, but
we want to be able to put those things into buckets and we do that using an LLM and we give a confidence score for every category that we think it's about. So this is 90% confident that it's about exploit development and it gives the rationale as why it thinks it's about exploit development. Um then we also want to grab in addition to that um what is this what is it talking about? So this blog post talks about exploit development about Chrome and V8 and um it's extracted that out and given the context of it. But these are now like entities in our data model which we can then pull up and query and run all sorts of stuff on.
And the next thing is um summaries and ranking. So I said we use an LLM for the categorization and classification of resources but we also use it to um generate a TLDDR for every resource as well. So um you might have like a 40page document that takes you a while to read. So, we break it down to five bullet points to summarize what the content's about. Um, and that's just so that you don't have to read the whole thing. You can just quickly skim if you want to read the whole thing or not. Make it make your own choice. Um, and then the next thing is making a ranking score. And, um, so the ranking score is something that
we've been refining pretty constantly. Um and the idea is that we have a weighted formula for a number of attributes and features that are in talkback. So um when we're calculating a score, it's basically one to 100 trying to say how good something is, how interesting it is. And um we look at things like has it been featured by curators? Um what are the cross references looking like? So like has it been built on or references other things that are super reputable? Um we look at the social media score and the weight and um and then we factor in all these things and then come up to a one to 100 score. Um and you'll see that shortly in
regards to how that works. So um using talkback um so I guess before I go into each one so uh we built the UI um to be um mobile and just normal desktop friendly so you can use both pretty seamlessly. Um, and it's evolved quite a few times like there it was initially like just a dump of resources. Um, and now when you use it um you land on this landing page and um this is just showing like um key resources that um are trending for the past 7 days. And then you have a preview pane as well that can always pop up. This preview pane shows a screenshot where it's hosted, what the reading time
is, a summary um and then like the um the LLM summary of what this content's about as well. Um and you can see that little icon at the top next to the date. And that just says you can save it for reading later. It shows you how it was categorized and why. So application security related, what topics it talks about and then you can view and see more information about this if you want. I'll come back to that shortly. Um so that's how the preview works. Um we also have like trending vulnerabilities from the past 7 days and trending topics from the past 7 days. So this is one way you can enter the data
set. Um library and inbox and chronicles you can uh different features and then you have feeds and newsletters. Um search is I'm trying to keep up with the gif. Um it search is basically um using lucine um syntax which is pretty powerful. We have an API which is free you can get an account for and we have newsletters. So I'll run through all those examples now but that's how it looks. Um the main thing is about resources and like what is a resource could be just anything like a blog post or a paper whatever but it's a consistent view in regards to what um that resource is about. Um so I have two examples. The first one is this 40et um post from
very recently. Um so you see like the title, you see um the summary, what categories, what topics we show where it's hosted. So it integrates with showdown as well. Um we show how long the reading time is, the screenshot, um the AI summary, the word cloud. Um and then how it was categorized. So this is mostly about malware analysis and network security. And then you can see the cross references to another article from 40et which you can then preview as well. And then this has the same things. You can just go down the rabbit hole if you want. And then this talks about matt attack techniques. So it's about spear fishing and scheduled tasks for code
execution and um I have a second one which was after seeing the GPU talk yesterday and um so it was a great talk and it was about a lot of other presentations and blog posts. So this is showing um a blog post from Starabs about two CVS. So you get the summary you it's the exploit development reverse engineering it's about the GPU driver here and then the two CVE um but one of the things here is you can see all the references including a paper to use NIX from like 11 years ago. So it's really useful for being able to see like things that came before and other things that reference this. Um, and this is showing
if I'm looking at the CVE, um, like what other posts in the Talkback database have information about that. So hopefully people find that useful in regards to getting to information quickly um, but also seeing past work, which is really useful um, to be able to get to quickly. We've been um this has been maybe one of the biggest features for us at work which is um finding like using Google or an LLM to find past work is really hard. Um so um we want to be able to make that a bit easier for ourselves and we hope other people find it useful as well. Um so browsing the libraries next um this is the resource view in talkback.
the library um and it's just um has the same preview pane and um you have filters so you can sort by chronologically by risk rating you can select date ranges you can do full text search with the lucine queries you can select categories and topics that you're interested in CVS CWES you can change your sorting order by our rank by our date you can change how the this interface is shown and um you can do quite a lot with it. But there's also a drop down here where you can then hone in on vulnerabilities and do the same. You can also um drill in on categories. So you can enter the like library this way as well and you can hone in on a
specific category. And the next one is um topics. So topics is super useful to browse. So if I'm interested in this particular authentication protocol, I can see all the different papers and blog posts and stuff that have talked about that. So um yeah, that's that's the library section. Um and then what we started with that basically and um and then we started getting feedback from people who were using the tool saying oh I use it every day or I'm away for a week and I want to be able to catch up on information better. So we worked on two separate views to help people like that. And there's two main UI features. One is called inbox and the other one is called
chronicles. So the idea with inbox is it's kind of like a a reader where you get you can then filter by technical resources, news resources, by type and by category and you get this like simple like summary of what it is with a screenshot and you can say what you're interested in just like what you're not interested in or what you are interested in and it will save it so you can read it later if you want. So this is kind of like just a quick way of getting through all the stuff. Um so when you save it like that and you select that button that will remember it. Um and you can just either have it saved locally in
your browser or persistent to your user account but then you can come back and read it further if you want later. So this is one view which is quite recent. And then chronicles is the idea of capturing uh information by week or month or year. So this is like looking at it from a weekly perspective, but you could change it to monthly and you could then sort it by chronological or by how it was rated in the system. So you can see like the hottest stuff based according to TalkBack um by month, week, or year. And you can also filter by categories. So if you're if you're interested in certain topics such as like industrial control systems
or something else, you can just go I just want to go back in time looking at that stuff. So that's what those two features are. Um and then GraphQL uh we we made an API available. Um and what you can do is you can log in and you then um just get a a a token and then you can integrate that into like your own code to do stuff. Um but we chose to use GraphQL so that it's quite flexible for people to be able to understand what the schema is and then make up their own queries. Um but we also have RSS feeds that we created as well. So we publish the RSS feeds pretty regular. I think it's like
every hour or so they'll get updated um based on what Talkback has seen. Um the RSS feeds are just there um in the more drop down and then you have like technical news or by category. Um and then you can go to the API and we have like this how-to page and this is just a way to quickly test and prototype your queries. So I'm using GPU and Mali from yesterday and it's just selecting the ID and title. But then I can go through the schema here on the left and I can add what additional attributes I want to query for. So in this example I think I'm going to select what topics the TLDDR
um and I think the CVE which are relevant. And then I should just be able to rerun this and get all that data. So then I have all that as JSON which I can work with. And the other example here is if you have a unique identifier for a resource, you can then get all that information as well. So this is like the open AI summary, a bunch of other stuff. So that's how you can use the GraphQL API. Um the feeds uh we've heard of people who are just like throwing that into like Slack channels or Teams channels if they're interested in certain topics or integrating it into their Feedley or something like that. So
this is a way when going back to what I was saying before about people on Reddit saying what RSS feeds do you recommend? Kind of technically TalkBack should be following all of those ones plus a lot more plus getting all this extra data. So then you should be able just to use these feeds if you want. Um and then we've had some people who have um made their own apps uh for talkback kind of recently as well. So someone made this Slackbot um and I think they're extending it to Teams as well. So what you can do if you're interested in and it uses the GraphQL API. It doesn't use RSS feeds. So if you're interested in
watching um talk back for specific references or to certain keywords or certain combinations of queries, you can do that and then get a feed and it will just be pumping them into this channel. So this is available on this guy's I think he's in the UK paper mountain talkback messenger. Um, and he's he asked had a bunch of like um it was good that someone was integrating with it because we fixed a bunch of bugs and we made it easier for him to integrate with. But now you can see that like all of that data we're extracting is now available in the feed as well. So it's better than just an RSS feed which is
like URL, time, date. Um, so you have all this additional data as well. Um and yeah, the final example is newsletters. Um this is basically the um talkback weekly chronicles where you have that weekly view. Um and obviously there's like tlddrc and there's a bunch of other email newsletters around. Um but I was saying about like that filter bubble which can happen when people are manually curating information. So this is automatically going through every category and then showing like I think it's like a certain amount of top resources for that week summarized. So we have um the AI summary plus the score from the system and then all of these links go to talkback so you can then
jump to that resource in the system and save it to read later. So it this is um this view which I just showed is obviously in the UI but that same text that same content is emailed every Monday morning. So uh we've had that running since last year and um you can go back through all the history of all the newsletters as well. Um, but we've had people saying that they subscribe to it, they filter on the categories that they're interested in, and then they get a weekly digest that gets emailed to them every week, and then it just helps them with their routines. So, yeah, that's those are the features that I wanted to show. Um, I think I'm quite
early to finish up, but um, I guess to summarize where things are at, so it's been like a pretty steady amount of development effort. Um, but nothing too crazy. Um, it's all pretty achievable. It's a pretty simple system, but we hope that, um, it's useful to people and that you can actually save time and be more productive. And there's now enough kind of ways you can interface with TalkBack. So whether it's the UI or the API or RSS feeds that you can make it work for you. Um, we've been finding it really useful for now our assessments and what we do at work. Um, and there's potential for things like doing like more leveraging the data more
to look at trends and things that are happening for specific types of attributes that are in the system. Um, it's available at talkback.ssh. You can email us if you have any requests for features or bugs or whatever. You can just shoot us an email and let us know. Um, we hope you find it useful and if you do, please tell friends, colleagues and so on about it. Um we find that most of the users are coming from like Europe and the US and like Australia has like a small amount of people um using it. But if you do find it useful like tell people who find it useful. Um but that's it. Um happy to
answer any questions.
>> Yep. categories, excuse me. Um, they're very offic
more GLC focused type topics >> at the moment probably um probably the C they might be there but maybe the categories are more offensive security focused. Um, so we were thinking of changing the categorization to be more similar to how Black Hat defined their presentation tracks with like GRC or um, human factors of security and stuff like that. So I feel like maybe it's the resources might be there and you might be able to find stuff that's useful, but maybe the way it's presented and categorized isn't quite right for you at the moment. But I think that's something we definitely need to improve for sure. um the categorization like that classifier um uh when we update it, when we change it,
we have to run it back through the history of everything. Um and the history of all the data goes back like 30 plus years. So it costs us a bit of money. So we're been a bit of reluctant to change it too crazily, but I think it does make sense to us to for us to update the categories for people of different backgrounds. And um so yeah definitely I think it's a good idea to do that. >> Yep. >> Um you sort of answered the first part question in that previous answer is what's the retention of data like? >> Yeah. So we want everything and we um and um since it's been so we initially
seated it from data from Reddit. So um Google BigQuery has like Reddit databases and stuff. So we use that for our seed which goes back to like 2008 2009 and then we looked up all the RSS feeds and then we scrape all that data and then we did the conference archives. So the data itself goes back to like the '9s. Um but there's coverage gaps particularly around other conferences and there's like other archives that we should index which are online of like cyber security stuff. Um, and then we just store it all forever and we archive it with the wayback machine as well, just in case it gets taken offline because that's always a problem. Um, so
yeah, um, we just want to have like information and data is really important now and it's getting more and more important. So we're just trying to save everything we can. So it should be infinite retention. >> Oh yeah. >> Second question. Um, you mentioned one of the things as part of your mission I suppose was to remove the human bias. >> Y >> uh in addition spoke about how there's a lot of AI regenerated content out there which is just >> Y how did you engineer that out with your rating algorithm? What were the things you focus on? >> Yeah. Um just trying to think like I think it's just from like the bias is like if I look at domains or
where it's hosted or what company it is and go now I'm giving preference to that I want to increase their weight or some factor like that. So instead we tried to look at the data model we capture and the more attributes and features we have in our data model the more we can refine it and tune it. Um so some examples of how we've refined that is stuff like um um when you see that a person has done some research let's say several years ago and over time many people have referenced that and then those have been popular then that initial bit of resource is going to be weighted with bit more credibility due to its
knock- on effect later. But you also have like all these challenges about like companies get bored and then like their sales team take control of their blog and then they spam a bunch of crap to it. And so there's all these like realities that happen. And um and so we have to we like have seen spam coming in from places that used to be really reputable. And so then we have to consider like the frequency. Are there sales pitches in this? Like all this additional stupid stuff I didn't have to worry about. And um but I think the cross references was probably the most powerful. We calculate something called the home. And the home is like um let's
say like github.com/username. Um that path is the home for where someone's publishing stuff, but then let's say you have like a company website that's fu.com. It's different. So we calculate where the home is and then we look at the history and trends for every home and that goes into the scoring as well. So if a company has a track record of like smashing home runs with what they do then um the other thing which I mentioned was the curators. So when curators talk about stuff and about homes repeatedly then that's building up the reputation of that company or that user. So it's been but yeah the flooding like that thing about like sales teams taking over or
whatever it might be um quite a few times oh we have to think of something and it might be changing like social media is a really bad example because something kind of silly or simple might get like a million up votes whereas something super novel gets like 10 and so that gets a very low waiting in our scoring system. It's more about like past reputation and where like reputable curators have jumped in to say something. So that's been quite fun to work on and abstract it out, but we wanted to avoid like we could have it select when we publish a blog post like ours is front and center, but we don't we don't do that for anyone. Um so it's
been a fun problem. Um I think it's relatively um reasonable now. So, if you look at Chronicles and you go back for like weekly and monthly and you look at what's top 10, top 20, top 30, you probably go, "Oh, it's pretty reasonable." Like, yes, that's a really good quality article. Um, but if we see something that's wrong, we have to then go in and think about like how we might tune it. Any other questions? >> Cool. Well, thanks very much.
Thanks so much.
Uh, let's go ahead and keep that change. Why not? That's better. [Music] >> Yeah, that's it. Yeah, >> it's good. Try and adjust the uh the way. So this is Luke talking about ghost of the gateway o days of blind ra and invite a team up and over to you. >> Thank you very much. >> Thank you. >> Can you plug that in testing testing? All right, it's working. Hello everyone. Uh my name is Luke. Uh this presentation is called Ghosts at the Gateway. Um, I'm sure you've all done some pre-ereading about it, so I'm not going to talk too much as to what it's about. Um, but essentially in my head, I saw it as a David and
Goliath battle between me, um, and my ISP who decided to disable a feature that I wanted on my router. Um, so, uh, this is basically just documenting my efforts to, uh, get it back and, uh, my learnings along the way and, uh, a couple of CVS that fell out of it as well. Uh so in terms of uh the agenda um going to do sort of an origin story of how I ended up in this position. Um I'll talk a bit about UART. Um how you can use that to interface with um not just routers but um hardware in general that supports it. Um I'll talk a little bit about the process for for finding the
bugs. Um and just you know for everyone's benefit it's not super technical. Um so everyone will be pleased to hear that. I'm I'm I'm certain. Um and then I'll talk a little bit about why I think routers um are becoming a more attractive target. Um not just like APS, but just digital misgreants in general. Um I've got a few demos to run through as well if we have time. Um I actually forgot that I'd be holding a microphone, so I don't know how this is going to work, if it's going to work at all. We'll see. Um we'll see how we go. Um and then if there's time at the end, some Q&A. Um, so for those that don't know me, I
do know some of you in here, but for those that don't, my name is Luke. Uh, I'm a senior pentester at a major Australian bank. Um, I will let you guess which one. Um, 5 years pentesting now. Um, been in security probably 10 plus just in various uh, fields everything from web apps, mobile, infra and cloud more recently. Um, terms of certifications, most recently OSED, but also have OSWE, OCP, uh, GMOB from SANS and, uh, CRTO from zero point security. Most importantly, I'm father to a beautiful baby girl who is my reason for getting out of bed every morning, even if it is at stupid o'clock, like this morning, for example. So, I'll set the scene. Um, it was last
Christmas. I was at my dad's house. Um, and I was thinking, well, I would love to access my music, uh, on my home network. Um, now my home network, uh, despite my job title, is not very good. Um, it's a fairly flat network. There's no fancy stuff like VLAN and firewalls and switches and whatnot. It's just basically what you see is what you get. Um, so we have my uh ISP, which at the time was IET, and they were kind enough to issue me with an Archer VR600V router, which is that beautiful thing right there. Um, which is the star of today's show. So, on my network, we have uh my Xbox, my Windows PC,
and my NAS. And my NAS was where I wanted to access all my stuff. So in my head I'm thinking all right I've got two main options to to go about this right so I can enable port forwarding um which for I guess those that need a primer it's uh if we imagine my beautiful secure network right there and uh we divide it into sort of the external uh zone and the internal zone where external would be my public facing IP and internal would be my internal IP addresses obviously. Uh what port forwarding does um is it allows us to essentially punch a hole u in the external uh facing side. So uh for example we could uh open up port 111 TCP
and we can have that map to a specific internal host on a specific internal port. Um so for all intents and purposes port 1111 would go to uh port 22 on my NAS host for instance. Um now this is pretty easy to do. Um it's uh available in the admin web portal. It's just a couple of clicks. Um so that's good. Uh the downside is that it means that service is going to be directly exposed to the internet which is not so good. Um now in this example here I've got port 22 open which is you know fairly battle tested um SSH. Um but uh just imagine that you're not running SSH and I don't
know not to name names but maybe you've got Plex media server or something which has a critical vulnerability in it. Um if it's facing the internet it's just going to get pawned and uh it's you're not going to have a great time. And even if there is no uh sort of vulnerability in it, um I'm sure anyone that's ever run uh like a service on their home network knows the minute that you open it up to the internet, you get a ton of bots um that just are relentless. So that's option one. Uh option two is that we can run a VPN service on the router. Um so what are we talking about here? Well, uh in the case
of uh a VPN server, we would open up a a UDP port. So it's 1194 in the case of OpenVPN on the router. Um and that's running uh an OpenVPN service directly on the router. Um so after the clients have done their authentication and whatnot um essentially the router will manage a separate pool of uh IP addresses so 10.8 uh.x uh for example. Um, and then once the client has that IP address, for all intents and purposes, they're on the internal network and they can browse to whatever host that they wish, provided there's no like firewall rules or anything in the way, which in my case there's not, we know. Um, so again, that's fairly easy to set
up. Um, I do remember seeing um the VPN tab when I was casually browsing the admin web portal at some stage, so I assume it's easy. Um, for some reason it does feel safer than just directly port forwarding and exposing um, uh, the host. I'm sure that's debatable, but uh, you know, again, VPNs are all encrypted and whatnot, so feel safer. Um, and if I get stuck, um, I saw there was a ton of tutorials online that I could follow on YouTube. Um, so naturally that's the route I wanted to take. So I open up my uh, YouTube tutorial. Um, and it says, "Okay, navigate to the OpenVPN tab." Um, so I go to my admin
web portal and and and look for it. Um, I'm expecting to see this. Um, but when I log in, I see this. So, you can see it's a very very cut down version um of that uh uh admin web portal that we probably saw in the tutorials. Um, and I know it says I'm in the basic tab here, but I can assure you I went through every single tab. I went through the advanced tab and it's just not there. So, what gives? So, I do some digging online. Uh I'm an expert Googler. Um and I come across this uh forum post. Uh believe it or not, ISPs um have forums. Um and a fellow digital Karen has basically
complained about the exact same thing that I have that their OpenVPN server uh functionality is gone. Now, the moderator for TPG has said for vague security reasons that they've chosen to disable the VPN service on the router. Um, and that's that. So, that sucks for me. There's no no uh no VPN functionality. So, at this point, I feel like I have two options again. I can buy a newer and let's face it, better router, um, which is going to be the easiest of the two options. Um, it's going to let me do all that basic security crap that I should have done from the very beginning. So, like VLAN, uh, firewalling, and all that. That's just going to be available
straight out of the box. That does cost money, though. Um, and for those that know me, I'm notoriously cheap. Um, and if you look at that bad boy up there, all those antennas, all those LEDs, they just they look expensive. Option two is I hack the router. That's going to be great. I thought it's going to be just like the movies. I'm just going to type really fast at it. Um and then it'll open up a shell and I can have my VPN server back and Bob's your mother's brother. We're good. I also thought, you know, it's probably just uh some Linux variant um under the hood. So, all I would have to do is find
an OpenVPN binary, push it up there, and uh run it, and we're good. The problem is I actually don't know how to talk to the OS uh of the router. Um so, that's a problem to overcome. Um but naturally, that's the route I want to take. So, where do we begin? Uh well, like I said, uh we need a console onto the router. And I'm sure most of you know that routers um even those big fancy routers with LEDs and antennas don't have HDMI output ports. Um so you can't just plug in uh a screen and see what's happening and you can't plug in a keyboard and start typing away at it. So um that's a problem. Um the only way
we're really going to be able to talk to it uh is indirectly via the network uh services that it's exposing. uh at least that's traditionally uh how you would do it. That is until I discovered UART. So UART stands for universal asynchronous receiver transmitter, something to that effect. Um and that's a common mechanism for developers to basically debug the firmware that they're building because when you think about it, um they need some way to look at it and and see what's happening behind the scenes. So that's exactly how they do it. Um so UAT is a set of typically four ports. Sometimes uh it's doubled but um it's usually four. They're directly uh on the circuit board and they have uh
four functions. So VCC uh will supply power uh to it in the event that you're not connected to mains. Um ground port will provide a shared reference voltage uh between devices so they know what's signal high, what's signal low um and that they can communicate uh properly. Uh RX, as you might imagine, accepts data into the device. Um and TX is what sends data out from the device. So if you look at the diagram there, it's a pretty uh pretty accurate representation um of of what's happening. So what do we need to uh start talking via UR? Well, we need a couple of things. Uh first and foremost, we need a multimeter. Um you might be surprised to
learn that despite having universal in the name, uh the order of the ports between devices are not always the same. They could be different. Uh so we need a multimeter to diagnose which port is which essentially. Um, we need a USB to UART device, which is the uh that sort of halfbaked image there in the bottom left. Um, and that's going to be doing the translation between um the UART ports on the device and the computer that we're using to um, you know, interact with it. We'll also need some header pins and wires, which is the image on the right. Um, and the reason is on production boards, they typically remove these, as you can imagine. Um, so
we will need to uh resolder these. Um, and that u surprise leads us to also need a soldering iron um and some solder. Um, not just to necessarily attach the pins back to the board. Um, but sometimes the traces uh to RX and TX have actually been cut by uh the developers. So, uh you can't tinker with it. Um, which is what I found as well. All right, so we're going to try a demo. Um, I have no idea if this is going to work. Um, but let's give it a shot. We'll pray to the demo gods. Uh, so I have my lovely assistant, Brent. Um, okay. So, he's just going to Yeah, see, it's not working like right away. So,
we're off to a great start. >> Great. Uh, okay. And again, I I it's going to be difficult to hold the microphone. We'll see how we go.
>> Okay. That should be good to go. >> Hello. Oh, wow. Okay.
Yeah. All right. Wow. Very nice. All right. I'll just pull this out. I'm sure we don't need that. All right. So, the first thing uh we're going to do is uh try to identify the ground port. Um, so for this we need to switch our multimeter into continuity mode. Turn this on. >> It is on, isn't it? >> No. >> Ah,
it's the same god. It didn't work. All right, that's okay. I have a backup. No dramas. You're just going to have to hear my lovely voice.
>> Are we all ready for the next problem? >> No sound. >> First step is to put the multimeter. >> That's okay. I'll narrate it. I'm I'm I'm ready for this. So, the device is now in continuity mode. Uh the first step is to place the black probe on the grounding plane. So, on uh routers, the wireless antenna gold plate there is always ground. Um and then we probe each port until we hear a beep. Now, we don't hear a beep because there's no sound, but um that red light indicates that we found ground, which is on the far left port. In this next step, we plug the device into main's power. Uh we set to DC volts, put our black
probe again on the grounding plane, uh and this time we power the device on, and whilst it's powering on, we probe uh one of any of the other ports. Um, so in this port here, you can see a consistent 3.37 volts. Um, and it's fairly steady. It's not changing. So this indicates that it's probably the RX port. Um, and the reason is that there's no keyboard input that's being sent to change that signal. Uh, so the next step, we do the exact same process. Uh, black probe on the grounding plane, turn the device on. Um, and now this port here we suspect will be the TX pin. And the way we will know for sure um is if we start seeing uh a
fluctuation um of the uh electrical signal which I'm hoping will appear now. Yeah. So that's the uh that's the console out uh output coming from the device. So we know uh for sure that that is uh the TX port. I probably had something else in the voice over. That's why it's not exactly lining up. But uh yeah, it's the TX port for sure. Cool. So the next step is to plug it now into the uh uh the UART USB device. Uh so there is a pin out specification for this in my slide which I can show after. Uh but essentially we just want ground to ground. uh we want the TX port of the UART to go to the RX port of the uh UART
USB device and vice versa. U then all we need to do is open up a putty session, set uh the connection type to serial uh com 3 is the USB line for this um and then we set the board speed to 115200 which is a fairly common uh board speed. Uh, so yep, what we do now is we just power on the device and we cross our fingers. I mean, I don't have to cross my fingers. It's a demo and I know it works. But there you go. So now we can uh see the output from the device and we can also start sending uh keyboard input to it as well. Um, okay. So back we go. All right. So I
do all that um and uh I now have console output uh from the router. Um and I unfortunately find there's one more step for me to overcome. Um and this is where I sort of start to need to think like a pen tester. Um typically um on these devices once you get uh like a UAT shell you just drop straight into the shell. Uh but not me. I uh ended up at a login screen. Uh so obviously I can't reenable OpenVPN until I'm logged in. Uh so this is a problem. Now I like to think I'm a bit of a connoisseur when it comes to default passwords. Um it is my job after all to
know these things. Um so I've tried all the ones that I know about root root admin root tour all that stuff. Um and nothing nothing was working. Um, I know that the passwords on Linux are hashed in a file called uh Etsy shadow. Um, sometimes Etsy pass WDD if it's old enough. Um, so yeah, it would be great if I could get that uh and potentially be able to crack the password to get in. Now, obviously I don't have access to the system to get it. Um, but if only there was a way I could dump the file system and see. Well, it turns out that I could. Um, so I don't know if you saw in that very
blurry demo, but um, when the putty session was open and the device was booting, um, it said something to the effect of press T to interrupt boot. Um, and if you do that, you get presented with, uh, this screen. It's called the CF recovery shell. Um, and that lets you do like a few basic functions, um, prior to actually booting the operating system. One of those being um to dump the flash storage, which is the file system. So great, that's exactly what I need. Um now, this is a fairly short talk, so I I'll just say and lie. Um there was absolutely no problems with me doing this. Like I just dumped it and everything worked and it was great and I
had the uh file system. So my initial plan was to mount it um and then just start browsing the files. But again, um, problems seems to be a theme for me. Um, I couldn't get it to work. So, I went to plan B, which was to just, uh, mount uh, the file itself in my hex editor, just hit F and start looking for things that might be the password. So, like um, admin or password or things like that. Um, and I made this video. I don't know if there's going to be sound, but um for those of you that know the show Archer, um it documents my experience.
Hell yeah. So among the valid passwords were admin 1 2 3 4 guest guest and test test which means we have a couple of findings. Now any good pentester worth their salt will take one finding and make it two. So that's exactly what I did. Very weak passwords u and they're just sitting there on the file system uh with no encryption. But cool, I now have access to the router. Um, and uh, snooping around, I confirmed that it is in fact a Linux system like we suspected. Um, it is compiled for the MYIPS architecture, which I found out later isn't uh, uncommon for embedded devices. They typically are compiled for MIPS. Um, and most importantly, the OpenVPN binary is
still there. Uh, which is fantastic because I didn't have an OpenVPN binary compiled for MIPS. So, mission accomplished, right? Not really. Um, because while it is great that I can perform surgery on my router, crack it open, um, wire it all up, uh, get the OpenVPN server running, any time that the router resets, we would have to do it all over again. Um, and you might be wondering, well, why can't we just uh set it to run on boot? Um, why can't we just set it up as a service? Um and the reason is because the file system is actually mounted as read only. Um we do have admin access so we can remount it as read write make the
changes we want and then hit save and reset. Uh but that's when I uh encountered the scenario on the right. Um if you change the file system the CC hash no longer matches on boot time and the whole device is bricked. You can ask me how I know. Um, but that's exactly how I know. Um, so ultimately we need remote code execution uh on the device. So we're actually sort of circling back to where we were before where we can only talk via the exposed network services. Uh so again uh part of my pentesting process would be to run an end mapap scan to see what's listening. So that's exactly what we do. Now there's a few sort of uh common
services there that we can see. Um there was sort of no instant wins for us in terms of code execution. Um a lot of this stuff was custom developed by TPLink. Um so as you can imagine not a very popular set of software to find vulnerabilities in. Um so we're sort of we're going to need to do a bit of work in terms of getting our uh remote code execution. So I figured the best bet was going to be the admin web portal. Uh reason being um we already have the default credentials. They're printed underneath uh the device. So that's easy. It's adminad admin just in case you're wondering. Um I knew that the web app
must interact uh to some degree with the operating system, right? Because there's a lot of functionality in there um that is going to need to call some sort of OS uh level stuff, right? So for example, um the image on the right there, we can see there's there's firewall and DOSS protection there. So you'd imagine that one of the things you can do is supply an IP address um and have that IP address blocked. Um so it's probably going to output a command like the bottom right. Um and as part of that command uh that part there is probably going to come from us because we're the ones specifying the IP address. Um so if we're lucky, we might be able
to inject uh new commands into that process. Um so to give a bit of a primer as to uh command injection and what it is uh well on Linux uh there's a couple of different ways you can go about um sort of performing multiple commands. Uh so if you want to do three commands for example uh you can do them one at a time like the image on the left just one after the other. Um you can also chain them together uh and separate them out on a single line via a semicolon character um and you have the exact same result. So you can probably see where we're going with this. Um, if we go back to our example, um, and
we, uh, supply an IP address, if the web app is not filtering that semicolon character, we might be able to supply not just an IP address, but a semicolon character and an arbitrary command that we want to run. So, uh, bottom line, we're going to want to see what commands are actually being run as we're using the web app. Um, so we do have the console access via UART. Um, but that's not going to let us see what commands are actually being run. It's going to let us see the output of the commands that are being run. Um, and the reason is because the commands are going to be ephemeral. So they're only going to sort of be there for like a second as
the web app's doing its thing and then it's going to disappear from the process list. Um, so we need a solution to essentially make sure that every process that runs is going to be available for us to view. Um now on Linux there's a tool called ppy which does this for us. Um it basically runs the ps command makes everything look pretty um adds color and uh yeah it just looks nice. Um so this would be a perfect situation uh uh a perfect um well tool for us in our situation. Um but I couldn't find a piece by binary that was compiled for MIBs. And as you can probably sort of tell, um, I couldn't be bothered, uh, to
to figure out how. Um, so when you think about it, um, all that peace by is really doing is, like I said, running the ps command like every so often, um, and formatting everything to make it look pretty. So my solution was, well, if why don't we just do that, why don't we run it a whole bunch of times and, uh, yeah, and then we basically, uh, solve the problem. So that's what I ended up doing. That was my sort of duct tape solution for Peace Spy. Um, all right. So with that in hand, it was time to do my non-technical dynamic testing, which is just a lazy way for me saying that I couldn't be bothered doing
anything difficult. Um, so as I mentioned, there was uh throughout the whole process here, there was no decompilation, no reverse engineering, nothing like that. My plan to find this vulnerability was very, very simple. it was to just use the web app. Uh start from the very top, work my way down, find anywhere that I could put uh some input um and then uh hit save and use my duct tape piece by solution to see if any commands were run in the background. So I didn't have to look very long. Um in fact, this uh screenshot is the vulnerable page. Um the very first one. Um I made some changes. I hit save and check my pace by output.
I thought, huh, that looks interesting. If config ptm00 down, let's see what the web request looks like to to that generated that command. So, uh, without making too many assumptions, it looks like that that uh, PTM0.0 is coming from us. Um, and we might be able to get code execution via um, command injection. Um, so again, uh, I'm pretty short on time, so I'll just say absolutely everything worked. All I needed to do was put a semicolon character in and, uh, we had code execution. Hooray. Um, so while it is great to have, uh, command execution by, uh, hitting send on the repeater tab in Burp, um, I wanted an interactive shell um, to, you
know, basically save uh, my sanity. Um so a couple of ways you can do this um is you can try running SSH. Uh so unfortunately uh this device did not have SSH. It did have TNET. SSH is ugly cousin. Um so we essentially tied the SH shell to Tnet via this command that you can see here. And then we ran it and crossed our fingers. Yay. And there we are. And that's my uh multimeter beeping. So there we go. Remote code execution. Hooray. Um and you'll see the first thing I ran was kill all CWMP. That's foreshadowing. You'll find out in a second. Um so although that's basically mission accomplished at this point, um I thought
to myself, hang on, I I never updated the router ever. So how did I get here? How did my OpenVPN functionality disappear? Um well that's where CWMP uh enters the picture. So many ISP routers have a remote management service. Um it uses the CWMP protocol which is HTTP based. U in the case of our device it runs on 7547. Um it's actually the same on all devices as far as I know. Um and the ISPs can use this service to forcibly upgrade your routers over the internet. And uh most scarily it cannot be disabled by the end user. At least not in the case of Archer. I don't know about the others but cannot be disabled.
So to sum we have uh an internet accessible service that's open 24/7. Um you might be thinking well how do we prevent attackers from abusing this service potentially? Now most ISPs will just simply limit what IP ranges can talk to the service. Um, that's because the only ranges that need to talk to the service are the ISP, um, their ACS server specifically. Um, now surely this has been applied to this device. Surely we can't just hit it from some random IP address. Well, turns out that we can. Um, and I think this is a finding in and of itself, so I've incremented the finding counter there. Um, but yeah, it's it's accessible to any IP address on the
internet. There's just no um filtering whatsoever. Okay, so it is wide open. Um now surely there's not default credentials for this service floating around the internet somewhere. And there are so here we are again with weak passwords. U now they did uh uh I don't want to give them too much of a bad rap. They did take the opportunity to put TPGCPE before user and pass. So we'll give them that. U but nevertheless there's default credentials for the service available. So again we have an unstoppable service that we can't stop at all um which apts and uh ISPs as well can reach into my gateway. Um, now I did discover thankfully that the purpose of this
service um doesn't really uh the fact that you have the credentials, it doesn't really matter, right? Because its only purpose is to essentially be kicked into reaching out to the preconfigured ACS URL to pull down new firmware. So the fact that we have the credentials means that we can just kick it and say, "Hey, go go go talk to your ACS and get your latest firmware." Um, but even even if that's the case, it's just a running Linux binary, right? So, if it accepts input, it could be vulnerable just like any other binary, right? So, is it secure? Well, this is me browsing uh just just uh the default directory for this service. So, you can
see it is HTTP based. Um, I can't give too much away of this one because it is still technically a zero day. Um, but with a little bit of fuzzing, you can just knock it straight over. So, that's great. Um, and okay, so now I'll talk a little bit about why I think routers are becoming an attractive target. Um, well, that's because, uh, embedded device developers, they're really terrible at security. Um I was barely trying uh with with with this and you know there's six uh things that are sort of rolled out of it. Um I also did discover that firmware is often reused across um certainly manufacture specific devices. Um so if you compromise firmware on one device, it's
quite likely that you'll be able to see that exact same thing on another device uh by the same manufacturer. uh the update mechanisms that we were just talking about they are WAN facing um it's very rare for um routers to have WAN facing services so I think um like these devices like the small home small office home office routers uh are going to be quite an attractive target um and uh tangentially to that um like I said they are used mainly by small office home office users and they've already got crap network security like myself included Um, and there's a lot of them. Um, so some stats from Showdown, uh, port 7547, um, just the CWMP port in general, uh,
there was 43 million devices that got returned. Um, and of those, uh, 3 million were TPLink CWMP. Um, I know that because of the fingerprint I'll show you in the next slide. Um, and I must reiterate, it cannot be disabled by the end user. Like that is a pretty serious problem. um if there's a vulnerability in it um and there's code execution that comes as a result of it, your network's just cooked. So yeah, there's the uh uh screenshots there from Showdown. Um so the TPLink uh service returns a very uh unique fingerprint there TR069 HTTP server. Um and that is uh available on 3 million endpoints. So yeah, quite quite quite a fair bit.
Okay. Now, um I'm just going to play the video. Uh I'm going to need to narrate it because uh there's no sound, but I'm I'm just not risking it. >> In this demonstration, we're going to >> let me just >> All right. So, first thing we're going to do is connect to the device. Um, I've got a little service monitor thing uh in the bottom there, which once it comes online, you'll see it all light up green. Even in my recorded demos, there's problems. Jeez. Um, okay. So, yeah, services are up. Um, so the first uh the first script I'm going to run is the rce script that we uh just just talked about. Um, so the thing that opens
Telnet. Um, so here I'm going to the admin web portal and just starting a new session. Um, funny story, the reason I have to do this and get a session key instead of like just giving it the username and password is that there's some very convoluted uh encryption done client side uh of those credentials uh before they're actually sent to to the device. Um so I found that it was actually just a lot easier to just log in um get the session cookie and then use the session cookie. Um so yeah we will now with the session cookie in hand just run the rce script uh we give it the IP address 192.168.1.1 and the uh session ID as well.
So that's just going to do uh what we sort of discussed in the previous slides. It's going to open up TNET um via the command injection and then just automatically launch into it. Cool. So now we are connected via TNET. Um the second demonstration is going to be the uh denial of service for CWMP. So you'll see that the CWMP service gets knocked uh offline as the um uh script runs. Now we can reenable it via the console um and then we can just knock it straight back down. and bring it back up and knock it back down. Hey. Um, yeah. So, we can just do this indefinitely. Um, so yeah, it's it's quite a quite a problem.
All right. And that is it. Is there any questions, comments, or concerns?
Yes. >> Is the uh CWMP enabled only on like telco provided archers or is it on like store? >> Um yeah. So as far as I'm aware it's only on the ISP issued devices. Um I don't believe it's enabled by default um ones that you sort of get from the store for example. Um, and that's particularly uh just because um uh the ISPs like sort of mandate that the firmware developers push updates. It's sort of part of their contract is my understanding. >> I'll be sure to check my secondary. >> Please do. >> Yep. Up there.
>> Uh sorry I couldn't hear. >> There's a user called SU. Oh, yes. Yes, I know about that one. Yeah. Yeah. So, that's uh been removed in the latest firmware. Um but yes, there was a uh built-in root account for this web app uh called su. Um and there was a default password um that they didn't bother to tell users about. Um, so if you uh for whatever reason exposed your admin web portal externally, um, an attacker could get in with just that set of default credentials and it was really bad. Um, it was around for like years, I think, before they before they patched it out. Um, I did try that. Um, I did try
hunting for that password again, by the way. Um, I did some actual proper reverse engineering after. Um, it looks like that whole account's been been nuked now. So, at least that's a win. Yep. When you kick CWMP and it's looking somewhere remotely to find the firmware, >> that remote resource that it's looking for, how is that actually set? Is that just hardcoded by the ISPs when they deploy it? >> Yes. Yes, it's hardcoded in the firmware. You can change it. Um actually, no, you can't because they they change that functionality. Um so yeah, uh just repeating themselves now. Um but yeah, that is preconfigured. Um, and it used to be that you could uh change it via the web admin portal. I'm
pretty sure I remember seeing it. Um, but yeah, in terms of like out of the box, it's it's preconfigured >> because that's the only defense against the default credentials against >> Yes. Yes, that's right. So, in theory, like if you were able to somehow remotely set the ACS URL and then you kicked it and said go get firmware, it would go and point to uh whatever you've set. Um, so if you're, you know, someone that's malicious and you've put something in there that's that's just going to your evil server, then yeah, they're cooked. >> Sorry, we're going to kill it there because we're actually we're gone right through the afternoon break and we need to do the slides for the closing and get
up to date. So, if you got any more questions, grab Luke after while we set up uh probably a five or 10 minute break now just while we update slides and then back for this afternoon. And thank you to Luke. >> Sorry about that. >> Oh, thank you very much. physical glamorous system.
Yep. It's getting close. Um, yeah, sorry. I would have started this a minute ago, but I was too busy playing closing slides. So, I will crack on as we get close and hand over to Cole talking about real coverage and capability, shining light on the real application security problems. Cole, take it away, man. [Applause] Hey everyone, how are you all going today? >> Yeah, good. I'm not a clever man. I'm very thankful that Nigan Dolls gave me some panadol cuz I had way too many old fashions last night. So, and afternoon slots, I got saved cuz this morning I went and met a lot of my team members down near the lake. I thought to
myself like, "Yeah, I I could absolutely live here." But then um I realized I'm living in the bougie part of the town, so probably not. So, that's kind of broken my love story. Anyway, my name is Cole Cornford. I'm uh Australia's application security guy I guess at this point because I do a lot of annoying things on LinkedIn. So I um run Gala Cyber software security company. So if you need help with random software security stuff, hit me up. Maybe I can. We have a lot of different types of customers around the world. I've had some really weird engagements and also a lot of really fun ones. I love being a dad. Uh, my family was
overseas in China for a month and they came back last week. So, I get to spend a lot of time with my kids and the first thing they said to me is, "Dad, you've gotten fat." Which is which is really great. This is exactly what I want to hear from my two little ones, you know? So, um, I'm really thankful to have the opportunity to be presenting at Bides Perf. And like that's one of the great things about going to community conferences is it's about the community. So, yeah, let's make more friends over here. Now, on to software security stuff. I'm going to promise you all something that we're going to explain why coverage and
capability are flawed ways of measuring your software security programs. We're going to outline a new framework that I've called the five eyes for some reason. Explain why I'm including each of the eyes in there and provide metrics to using it. And then get some Q&A from you all. Okay. Now, I'm usually a pretty happy person. I've got at least three people in the audience that can attest to that. I got three people. Put their hands up. Three people who think I'm a happy person. I got one. One, two, three. Yep. There we go. Good. And but I I've been pretty angry at the at the um the coverage and capability narrative. I I think it's
false. And I was thinking about it when I was doing a webinar at towards the start of the year where I was talking about what are the trends that I'm expecting over the next couple of years to be and I was thinking oh I was looking at the slide deck and thinking appsec products are failing our developers and we were seeing a lot of this um where I was talking about we have different types of products that have evolved over time to solve different types of issues in software security like we have um patternbased static analysis tools that'll look for like hard-coded regular expressions or AWS API keys and so on. Eventually moving more towards um data
flow or taint analysis based static analysis but we know high assurance is usually manual interrogation of source code or doing penetration testing but then the industry realized that you know reading every single line of code is very expensive. So we've got to go find other ways to find vulnerabilities and so we started introducing lots of capabilities. Now we have composition analysis to look at all the different dependencies that we have and the vulnerabilities associated with them. We have containers to look at like container security and infrastructure as code scanning. We have dynamic scanning to look at uh what's happening like you know simulating basically a penetration test and all these other acronyms up the top that I
can't remember what they stand for. So, so I got my bird brain on and I was thinking hm wait coverage like what why are we why are we doing this? Like is it is it a good thing to have like 30% of our our applications have a WAF in front of them? Is is it is it better to have 70% of our apps or 100% of our applications have a WAF in front of it? It's a I don't think that that's a very good thing. The same as like is this the way to measure an application security program is a number of capabilities that we're we're introducing. I I thought it was about reducing risk.
I mean it's it's easy to measure. You can you know time scale stuff and say hey we have more apps now covered by these different types of controls. We we do more programming languages. Um so on so forth. If the line goes up the executive gets happy. If it goes down, they get sad. Um, it's just horrendously ineffective. So, like, let's let's think about coverage. Is this good coverage?
>> Yeah. Why Why is it good coverage? >> Yes. Go Perf. It's It's where the people are. Um there's not that many people who are living in like central Australia as opposed to on the east and the west coast, right? Like I think that if you're focusing on introducing controls to get 100% coverage across things, then it means that you're spending a lot of extra effort on things that don't matter right? Here's a common question. You need a W. Who needs a W? You need a W. Do you need a W? You need a W. >> Yeah. Okay. Sure. Yeah, it's great. We just set our entire environment on fire. It's fine, you know, and just burn some money or pay.
It's good for Cloudflare. Like their stock is up 150%. But then like if you go back to those metrics I was talking about, um what would be a little bit more appropriate is probably having a W in front of your API gateway and then having that um talk about different resources behind the scenes. Well, does that mean you have 100% coverage of all your internal applications for WFT? Maybe no capabilities. So, this is from a product called Iikido and it's an application security posture management product. Look at all the things. Wow, it does so many things. Oh my gosh. That's that's just assuming ASPM. You know, any individual one of those capabilities is challenging to get right.
Here's a bunch of different static analysis tools. And I'll say a few things that I've come across in my days about using and trying to roll out and roll do static analysis. This product doesn't support Java 22. This team uses poetry, not Pippi. Sorry, can't use that scanner. This product decided to delete my integrations cuz they got acquired by a bigger business. This business unit is on GitHub and everyone else is on prem TM TFS. I can't swap tools without breaking all my legacy systems. I got invited to play golf with the sales rep. It's just very heavy lifting with a lot of overheads, you know. So I I worry about every time we introduce an
additional capability, you create it maintenance effort for every single one of those. You often have overlaps, a lot of duplication of work, a lot of change management, a lot of process. So I was thinking this is basically the same as the thing I was talking about before coverage and capability. You know it's more coverage isn't necessarily an improvement in security and more capabilities is that justified for the cost that you're putting into it. So I went from having a bit of a love story to saying that it's trouble you know so what could work instead? What's a different way of doing things? I was thinking, oh, like, yeah, we need something that's cool. Like the ASD top
four, application security director at top four, the um Essential 8, top 10, Nifty 9, Software Serious 7, and then I landed on Oh, that's it. The five I got. It's just that's it. It's so easy. It's brilliant. And then I was like, okay, well, I got to make a backy from this. So, we'll go with five eyes. I want it to be risk oriented because I see so many people who just misunderstand what risk is like is an open door a problem? >> Situational. >> Yeah, entirely situational. You know, it turns out that you probably want people to come in and listen to my talk. [Laughter] I also wanted to make sure that we didn't focus very heavily on just purely
the technology part of running an appsec program because as often as software engineers which is the traditional pathway for most people to move in into software security they tend to focus on the software aspect and on the other parts and voila this is what I came up with the five eyes you can inform understand like the threats your current state and what your business goals are You iterate because you can't stop learning and you need to keep improving. You need to innovate because every business is unique and you can build unique solutions for them. Integrate because tech doesn't play nice with each other and influence because sometimes you need a stick and sometimes you need a carrot.
Yeah, I know. Like why didn't I think about there's six six up there but it's five eyes. Okay, so let's start with the first one which is innovate. Who works at an enterprise? >> Is this calendar familiar? >> Where's the managers and directors in the room? Just just love this. You You have two things that happens when your calendar ends up like this, which it invariably does. This is the only time I get work done late at night. or well, I'm just going to go put my hand hat on and start firefighting constantly cuz I got no capacity to actually think about things. Everyone agree with that statement. Who are the late nighters? And who are the
firefighters? Firefighters, hands up. Yeah, late nighters. I feel bad for you two. You shouldn't be late nighters. You work for me. main thing is that if you're either having to use all your outsides of work hours to think about work, that's that's not so great. And if you're firefighting constantly at work, that's also terrible. You got no time to think about things. And that means that you're not necessarily doing the right things. You're just doing things right. One of the things back in the day that Google did was this idea of 20% time where they'd say, "Hey, one day a week, as long as you build spend it building something, maybe you can innovate and
come up with something cool." And they did. They had Google News, they had Google AdSense, Gmail, and Google Maps came all out of that 20% time. Just telling smart people to go off and figure things out for themselves. And then they became an enterprise and killed it. But I still like the concept. I like the idea of like having some, you know, capacity walled off cuz that those success stories come from having some capacity available to actually innovate about stuff, right? Like one example I have is go SDL. So that came about because of um Slack. So Slack had um issues with getting engineers to be doing a lot of just like self-service about understanding what requirements
they
Related talks
9:14:20
7:10:54
31:32
33:04
10:10:50
41:24