
Welcome, good afternoon. Welcome to BSides Las Vegas. This talk is being video recorded and live streamed. Got the thumbs up. Thank you, guys. We'd like to thank our sponsors, especially the Inner Circle, Critical Stack, and Valimail. Also our stellar sponsors, who are Cylance, Microsoft, and Robinhood. Cell phones, please be courteous. Put them in airplane mode for a few minutes, okay? Feedback forms are available on the website. Without further ado, I'd like to introduce our speaker. Vanessa Frost is currently a cybersecurity graduate student working with Dr. Kevin Butler at the FICS Research Lab at the University of Florida. Her research interests include protecting consumer data privacy from third parties and eliminating the effectiveness of mass surveillance techniques. Let's give a hand.
Thank you for the introduction, and a big thank you to BSides for this opportunity. One small correction: not the MIT lab, I wish. I'm from the FICS lab, the Florida Institute for Cybersecurity at the University of Florida in Gainesville. So a little bit more about me. I'm a third-year PhD student, again interested in protecting consumers mostly. I got into the PhD gig because I was super concerned about data mining, mass surveillance of populations, that whole thing. And this research is part of what came out of questions that I had. So today we're going to be talking a little bit about DES. That might surprise some of you because it's 2019. Why the hell are we still talking about DES? Let's get into it.

So, a little bit of background. Before we had the Advanced Encryption Standard, AES, we had the Data Encryption Standard. The Data Encryption Standard is the evolution of an algorithm developed by IBM in the early 70s. Just as a note, there are three flavors of DES. There's the OG, DES-56, that has a 56-bit key. There's Triple DES, which is DES three times with a 168-bit key. And then there's DES-40. Now the US treats encryption algorithms as munitions. So in order to export DES to other countries, we had to make a weaker version, and DES-40 was our solution for that. So DES-40 is DES with a 40-bit key.

Now DES-56 was publicly brute-forced in 1997 by participants of the DES challenge. Shortly after that, NIST suggested using Triple DES as a temporary replacement. With a longer key length, it was more resilient to brute-force attacks. Shortly after that, DES-56 was deprecated, and Triple DES followed just last year. Alright, who cares? Some standards committee deprecated DES. Why should we care? Hopefully because we're security enthusiasts, we should care. Encryption using DES-56 can be broken in just seconds. DES-40, with a much smaller key length, can be broken in less than half a second. And Triple DES has Sweet32 attacks. So Sweet32 is an attack that utilizes what's called the birthday bound of block ciphers. So say that you have a cipher with a block length of n bits. The birthday bound of that cipher would be two to the n over two. Basically what that means is that if you have n-bit cipher blocks, you would need about two to the n over two blocks to find a collision between two of them. So using these attacks, researchers were able to find a collision between blocks in less than 25 minutes. Now aside from that, there are also downgrade attacks, which will roll back the version of TLS you have to probably an earlier version that may only support DES ciphers. And there are also middleman servers that exclusively advertise DES ciphers for handshake negotiations, so you're locked into using DES encryption.

Alright, it's been 22 years now. Where is DES? 22 years since it was cracked. Is it still out there? We weren't the only ones curious about this. There was some prior research that looked at recorded connections from 2012. This first paper finds that 1.4% of connections are using Triple DES. And it went down last year to only 0.3% of connections, which is great. We're going down; that's the direction we need to head. The second paper takes a look at DES-56. DES-56 accepted handshakes in 0.9% of connections just last year. And now, according to their website, that's less than 0.05% today. So, looks like we did it. Deprecation of DES works, we don't have to worry about it anymore, right? Not so fast.

So these prior papers looked at a passive analysis of existing connections that they observed over time. That means they're looking at what servers did in the past, not necessarily what servers are capable of doing. We wanted to know if servers were still supporting DES, not necessarily using them. So in order to do that, we first have to understand how a TLS connection works. In a TLS connection, when a client wants to connect to a server, it'll send a client hello, as well as a list of cipher suites that client will support. The server will receive this, send a server hello, and choose the strongest cipher suite to encrypt with that they have in common with the client. Now for purposes of our research, we don't care about what happens after this.
This is important because there are 36 different DES ciphers that could be used in an encrypted handshake. So if you want to find out if a server is supporting this, you have to query it with just that cipher. One IP address, 36 times. So in order to figure out if servers are supporting this in any efficient manner at all, we had to come up with a sort of strategy. Now first, we needed to get a list of IP addresses. Just querying random IP addresses that may or may not exist wasn't going to get us anywhere very fast. So thanks to the generosity of some researchers up at the University of Illinois, they gave us access to their Censys database. Now Censys uses a tool called ZMap to probe IP addresses that may be online. It will send a hello; if that server responds, they will cut the connection with a reset packet and store that IP address as something that is responsive online. So we were able to pull a list of 41 million IP addresses that were responsive on port 443 from Censys and query them. Next, we needed some sort of program or automator that will query these IP addresses with these 36 different DES ciphers for us. So the automator that we created will take this massive list of IP addresses, split it up into a bunch of different sublists, and hand it to these worker threads. Now the worker threads will take each IP address in that list and query it with a DES cipher. Each one, one at a time, 36 times. It will store the result as JSON, and then we can analyze it using PySpark. Alright, so 36 ciphers times the 31 million IP addresses that we were able to query is 1.1 billion handshakes in a period of about six months. All right, numbers, I'm boring you. What did we find? Over 40% of servers worldwide still accept some form of DES cipher. Yep. I'm going to be going through a lot of graphs and a lot of maps now, so feel free to jump in with questions that you have. You don't have to wait till the end.

Alright, so over 40% of servers we queried accepted some form of DES cipher, with Triple DES being vastly the most supported. It was just deprecated last year; that's probably to be expected. However, we did see a substantial and worrying amount of DES-56 and DES-40 being used. We also wanted to know, what about the top sites? These sites, the 40%, may be from servers that never get upgraded, that were connected once upon a time by some guy who was tinkering around in his basement and forgot about his Windows PC forever. Not quite. The top 1,000 of Alexa websites still accept, or 34% of them still accept, some form of DES cipher. And the breakdown for the ciphers that get accepted is about the same. Triple DES is definitely overwhelmingly more supported. But we also did something a little bit cooler that I think I really appreciated. I was curious to know who was accepting DES ciphers. So we ended up taking location data from Censys that were tied to these servers and mapping them per cipher to the countries where these servers are located. So these maps are going to be a percentage of whichever cipher is accepted over how many servers are in that country. Now there are a couple of countries that are striped out. These are countries for which we had fewer than 100 servers reported. We left them out just to be as accurate as possible.

So as you can see, most countries do not support DES-40, with the notable exception of Kazakhstan here, with 32.7% of their servers accepting DES-40. Next up is Liberia with 17.8%. Without legal analysts and policy experts, we can't really say for certain why Kazakhstan and Liberia accept so much DES-40. We looked online at why this might be the case. A lot of countries have either legislation or unofficial policies governing what encryption standards they're following. So for instance, for Kazakhstan, they require both ISPs and individuals to assist in government surveillance. Don't want to be too speculative, that's just something that I'm throwing out there, but there seems to be a lot of evidence to that fact. But it's okay, guys.

Alright, now we have DES-56. We have Niger in the lead with 24%, Liberia with 19%, Canada with 14%, sorry Canadians. Absolutely blame Canada after three more slides. Alright, now we have Triple DES, the problem child. This is where our 40% comes from. The majority of countries support Triple DES on 40% of servers at least. We do typically see a pattern. We see countries that support a little bit of DES-40 and then a little bit more DES-56 and then a buttload of Triple DES support. Again, probably to be expected; it was just deprecated last year. If we pulled this in 15 years' time, hopefully this map would look a lot more like DES-56. We do see some countries that don't fit this pattern. For example, Kazakhstan actually supports less Triple DES than they support DES-40. Not to single out Kazakhstan, it was just a fun country to look at. We also wanted to know, are there any countries that are contributing some sort of imbalance here? We can see the percentage per country, but worldwide, 40%, really? The answer is, yeah, there is. The US, either because they were the most servers that we could reach or because it just has a buttload of computers compared to the rest of the world, had the most acceptances out of any country for each cipher. So as a note, the countries are shaded for the total number of DES-accepting servers that were found in that country. And the bubbles are just more localized points where some of those servers were aggregated. Just as a note, there were some very small bubbles that we had to cut just in order to be able to render these maps. And there were some very large bubbles we had to cut that are still represented by the shading of the country, just so we can read the map. So even though Kazakhstan supports a higher percentage of DES-40, the US supports their own export cipher more than any other country. Oh, yeah, no. So where we got this geographical information from the servers is not necessarily super accurate. They are supposedly 99% accurate to the country. The region is less accurate, and then the city is even less accurate. So actually for the majority of our countries, the dot that we had, the latitude, was over reservoirs and lakes and seas. Probably no servers there, I'd be willing to guess. So we're not really sure why there's that big bubble over Florida. My initial thought was Gainesville and all of the university polling that they do, possibly also NASA. Don't take my word for that at all. Alright, now we have DES-56. So Canada wasn't quite in the lead for percentage accepting, but they are second place behind the US for the number of DES-56-accepting servers that they have. Now, there are a lot of countries that support Triple DES at 40% of servers, but the US definitely dwarfs every other country in terms of raw numbers. China comes in next.

Now, there were some limitations to our study. For instance, we didn't get a chance to look at the longitudinal information for DES support. So an IP address that we queried a month ago, we couldn't query today and see, are they still supporting what they did last month? We just didn't have the time. And next, our list of IP addresses is from a single snapshot in time. Our scan took six months, so that means that by the end, when we were getting to some of the IP addresses on the lower parts of the list, it's possible they were taken offline, they were unreachable, other machines could have cycled onto the network. We have no way of knowing. So we do include this Sankey diagram, something that gives a breakdown of which servers were responsive and which ones weren't. So the servers that gave us unknown errors were actually responsive; it's just for some reason our client was not able to communicate with them. Could have been a configuration error on our part, could have been a configuration error on their part. There was just no way to know. We also got some I/O timeouts. Each I/O timeout and connection timeout took us 10 seconds before it actually timed out. So the I/O timeouts, these servers were actually responsive. It could be the case where we would query it with one DES cipher, we'd get an I/O timeout, we'd query it with another, and we'd get an accepted handshake. So we had to leave those in just to record our accepted handshakes. For the connection timeouts, these were servers that weren't reachable, that weren't responsive. And in order to save time on our polling, once we got the first connection timeout, we ended up dropping all subsequent connection attempts to that server. Otherwise we'd be spending six minutes on each IP address, which was just not feasible.

Alright, we've seen the map. It's everywhere. Why? Why is DES still being used? We had a couple of ideas. One is that these people who are accepting DES may see that removing support for DES encryption could remove support for legacy machines. And secondly, as we saw, national policy might influence which encryption ciphers get used. But we don't think these are compelling reasons, because 40% of global servers aren't legacy. The previous research has borne this out. At the highest number that we saw, Triple DES, 1.4% of connections were using DES. Why are they needing 40% support? And as we saw in the raw numbers, national policy might influence what a country does within its borders, but its neighbors are not beholden to its encryption policies. So that's not the weighing factor either.
Okay. We see DES. It's everywhere. We have a couple of ideas why it could be there, but they're not very compelling reasons. So how do we get rid of it? We had a couple of ideas. So, the first one is pretty straightforward. Maintain support for legacy users only on an as-needed basis. Take a look at your customer traffic. Take a look at what encryption ciphers they're using, what their handshake looks like. If you drop DES support, we believe that you will lose a shockingly small amount of user traffic. And the previous research has borne this out. Two, review your internal encryption policies with some regularity. As an example, OpenSSL dropped support for Triple DES in 2016, and Triple DES is still being supported in 40% of servers. That means either people aren't updating their OpenSSL, or they're copy-pasting, dragging old configuration files, or they're manually adding it back in. And if that's the case, probably nothing I say in this talk is going to dissuade you. Next, propose a cutoff point for DES support. If anybody here is familiar with the tale of the renegade YouTube team and killing IE6, you know how effective that is. As a step in the right direction, most major browsers have announced that they're going to drop support for TLS 1.0 and 1.1 by 2020, which is good news because they still support DES ciphers. And lastly, we have a compelling alternative to DES. It's faster, it's stronger, it's free. It's not patented by anybody. Please use it.

And now, we saw which countries were supporting them, how often DES was being supported. We wanted to know who's still supporting DES. So to that end, in the future, we're hoping to take a fingerprint of IP addresses which do advertise support for DES. We have some preliminary results using reverse DNS, and what we find is that typically companies that offer services like cloud computing or leasing computing power have the largest numbers of DES-supporting servers. Now, we're assuming this isn't the company's practice, it's whoever they're giving these machines out to who's responsible for this configuration, but we're not sure. And to summarize, DES ciphers are broken. They've been broken. They don't provide adequate security guarantees for online communication anymore. Over 40% of servers worldwide still support some form of DES cipher, with Triple DES being vastly the most supported. And DES ciphers are being used less over time, which is good, and we can probably expect to see a long tail as they gradually fall out of support. And we can take more proactive measures to phase out DES support completely. Otherwise, we risk being haunted by our past. Thank you for listening to my talk. Any questions?

Yes. Is that correct? Yeah, so for the majority of TLS implementations that I'm aware of, you can manually add support for specific ciphers or drop them. But yeah, TLS 1.3 by default doesn't support DES. Yeah, so the question was, is there a paper that we published for this research? And yes, the paper name is Examining DES-based Cipher Suite Support within the TLS Ecosystem. We published it at AsiaCCS just this year, and feel free to go read it. It's got a bunch of pretty graphs in it too. Yes? So the question was, does Sweet32 affect AES, which is also a block cipher? And are there other modes of encryption for AES that you can use that will mitigate that attack? And the answer, in short, is I'm not an encryption expert. But I would assume that AES is subject to Sweet32 attacks. But because AES's block size is much larger than DES's, DES's block size is 64 bits, AES is, I think, 128. Yeah, it will be less susceptible to those attacks. Yes. Did I probe email too? No, we just probed IP addresses that were responsive on port 443. We would like to look at email as well. That's probably why a large number of our DES ciphers weren't used ever, but we didn't get a chance to. Why not port 22? Simple answer, because we had very limited time. Yeah. Gotcha. All right. Thanks, everybody. Thank you. Thank you.
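As an added example, not code from the talk or from the paper it describes, here is the probing strategy the speaker outlines, written in Python for auditing servers you administer: each probe offers exactly one OpenSSL cipher name with TLS capped at 1.2 (TLS 1.3 has no DES suites), outcomes fall into the talk's Sankey buckets, a host is abandoned after its first connection timeout but not after an I/O timeout, and results are rolled up by DES flavor. The host names, the six-suite subset of the 36, the constructed outcomes and fake_probe are assumptions for offline use; the cipher_unavailable_locally bucket covers OpenSSL builds that have 3DES compiled out, which is one way a client-side configuration error shows up.

```python
import socket
import ssl
from typing import Callable, Dict, List

# Constructed subset of the 36 OpenSSL-named DES suites the study probed;
# a full audit would use the complete list from the paper.
DES_CIPHERS = [
    "EXP-DES-CBC-SHA",          # DES-40 (export)
    "EXP-EDH-RSA-DES-CBC-SHA",  # DES-40 (export, ephemeral DH)
    "DES-CBC-SHA",              # DES-56
    "EDH-RSA-DES-CBC-SHA",      # DES-56 (ephemeral DH)
    "DES-CBC3-SHA",             # Triple DES
    "ECDHE-RSA-DES-CBC3-SHA",   # Triple DES (ECDHE)
]

# Outcome buckets: the talk's Sankey categories plus one for the client side
ACCEPTED, REJECTED, UNKNOWN = "accepted", "rejected", "unknown_error"
IO_TIMEOUT, CONN_TIMEOUT, SKIPPED = "io_timeout", "connection_timeout", "skipped"
LOCAL_UNAVAILABLE = "cipher_unavailable_locally"


def des_family(cipher: str) -> str:
    """Map an OpenSSL suite name onto the three DES flavors from the talk."""
    if cipher.startswith("EXP-"):
        return "DES-40"
    return "3DES" if "CBC3" in cipher else "DES-56"


def probe_tls(host: str, cipher: str, port: int = 443, timeout: float = 10.0) -> str:
    """One handshake offering exactly one suite; returns an outcome bucket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checks are off on purpose: the question is only whether the
    # server will negotiate this suite, not whether its certificate is valid.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    # TLS 1.3 defines no DES suites and ignores set_ciphers(), so cap at 1.2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        # @SECLEVEL=0 lets OpenSSL offer weak suites it would otherwise refuse
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    except ssl.SSLError:
        return LOCAL_UNAVAILABLE  # this OpenSSL build has the suite compiled out
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return CONN_TIMEOUT  # unreachable: timeout or refused
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # Only one suite was offered, so a finished handshake means acceptance
            return ACCEPTED if tls.cipher() else REJECTED
    except socket.timeout:
        return IO_TIMEOUT  # TCP connected, but the server never completed the handshake
    except ssl.SSLError:
        return REJECTED  # e.g. handshake_failure alert: no shared cipher
    except OSError:
        return UNKNOWN  # reset or EOF mid-handshake


def scan_host(host: str, ciphers: List[str],
              probe: Callable[[str, str], str] = probe_tls) -> Dict[str, str]:
    """Probe one host with each suite in turn (36 handshakes in the real study).
    As in the talk, a host is abandoned after its first connection timeout
    (else an unreachable host costs len(ciphers) * timeout); an I/O timeout is
    not fatal, since a later suite may still be accepted."""
    results: Dict[str, str] = {}
    unreachable = False
    for cipher in ciphers:
        if unreachable:
            results[cipher] = SKIPPED
            continue
        results[cipher] = probe(host, cipher)
        unreachable = results[cipher] == CONN_TIMEOUT
    return results


def summarize(scan: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Share of hosts accepting any DES suite, plus hosts per DES flavor."""
    per_family = {"DES-40": 0, "DES-56": 0, "3DES": 0}
    accepting = 0
    for results in scan.values():
        accepted = [c for c, r in results.items() if r == ACCEPTED]
        if accepted:
            accepting += 1
            for fam in {des_family(c) for c in accepted}:
                per_family[fam] += 1
    hosts = len(scan)
    return {"hosts": hosts, "accepting_any_des": accepting,
            "percent_any_des": round(100.0 * accepting / hosts, 1) if hosts else 0.0,
            "hosts_per_family": per_family}


# Constructed outcomes standing in for live handshakes, so the flow runs offline;
# anything not listed is treated as a rejected handshake.
CONSTRUCTED_OUTCOMES = {
    "a.example": {"DES-CBC3-SHA": ACCEPTED, "ECDHE-RSA-DES-CBC3-SHA": ACCEPTED},
    "b.example": {"EXP-DES-CBC-SHA": CONN_TIMEOUT},  # unreachable host
    "c.example": {"EXP-DES-CBC-SHA": IO_TIMEOUT, "DES-CBC-SHA": ACCEPTED},
    "d.example": {},  # rejects every DES suite
}


def fake_probe(host: str, cipher: str) -> str:
    return CONSTRUCTED_OUTCOMES[host].get(cipher, REJECTED)
```

Run `summarize({h: scan_host(h, DES_CIPHERS, fake_probe) for h in CONSTRUCTED_OUTCOMES})` for the offline walk-through, or pass `probe_tls` instead of `fake_probe` with your own host names to audit live servers.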
Yeah. So the red ones came with the software on the CD and not on the badge themselves. So I stuck it up on the loaded. So I mean, people on the ground trying to find a CD drive. I couldn't. Yeah. We're waiting for the last few people. We're gonna close the door soon. Come on, run in, run in, hurry up, come on. Alright, so start streaming. Are you streaming, sir? Streaming? Yay, thank you. Okay, good afternoon and welcome to Besides Las Vegas. Really? You can do better than that. Come on. One, two, three. Welcome. Alright, it's on video. We want everybody to know. Come on. Okay. We'd like to cordially invite and thank our sponsors, especially the Inner Circle sponsors, Critical
Stack and Valley Mail, which are outside in case you missed them. I'd also like to thank Secure Code Warrior, Paranoids, and Amazon. Did I say that? Okay. Cell phones, please be courteous. You know the rule. Okay. I have a microphone. I will pass it around. We'll answer questions. So we'll hopefully record the conversations on there. If there's feedback needed, see the websites, okay? And for further ado, I'd like to invite, announce Elizabeth Wilson, our guest speaker. Thank you. Hi, so I'm Elizabeth Wilson, and thank you for joining me today for Satellite Vulnerabilities 101. Now, just to begin, a little bit about who I am. I have a bachelor's in international business concentrated in Russian language and culture from the
University of Texas at Arlington. And after I got that, I did a 180 and decided to go be a software developer for a few years. I kind of leaned on some job I learned back in high school, passed an entry test, and they let me in. So I did that for about a year and a half to two until I got a scholarship for my master's degree. And I'm currently wrapping up my international master's in security, intelligence, and strategic studies, concentrating in security and technology, based at the University of Glasgow, Dublin City University, and Charles University in Prague. Now the whole reason this talk even came to be is that while I was in Prague, I
got the opportunity to take a course in space security, and I ended up writing my final paper on satellites and their vulnerabilities overall, which has turned into this talk.
Now I also just wrapped up a visiting research position over the summer at ETH Zurich's Center for Security Studies, which ended about a week ago. So a week ago today I was nine hours forward, so excuse me if I'm also still a little bit jet lagged. Now to begin: as one of humanity's global commons, the frontier of space is really the responsibility of the entire international community. Satellites are one of the most important space assets, if not the most important, for both civilians and militaries here on Earth. Now they're used by billions of people every day, often without really thinking about it. They've kind of become utilities that we just sort of take for granted until we reach a point where
they're unavailable. Now, we use them for, of course, Earth observation, communications, navigation, even precise timing and location for precise-timing technologies such as banking and deep space telescopes. Now, the most notable consequences that we would have if we lost a swath of our satellites would be, for one, a communications and transactions breakdown, potentially, of course, to the point of complete unavailability due to the increased loads on the terrestrial infrastructure, as well as the lack of GPS forcing people to actually plot their routes manually again, which would be interesting. Most would probably still just do it on their phones, but some might break out paper maps. And also the systems that have very precise timing, such as
in banking, would suffer from clock drift, which might end in frozen accounts, because they have to have the transactions very tightly tied to the timing, actually. Now there's also going to be, of course, a loss of military capabilities and negative impacts on weather prediction and climate data collection as well. Now just a little overview here. These are the basic vulnerable nodes for satellite transmissions. For example, say you were making a satellite phone call. You would be the requesting entity; you would send out the request through to your service provider, who would then send it up in an uplink to a satellite, which would then bounce it, of course, through at least one other satellite and back down a downlink to more terrestrial infrastructure to the caller at the other end.
And it would, of course, then go back the other direction to make the connection for the phone call. But each of these nodes is somewhere where the satellite systems are vulnerable. Now, there are two main categories of vulnerabilities, physical and cyber, but there are also hybrid vulnerabilities where, say, somebody hacks into a satellite and then moves it into a dangerous situation physically, or, say, somebody uses physical force to corrupt the data on the satellite. So those are also potentialities where it's a little bit of both. Today I'm going to start with physical vulnerabilities. Now, satellites are inherently easier to damage than any Earth-bound object due to their orbital velocity and the exposure to radiation that they
have, which we are shielded from by our atmosphere. Now, these can be either accidental or intentional issues. Primarily, our main threats right now are actually accidental, especially with the case of collision risk, which has been increasing. But there are also terrestrial and extraterrestrial weather interruptions as well. Now, as I mentioned, accidental collision risk is definitely growing very heavily, especially with the propagation of things like the small-sat constellations that are going up currently. A lot of them don't even have propulsion systems, which means if there's an oncoming collision, they cannot move out of the way. One study even found that there was a 30 times increased risk between 100.01 meter satellites versus a single 1 meter satellite due to the
dispersal of the satellites increasing the likelihood of impact. And this is particularly worrisome when all it takes is about a centimeter of an object to do mission-critical damage to a satellite. Now as far as terrestrial weather interruptions go, there is rain fade and ionospheric scintillation, which can both interrupt and degrade signals for different reasons. In the case of rain fade, it's either electromagnetic interference or the absorption of the broadcast, while scintillation actually kind of acts like a refraction of the signal and slowly degrades it until it's no longer recognizable. Now extraterrestrially, we have radiation as a very big threat, which we typically shield against by thickening the spacecraft walls. It's really the only time that any sort of space armor is actually useful here. But
not all radiation can actually be shielded against. In the case of the Van Allen radiation belts, which you can actually see depicted in the background of this slide, these are two belts of catastrophic radiation that have been trapped in our gravity well. And this is actually an area where one of those hybrid attacks could potentially happen, because if you hacked into a satellite and moved it into one of these belts, you could easily destroy it. Now, solar flares are also the other option for potential radiation damage to satellites. They can degrade signals or shorten the lifetime of a satellite. Now, unfortunately, this physical aspect really is the most difficult
area to mitigate risk in. Anything can really be turned into a weapon against a satellite, which is kind of why it's a bit silly when people talk about banning space weapons. Because, I mean, a satellite itself can be used as a weapon. All it takes is a single centimeter object to do enough damage to destroy the satellite, more or less, and 10 centimeters, I believe it is, for catastrophic disintegration. And with all of the debris that we actually have nowadays going up, increasing and increasing, especially with the ASAT tests, it's becoming harder to track this debris as well. And so people have been testing their anti-satellite weapons, such as the direct ascent and co-orbital style ones. And the difference in these two is really just the style
of how it attacks. A direct ascent anti-satellite weapon would come up directly from the Earth and intersect immediately with the satellite, while a co-orbital anti-satellite weapon actually goes into space and sits and waits, kind of like a ticking time bomb, and eventually, when it comes into the path, it goes off. Now there's a handful of countries that have proven their anti-satellite weapon technologies over the years. Most recently this year was India, and I believe that was back in March. And as I mentioned the issue with the debris growing, you can see here a plot from, I believe it was the end of June, that shows the debris that's still in the air right
now from the Indian satellite test. And also to the left is an animation from the ESA showing the orbital debris and how much space junk we have accumulated over time. I mean, this is just the easiest to depict. Of course, there are many more small, tiny things you can't see as well. And those are the most threatening, to be honest, because they're the hardest to track. The other form of anti-satellite weapon is directed energy weapons. And these would be lasers or microwaves. In the case of lasers, you can typically either dazzle or blind sensors, but if it's a strong enough laser, of course, you can also do physical damage too. While microwaves are more for interrupting
processors and maybe even permanently damaging the electronics on board. An interesting aspect of these kinds of attacks is that the attacker may not even really know whether they were successful or not. It might not actually outwardly show that there was damage done to the satellite, even if they are successful. This is also an area for another potential hybrid attack, like with the microwaves, where they could potentially destroy the data on board with a physical attack. Now, moving on to cybersecurity challenges. And if anyone's curious, the binary does say something. It's part of the intro to Star Wars Episode IV. I had to fill it with something. Now, of course, the typical insecure practices and issues that affect normal networks are going to impact
satellites as well because they are tied into these networks: back doors, hard-coded passwords, insecure authentication, all of those kinds of things. But to top that off, satellites have extremely long life cycles, and that exacerbates the issues here, where you get these immensely old legacy systems that have had immense investment going into them, and then you have issues with patching them. It's potentially even impossible to patch them because of a lack of knowledge, time, or money, or the unavailability of even having downtime because it's a critical system. So you can end up with very critical hardware or software issues that just can't be fixed. Now there was an analog-to-digital transition that happened over the years, and they really didn't have cybersecurity in mind
in this process. And the fact is that satellites have very limited processing power; things like encryption eat up a lot of processing power, and you just can't put it on there because it takes up too much space. And that sort of also compounds with the fact that some people have made their satellites as a labor of love and, say, it's just for scientific reasons, and they never even really considered the fact that somebody might want to hack it in the future and redirect the processing power to something malicious. Some people just never thought about it. And this is exemplified by the fact that when the Iridium network was launched, it was considered essentially too complex to
hack. This is from 2007; it's a leaked PowerPoint slide from Iridium, and it says, "The complexity of the Iridium air interface makes the challenge of developing an Iridium L-band monitoring device very difficult and probably beyond the reach of all but the most determined adversaries." This is extremely near-sighted. They really didn't bother with security at all. It's kind of the old security-by-obscurity idea, which is not very smart. Less than a decade later, the Chaos Computer Club in Germany came together for their Chaos Computer Camp, and they took this hubris as a challenge, and they decided to throw together some homemade systems for snooping on the Iridium pager satellite system. And they managed a basic
one for about 50 euros, and it was less than a grand to get a pretty solid setup here. They were not able to intercept every signal, nor were they able to decrypt every one that they intercepted, but it was a significant percentage. And if anyone's more curious about this, you can check out "Iridium Hacking, Please Don't Sue Us" on CCC's website. It's a really interesting talk and I highly recommend it. Now, continuing on with other vulnerabilities. Satellite jamming is a major vulnerability in these systems, partially because the satellite GPS signals are actually weak by design, so it's very easy to overpower them. And jammers are actually pretty readily available to buy online. It's illegal to buy them in most countries and illegal to use them,
but in the UK it's only illegal to use, interestingly enough. So this can also be intentional or accidental because of how easy it is to happen, actually. In 2007, the US Navy was in San Diego conducting an exercise, and they accidentally took down a large part of the city's infrastructure, because it impacted ATMs, cell phones, airport traffic, and a bunch of other critical systems when they decided to do some jamming out in the bay. And of course they stepped forward and said, "Oh, I'm sorry, this was us." But for a while there was a lot of confusion going on in the city, because all of a sudden people's cell phones weren't working, you couldn't use the ATM. Was it a major attack? No, thankfully. But it could have
been, and that's one of the issues there. threatening one was for 10 minutes a day at the London Stock Exchange: they also had it go down every day for 10 minutes for a long time, and it was thought that somebody was hiding from their boss, essentially, like a delivery driver of some kind, and it was intercepting the Stock Exchange's connections up for the timing with the atomic clocks and the GPS systems. So that's just more of a nuisance, though, in that case. Now GPS spoofing goes one step further than jamming, and rather than just blocking it, it also replaces the signal with a fake one. In 2017, there was an issue with a bunch of
ships in the Black Sea where they would show up with a lost GPS fix on their position, or it would say that they were at Gelendzhik Airport, over 25 nautical miles away. Now they were pretty sure they were not at the airport, so obviously there was a little bit of something going on there. And a very similar issue actually started happening around the Kremlin as well with taxis, and it would show that they were actually at one of the Moscow airports rather than where they were, near Red Square in the Kremlin. So these kinds of attacks are actually a big threat, because if it was enacted at a critical time during a military mission, it could severely
impact our people. And as a last example for this section, one of the first cases of satellite interference: Captain Midnight. This was John MacDougall, who dubbed himself Captain Midnight and decided to use his position at a satellite company one night to take over HBO's broadcast for about five minutes. And he displayed this lovely message: "Good evening, HBO, from Captain Midnight. $12.95 a month? No way! Showtime and Movie Channel beware." An interesting aspect here: if you go and look at a recording on YouTube from when somebody was recording that night for the film that was on, The Falcon and the Snowman, you can see that HBO tried to take back over the signal. The show starts to come back and then it turns back
to this message again. And what was happening was HBO was increasing the strength of their uplink to try and overtake him, and he'd increase his strength, and then they'd increase theirs, and eventually they gave up because they didn't want to damage their satellite. And so he finally quit because he was afraid of getting caught, which of course he eventually was. And he's actually the reason the Electronic Communications Privacy Act of 1986 was passed, which made satellite hijacking a felony. So in his case, it was not a felony because it wasn't a felony yet. Yeah, first, like he said. Also, satellites have vulnerabilities that arise from their terrestrial support networks. These are the connections of the people who run them and the ground systems themselves, like NASA headquarters.
This attack surface and the variety of vulnerabilities are both very great. There's a wide variety of ground infrastructure to be attacked. As of 2011, NASA had 190 IT assets all dispersed around the US that were linked into critical projects like rovers and satellites. Now, these high-value targets have typical security threats, from cyber issues to supply chain attacks and insider threats and accidents. So these networked high-value targets are hit very hard with hacking attempts. Eventually something is going to get through, between phishing and social engineering, malware and APTs. It's near inevitable. The larger that an organization is personnel-wise, the more likely that something is going to make it through. The human element really is the weakest link in these technological systems. In these cases, in
2007 and 2008, hackers got into NASA's systems via the internet and actually got to the point where they could have commanded the satellites. They never sent any commands, but they could have, and that's a little worrisome. Now, as I said, the human element's really the weakest link, and this is also where insider threats come forth. The big issue with insider threats is you don't really know they're a threat until something happens, because they're trusted. And it's very hard to mitigate this kind of a risk. A real-life example here would be Gregory Justice, who worked for Boeing Satellite Systems. He was feeling a bit unappreciated at work and had a bunch of pressure for money
for his wife's medical bills and an online girlfriend that his wife didn't know about. And he decided to try and meet with Russian intelligence in a hotel room to pass on some sensitive satellite information. It was subject to export controls, of course, and surprise, it was not Russian intelligence that he met with. It was the FBI. So he got caught in this case, thankfully.
Now, moving on to our last example here, very small aperture terminals are an interesting case, because these are mobile satellite system receivers, essentially, and they have them on many boats and ships around the world. And this is actually what came up with this little tweet here in the corner. Somebody created a live ship tracker via Shodan. There were exposed web services where they could actively track these ships due to the VSAT systems on board. And it was just the default credentials of admin1234, of course. So quite easy to find online, or just to try a couple of times and you might get it. So some basic security hygiene really would have stepped in here and made it a little bit harder for this to happen.
Definitely an interesting case. I think that the link doesn't work anymore. I think they've patched the issues that were there at this point, but I haven't checked it in a few months. So there might be more issues again.
Now to conclude here, though: satellite security is multi-stakeholder and multi-faceted. These systems are widely dispersed both on Earth and above it, creating a very large attack surface for both physical and cyber attacks. There's a wide variety of vulnerabilities impacting this area, many of which are just due to the nature of satellites themselves and the way that they've evolved. Now, malevolent actors, nature, and accidents are really some of the biggest threats to these areas, but some basic security hygiene would really go a long way. Some really basic security hygiene, like changing passwords. Now, we really need more cooperation internationally to address these issues. Like I said at the beginning, this is a global commons that we are working in, just like the open oceans.
We need to work together internationally. We've had trouble with people, say, applying to put up a satellite here in the US and getting denied, and then taking it to India and India putting it up. Issues like this add more threat to our orbit by adding more junk. We need to have more agreements and more conversation between our countries, the ones who have the capabilities of putting things up into orbit. Anyways, thank you for your time today. I hope you enjoyed this. And do I have any questions? - Cool. Have you looked into the case where Iran captured a U.S. drone? Was that GPS spoofing? - I have not looked into that specific case, though I have read a little bit about it.
- Thanks for presenting, first of all. Have you seen any research on exploiting satellites for financial gain, as far as location of shipping, et cetera? - I've heard about it a little bit, but I haven't seen anything concrete. - Hollywood and various others love talking about the Kessler effect and how we could end up blinded for centuries until this stuff comes down. What would it take to actually achieve that? Not obviously asking for myself, but just out of interest. - I mean... it would probably have to be an issue with the debris just getting so cumbersome, so much of it that we can't track, and so many small pieces that it just slowly... I honestly don't think it would ever get to the point that they...
the extremist point that they take in the whole Hollywood view, but it could make it where we really can't put anything more up there, because it's just not safe. We need some form of debris management system. - So my statement is not a question. It's more so from a previous history of consulting with LASP in Boulder, Colorado around satellite management. When we designed systems, we designed them for 50 years of support, right? Fifty years is a long time. The last projects I saw there were still managing Cassini, and Cassini was managed on Solaris 8, and when vulnerabilities came out for Solaris 8, it being now owned by Oracle and having to rely on Oracle to create
patches, Oracle would take six months or longer to create patches for our satellite systems. So just something to keep in mind: support is hard to find sometimes on these older systems. - Oh, absolutely, sorry. - In your research, have you come across anything that would resemble good redundancy, or any redundancy systems, for a lot of these exploits that these individuals here have been asking about? I know there are a lot of systemic redundancies for the actual physical devices, but any sort of, kind of like, networking, like if one goes down, there are more to pick them up, things like that? - I mean, that's honestly something that they're actively working on right now to have more of, but part of the problem with that is the
more you put up there, the more hazards you're putting up there as well. But that's part of why they're putting up so many constellations nowadays, for that resiliency; that's why they're kind of switching to those. - Last question. - Thanks for the talk, really interesting. Do you have any examples of K-band attacks in terms of downlink, or, failing that, any other examples of specific times you mentioned, like protocol attacks? - I do not currently at this time. Thank you, everybody. Thank you all. Thank you. You just improved. Thank you. Thank you, that's awesome. So you're Nick? Nice to meet you. This is social engineering. Nice! Nick from Card Sources. So, when I was consulting at Lyft, they asked me, like, it was up to me, and I
had the license, and I was supported for over 50 years, what would I use? And I was like, uh, that's a really hard question. Because nothing is supported for 50 years. That's a big issue with these systems is they're designed for so long. I'm just putting my laptop away. I will. Yeah, thank you. I'll be out in just a sec. So if you have a question, I'll be out there in a minute so I can get out of your way. Thank you. Okay. I mean, I actually am kind of right now. I'm just now starting to. I put my dissertation in about a month. So... Yeah, yeah, I might reach out to you. Okay. Great job.
Thank you. Let me get out of her way real quick. Yeah. Thank you. What do you want? Everything's fine. No. It's even better. Yeah. Yeah. Dutch people are very very hard names to pronounce. Yes. Yes. Yes. Hello. Hello. My Thai. I'm an hour off. I'm a minute off. Oh, I'm sorry. I was waiting here. What I was... You're fine. You're here? Yes. That's all I'm asking. We just gotta get your video in. Yeah, where's the HDMI? Where is it? It was there. Oh, it's in my room. Right, cool. Yes, you're up. Okay, good. You have a few minutes? Okay. So, that's the 25th. You're in the 25 minutes, right? Yep. Okay. Can I have alcohol
right after?
- You can, oh my. - High five. - Don't worry, you'll be awesome. Let me talk first. - Yep. - I need the mic. - It's okay. - I'm just stuck. - Okay. We just kick off the A/V people first. A/V, are we streaming? Yes, that's always good. - You can grab the mic and talk here if you want. Or you can stand here, whichever you want to do. - Okay, all right. You can start early. Oh, we're on time. Okay, even better. Okay, good afternoon and welcome to B-Sides Las Vegas. I want to be louder than those guys next door because I hear them all the time. Come on, once more. Welcome. All right, thank you. We'd like to thank
our sponsors, especially the Inner Circle sponsors, the Critical Stack and Valmel. I'd also like to thank Amazon, Blackberry, and NSA, the National Security Agency. That's what it says on the form. Okay. Remember, if you have your cell phones, please be polite. Turn them off. Okay, I have a microphone. I will pass them around. And the first three people who ask questions get a pair of socks. Woohoo! All right. So, and we have feedback forms on the back. I'd like to introduce, and I can try to say her name right. It's Sana Masakur. No, it's perfect. No, it wasn't right? You let me know. Well, thank you. I did it the right first time. Yeah, yeah. Well, thank you all for being here.
First of all, I want to thank my mentor, Chris. I think he would be somewhere here. Yay! Hi. My name is Sona Maashockers. You didn't pronounce it very well. It's Dutch, so that's why it's very hard to pronounce. But I will introduce myself later. First, I want to play a little game with you because you're all security experts, right? First, I have this website, a screenshot of a website. You just go browsing on the internet and you encounter this website. Take a couple of seconds to look at it because... Now you're looking at this website. Did you see some differences? I'm not Hans Klok with the show here, but did you see differences? One, two, three. Yes, right?
Well, there were some differences on these websites, because the first website looks a little bit more legit because it used smartphone.store as URL and has an SSL certificate. And the second website has smartphone.store.virusscannerpro.uk. So that seems fishy. And there are small typos and misspellings on the websites. So when you see those websites on the internet, do you behave differently? Well, I don't think you will, because you are security experts, but I did a little test with a small set of people, and well, I was wondering, do people behave differently when they get these two websites? And that's what I'm going to talk about today. I developed a model: what is user behavior, and do
people behave differently? So my name is Sonne Maashoekers. I'm a pen tester working for Fox-IT. It's a company in the Netherlands, part of NCC Group. And this is my daily life. Well, not actually my daily life, because I was asked to be a hand model for the national news. And during my work day, I don't use a pen. Metasploit with a, I don't know what it is; it was a very stupid exploit. Well, this is 99% of me in the media and 0.1% in my actual working life. So yes, I'm making the world more secure every day, just like you do all day. I was wondering, could I combine phishing and social engineering with my previous job in web development and
security? So that's why I came up with this presentation. So, phishing. Well, we perform phishing assignments almost every day to test the security awareness of our customers. I think you do as well. But what we know after we performed an assignment is how many people clicked, how many people filled in the credentials, and how many people executed malware, but we don't know what happened in the meantime. Do people like the website? Are they wandering on the website? Are they clicking it away after they filled in credentials but didn't submit? It was like, okay, we only know some things, but we don't know how people actually behave on the website. So that's what I did, actually. But before that, I needed to
know a little bit more about the psychology of phishing. So why are people clicking on links on websites? First, because they don't know it's a phishing website, because they don't have the knowledge. They don't know. Second, because of what's called visual deception. The phishing website looks exactly or almost exactly the same as the legit website. They're using the same logos. They use, well, very good typosquatting, maybe use old domains or domain takeover. So it looks like a phishing website. So even when you are, okay, aware, you still don't know it's a phishing website. Last but not least, because you have a lack of attention. For example, before you have your morning coffee or after a long day of annoying
colleagues like mine, you don't have the attention anymore, so you're just clicking on a website and, okay, fine. So I did a little experiment, like I said. I created two websites. I already showed you a screenshot of the phishing website. So I created two websites, one with the heuristics of a legit website and one with the heuristics of a phishing website. Those two websites were presented to a test group, and they were included in a questionnaire. So I sent out a questionnaire to a group of 30 people, not in my network, because I have a lot of IT specialists and security experts in my network, so I asked some people, including my parents, to spread the word, because they are not in the field. And I
asked them to browse to two websites. First, browse through the legit website and perform some simple tasks like, okay, go to the website, go to the login page, register, add a phone to your cart, and then finish the purchase. I did the same with the second website, so with the phishing website: perform the same steps. Of course, I switched the order of those two websites after 15 participants, because maybe they already learned from the first website, so their behavior would be different. And after they had performed those steps, I asked some general questions to gain more knowledge about the people, so for example age and education, but also if they have experience in buying online, because
maybe they already got scammed and they didn't see that the difference isn't okay; that would be clear. And I also asked the question: did you see differences between those two websites, and what did you see, which difference did you see? So this was my setup. This is a screenshot of the website, so it was called The Phone Store. It's not a real brand, because you have brand association and all that kind of stuff. So I made up a brand, The Phone Store, and it was a phone web shop with iPhones. It looks like this, and it has small differences. I used a visual similarity model, because it had to be almost the same, because if
it was a completely different website, then, yeah, of course the setup wouldn't work. So this was the website. Those differences can be placed in three categories. The first one is in content. There were a lot of researchers that placed all phishing heuristics in three categories, and those are these three: the first is content, so that could be text, could be images; the second one is content and URL, so you're using another URL, could be a totally different URL, but you could also use an IP address, for example; and the third one is the use of an SSL certificate. I know that a significant amount of phishing websites use HTTPS, but I still decided to use it, because, well, the websites really look
alike. So I wanted to have a clear indicator that it could be a phishing website. So when I applied those heuristics, it looked like this. So this is the phishing website. I used the logo, the same logo, but I changed the dimensions so it would not be as sharp as on the normal website. I used some typos. Typo here, typo there, not that many. I used Chinese characters, could be any character, but I wanted to show that, okay, this website could be a scam website, could be a phishing website, because it's translated from another country. It was just a small indicator that it's not completely legit. Then I used this one, I think it's very funny. Phishers tend to use fake security
logos on their website, so I just picked some security logos from websites, it's not even a website security logo, so I used that one to create a fake security idea on the website. So people think it's secure, but it's actually not. I also wanted to add a small time pressure, so it was "Be quick, only a few devices left in stock," so that people go to their goal and are going to buy that phone. I also used a difference in price. Well, this is in euros, because I'm from the Netherlands, but it is a little bit more, and then you have the dollar amount. I chose to use a price that's not that far from the original price, because if it's too good to
be true, well, of course we all know that it's too good to be true. So I chose a little bit less than the normal price, but as you may know, iPhones are never on discount, unfortunately. Then we have the login page, and here I also used the fake security. So you can see that it's not secure, because you're entering a login page and there is no certificate, so it's not secure. But I said, yeah, this form is secured and encrypted, but it was just text with a green Font Awesome lock icon. So it's still not secure, of course. This was the phishing website. Now I wanted to gather information about their behavior, but first I needed to know what behavior is, of
course so i read a lot of researches most researchers were in the ux context or ux domain but there was one researcher that researched the behavior in combination with security because it was about biometrics and security to create a continuous authentication application. So I thought, well, that would be fine because The goal of that research was to distinguish people by their online behavior and this that was exactly what I needed so behavior what what they researched was that behavior is Contains mouse speed so your speed with the mouse on your website click frequency and key press frequency the hand amplitude, so the maximum width of your hand on the website, the idle time, and efficiency. I will show later what the amplitude, how
the amplitude was calculated and the efficiency. But to gather this information, to get this information, I had, of course, capture information on the website. So that's why I decided to use the mouse capturing. So on what timestamp are you on what coordinate on the website, the click press, or the clicks of your mouse, so which time on which coordinate, and the key presses. I captured the key presses, Not not the real key presses, but that our key was pressed and in which field it was pressed So that information was sent by an API to the database so I could use it for data science data science Well, how does that look like I made a small? Screen capture how that look like
looks like Here you see me scrolling on the on the fishing website. So it says okay go to all iPhone models and Okay, I just scroll through the website I Go to register and in the questionnaire asked to go to the login page first and then go to register So I'm just entering some information. No, you all know my password. So, okay. I'm login I go to the show add something to my cart. Okay, there's something in my cart. Do I like this? Yes, okay I want to check out and that's where it ends. You don't have to fill in your information because it was research. Okay, so I was added to the database as a user. Timestamps and
mouse X and mouse Ys were added. Even for the clicks and the key presses. So this was entered after what I did on that website, so I can use this information for data science. The users, I also captured the dimensions because I had to normalize all screen dimensions because my screen is smaller than your screen, so I had to bring it down to 100%. So what I did on the screen capture resulted in this. This is the screen, or this is the heat map with all mouse movements. Please note that the Y axis is going from zero to 350 in reverse order because, yeah, my screen is starting at zero in the left top, of course.
And 350% because your website is scrollable, so you go further than 100%. This is the mouse movement. This is when I use convex hulling. That's a technique in game development. I enclose all points to calculate the maximum hand amplitude. I only had to brute force all those dots that were on the line to calculate the maximum length of the amplitude. This is how it looks like when you connect all mouse movements. This was needed to calculate efficiency. Efficiency was defined by researchers different ways. I used to divide the length of the click box so that length between two clicks divided by the actual movement between those two clicks if you're very efficient you go from one click to another one just in a straight
line if you're not efficient you click you go all through the website like crazy and then go to the next point to click and if you don't divide those two numbers then you get efficiency and So if you're very efficient, then you're close to one. If you're not very efficient, you're close to zero. So in the questionnaire, I also asked something about education, ages, and if you ever bought online, if you got scammed, if you saw differences. And that resulted in a lot of information that I needed to process. Well, in total there were 30 participants and more than 100,000 interactions. I created R models to check them, what happened. These are some cool statistics. Most of the people buy
online every month. There was only a very small group that buys once a year. And the second pie chart shows how many difference they saw. only content is the light blue one content.plusurl was the red one content url and https is the orange one so if you saw more than one uh different the difference so only in content so only a typo for example then you were one of the 83 participants percent of the participants uh if you saw more than two you're 20 percent exactly all three categories stands 30 percent a 17 percent of the participants didn't see a difference well that's not very good so what are the conclusions well People behave differently
on those two website because the efficiency on a phishing website was way higher than the Efficiency on a legit website. So yeah, it works Time pressure was added. Maybe they feel pressured so they go directly through the target We don't know but there are several things we can think about and Next to that, well, there was only a set of 30 participants, but we have to test this on a bigger set. That security awareness defined by the number of categories and differences they saw is very low between the ages of 16 and 25 and 56 and older. So we should focus on security awareness for those two groups. My generation knows how to recognize phishing, apparently.
So what to do with this? Well, I was thinking about the future and what are the next steps. I was looking for the future and this was the image I got on Google. It is a wrapper, the future. What could we do now? Well, I'm definitely going to use this model in our phishing assignments so we can not compare if there are differences in behavior between the legit website and the phishing website, but we can definitely check if there are differences between the phishing assignments. So maybe that one with a bigger logo, one with a typo works better than the other one. Not only looking at clicks or uh... or downloads or uh... fielding credentials but also at their behavior at the website and one of
our next steps well uh... i put everything on the get up and the websites the a_p_i_ the data so you can use the data set as well as for the our script so you can uses in in your own research you can download it and by added to research paper of seventy pages if you want to know more about this research if you want to know more you can follow me on Twitter or LinkedIn thank you are there any questions there's still socks they're very nice the boat the two websites were made in Laravel it's a PHP framework and the API was created on lumen that's a micro framework for api's everyone wants a socks
Were you testing to see if people refused to complete the test on the phishing site, and did you have results in that way? Yep, I had two people that didn't want to click on the second website and said immediately, "Nope, this is phishing." And they were in my generation, in my age.

Were you surprised by the group that noticed no differences, and what do you think, training-wise, you could do to help that group of people out? Well, I was not surprised, because most of the people that were older than 56 didn't see the differences, and younger than 18, so they were there. Yeah, I'm not very surprised if I look at my own grandma and granddad, actually, because they didn't grow up with cybersecurity. I keep telling them that, but they still use the same password for everything. So no, I'm not surprised. What do we need to do? I don't know. All have a granddaughter in security. Something like that.

So is there a way to track websites that are actually watching your clicks? Because I haven't seen that very often. Is that commonly... is that feedback very common? Well, you have tracking blockers that block a lot of trackers, but that's why I decided to create my own API, because when I use, for example, Google, they have services to track your behavior on the website, then a lot of the tracked behavior would be deleted or blocked. So yes, there are tracker blockers that block this kind of information.

Did you notice any other correlations in the group that was less likely to fall for the phish? Were they more likely to be working in tech or associated with tech? Or were they more frequent online shoppers? Well, I didn't go that far, actually, but the data set is online, so if you want to check it out, please do. Yeah, I'm fine. Okay, thank you, everybody. Did you like it? Did you like it? You did good. Yeah? Nice. Nice. Very nice. Thanks.
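The behavior features the first talk describes (mouse speed, hand amplitude from a convex hull with a brute-force check over the hull vertices, and efficiency as the straight-line distance between two clicks divided by the path actually travelled) can be worked through on a small session. The Python below is an added example written for this page; it is not code from the talk or from the speaker's GitHub repository. The event layout (timestamp in milliseconds plus coordinates already normalized to percent of the viewport, so y can exceed 100 on a scrollable page), the function names and the sample session data are all my own assumptions, constructed to illustrate the calculations.

```python
from itertools import combinations
from math import hypot

# Constructed sample session (not data from the study): each mouse sample is
# (timestamp_ms, x_pct, y_pct), coordinates already normalized to percent of
# the viewport width/height, so y can exceed 100 on a scrollable page.
SAMPLE_MOVES = [
    (0, 10.0, 10.0), (100, 20.0, 12.0), (200, 30.0, 30.0), (300, 40.0, 20.0),
    (400, 50.0, 25.0), (500, 50.0, 40.0), (600, 45.0, 60.0), (700, 60.0, 60.0),
]
# Clicks use the same (timestamp_ms, x_pct, y_pct) layout (constructed).
SAMPLE_CLICKS = [(0, 10.0, 10.0), (400, 50.0, 25.0), (700, 60.0, 60.0)]


def normalize(x_px, y_px, viewport_w, viewport_h):
    """Scale raw pixel coordinates to percent of the viewport so that
    sessions captured on different screen sizes become comparable."""
    return (x_px / viewport_w * 100.0, y_px / viewport_h * 100.0)


def path_length(points):
    """Total distance travelled along consecutive (x, y) points."""
    return sum(hypot(x2 - x1, y2 - y1)
               for (x1, y1), (x2, y2) in zip(points, points[1:]))


def mouse_speed(moves):
    """Average mouse speed in viewport-percent per second for the session."""
    if len(moves) < 2:
        return 0.0
    elapsed_s = (moves[-1][0] - moves[0][0]) / 1000.0
    if elapsed_s <= 0:
        return 0.0
    return path_length([(x, y) for _, x, y in moves]) / elapsed_s


def convex_hull(points):
    """Andrew's monotone chain; returns the hull vertices counter-clockwise."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts

    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

    lower = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def hand_amplitude(moves):
    """Maximum hand reach: the largest distance between any two hull vertices.
    Only the hull vertices need the brute-force pairwise check."""
    hull = convex_hull([(x, y) for _, x, y in moves])
    if len(hull) < 2:
        return 0.0
    return max(hypot(bx - ax, by - ay)
               for (ax, ay), (bx, by) in combinations(hull, 2))


def click_efficiency(moves, clicks):
    """Per click-to-click segment: straight-line distance between the two
    clicks divided by the mouse path actually travelled between them.
    1.0 means a straight line; values near 0 mean wandering around the page."""
    ratios = []
    for (t1, x1, y1), (t2, x2, y2) in zip(clicks, clicks[1:]):
        # Anchor the segment at the click positions themselves so the ratio
        # can never exceed 1 (triangle inequality), even with sparse samples.
        segment = [(x1, y1)] + [(x, y) for t, x, y in moves if t1 < t < t2] + [(x2, y2)]
        travelled = path_length(segment)
        straight = hypot(x2 - x1, y2 - y1)
        # No movement between clicks (e.g. a double click) wastes no motion.
        ratios.append(1.0 if travelled == 0 else straight / travelled)
    return ratios


def session_metrics(moves, clicks):
    """Bundle the behavior features a model (the talk used R) would consume."""
    ratios = click_efficiency(moves, clicks)
    return {
        "mouse_speed": mouse_speed(moves),
        "hand_amplitude": hand_amplitude(moves),
        "efficiency": sum(ratios) / len(ratios) if ratios else 0.0,
        "click_count": len(clicks),
    }


if __name__ == "__main__":
    for name, value in session_metrics(SAMPLE_MOVES, SAMPLE_CLICKS).items():
        print(f"{name}: {value:.3f}" if isinstance(value, float) else f"{name}: {value}")
```

The efficiency segment is anchored at the click coordinates rather than at the nearest mouse sample, so sparse capture can only lower the ratio, never push it above one; a double click with no movement in between is treated as perfectly efficient rather than a division by zero.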
I cleaned up my desktop too. Baggett, B-A-G-G-E-T-T. My main concern right now is getting this up to here. There it is. Drag it over. Drag your presentation over. Other way. I think I do this. And the clicker? Is there the extension for the clicker? Yes, there is. Do you have USB? I do. Okay. It's not the tiny one. We don't have the... I only have the regular USB. He's got one. He's got the older Mac. Hey, better Mac. Yeah, yeah. You good to go? No. You got your screen, you're good. You know what you're doing. Thank you. The rest of it. I have an introduction and I will cut you down for 15 minutes. Okay? Alright, I am. Okay. We won't touch anything. Something is wrong. Ask good questions. You get socks. Is that about correct? Come on. I think the socks are great. I love getting socks at cons. It's great. I've been wearing t-shirts after a while. They're easier to take home. Come on. You get like seven or eight t-shirts, you're like wadding them up, trying to put them in the bag. I never don't need more socks. I think these are just one size. These are sponsor socks. Always good. Hey, I'm up. Can I be up? Not yet. I'm up. I need a microphone too. Test, test, test. Alright, AV, we're streaming. Yay.

Okay, good afternoon and welcome to B-Sides Las Vegas. Louder than the other room. Come on, once more. One, two, three. Makes me feel better when they have to complain. We'd like to thank our sponsors, especially the Inner Circle sponsors. This is Critical Stack and Vellamile. We'd also like to thank our stellar sponsors, Silence, Microsoft, and Robinhood. Cell phones, please, you know the drill, turn them off. Feedbacks are online if anybody wants. I will pass out the mic for questions, so they can be recorded for our online viewers. And of course I have socks for the lucky first three people. All right. We need to get Jim in here. We need AV help. That room went quiet. Let me go see if I can find somebody. What do you have so far? We've got this HDMI out and it's not showing on the screen. You may have to reboot. I hate to say that. Turn it off. I keep crying. I hope for AV.
So I'll read Will's bio here while we're working on everything. Will is a former intelligence communication officer, currently with NATO SOF, cyber trainer, and volunteer at many B-Sides conferences. He was also an SME for iOS and Mac forensics and applies those skills in the private sector. He has teenage twins, feel sorry. He's a graduate of New Mexico State University and also of Georgia Tech, and he enjoys teaching and making other people suffer. So there you go.

Thank you. I know we're on the clock. I have a lot of material we're gonna cover in a short period of time. Murphy happened with the projector. Has that ever happened to y'all? Happened just now. So in the 1960s, in the Vietnam conflict, when a position was overrun, the US Army would scream the call... Use the microphone. They would use the command... Can you hear me now? Thank you. It'll get smoother from here. They would scream the command "Broken Arrow," asking for help from any and all available resources in the area. Even something as small as an assessment overhead could spot the advancement of enemy troops so our guys could get out safely. The reason that ties back into this: "fix my desktop" has become "fix my situation." We're not rebuilding desktops anymore. We're not putting in Pentium 2s, Pentium 3s. We're not putting in graphics cards. "My ex knows where my text messages are. My ex knows what I'm doing all the time. They're able to see my emails. How is this happening? You just came back from DEF CON. You came back from B-Sides. Can you help me with this?" And as I've talked to folks preparing for the presentation, every single one has said, yes, somebody's approached them with this exact type of request. And it's our nature. We want to do something. We want to be able to provide the help to these people, to say, even if I only have 10 minutes, I can at least give you a triage to start to mitigate the hemorrhaging of the data. If you don't have much time, or if you don't really want to get involved with the situation, Christopher Cox is a fantastic resource at GoAskRose.com. There's another book, The Smart Girl's Guide to Privacy. Both are fantastic resources for just a limited interaction.

As he said, I'm Will Baggett, former CIA officer and current digital counterintelligence instructor in Europe. It's actually weird to say that online now. I'm a former banker, fraud investigator. And I've learned that bringing all these together, the digital counterintelligence, the fraud investigation, and the operational security, into a domestic situation, whether it's an abuser situation, a bad breakup, whether it's you or someone else, we'll just call it the adversary. It's a one-size-fits-all term. And as we go through this, we'll take the information security principles of data availability, data integrity, and data confidentiality that make that cool CIA triad, and we're going to rebuild it to make it control the environment, watch for identity theft, and data availability. The most important of these three is to control the environment. If you don't control the environment, your perimeter, your data, then reporting identity theft and having a backup copy of the OneDrive that shows something horrific happened at home doesn't matter. And from this, we've got personal security, data security, and family disclosures. We'll touch on all three of these in a minute.

The most important thing, though, if you are in a bad situation or your person is in a bad situation: you get them off the X. You get them out of danger. You provide somewhere for them to go. You call the police. They don't have to stay in the situation. We had a meeting overseas. An operations officer met with an asset. It went south. We were doing post-meeting analysis back in the office, and the station chief said, "No bad situation ever got better by sticking around." That same motto can be applied to the domestic front as well. It's not going to get better. Make a choice to get off the X, to get out of danger, and move on.

A couple of suggestions. If you want to get off the X, you have a bug-out backpack ahead of time. I see some people nodding. So I would keep your electronic devices with you, your credit cards, your ID, whatever that might be for where you live, copies of your computer and your phones. But is there stalkerware on these devices? That's a point that was brought up yesterday in the dry run. You might want to consider keeping a prepaid cell phone and a prepaid credit card somewhere else, offsite, so even if you did leave the environment, you have a backup plan with your contacts in there, so you have somewhere to go.

And then the question comes, but what if they leave? And this is more of: they've left. You're in the house, you're in the apartment, the condo, whatever. First things first, you change your passwords. You don't just change your passwords, you call the locksmith. We've got a lock pick village out here. Locks aren't that difficult, but legally, if somebody breaks the lock when you've changed the locks and they've left the premises, law enforcement is going to respond differently to that than to someone just letting themselves back in the house. And change your garage to a remote access frequency. A lot of people just have the button on your car: push the button, garage door is unlocked, you're into the house. So you don't want to change that. And not even that, there are some garage door keypads that have the reset code on the flap. So if you forget your passcode, you just follow the steps right there and you can reopen the garage door. That makes no sense. It's very helpful if you've forgotten your code, but what if you don't want someone to come to your house?

Security questions. So the locksmith's on their way, you have a known safe machine. We're just going to assume here, for this sake, that we all have a safe machine. Change your passwords and your security questions, but it's okay to lie online. You don't have to use honesty with your security questions, because the adversary knows the answers. So lie about things. Where's your favorite place to go on vacation? You might have gone somewhere that was terrible, but that. Lie about information. What was your first car? 1984 Plymouth station wagon, Chevy Roadster, right? Lie about events. Where did your parents get married? Botswana. I don't know. Something other than the truth that can be found on Ancestry.com. Winston Churchill said the truth is protected by a bodyguard of lies. That applies in this situation as well. There's no shame in lying to protect your digital privacy on all of your accounts.

So the next thing I do is get on my Wi-Fi router, change my password, and while I'm there I'm going to look to see if there are any other rogue access devices on the machine. Is there a Wi-Fi camera in the house? Is there a bug? Is there a listening device? First thing, take a screenshot if there is, then disconnect access. And the last thing I would do is keep a copy of the Wi-Fi router logs. This audience probably doesn't, but most people keep their cell phones named "their true name's cell phone," "their true name's iPhone," "their true name's Android." So if you have persistence coming into the house of the adversary's buddy, and then you see the device showing up on the network for the rogue camera, well, that starts to become evidence you can use down the road. Right now, you're the only person with this information, and we're gonna talk about how to save this. And legal disclaimer, I can't begin to show you how to collect the Wi-Fi router logs of every model out there. So, for perpetuity, look it up on your own. But this is just a marker for when people look at the presentation later. Remember to look it up and save your log. Then we'll keep it offsite.

OK, your Wi-Fi router's changed. The locksmith's walking around the house. On my iPhone... I'm a Mac guy, for good or for bad. In front of a crowd it didn't work. It worked fine at home. Performance issues. I'm going to go to my settings, Apple ID settings, and down here, when you're online, you can see the number of places your iMessages are synced. So my messages are here on my Mac Pro and my older Mac Pro. So I get dropped copies of my messages here, here, and here. That's great for me. I've had multiple people come in and say, "My ex knows what I'm doing." And just these two steps, we'll look and we'll see it's her iPhone, and then her ex-husband's iPad, her ex-husband's iMac. We take a screenshot for evidence, and then we disconnect them. Very simple. It's not high-tech hacking. It's common sense. So over here, Find My iPhone: Nebula's iPad, Nebula's iPhone X, Nebula's iPod Touch, Nebula's MacBook Pro. Same thing. You've now got this beacon walking around with you, so the adversary can see where you are and what you're doing. Turn it off. Disconnect it.

Next thing I do is make sure Share My Location is off. Family Sharing is off. You don't need to share your notifications, your updates, your photos with a myriad of Apple devices out there. Right now, just keep it turned off. If you're on an Android, go to your recently used devices and it'll scroll down the list and see where you're logged in with your Gmail account. The same principle occurs with your messages there. Take a screenshot if you find your messages are somewhere they shouldn't be, then disconnect them. And I think Google's a little bit more sensitive than Apple in that you've got Google Takeout. Show of hands, anybody familiar with Google Takeout? It's a log of everything you've done since you opened your Google account. Every email sent, received, deleted, draft, Wi-Fi location, map location, everything. And once it's gone, it's gone. So if the adversary has access to a shared computer, they download your Google Takeout, they have everything. So we'll turn that off.

Facebook. Some people have heard of Facebook. I hear it's a social media platform. We'll go to account settings, security, active sessions. Where else am I logged into Facebook? Facebook is very invasive, where they want you to have data being shared, so you're always connected. Take a screenshot if it doesn't look right. And there's one particular function of Facebook that would be damaging in these situations. It's your call data records. I believe it's T-Mobile and Verizon that keep records up to three days of your SMS content. No other US cell phone provider does. Facebook, though, keeps your entire call data history, SMS history, to include your content, for at least up to a year. And that's something, if they have access to this, they've got the full body of life for what you've been doing. So you want to make sure that's turned off.

And just to give you an idea, when I'm saying change passwords, how easy is it to recover? If you have a Mac, you open Keychain. I've got Infuse 2017 here as an example. Click on the Wi-Fi password. We'll come over here. Click on Show Password. We'll put in our system password. If it's a shared machine, they know what it is. Right there in cleartext, the password for Infuse 2017 was "Guidance." The methodology is rinse and repeat for your Gmail, your Twitter, your LinkedIn. Wherever you've saved this password, it's going to be readily available for cleartext recovery. So you want to make sure you delete it. And when I say persistent and thorough: a neighbor bought a 65-inch smart TV, bought it off Facebook Marketplace, and she found that Facebook, Netflix, and Amazon were still logged in by the previous owner. Persistent and thorough.

We talked about risk of family and friends. If you're removing your digital footprint online, your family and friends need to know not to put your information online so that you're being seen and tracked. "Oh, Betty went down to this restaurant. She wore a nice red dress." Well, now your stalker knows where you are. You're starting to control your data here. Ring doorbells. The ex can see who's coming and going from your house unless you remove the password. Amazon Alexa records every time you've ever said, "Hey, Alexa." It's got the data before, the data after, so they can watch when your other person comes and goes from the house. They can hear all the conversations around the "Hey, Alexa." And not only that, if they still have access, they can disable your smoke detector, disable your burglar alarm. That was the plot line for CSI: Cyber back in 2012. Financial risk. If you're going through this conflict, turn off your Amazon shared account so that they can't rack up your credit card charges, run up, deplete your debit card, because you're still connected together, you have implied approval.

We still haven't touched anything that works with forensics or any coding. This is all just GUI-driven, very simple steps to take. On a Windows machine, you just go to view printed files, and now whatever they've done, you can see the files they printed out before they left. Or conversely, if you leave a printer behind, they can see the data you've been printing to plot your escape. On the Mac, you go to /var/spool/cups, and the files that start with D, this one over here, the D indicates it's a PDF that can be recovered, and the ones that start with C, their metadata is still available. You run a strings command against that, and you can see that this one file that was printed was a World Market. Okay, great. However, what else is through here? And if I run something like a Disk Drill program to recover the deleted files, what else is there?

So, tracking. Show of hands, you might have heard of Superhuman. A couple of people. It allows you to see when the user opens the email, the geographic location, and the IP, and the number of times they view it. So if you're fleeing the stalker and they enable Superhuman, they can see when you've opened that. And if you couple that with DocSend for Outlook, I can see how many times you've opened that PDF, the number of hours you spent on the PDF, and the sections you skipped. So if you're going through a legal battle, I can know how many times you opened the email, where you read it, what sections you're worried about, what sections you're glossing over. There's a very simple risk mitigation. Print it, work with paper.

Another thing to consider is the man in the middle, real world edition. Informed Delivery by the post office. If you have the right credentials, like living in a shared house with somebody, you can see PDFs and JPEGs of all the incoming mail. So if we know you're getting a check, because I got a PDF saying you're getting a check from the bank, I know to open the mailbox on the exact day, take the check out, take the bank statement out, the attorney letter out, you've never received it. So you go to the post office, talk to the postmaster. Very simple mitigation. Just be aware that it's there. As far as tracking, shared calendars. If you sign up for something like TripIt, a travel management app, where your confirmation number, your travel itinerary is shared out to the world, if your ex was part of that, getting this information... so if you book a trip, delta.com sends this to TripIt, you're now going to have this shared out to the ex. Make sure that's turned off.

Twitter spoofing. Okay, so tweeting from South Africa, Belarus, Hawaii, the Kingdom of Saudi Arabia, Moscow, Dar es Salaam, that's great. That's obviously fake. I didn't travel that far and tweet. But what is true from canfoleague.com is the venue that I'm using, I'm using an icon. So use Signal, use Tor, the Grugq is right. But if your devices are compromised with something like flexi-spy.com and your attacker's getting all of your data, use personal meetings. Leave the devices behind, have nonverbal paroles, arrange with family members. Putting yourself on Facebook with a red shirt might indicate to your friends and family that you need help to get out of the situation immediately. That would be something prearranged ahead of time.

So has anybody ever actually seen a bug installed in the house? It's Murphy and I'm running out of time. It's a great video, it's going to be online. Put the SD card in, cover the SD card, camera, microphone, connect it to power. Now you have your own personal bug in the house. The good side is you've got a triad: collection, power, and storage. If you're going to constantly broadcast and collect data, like this 1080p phone, that broadcasts over Wi-Fi to a cell device, but it needs constant power. Risk mitigation: unplug it, call the police that you're being bugged. The 720p air freshener runs on batteries, SD cards, somebody has to physically collect it. Same for the USB drive that's actually a microphone. And what would come and go from a house? You give the kids a nanny cam. It goes to mom's house every two weeks, it shoulder surfs mom, sees all of her passwords, keystrokes, observed by the bear, goes back to dad's house, SD card comes out, and now you've got a mobile listening device in the house.

All right, I get it, this is too much. I want to order a pizza. Even Domino's has your current location, your password, your credit card, and your new phone number. So when I say change all the passwords, I mean all. Even the low-hanging fruit. So they've got close and continuing contact to you. There's a high risk of identity theft at this time for opening accounts in your name. The government has a great thing called identitytheft.gov. It's very binary. If you have identity theft, you log on on a clean machine, you report it, you get an incident number, you're able to use that so that you have data availability. You don't have the implied consent, because if it ain't documented, it ain't. You have to report things as they happen. So if you have the bugs in the house, if you have somebody watching you and monitoring you, report it to the police, report it to the authorities, report this and keep your data. You have the only copy of this data in the world. So think PACE: Primary, Alternate, Contingency, Emergency. The primary goes to an attorney, backup might go to a safe deposit box, another copy goes to work, and the last one that you want to work with at home, that's great. If something happened at home, you've got three other copies stored somewhere offsite.

In conclusion, you want to be firm, friendly, final, and fair as you approach this process and help the other person out. We have the stigma of being hackers. If we do something like try to get into someone's account, the law probably won't favor us because of what they consider our capabilities. Do the right thing. Help them get off the X cleanly so that they're not being stalked and you're not putting yourself at risk by doing something that's unethical. The too-long, didn't-read version: change your passwords, change your locks, report everything to law enforcement, and document events as they happen.
We've got two minutes for questions. Fight it out. Is there any organization that works with people to help them go through this process? GoAskRose.com. Thank you. Podium. Podium. Go Ask Rose has more links to this. Yes.
I came in a little bit late, so I might have missed it, but did you talk about password reset questions? Yes. Why? Lie about your location, lie about life events, lie about intent, just lie. They don't have to be accurate. Yes, ma'am. So I volunteer with a public library system, and I work with a lot of people who are in situations like this. And they also have social workers who hang out in the libraries to help people with this. And a lot of times, I don't have a system as nice as yours, but I try to talk to them about these things, and I just get that look of panic, like totally overwhelmed, like, oh my gosh, iPhone settings, where do I even start? It's
so overwhelming for them. Do you have tips on how to get them past that? The entire presentation is going to be available. OK. Yes, the presentation will be available for that. Fabulous, thank you. And thank you for what you do. That's amazing. One more question? So actually it's sort of along the same lines as hers. Is there by any chance a single-page handout to, for example, make available in counseling services like at my school? Sometimes they'll have things like the domestic abuse or violence awareness business cards. Please grab one. Is there a very small one? I'm used to a small classroom. I'm sorry. Yeah, again, Go Ask Rose. They have all those resources. Chris has
done a fantastic job. All right, let's give it up. 65 slides. I know. You were going pretty good. You need to take it. All questions outside now. I'm sorry. Is that all right? It wasn't too bad? Thank you. I never know if you guys are here or being wrangled in somewhere from somebody else. Let's get your video working first. And then I'll look you up and make sure I say your name is correct. You know, that's important. And you have socks, of course. Right. This is perfect. Yes. The other one. Oh, this is for me. Oh, you. What's up, man? Ready to knock it out of the park? Oh really? Okay. Alright. I don't plan
on walking around so that'll be just fine. Okay. I'm sorry? Atkin? Yes, that's me. Okay.
Let's see. I need something. In 15 minutes, look at me. I'll mark it down from 10, 5, 2, stop sign. OK. The 2 is for questions. We don't have anything, just like a book or something I can prop this up on just a little bit higher. You got a pair of socks? That'll probably work. Everybody in the room, come on, hurry up. All right. Yeah, go ahead and get that. I'm going to pop this up just a little bit so it's not so hard on this HDMI plug. That's what we have socks for. That's what the socks are for. And then check your sound. That should be all right. All right. That should be good. That one right there? That's
the one you wanted. OK. Test. OK. You're good there. All right. We're recording? Yes. All right. Good afternoon, and welcome to B-Sides Las Vegas. Louder. Louder. One more. Wow. OK. We'd like to thank our sponsors, especially our Inner Circle sponsors, Critical Stack and Velmel. And our stellar sponsors, Robinhood, Secure Code Warrior, and Paranoids. Cell phones, you know the rule, turn them off. I'll pass on the mic when you want to ask questions. The first three persons get socks. And feedback is available on the web, of course. And without further ado, let me tell you about Ty. I lost him over here. Ty is a highly sought after dinner guest, is a security operations center lead, and
co-founder of Full Metal Cyber Security. He believes that anything worth doing is doing not only well, right, or I should say, sorry, doing right, but also being done with excellence. Ty. Very good. Thank you. All right. My topic is understanding the human API: evolving end users from authorized adversaries into our best defense. So, I hope you enjoy it. All right, pre-talk obligation. I just want to point out the last bullet. I will be using the word "dudes" and it is intended to be inclusive. Cool? Cool. All right, so this is me. I do many things in many capacities and we're going to talk about each and every one of these things another day. Here's the
structure of my talk. My plan is to discover, better understand, and improve human interactions by mapping some basics of computer science onto human behavior. So we'll discuss a range of topics, including behavioral science, philosophy, and neuroscience in the Human API Fundamentals. We'll discuss our perception of security. We'll discuss what helps make a mature organization and security's role in business. Then on to the primary topic of security and end users, and then we'll finish up with the prime directive. All right. So this comic has a little more truth to it than I'd like to admit, but the ring girl has a sign that says "Data Security" and the MC announces that in this corner we have
all the cool black box technology and in this corner we have Dave. And Dave is labeled "Human error." So this comic quite candidly points out that information security is becoming less about computer science and more about human behavioral science, or at least becoming more so. I suggest a frame refresh of some aspects of the security structure, refresh what security means, reassess our goals, and I'll offer my recommendations to maximize our ability to capitalize on opportunity. So to that end, let's identify and explore some key parts of the human API. So an API, it's an application programming interface, and it is a particular set of specifications that programs can follow to communicate with each other. It serves as an interface between software programs and facilitates their interaction.
Pretty simple, right? Human API is almost the same. It's a particular set of rules and specifications that people can follow to communicate with each other. It serves as an interface to the world and facilitates interaction. Simple enough, right? So why is understanding this important? APIs make it easier to develop by providing building blocks necessary to realize complex actions, like potential. Potential represents something that isn't real yet, but we act as if it is real. That's heavy duty when you think about it. So we realize our potential by interacting with the world in a manner that would get us the most information. Accurate information is critical to optimal decision making. We know that if we put
ourselves into a new environment that new genes turn on, in our nervous systems. It turns on new circuits and they encode for new proteins. So we are full of biological potential that won't be realized unless we expose ourselves to challenging circumstances. By doing so, we put different physiological demands on ourselves down to the genetic level. And it's important to understand this so we know how to build more meaningful and productive lives. So I propose that the human API is split into two parts. And in a moment, we'll talk specifically about those parts. All right, so before that, there's a foundational piece to acknowledge. Within our reality, fundamental opposition exists in all things. Here's a video illustrating opposites. ♪ Opposite day
♪ ♪ Opposite day ♪ ♪ Opposite day ♪ Volume wasn't great there, but I think everyone, I just turned up, so we might be all right now. I think everyone gets the idea of opposites, right? So obviously illustrates opposites pretty vividly. I think everyone gets this. So there's opposition in all things. And you can't have one without the other. So they're not enemies, they're only opposites. And the existence of opposition provides us with choices. So the two parts of the human API I promised to talk about earlier are represented as chaos and order, which are fundamental opposites because every conceivable lived situation is made up of both. They are the two ultimate categories of reality. Alright, so we're going to start with
order. Order is predictable. Order is the place where what you are doing is producing what you want to have happen. Let's see. My mouse is locked in there and it won't let me move over. That's weird. But yeah, order is predictable. Order is the place where what you're doing is producing what you want to have happen. Chaos is the opposite. Chaos is danger. Chaos is disorder and lack of organization. I don't know if you guys are South Park fans, but Professor Chaos was my favorite episode. All right, so in a nutshell, chaos and order, these are the two fundamental pieces. Very good. And so the concept is the most that we can do to reconcile these two seemingly opposing ideals will help generate more success and more meaning
in our lives. And so I'm gonna elaborate on that in just a little bit. So, we're gonna talk about some brain science real quick. Our brains are split into two hemispheres, left and right. Brain lateralization occurs when certain functions prefer specific brain regions. The left hemisphere prefers logic, and the right hemisphere prefers imagination. This categorization doesn't attribute or prescribe personality. It's just simply functionality, right? The concept is that in the natural world, we have a continual dialogue in the right hemisphere and in the left hemisphere. The right does a continual dialogue of imagination, and in the left hemisphere does critical analysis. If the left brain is too strong, it over-analyzes and over-works. If the right
brain is too strong, it daydreams away life. They require each other to work together to function properly. The left brain favors order and the right brain favors chaos. Like the cerebral hemispheres of our brains, these contrary forces are actually complementary, interconnected, and interdependent. So they're separate, but together. Alright, so how does this mental processing help us make sense of a tough situation? An incredibly old philosophy maps directly onto this concept and will perhaps guide us to potential solutions. So this symbol here in the center, this is the Dao. The Dao means potential. The way of life, the path, that's why I've got a picture of a path here. The Dao means to live in a proper manner.
So the orange side represents chaos and the blue side, I'm sorry, the orange side represents order and the blue side represents chaos. So order is calm and moderately happy. But then we've got this blue dot of chaos right here. So this reminds us that order can be disrupted and plunged into chaos in just a few moments. So I like this image because it looks, because the texture of it looks almost like it's water and it suggests that it has a depth to it. And so I imagine this is, I like to think of this as a 3D model. All right. So when you're deep in chaos and you're in a hopeless state, when everything seems
to be going wrong and you find a critical realization, a little bit of hope, a little bit of order, a striking realization can pull you up out of the chaos and take you back onto the path and order will resume in your life. So this is an important dichotomy because we can't, chaos isn't all bad. That's where potential, adventure, and growth lives. But we can't just hang out in order and we can't hang out in chaos too much or we'll be swamped and overwhelmed. So the key fundamental to understanding this part is that these two pieces of our minds have to work together and the better that they can work together and identify dichotomies, the
better and more successful we'll be and then this is how And the more you do to reconcile these two, the more you'll stay on this path. And this middle path right here through the center, that's where meaning is found. And so we need meaning to protect us from catastrophe. And so if we have a solid why and a solid understanding of what we're doing, we can get through anyhow. So truth and meaning are critical to our survival. And so here's a quick video that I just gave you a quick sneak peek of, of Ronnie James Dio, and he's talking about truth. Between the truth and hard esteem
So not all of you may have gotten that reference, but now I know where all the metalheads are in the room. So the lyrics to that song, it's a song called Holy Diver. The lyrics to that song are, between the velvet lies, there's a truth that's hard to see, and the vision never dies like a never-ending wheel. So I think there's a lot of wisdom embedded in these old rock and roll songs, and essentially what he's saying is the more you can live in accordance with reality and what is true, the happier and more successful you'll be, and the greater chance you have of finding meaning. Alright, so meaning and truth are critical. In this next video, Bill and Ted are in heaven and they're at
the pearly gates and they're trying to get through. And so when they're at the pearly gates, they're asked questions, and in this video they're asked: What is the meaning of life? Every rose has its thorn, just like every night has its dawn. Just like every cowboy sings a sad, sad song. So they're reciting lyrics from a Poison song called Every Rose Has Its Thorn. And again, living between the dichotomies, finding meaning and truth. That's the whole point of this concept, right? All right, moving on. So now I'll show how this principle applies to security. Often when you're making calls to a RESTful API, there'll be lots of results to return. A default limit called pagination or paging
is usually implemented to prevent a massive response with thousands of results in order to make responses easier to handle. So it's a mechanism employed to impose order on chaos. Pagination is like perception. Our perception serves this function for the human API. So here's some more brain science. So it's not necessarily reality that shapes us. It is the lens through which our brain views the world. It is our perception that shapes our reality, which is great news because if we can change our lens, not only can we change our fulfillment, but we can change all personal and business outcomes at the same time. So that's a powerful concept. Let's define our goals that will get us
down to this path. So let's revisit our perception of security. The Latin word for security translates to without care or without anxiety. Security literally means without worry. Security is the ability to do whatever is meaningful unimpeded by an opposing force. Security exists to defend the organization and its people. Everyone can be secure and everyone can be defensible. The goal is to be okay no matter what. It means accepting the notion that it's no longer possible to keep the bad guys out of our networks entirely. It means that you're prepared to respond quickly to restore operations when it does happen. So this doesn't mean abandoning all tenets of traditional defense. It means accepting that despite how many resources you expend trying to keep malware and bad guys out,
all of this can be undone in a flash. Sounds like that order of chaos thing, huh? All right, next piece. So, security is an infinite game as opposed to a finite game. There is no static goal to cybersecurity. There is no finish line. There is no ultimate destination. There is no cyber nirvana. Until there are no longer people who use the cyber domain for bad things, companies must understand this and resolve to be fully engaged in this battle. So, this next bit I'm going to quickly introduce in five lessons is from the Cyber Avengers playbook. So, check it out at thecyberavengers.com. So, lesson number one. Security is not optional. Information security is now a critical
part of business and a failure to adapt is not an IT problem, it's a business problem. An organization is like an arch and security is that center keystone that holds everything together. Lesson number two, if your company has a computer or data, it is a target for attackers. Even if you don't think your data is valuable, ransomware has proved this for us. And then @MalwareTechBlog says, "Just because you're not important enough to be a target, doesn't mean you're not insecure enough to be collateral." Lesson number three: patch and update. Install security updates. Run patches as often as possible. I know some of us work in environments where that's not possible, where you're stuck with legacy
systems and they can't be updated. You're the extreme case, but as often as possible, patch and update. Patches are no good at defending against vulnerabilities if they're not applied, right? Correctly. All right, number four. Number four is really simple, back it up. If you have data that you want to keep, back it up. And the key part is to have someone that's responsible, making sure that the backups are happening, and then when something has happened, that they have the ability to restore operations. All right, lesson number five, constant vigilance. This is how you play the infinite security game. This is how you stay ahead of adversaries, is constantly patching, constantly updating, and doing everything you
can to be proactive, instead of being reactive. So we're gonna go over a couple of those models here in just a second. But the way you play this constant, vigilant, infinite game is to continue to practice good principles, defense in depth, and then we will get to a stable condition where we can continue to do what we need to do. Alright, so this last piece right here, it's time to, like I said earlier, it's a time to take IT from just being a simple you know, this cybersecurity being an IT problem to making it an organization or a business problem. So it's time to invite cybersecurity to sit down at the table and then they can be part of the risk management and the budget conversations to make
sure these things happen at a pace and at a budget level that's not gonna just drain the organization, 'cause cybersecurity can be a money pit and it's important to keep it live and manage it appropriately. So this next section is about structures that get our security culture from basic to mature. So the Dao solution to the basic and mature dichotomy is risk, threat, and maturity assessments. Each of these models is different, and this topic deserves its own talk. But time is limited, so I'll just briefly introduce the concept. So these models will help you assess your current status and help you determine if the risk level is acceptable and plan budgets accordingly. Here's an example of
Batman's threat model. So he's got his assets and his protection and threats all lined up nicely. And then he's got little risk levels, and there's the legend down there, low risk, medium risk, and high risk. This is perfect. This is a really simple threat model system. And then I'm going to introduce just very briefly a couple more models. So this one was posted on Krebs on Security; it's a maturity model. Not only can you see where the red parts are and where things are vulnerable and need to be fixed, it's a good map for being able to see at a glance what's going on in each different department and what their security levels are like. This
one shows how to take attitudes from a basic organization to progressing to advanced. And then this model right here takes an organization from reactive to proactive. Pretty simple stuff. All right, the next section we're going to shift focus to is the relationship between the IT department and end users. So rule number one is end users are friends, not food. Or restated, end users are friends, not foes. So end users will behave as authorized adversaries if treated as such. So to keep this bit at the top of our minds, we're going to add humans as layer 8 in the OSI model, the carbon layer. So these sensors are configurable to form a
resilient defense. From this section, I'm going to use tweets from real information security pros to teach a few security principles. So let's look at some examples. Sometimes we forget who our user is. As security professionals, sometimes we are so proud of this security baby mobile thing that we made that we forget what it looks like to the end user and you end up staring up at the rear ends of these stuffed animals. And sometimes when we're delivering a product like the comic over there on the right, it goes through all the various departments of the bottom right where the customer wanted a tire swing, all the way through the different departments of mistranslation of what
they thought the user actually wanted. So perception and perspective is important. This next piece comes to us from Swift on Security. And don't worry, I'm not going to read the whole thing. I'm just going to tell the story. The story is that a grandparent wanted to watch a video of their grandkids in inadvertently downloaded malware. They didn't want to get malware. They just wanted to watch videos. So this thread teaches us three points. If users feel beat up over security measures, it's 95% fixable through design changes in the interaction. Sounds like that human API thing we were talking about. So point number two, users' machines that are provisioned with all the tools they need won't
go download adware and spyware bundled programs from shady sites. Point three, seek to understand, know user goals, and know what they need and provide it. If we understand user motives, we can deliver security in a way that sticks. All right, this next example's on the right. DudeMan4Win relates a bit that may sound familiar in this malicious compliance phishing email training. So he relates a story where he fell for an internal phishing campaign and was sentenced to one hour of security detention. And so to avoid going through this again, to avoid being thrown in the security violation boo box again and to put off undesirable tasks, he just simply doesn't open emails from management anymore. And so when they ask why he didn't respond to emails, he
just says, I was being careful of phishing. And he doesn't get yelled at for dodging work. So when poor security awareness training is implemented, it'll lead to these poor results. So using security training as punishment and shaming users is not a good plan. This next piece comes to us from InfosecTO at JF Sloic. And he questions the effectiveness of canned phishing attacks. So I'm not saying don't do them, I'm just saying do them better. And what he suggests here is an honest security walkthrough by security teams and security professionals, teaching exactly what a real-life phishing scheme looks like. Teach them the tells, teach them how to spot things, and then
that way they're not going to be got by the obvious ones. So the important part is to build relationships with our end users to where they trust us and we trust them, mutual respect comes out of it, and then they'll get better at being one of our best defenses. So this is my last bullet in my attack plan, and this is the prime directive. Be excellent to each other. Party on, dudes! So Bill and Ted, it's my favorite movie. I'm going to quickly break down the prime directive into two parts. So the first one is be excellent to each other. And this is simple. It's restating ancient philosophy. Love thy neighbor as thyself. Do unto others as you
would have others do unto you. It means you help, serve, and sacrifice for others. That's easy. That's what being a leader is. Party on dudes is a little more nuanced. I think the sentiment work hard, play hard is misguided and sounds like you're constantly pedal to the metal. Either way, it can lead to burnout. So I think we'd be healthier, more fulfilled, and we'd find that we stay on the straight and narrow path if we work smart and play always. Party on dudes means that people are going to wonder if we're working or playing. So this is my final piece. This is my final admonition. Meaning emerges from chaos and order when impulses are
regulated, organized, and unified. Meaning emerges from the interplay between the chaotic possibilities of the world and the ordered value structure within that world. If the value structure is aimed at the betterment of being, the meaning revealed will be life-sustaining. It will be the antidote to chaos and suffering, and it will make everything better, and it will make everything matter. So do what you must do to faithfully continue to keep the machinery of the world running. And finally, I'll conclude with the words from a former president, as security professionals we are, dedicated to a proposition which was true in my time just as it's true today. Be excellent to each other. All right, that's all. Thank
you. Sure. We have time for questions? Oh, you need socks? They want socks. They want socks. I see how this works. All right. There's one more. I'm coming. All right, there we go. All right. Go ahead. Who's first? First man.
And to thank you for all your hard work and to help you remember everything that you've done. This is your most improved badge. Oh, very cool. It's actually a spinny thing. Very good. Thank you. Where is your mentor? Right there. Mr. Tom. Did you get yours? No, I wholeheartedly agree that trust is one of the key factors in working with your users. But my overarching question is, how do you build that trust? And I know you could probably... do a talk for hours on that, but do you have any tips on how to build trust? Because I know with perception being reality, sometimes they don't see the efforts you're putting forward to build that trust.
So how do you build that trust taking into account perception with your end users? - That's a really good question, and it's a lot easier to talk about than it is to implement. Communicate with them. We're separated in my current facility. We're separated from our users by quite a ways. We're still in the same building, but it's far enough. But every so often, I'll go down and be like, hey, we're pushing this new thing. And I'll key them up for it. Like, hey, this is what we're expecting. This is why. And I'll explain to them the meaning behind it and why it's important and how it benefits them. And if the sales team understands that,
hey, this is going to help me make more money, they're usually all right with it. They may complain about the There may be some implementation issues to begin with, but if they understand what's happening and why, it usually goes much better. So simply just explain to them why and interact with them. And the more they see you, the more they know that you care about them and that when you are making implementations in order to help them, they're usually more responsive. Is that helpful? How do you help when the coworker just doesn't get it when it comes to phishing attacks? That's a tough one. There are very click-happy people. It's a tough one because you're
trying to get someone to care about something that they feel like gets in the way of their job. And whenever I feel like I'm doing well with security, I'm really humbled when I go through the airport and have to go through the TSA facility. So you remember what it's like being an end user in that regard. And so behavior, when it's taught... and they change their attitudes about it, it'll stick. And so in order to get them to care about something, you need to incentivize it positively and not negatively. So if that comes in the form of bonuses or whatever, positively reward the good behavior that you want to incentivize. So rather than user shaming
or say, hey, you guys that failed, you get more security detention, positively reward the people that do well. And so you make an incentive to do well on it, and they usually respond better. Does that help? Last question. Here. Training or awareness? What would you implement in cases for big organizations? Or did you even make a difference in that part? Is the same for you for this part or often users? If I understand your question, you're asking what's the difference between awareness and regular training? What would you recommend? Regular training for the employees, for example, or just awareness? Just for end user security training, what would I recommend? Is that your question? Yeah. Okay, cool. If it's entertaining, it's going to stick. A lot of security
detention training is just boring. And so there are a couple of vendors out there that do exciting, encouraging gamify training. And I think that's really the key, is if you can gamify the training, it usually is a lot better and it's usually a lot more well received and people will remember it. Rather than trying to just pound through the computer-based training, you know, fail the quiz a couple of times and then learn from the mistakes and then take the quiz and then pass it at the end and then forget about it. So just canned computer-based training usually isn't effective. But something that you would enjoy taking is usually something that an end user would be
good with. So the trick is finding a company that does it. But there are some out there. Thank you. No, no, no, you're fine. I'm sorry. Hey, Tom.
Dude, look what happened. The mouse won't move. And so when I had a text that went further down below right here, I couldn't freaking scroll. Like, it won't leave this box. It's never done that before. And so I'd get to a certain point, and then I had to freaking, like, three-ball. Oh, it worked out. So what I bet... Because it didn't do this yesterday. You know that you weren't doing multiple monitors, though. I tested this yesterday, and it worked just fine. So why I decided to lock up all of a sudden, I don't know. It's just bizarre, man. Are you looking forward to the Bill and Ted 3 movie? Oh, absolutely. Bill and Ted 3? Yes. I've been tracking it since 2012. They've been making announcements
and scripts for it for a long time. Yes, very much so. I think it's summer or November of 2020. I think it's next year. I would say this is the most important. Fantastic. I'll give you a whole talk about life lessons and what you can do. All of them. - Oh yeah. - Yeah, for sure. Yeah, the guitar solo that he does. Heck yeah. I just watched that movie again just two days ago. It's good, man. All right, well, thanks for saying something. See you, man. Well, thank you. That's nice of you to say. Really? I swear you did. Thank you. Thank you. Yeah. No, no, no. I will post it on my blog. Can I give
you a business card? Sure sure.
Well, thank you. That's very kind of you to say. Because I've had this planned and I've worked on this and practiced and practiced and practiced. And then my cursor, if you notice, I kept trying to get my cursor to drop out of the way and it wouldn't. And so like half of the stuff I had planned, I just had to remember off the top of my head. I hope so. There you go. What was your name? Oh, thank you. Thank you, David. Yeah, yeah, it's on my website. It's just fullmetalcybersecurity.com slash blog. And so I'll have this posted as soon as they give me a copy. Rock on. Thanks, man. Oh, my God. That was bizarre, man. I've never had that happen before. And so
as soon as I'm, like, trying to scroll over, it wouldn't freaking go. And then I hit the down arrow because sometimes that will scroll for me. And then it skips ahead a couple pictures. And I was like, gosh. And so it just pisses me off. So it snowballed a little bit on me. Yeah, right. Or if I could do this like in a podcast form. I have a great face for radio. Well, thank you. That's awesome. It's a pleasure working with you. Yeah you too. I'm a little disappointed to get another version of it but sometimes I don't get to see a recording or see it. Heck yeah. I mean... If you ever want a
second opinion, that's something else. Well, thank you so much, Tom. I appreciate it, man. Great working with you. You as well. We'll see you at DEF CON? Yeah we'll see you at DEF CON. All right. Right. Yeah right. Damn. Yeah.
- Use those. - You want the batteries, man? - I have two bricks, though. I actually have one in my poor brick. - That is the most valuable thing. - She did, she told me. - Yeah. - Yeah, no, it's a different good, but what really sucked was drove me out of it. So, change out space and see if you miss the CFP. - Yeah. - Yeah. - I asked Jen Ellis, it's not too weird. - Jen Ellis is not exactly telling us about it. - Public ground.
I'm having the same problem. Check, check. I guess that's on. I do.
Tanner. Yeah, I saw you yesterday, I think. I think that's a USB-C dollar right there. I actually, yeah, I have one that's a lot easier, and it won't let me plug in the... They're really tight together. If I plug that one in, I can't plug in the pointer. I don't? You're very well prepared. Where is the pointer? We have a roof pointer. Oh, that's what I need. I just need to be able to point it slightly. Laser pointer. Yeah, laser pointer. Let me just blind my mentor with it. Oh. What? Oh, you have to like pull that out. Well, that's if you want to use it with your... I will probably do that as well. No
one read ahead. It's not showing the other monitor. It's not working? Yeah, it's not actually showing the other display. Okay. I think that's it. He's coming in BGA. Oh, VGA? You don't have an HDMI? Oh, I'm sorry. Yeah, it should be HDMI. Yeah, it's underneath there. It should be pushed in. It's going to be the refresh rate that's ascending. It's not a testing facility. It's not getting picked up. No test. Well, they will take those into place. That's all right. They'll send you out with Geiger counters. They'll give you the tools. It's the same with us. - What was that? - There's a little pod right here. Oh, I see. Okay. The other end was not plugged in. It needs to
be plugged in. Oh, I see what they did. That splits the sound off of the HDMI so you don't have to change the sound output on the laptop. I got you. The other end was not plugged in. What a great thing. - What's the problem with all the new iPhones? - You can't remove the flash. - Yeah, you want to use that. - That's why he left. - Right. - You're in there. - I mean, sure, you got your name. Does it? Yeah. That's why I was confused. I will. I'm going to be counting. Sure. I'll have it. Yeah. Is there anything you want me to say? Will I get picked up for the recording?
Please speak. I will. All right, all right. I can't just scream into the internet. It actually has to be. It's my mentee. That's my mentor, by the way. You can throw that scotch. If you want to throw something. Throw alcohol at me. Just throw it with the cap off. Yeah, yeah, yeah. I feel like someone should do a talk like that, just like a bottle of scotch, just like at the bottom of their talk. Like, dude, my first job was like a PM, and he made so much money for the company, they just like didn't care. He'd walk around with a solo cup in the office, just like whiskey. They're like, are you just drinking whiskey? Okay,
man. Do you? I don't know what the rules are. Also, my parents are watching on the live here, so maybe I shouldn't just... Sure.
Yeah, I've been told. I actually think I do have it. I was thinking about it. I think I only have it on the Xbox. I don't have it on the PC. All right. Thank you for my talk. All right. Can we get started? Yeah. I'm in early, but that's okay with me. So the recording's going. As we say that. Yeah. All right, everybody. Let's get started, shall we? Good afternoon. Welcome to B-Sides Las Vegas Proving Ground. This talk is Burp Suite Team Collaborator. Our speaker, we're lucky to have him today, is Tanner Barnes. A couple of announcements before we get started. We want to thank our sponsors, especially our Inner Circle sponsors, Critical Stack and
Valimail, and our Stellar sponsors, Amazon, BlackBerry, and the National Security Agency, my favorite. It's their support, along with our other sponsors and donors and volunteers, that makes this event possible. So thank you all. These talks are being streamed live. As a courtesy to our speaker and audience, we ask that you check to make sure your cell phones are set to the silent position. If you have questions, please use the audience microphone so that YouTube can hear you. Just raise your hand and I'll bring the microphone to you. Although we may only have one microphone, so that may be a juggle. I'll just repeat the question. OK. All right. We'll figure it out. With that said, let's get it started. Please welcome Tanner Barnes. - Thank you. First off,
I'd like to thank Tom. He was my mentor for this whole thing, this being my first time speaking at a conference, so he was a lot of help in making sure the slides looked somewhat presentable and I didn't sound like a complete fool. So we'll see how well he did. It's all on him if this doesn't go well. It's not me. Right, so my name is Tanner Barnes. This is a Burp Suite plugin that I built for allowing collaborative web app testing. So, a little bit about who I am. I'm a full stack, I say full stack, I am a full-service penetration tester. I work for a consulting firm doing everything from red teaming
to social engineering. When I'm not doing that, I get the pleasure of building tools that make my life and the lives of other hackers easier. And then before all that fun stuff, I was just your average full stack developer writing software for various different companies. So, show of hands real quick so I have a gauge of the audience: who has used Burp Suite? Perfect. This slide is way easier. For those people in the middle who don't necessarily know what it is, it is what's called a web proxy. So any request, when you set it up with your browser, when you make a request for google.com, it will go through Burp, log that request in clear text, and then you can toy with it, do what you'd like, and then
send it on its way. So it's pretty much the de facto tool for any type of web application testing. So, a little bit of story time here. It's really just kind of a manifesto for why this came to be. So, in my job, I typically deal with some more junior penetration testers, or people who maybe were less familiar with this type of space, right? And there was one week where I was on a dual engagement on a web app, and I had to keep getting up, going across the room, looking at their Burp window to see what they might be doing, going back, sitting down. Later in the day there'd be another problem. And then about
halfway through the week I thought, let's just solve the getting-up thing. Just export your project and mail it to me. Which worked, except by the end of the week that project was five gigabytes and was impossible to ship around, except with these giant file transfers where you have to log into a third app. It was a pain. This is a week of this. I've gotten none of my work done because I'm just standing over their shoulder: here's how you do cross-site scripting. And I was just furious over the weekend. I thought, someone has solved this problem. This is so dumb. It's been like a day, and I was like, well, no one has. And
being the true developer that I am, I was like, well, I've got this. I can do this. So that's really what birthed this tool. I was looking at the Burp Suite APIs, which you can see there in the extension store, and there was this just beautiful API request where it will take an HTTP request from the proxy, turn it into bytes, and then you can do whatever you want with it. And I thought, well, why don't I just grab a chat server? Instead of sending text, I'll just send the bytes of the request. And it worked. So over the weekend, I had the nuts and bolts of what is the meat of
Burp Suite Team Collaborator. So, this is kind of what I was alluding to earlier, right? If you look at what we can do to collaboratively work in Burp Suite, we're very limited, right? You can export and merge project files, but there are a lot of cons that come with that. They're a point in time, right? So when you do it, that's it. If the second you send me that, and I'm midway through typing my password to that file share, you're like, oh, wait, I figured it out, well, you've got to re-export it and re-send it to me. Even if we do that, like I said, the projects grow to massive sizes, especially if we're
dealing with some type of app where you would need a collaborative type of workload. And it's just a repeated process. When I fix or find out what the solution is, I've got to export it, send it back to you, and it's just a complete waste of everyone's time. So that's what we're here to solve today. So what the Collaborator does is it allows multiple testers, two to N, to connect to one central server, and every in-scope request that you have, I will see in real time, and every request I make, you will see in real time. So it allows you to remotely, anywhere in the world, with two or more
people, collaboratively work on the same web app at the same time.
So how it does it is pretty simple. It's your standard client-server architecture. If you really want to boil this down, I've made a glorified chat server, but it's still cool. So the client is written as a Burp Suite plugin in Java, because Jython is gross and you should never write anything in Jython. Don't do it. I tried for like a week. I was like, oh, I love Python. And I was like, I'm not writing a Java class in a Python file. I've got better things to do. So that was done. I was like, we'll just do Java. And Go, that one's the more fun one. I never learned Go, and I saw some cool
projects from some co-workers in Go, and I thought, well, I'm doing this, let's learn Go. So the server's written in Go. It also has a nice ancillary benefit that the server, when you compile it, is cross-compatible, right? So when you build this thing, it can run on Windows, Linux, your phone maybe. You shouldn't do that, but maybe you could. I've actually never tried that. Someone should try to run this server on their phone. That would be pretty dope. So, let's look at some of the things we can do with this plugin. So, in this plugin, you can share scope with the whole team. So when you join a room, which we'll show in a
second, you can set the scope for that room and push that scope to all the other testers. So, in a click of a button, you can have 10 testers all with the same scope, and no confusion about what API we're doing, what app this is; they're all on the same page. This one is pretty useful, especially if you've got people who like to troll, which is obviously no hacker in this room, by all means. You can mute anybody in the room, or the entire team in general. So that's definitely a big help for all of us. You can also, say you're working on something that you'd rather not send anybody, or you're
going somewhere maybe no one else should see. I won't judge. You can pause your requests and make sure those don't actually ever get sent to the server until you're ready to send them. And the final large feature is you can share whole requests or individual ones with the whole group or a single team member. So if, say, I join your project a week late and there's this API I really need you to see, I can right-click inside the target map, pick that request or the whole top-level domain, and send it straight to you and you only, and you're immediately caught up on all the work I've done for the last week. If we look
at some tool specifics, kind of drilling down a little bit. You can do that same sharing with both Repeater and Intruder payloads. Repeater is probably the most fun, especially if you're looking at something that's really a tough nut to crack, like a weird XXE or an SSRF vulnerability. Maybe I'm not good at those, but I found it. I can ship that off to a better tester. He can toy with it, fix it, get it working, and send it back to me, and I can send it and see how it works without ever having to, like, I've seen people who have done this, and I've done it, try to copy a whole Burp request
into a Slack window, and like, yeah, this will go well. Here's this binary file I'm sending. I'm just going to paste it in ASCII and hope it transfers well back to Burp. It's just a terrible idea, right? So that's immediately solved, because we're transferring it straight to bytes and then back into a Burp object. So it doesn't do any type of weird encoding on its way there. I will say, oh, actually, we'll cover it here. So this is something I talked about earlier. The server allows multiple rooms at once. So you can have a top-level server for your whole organization, and then separate team rooms for all the projects you're running, without having to
spin up individual servers. A part here I didn't put on the slides, but I should have, my apologies: all of this is AES encrypted. And shortly, I haven't got it fully working yet, by version 2, probably the end of the week, each room will be individually AES encrypted, so any one room doesn't know what any other room is doing on a project. So they are all individually siloed and have their own work streams. So here's where we're going to walk through the fun part. There is a demo. This is not something I just made up. It's like a big con. I actually do have a working product. Right, so this is the UI. Can everyone
see that, by the way? I hope so. No? I, oh, I know, you know what? I know what I did wrong. I didn't switch it in the slides. I have a better video. Way better, right? That was like the first thing I got on Monday. They were like, no one has a magnifying glass in here. So this is the UI, right? So you have your display name, right, which is unique to you. You've got the server address, the port that it runs on. Currently, it's tied to 8.8 or 8.9.8.9. I'm fixing that this week as well. Set it to whatever port you like. Have fun with it. This server password is also
the AES encryption key. It's generated when you start the server, and then, when I fix it, it will be generated when you create a room. So that's unique to the server, and that's how you authenticate to it. So we're connecting, right? You see here on the right, there are no rooms, and that's just the default setting once you're on the server: there are no rooms created. So these are the two clients. For a lot of this demo we'll be zooming in and out of different parts. This is probably the biggest show of it. This is two Burp windows side by side, right? Two separate clients. This one is actually on the proxy. It's actually connected. This
one is not connected at all to the proxy. No requests are going through here. So here on the left, I'm creating a new room. That's another kind of weird thing. That's a Java issue: Java creates pop-up windows on the main screen. So this is actually a bigger monitor; my laptop is below it. That's something I'm also fixing, just to do it in whatever screen you're in. But that's pretty trivial. So that's the window name for the server that we're creating. So you can see here on the left, that's you in the server. And then when I make the room, that's pushed to all the other clients. So this is that new room I made. Most
of the UI here is right-click menus, so you just right-click in there and hit Join. And then immediately you can see both testers are in the room, and we're ready to get to the actual fun part. So this is really quick. That's just leaving the room, rejoining, pretty simple stuff. So here's where the real fun part is, and it happens really quick. So here on the left, this is test.com coming in, and we're pushing it live to the other client without ever leaving Burp. And you can see it's all requests; it's not just the top level. So here in this next part, I'm showing actually sending specific requests. So I'm deleting YouTube, in the idea
that maybe I haven't actually gotten to that API, and joining the server. So we go to Share Requests and we do To Group, and immediately it's all sent over in real time. And this is just to show you don't have to necessarily do the whole thing, right? Maybe there's, like, a specific API request, and we can send just that one specifically, right? And we'll only get just that API, if you don't want to bog someone down with an entire workload. This is muting, right? This is also a super useful feature for some things I have coming in 2.0. You'll see that, where muting will be a real big feature. So here you can see we muted
ourselves, and I don't think I can go back really easily, but I muted myself, and you're never going to get requests from that user. This is sharing scope, right? So I set a scope here on client one, test.com. We Set Room Scope, and it's pushed immediately to all clients there. And just like, say, you're late to a project and I don't have the APIs, but I'm trying to get up to date, I can just do Get Room Scope, and I will pull that scope from the server and be right up and running. So you don't necessarily have to start at the same time. This is the opposite of muting, right? This is pausing yourself,
where you'll get the requests immediately, and the other clients won't ever actually get them until you unmute yourself. Oh, so this is the other fun part. So this is the Repeater payloads, right? So this is a Repeater payload I've made, say API, right? And I do Share Repeater Payload, and we're going to send it to the group. Every group's got that Repeater payload, exactly how I made it. Now, maybe I only need one team member who's really good at this next part. And so it's the same thing, just like sharing them at the top level, right? I can send them specifically to a teammate. We can do the same thing with Intruder and send it straight to both. This is actually something, if you'd like to help
me out: Burp Suite does not actually, and this is maybe the one bad thing I have to say about Burp Suite, but it's very minor, you can't actually share Intruder payloads with your set custom indexes. So you can send the payload, but it will only use the default ones. If I have the indexes, I can make it, but I can't actually get that information from the UI. So if you'd like to hit up PortSwigger and ask them on my behalf to make that available, that would be amazing. Or tell me I'm wrong; I honestly might be wrong, so who knows. So this is the same thing, right, just in Intruder. And that is the demo,
but wait. But wait, there's more. So these are some things I'm working on pretty actively here in the week. I've actually demoed this to a couple of people. They got to see it today ahead of time. So one thing you'll notice, if you pay kind of attention when you use it in full screen: the only person who's going to see findings from the passive scanner is the person who makes the initial request. So I'll push the request and the response to your Burp, but you won't see the passive findings. Now, the nice thing is we can actually push those to your client, and it's pretty simple. So here in the next week, I'll probably have it so you will also, if I go to an
API and it passively detects SQL injection, that finding will get pushed to you and also stored locally on the server. So you can actually, from the server side, just see the collective findings of a whole room. Another thing, super simple, I just haven't gotten to it yet: sharing of cookie jars. This is actually very useful as well. If you're doing collaborative testing and I've got a set of creds I've found and I authenticate to it, when you do that in Burp Suite, it stores that session cookie in Burp. So instead of me having to get on Slack and type you the credentials, it will just push that cookie to your cookie jar, and you can just
refresh the page and be me, or whoever you'd like to be, in that type of room scope. Pushing findings between clients goes with the findings on the server, right? And this is the one I'm most fond of. I've got this 90% of the way there. So when you go to Repeater in version 2, you'll be able to see another context menu that does Create Link. And what that will do is take that request, build a base64 hash of that, and then append it to a custom URL handler. And then what you can do is, say you're a person who does guides. You did some cool walkthrough on Hack The Box. And you're building
your guide to teach the community. You can take that link, embed it in your Medium post or what have you, and if you click on that link while using my Burp plugin, it will inject that into your Repeater payload. So you can literally do play-along walkthroughs of Hack The Box type things. Another one that I have working now: you can save connection settings. So if you're always going to the same server, if you close Burp or close the extension and reload it, you'll get those connection settings back. That's just a little helpful. And then again, for you guys, I'm sure there's something I've thought of that would be amazing for this tool. And so
that's one thing I would like the community to help with, is getting the information. So that's part of this, right? So this is where the code is. You can find that here. The first one is the client, that's the Java Burp extension, and then the server is the Go server that will help you run them. Seriously, please, someone try to run this on a phone. It would be amazing. Please submit issues. I've already had some people tell me some things that could probably be better. Please do those. If you'd like to help, I'm always open for PRs. And then submit suggestions. I'm sure there are, again, some cool things people have thought of that I
can't do. And if you'd like to ask me some stuff I haven't thought I'd ever cover here, that's my Twitter handle. And that is the talk. Thank you. And that was the Q&A part, obviously. Yes, sir. You got the attention of PortSwigger yet? Yes, they just retweeted. Actually, it's a retweet of a retweet. Yeah, sorry. He asked if PortSwigger has noticed it yet. Just probably 30 minutes ago, they retweeted a retweet from HackerOne about the talk. So, yes. Anything else? Yes, ma'am.
So she was asking if, while you're doing work, if I make a change to a request, is she going to know if I did that? The answer is no. That's actually a good idea. Yeah, there's actually a nice way to do that, because I don't want to pop pop-up boxes. That would be annoying. But you can actually, if you change something in a tab, it lights it up. So probably what I'll do, actually, is just put a hidden notification on, there's a Burp TC tab for the plugin. I'll probably put a hidden counter you can't see and just move that, toggle it, and it should change the thing to white. The thing I worry about
that, well, yeah, that's a good idea. So the answer is no. It's just kind of streaming live. You will notice Repeater. If I share you a Repeater payload, the Repeater tab will light up, because there's a new Repeater payload. But the actual just live requests on the target map, no, you'd have to be watching. Good question. Thank you. Yes, sir. Can you handle the client side or server side, and can each tester set who they're using? Correct. So he asked, is the muting handled client-side or server-side? It is actually a state of the server. It means stored client as well. Yes, every single user can control who they mute and when they mute them. And you can mute, again, you can mute everybody at once or hand-pick
people you want to mute and unmute. Thank you. Question. Because this is your first talk at a hacker con, it's a well-improving ground. We want to award you a most improved-- Oh, thank you. Yes. World's most OK-est mentor. Oh, yes. All right. Well, that's all for questions. That's all. Oh, yes. Go ahead. Is it possible to kick people that join your server? So, good question. So no, not yet. But that is something very useful for 2.0, especially as I start working with some people who do the type of live streaming. And that is one of the interesting things I've been talking to people this week about, is using this in a collaborative setting on Twitch to play
along with people as they are teaching a topic. And of course, there will always be trolls. And so yes, that's something in 2.0. Whoever's running the room will have the ability to boot people off the room, for sure. Thank you. Yes, sir? Have you considered actually adding, now that you have a chat server, have you considered adding chat in there, so you don't have to go on another platform? Or is that not really-- I've thought about it. The one thing I worry about is almost putting too much on the UI. And most, I mean, at least I always do, the people I've seen hacking, they always have another window with Slack or Discord or what have you. So it seems a bit of a repeated use case.
I personally wouldn't like it. Fork it. Do it yourself. Yeah, so no, I wasn't planning on putting an actual dedicated chat server in there. But thank you. All right, thank you. Thank you.
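The architecture Tanner describes in the talk above (a relay server that forwards the raw bytes of proxied requests to the other testers in a room, a shared password that doubles as the AES key, muting on the receiving side, pausing on the sending side, and per-room keys planned for version 2) is sketched below in Go as an added example. It is not code from the talk or from the Burp Suite Team Collaborator project, whose wire format is not on this page. The in-memory hub, deriving the room key from the password with SHA-256, and binding the room and sender names into the AES-GCM tag as associated data are this example's own assumptions. The point a practitioner would want checked is what the server can and cannot do: with authenticated encryption the relay sees only ciphertext and cannot re-attribute or cross-post a message, but every tester in a room holds the same key, so the room password is the whole secret, and a random 96-bit GCM nonce per message is only safe while a room stays far below 2^32 messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is all the relay server sees: routing metadata plus the AES-GCM
// ciphertext of the raw Burp request bytes. Room and sender are bound into
// the tag as associated data, so the relay cannot re-attribute a message or
// replay it into another room without the tag check failing.
type Envelope struct {
	Room, Sender string
	Nonce, Box   []byte
}

func (e Envelope) aad() []byte { return []byte(e.Room + "|" + e.Sender) }

// Client models one Burp plugin instance joined to one room.
type Client struct {
	Name, Room string
	Paused     bool            // pause: hold my own requests until I unpause
	Muted      map[string]bool // mute: drop everything from these senders
	Inbox      [][]byte        // decrypted requests received from teammates
	aead       cipher.AEAD
}

// NewClient derives the room's AES-256-GCM key from its password.
// Assumption: the talk uses the password itself as the AES key; hashing it
// only lets any password length work and is no stronger than that password.
func NewClient(name, room, password string) *Client {
	key := sha256.Sum256([]byte(password))
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail: AES block size is 16 bytes
	return &Client{Name: name, Room: room, aead: aead, Muted: map[string]bool{}}
}

// seal encrypts one request under the room key with a fresh random nonce.
func (c *Client) seal(request []byte) Envelope {
	env := Envelope{Room: c.Room, Sender: c.Name, Nonce: make([]byte, c.aead.NonceSize())}
	if _, err := rand.Read(env.Nonce); err != nil {
		panic(err) // no usable randomness means no safe nonce; never send
	}
	env.Box = c.aead.Seal(nil, env.Nonce, request, env.aad())
	return env
}

// receive drops envelopes from muted senders and anything that fails to
// authenticate under this client's key (wrong room, wrong password, tampering).
func (c *Client) receive(env Envelope) error {
	if c.Muted[env.Sender] {
		return fmt.Errorf("%s is muted", env.Sender)
	}
	plain, err := c.aead.Open(nil, env.Nonce, env.Box, env.aad())
	if err != nil {
		return fmt.Errorf("rejected envelope from %s: %w", env.Sender, err)
	}
	c.Inbox = append(c.Inbox, plain)
	return nil
}

// Hub is the relay: room name -> member name -> client. It holds no keys,
// so a compromised server still sees only ciphertext.
type Hub map[string]map[string]*Client

func (h Hub) Join(c *Client) {
	if h[c.Room] == nil {
		h[c.Room] = map[string]*Client{}
	}
	h[c.Room][c.Name] = c
}

// Relay fans an envelope out to the other members of its room and returns
// how many of them accepted it (decrypted and authenticated).
func (h Hub) Relay(env Envelope) int {
	n := 0
	for name, m := range h[env.Room] {
		if name != env.Sender && m.receive(env) == nil {
			n++
		}
	}
	return n
}

// Share is what the plugin does when an in-scope request hits the proxy.
func (c *Client) Share(h Hub, request []byte) int {
	if c.Paused {
		return 0
	}
	return h.Relay(c.seal(request))
}

func main() {
	req := []byte("GET /api/users HTTP/1.1\r\nHost: test.com\r\n\r\n") // constructed sample
	hub := Hub{}
	alice := NewClient("alice", "alpha", "correct horse")
	bob := NewClient("bob", "alpha", "correct horse")
	mallory := NewClient("mallory", "alpha", "wrong password") // in the room, wrong key
	for _, c := range []*Client{alice, bob, mallory} {
		hub.Join(c)
	}
	n := alice.Share(hub, req)
	fmt.Printf("accepted by %d of 2 teammates; mallory decrypted %d\n", n, len(mallory.Inbox))
}
```

Running it shows one acceptance: bob gets alice's request in clear, while mallory, who joined the same room with the wrong password, gets nothing because the tag check fails. The same check rejects a relay that rewrites the Sender field. A real deployment would also need transport security and a kick or room-ownership model; neither is modelled here.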
It was great. It went really well. I was like, I don't think you went there for Monday, but it was like, I'm way better than Monday. Yeah, thanks, man. Oh, please. No, I wish, yeah, let me know how it goes. Thanks. Yeah, so I've done it. Here's how many people you're going to use. Like, play it one time. Yeah, so I've done three. It handled that like a charm. It's very tiny, like packets. It really shouldn't be a problem. But if you're doing it to people, I'd be curious to see just like what the workload that's going to look like. Is this for 1.7? It works on both. Yeah, it's very simple. The UI's going
to change. Yeah, no, you're welcome. Yeah. Yeah. - I love Miami. - Oh, me too. The tickets didn't cost me anything. But yeah, if you're around. - It was a really kind thing. - Yeah, you can see me up on Twitter. - Are you going to the Def Con or not? - I am, so I'll be here. - I'm joking. - Oh, awesome. - So, you found a good one. - Oh, awesome, great. - Yeah. - So, when you buy a Canadian car, I can stretch this out. - Yeah, I can stretch it. - Good job. - Before I go one question. - Yes sir? Thank you. Yeah. You said demo? You're doing demo? Yeah,
I'm doing demo days. Yeah, so it's Saturday at like 4. I guess I probably should have plugged that. Yeah, thanks. See you later. Have a good night. Thank you. You know what I need? Oh, actually I have one. You still have five minutes. You're good. I think what I need to do is adjust.
What I need to do is figure out how to change the display settings, you know, so that it's projecting the right thing. Okay. I'm not very good at Windows. Do you want to mirror it? Yeah, I want to show, like, what's on here. I don't know why it was actually showing my desktop. Yeah, it's too simple and longer. Click on Duplicate. Duplicate? Okay. Right here. Yeah. Do you want to duplicate the displays? And now they're the same. Is that how you want it? Well, actually, I kind of wanted it just to show-- I guess what I'm going to be forced to do is just do the full screen like that. Just the presentation view. Hey, Nathaniel. Hey, can you help us
figure out the best way to just make this presentation view? Oh, yeah. It should be five, maybe. Have you already connected this on? Yep.
- So you don't have it. - There it is. - Okay. - And you're Serenity Smart, right? - Yep. - Do I have that right? - So you don't have the mic? - Three minutes. You know I'm gonna signal you? I'll signal you at 10:05. - She is. - 10:05. - I'm the 10. - I'm at two. - Two. - How you doing? - So I've been arrested. Yeah, just need the mic. Oh, yeah? Today it's just this? Okay. Yeah, that's why I was... I guess it works. It's okay. Yeah. So tell me when... A couple of minutes. Okay. I'm going to wait a couple of minutes to start. Start right at 530. Good afternoon
everybody. Welcome to B-Sides Las Vegas Proving Ground. Our next talk is called The Resilient Hacker: Growth Mindset, Health Hacks, and Powerful Help to Navigate Personal Challenges. Our speaker is Serenity Smile. A couple of announcements before we get started. We'd like to thank our sponsors, especially our Inner Circle sponsors, Critical Stack and Valimail, and Stellar sponsors Silence, Microsoft, and Robinhood. It's the support of the sponsors, along with the other sponsors I didn't mention and our donors and volunteers, that makes B-Sides possible. So thank you. These talks are being streamed live. As a courtesy to our speakers and to the audience, we ask that you check to make sure your cell phones are set to silent.
At the end, if you have a question, just raise your hand. We'll take one question at a time, and we'll have Serenity repeat the question back so that our YouTube audience can hear the question. With that said, let's get started. Please welcome Serenity Smile. Thanks. All right, so I have a question for you guys. Well, as you know, my name is Serenity, and I'm really glad to be here. I feel really honored. This is my very first time speaking ever. So thank you, everybody, for coming. So, I have a question for you guys. How many of you have ever felt stressed or overwhelmed? All right, that's everybody in the room. Great, me too. Guess what? And so, guess what, I'm here to help. My goal here is
to offer some tools based on my own life experience. I've been really passionate about the subject for a long time. So, bear with me, I'm having a technical difficulty moving this thing. Okay, so we did that. So anyway, who am I? Well, relatively new to cybersecurity. I was really fortunate enough to earn a Stan Scholarship. And so they thought that I had an aptitude for cyber security so I earned. This is an example of a growth mindset. I never thought that I was good at math or programming or cyber security. It never occurred to me. I'm actually an English major. And so I actually only became interested in technology later in life when I had
my son and he became actually interested in computer programming. robotics and Lego NXT and so because of him I thought you know if he can do it I can do it maybe So anyway, that led to studying a lot of different things like web development. I basically started applying for scholarships and studying whatever I could get a scholarship for and found that I could do it. So I got the SANS scholarship, recently completed that, and did three certifications in six months, which is working full time and volunteering and having a family. So that's an example of what I'm going to talk about, this growth mindset. that even if you don't think you can do something,
actually, I think that all of you have applied this in your life because you're all in cybersecurity. I know the amount of work and dedication it takes to apply yourself to learning a technical topic. It's not like reading a novel or watching TV; it takes some dedication and knowledge. But before that, in a past life, I felt so strongly about learning yoga, meditation and stress management that I dedicated a lot of time to learning them, and I still study and practice yoga and meditation every day. I really try to apply it to all facets of my life, and I've found that this
is a major thing that has helped me get these certifications, be able to study and stay sane, even though it sometimes felt very overwhelming. So that's a little bit about me. So why are we talking about this? Well, I tend to do a lot of research about things that I'm interested in, and cybersecurity is something I'm really passionate about, really interested in. Being new to the industry, I started researching it: do I really want to work in this field? What's it like? And because I have this great interest in health and wellness, I found a lot of
current research, past RSA talks, white papers and different studies talking about how cybersecurity is a very challenging industry to work in. Apparently we struggle: there are issues with possible long hours, because there is a lack of supply in cybersecurity, understaffing, and sometimes a lack of support from management who don't understand the importance of security. There's also the struggle to keep up with attacks and constantly changing technology, and it's a landscape with pretty big consequences. So I was reading all this research and, frankly, I was feeling a little depressed about it, but I thought, maybe I can offer something
to help, because I have had all this extensive training in yoga, stress management and meditation, so maybe I can offer some tools. So, briefly, how does stress affect us? Why is this important? Well, as you probably know, stress has been called the leading cause of illness; it's a contributing factor to a lot of diseases. Chronic stress can lead to burnout, depression, or even suicide in extreme cases. Stress produces cortisol, and excess cortisol has a very adverse effect on our bodies. So what are some solutions that we can apply? Well, I talked about growth mindset, and so
I really believe in having a growth mindset. I've discovered this throughout my life: having a fixed mindset means feeling like a victim, and I had a pretty difficult childhood, so I understand that feeling of victimhood. The opposite of that is understanding that you can develop your abilities, your talents and your intelligence. I'm telling you this because you can actually develop tools to help yourself. I'm not talking about fixing the systemic problems; that's a different issue. I'm talking about things that you can do to contribute to your own wellness. How can you take things into your own hands? That's what I'm trying to talk about. So the
goal here is to develop a personal resiliency plan. So what is resilience exactly? What are we trying to do? Well, the goal is to be able to bounce back and go with the flow when we're challenged by life. And we can have these tools that I'm going to present you with. Basically, I'm going to present you with a tool set, okay? It's like when you get one of those multi-tool sets: you don't end up using all of them, you try them all out and see which ones to keep, right? Especially if you're going on a trip and you can't take all
the tools with you. You can try them, and then, like a lock-picking set, you figure out, okay, what's the appropriate tool to use in this moment? Which ones help me the most? So I just want you to know that you do have a choice in how you react and respond, and a lot of these tools give you a buffer between something that happens to you, an event, and what you do about it, instead of being really reactive about it. Have you ever, for example, and I know I've done this, if
you're angry, just said something very sarcastic or kind of insulting? That doesn't go very well. But if you practice, say, meditation or yoga every day, you become calmer and you're in a more relaxed space, and you can step back, breathe and think: okay, what did that person really mean when they said that? Were they really talking about me, or were they having a bad day, or maybe they didn't even realize that what they said may have been insulting? So I have this picture of a lotus
flower here because the lotus flower has been inspiring to many cultures and religions, such as Hinduism and Buddhism. The reason is that lotus flowers grow in ponds, which are bodies of stagnant water, so the mud on the bottom of the pond is pretty stinky. Lotus flowers grow out of this mud into a beautiful, very useful medicinal flower, which is gorgeous. And not only that, but the leaves are incredible; they were the original inspiration for Teflon. Whenever water lands on a lotus leaf, it just rolls off. So just like that, if we use these tools, hopefully we can have adversity roll off us. Not only
that, but out of the mud of the pond, which is adversity, a beautiful thing grows. So I really believe that all the adversity in your life, if you think about it, can be your advantage. It's about shifting your mindset, because all the things that have happened to you and everything you've been through give you experience. I know that everything I've been through makes me more compassionate for other people, so it helps you grow as a person. Sometimes we don't really know why things happen to us, but
later, if you look back on it, you often say, okay, it was good that I was fired, because actually I was able to do something else. All right, so what are some health hacks that we can do? Get outside. This is very powerful: if you get outside, you'll find that you get inspired. I really encourage you to disconnect once in a while. I know that I personally have spent days trying to study or figure out a programming problem or something. But if you can step away... this is part of mindfulness: notice how it feels when you've been inside all day. When I've been inside all day,
especially in a room without windows, I feel kind of weird at the end of the day, and sometimes it's hard for me to go to sleep. Also, sitting is the new smoking. If you just take a break every 20 or 30 minutes, go for a quick walk, or take a nap if you feel tired, that will not only recharge your creativity and inspire you; by taking time away, you'll actually study better, you'll do more creative problem solving, and you'll get the rest that you need to give you a different perspective. Also, longer term, remember to take vacations, because that helps you recharge too. So physical exercise,
of course: doing it outside is optimal because you're getting two in one. It flushes out the stress hormones, and being outside in nature has been shown to make you smarter and calmer. People have written whole books about this. I'm just introducing things here, but if you're really interested, I want to encourage you to contact me at the end. I'll have my contact information, and I can point you toward more resources. So, nutrition. I just want to say that the brain is really dependent on nutrients and phytochemicals, plant compounds that are only found in plants and vegetables. You can't just swallow a pill and get the same effect by taking vitamins. And there are recent studies
in... there's actually a book called "Fast Food Genocide" by Dr. Joel Fuhrman, who I really admire because he does have a lot of scientific research, saying that fast food is a major causative factor for depression. He also mentions there are studies that sugar contributes to anxiety. So even though, when I feel stressed, I might feel like eating ice cream or cake or something, and I do love to bake, I've tried to substitute that with eating fruit instead, and that's actually been very helpful to me. I also follow a plant-based diet, and I've done that for many years. I really feel that that contributes to my
having a lot of energy and better health. So if you consume whole, natural foods and try to avoid things with ingredients you can't pronounce, it really does make a difference. But it's up to you to experiment and see for yourself. Just try to eat for nutrition. Dr. Joel Fuhrman coined the term "nutritarian," and he works as a consultant with Whole Foods on that. It's basically the concept that you don't have to be a vegan or a vegetarian; just try to eat more nutrient-dense foods, make every calorie count, try to avoid sugar and processed foods with ingredients you can't pronounce, and
just take baby steps: make little substitutions, like trying to eat fruit whenever you feel like eating sweets. He actually recommends five fruits a day. So anyway, other powerful help from the past. People have been doing yoga and meditation for thousands of years, but only now that we have modern scientific equipment like MRIs, brain scans and machines that can study what's happening in the brain do we know that meditation actually shrinks the amygdala, the part of the brain that controls anxiety and fear. So meditation helps you feel less anxious and fearful, and lowers cortisol, the stress hormone that we talked about,
which is so detrimental to the body. And the opposite of that: it triggers more activity in the left prefrontal cortex, which is what is active when you feel happy and calm. So that's pretty compelling: scientific research is now proving what people have experienced for thousands of years. It's also recommended now for people who are depressed, instead of antidepressant drugs, because it provides pretty much the same results as antidepressant drugs but without the side effects, and it's free. All the tools that I'm presenting to you are free. Other interesting things: you'll age more slowly. A UCLA study showed that in
as little as 12 minutes a day for eight weeks it can repair your DNA and help you age more slowly, protects your immune system, may help lower blood pressure, and basically you can think more clearly, make better decisions, it helps with chronic pain, and you can sleep better. So, mindfulness is just maintaining, whenever you're doing anything like eating, walking, or talking to somebody, a moment-by-moment awareness of what's happening, how you're feeling, what's happening around you, this kind of situational awareness. And yoga: meditation is actually a branch of yoga, but when I say yoga here, I'm talking about the physical postures; that's called hatha yoga. And I want to say that
with meditation and yoga there are many different styles, so it's up to you to experiment with different styles. If you have any questions about different styles, I'm happy to answer them. But I just want to encourage you to try something. If you don't like one class or one teacher or one book, try something else. Yoga reduces stress, of course, and makes you stronger and more flexible. And there's this whole mind-body-spirit connection, which is more familiar in the East than the West. It's a whole holistic thing: if your body feels comfortable, that affects your mind to make it calmer, and that helps your spirit feel happier. So lastly, I'd also encourage you to laugh and spend time in good company. We have this
new hacker stand-up comedy happening. I think it just passed today, but there's another one tomorrow, I believe around four to five. And try to connect with other people, because it's also been shown that it really helps when you connect with people in person. So if you like, let's do a quick breathing exercise. I'll teach you how to deep breathe, which is not only preventative, in that if you practice this over time it'll become more and more natural to you, but you can also use it as an emergency thing in the moment: if somebody says something, if you get some alarming news, or you feel really stressed or angry, you can practice this. So if you like, just
put your hand on your tummy right now, or not, if you don't want to, and you can close your eyes or not; that's optional. But the idea is, okay, just exhale. When you exhale, you're squeezing the air out of your tummy, so your tummy is contracting. That's squeezing the air out of your lower lungs and your upper lungs. Then you can hold it for a second, and then just breathe in: expand your tummy, so you're filling your lower lungs with air, and then your upper chest. Then just hold for a moment, and then you can either exhale through your nose or through your mouth. And now
just notice, listen to what's going on around us. You can hear the noises from outside. Just notice how you feel, if you feel differently. So we just did a very short breathing exercise, which is very powerful because it's interrupting that stress fight-or-flight response. Scientists know that when you feel that fight-or-flight response, it's from primitive times; you basically can't think straight, and so that's why it's very helpful to do this deep breathing, like if you have a job interview or a presentation like this, which can be terrifying. So I also want to say that with mindfulness, I personally try to control the negativity in
my life. So you're being mindful right now, right? But mindfulness also means you expand your awareness to what you're putting into your body. That means not only what you're reading or what you're hearing, but what's around you as well. How do other people make you feel? If you are around people that are complaining all the time or angry all the time, or you're watching violent movies, see how that makes you feel as opposed to reading something personally inspiring to you. And that can be different for different people. I personally find reading stories of how people overcome adversity, sometimes entrepreneurs that become really successful, rags to riches, can be
very inspiring. I like to know how other people overcome adversity. That helps me put more positive things in my mind than negative things, and then I have less to filter out; it's like I'm fighting less. So, final thoughts. This community is very important. If you look around you, just remember that a stranger is just a friend that you haven't met yet. We have many excellent people here, and I believe we need to support each other in the cybersecurity community, because we are all facing different challenges and we're all in this together. And I encourage you to experiment
on yourself. I always consider myself my own guinea pig, and so for years and years I've been experimenting with different yoga styles, meditation styles and different tools. What I'm presenting to you are the things that have worked for me, and hopefully you can go out and explore more and see what works for you. So try to develop your awareness. We talked about mindfulness, meditation and yoga; those are very powerful tools. And exercise, and that can be any kind of exercise, basically anything that's inspiring to you, whether it's mountain biking, running, yoga, walking fast or tai chi. There are many different things that you can try, and
so I really encourage you to experiment on yourself and to be kind to yourself, to not be so hard on yourself, and to be compassionate to yourself and other people. Every day I try to do random acts of kindness, something as simple as what I call "trashercise": just pick up trash if you see it on your way to work. It helps you feel better, you don't have to walk past it, and it helps other people too. And if you can do something more extensive, like volunteering or mentoring other people, that really gets you outside of yourself and helps you feel grateful for
other people who might not be as fortunate as us. And when you help other people, you actually feel really great yourself. So lastly, I want you to be like a weed or bamboo. Bamboo in storms blows around and bends, but it doesn't break, and we can be like that too. Adversity, I believe, can make us stronger. Every day we do face a lot of adversity, but if you ever see a weed growing in the sidewalk... I once saw a tomato plant growing behind a dumpster in back of a subway, and it was amazing. It had all this fruit, and I thought, nobody's caring for it, and it's still thriving.
It was pretty amazing. So I believe every one of you is just like that. All right, any questions for me? Winnie? All right, well, I want to leave my contact information here. If anybody would like more resources or has any questions, feel free to contact me, and I'll be outside if you have any questions. So thank you guys so much for coming to my first talk.
Thank you, Serena. That was great. Go out there and hack yourself now. Yeah. Yeah, hack yourself. Serena, one thing you may consider is you could always lead a group meditation at some point, maybe early in the morning or late in the evening, if people were interested. Here is your "most improved" for giving your first pocket hackathon. Thank you very much for your participation. I don't know what I did. I just, I don't know. Oh, my God. Yeah. You were great. That's it. This is ours. You want a USB-C dongle? I was afraid you weren't seeing me. Oh, yeah, I saw you, but I wasn't sure. So how much time did I actually do? The solution? You went over by about 30 seconds.
Oh, okay. So if people had asked questions, then it would have gone over, because it was like 23 minutes? No, there would have been time for a couple more questions. Oh, okay, so I did good. So I did like 23 minutes. Your pacing was perfect. 23 minutes plus, okay. Thank you. Yeah. See, most of the struggle was trying to shrink the material. Yeah. Trying to get it concise. Back to the other settings. My first practice session was 49 minutes, 45 minutes or something. People do that, a lot of content. Yeah, there's a lot of content. It was awesome. Keep doing it, please. You're all here to tell me you have your file permissions set
exactly right. My tool isn't needed? chmod 777? It's running on a file system that doesn't support it. Yes. It works on Windows, too. You just type that, and it'll do the right thing. So you must be Jared Chandler. I am. That's pretty easy to pronounce. I assume I'm pronouncing it right? Yes, you are. I'm going to wait and try to start it straight up, since it's a clock. That's a couple of minutes. So you want me to tell stand-up jokes? If you want to. I don't know what's so funny about file problems. I don't know. I could probably think of a few things if you gave me long enough, but under pressure, maybe not. People usually think it's
funny when they've got something hanging in the open they shouldn't have. It can definitely be the cause of some pernicious little problems. Is there a micro... We don't have a lapel mic, so it's just a live mic. All right, sweet. So I'll do an intro first. Okay, we're going to go ahead and get started, everybody. Good afternoon. Welcome to BSides Las Vegas Proving Ground. This talk is "So You Think You Can chmod? Reasoning About File Permissions," and our speaker is Jared Chandler.
A couple of announcements before we get started. We want to thank our sponsors, especially our inner circle sponsors, Critical Stack and Valimail, and our stellar sponsors, Secure Code Warrior, Paranoids, and Amazon. It's their support, along with our other sponsors, donors and volunteers, that makes B-Sides possible. So thank you. These talks are being streamed live. As a courtesy to our speaker and our audience, please make sure your cell phones are set to silent. At the end, if you have a question, just raise your hand. We'll call on you one at a time and get Jared to repeat the question back so the YouTube audience can hear it. With that said, let's get started. Please welcome Jared Chandler. Well, thank you
for coming. I know file permissions may not be the most glamorous thing, but sometimes they seem pretty important. So I'm Jared Chandler. Today I'm going to present something called X-Ray. It's an open source tool I've developed to help lay users reason about Unix-style file permissions. It lets you ask human-friendly questions about the security of your file system and get concrete answers back in return. So in terms of what I'm going to do today: I'm going to talk about the motivation, why I developed this tool; I'm going to talk about the approach I took to actually solve this problem; and I'm going to give you a demonstration and show you what X-Ray can do. I put
it up on GitHub. It's research software, so please be kind to me, but you're welcome to pull it down and fool around with it, and I'll show that URL again at the end. OK. So a little bit about me. I started out as a full stack developer a long time ago. I've got probably a decade-plus of experience out in industry. I've done a lot of different things and a lot of different roles: database stuff, networking stuff, you name it. But these days I'm at Tufts University working with Dr. Kathleen Fisher. My research areas of interest are things at the intersection of human reasoning and formal methods. Some of the other research projects I
work on are automatic protocol reverse engineering from network samples. I'm working on clandestine botnet infiltration, so, like Ocean's Eleven, you've got a botnet and I'm going to steal it and no one's going to realize it's been stolen until it's already too late. I work on cognitive attacks on end users, which is figuring out ways to deceive the user at a biological or perceptual level, so it's really hard to defend against. And I work on file permissions, and that's what I'm going to talk about here today. So every good security story starts with a crime. I was a teaching assistant for a computer science class, and one of my duties was to
find out when the students were doing bad things. We teach them to use GitHub and version control, and suddenly they're using it to share answers, collaborate inappropriately, cheat, et cetera. So I learned to go out on GitHub and look for people up to no good. And one day when I was out there, I found some scanned copies of our exams. This was stuff that only the staff and the instructor should have had access to; it should never have been in the hands of a student. And I jumped to the conclusion: oh, clearly we got hacked. Some student created some malware and uploaded it as a homework assignment, and then we ran their submission unsandboxed, and it took copies of these files
out, and that's how they got the data out. But the languages we use to teach are kind of stupid, simple languages, except for Standard ML, which is a compiler language. It's kind of wacky. So if somebody wrote malware in Standard ML, I tip my hat to that person. But there were a couple of things that didn't make any sense. If you're that badass, why are you posting this stuff on GitHub? Why didn't you also post other solutions? Why didn't you post grades? Why didn't you post our infrastructure, which you clearly would have had access to? And then it kind of dawned on us: somebody on our side had made the exams world-readable. We went back and looked;
somebody had been in a rush. They were trying to do something about grading, they couldn't get the file permissions right, and they just went, "chmod 777." Everyone gets all the permissions, and you know what? That worked, because the job got done and no one looked back. Nobody realized anything was wrong. Later, a student went to make a copy of the course material, as they're allowed to, and they probably didn't realize there was anything in the copy they took that they weren't supposed to have. So we felt pretty dumb. How many PhDs does it take to get file permissions right? Clearly more than we had, and we had a few working on it. We realized that if this had happened here, it could happen again, and it may have
happened at other places that we were responsible for without our being aware of it. And when we dug a little deeper, we realized we didn't even understand, with a lot of clarity, how file permissions work; we had some misconceptions about what should be secure and what shouldn't. So probably not everyone here is totally familiar with Unix- and Linux-style file permissions. We certainly weren't. I'd like to do a little bit of a level set and talk about some of the things that I thought were relevant about Unix file permissions: what they are, how they are evaluated, and how you set them. And this is just kind of
to give you a sense of what we're up against when you're trying to get them right. So there are three parts to Unix file permissions: the user, the group, and everyone else. The permissions themselves are read, write, and execute, and execute is either run it as a program or enumerate the files in it. And when they get evaluated, there's this algorithm that is applied, and you never see this unless you go back to some seriously old 1970s graybeard paper written on a typewriter. You'd probably have a hard time finding it. It breaks down into three cases: if you're the user, you get the user permissions; if you're not the user and you're in the group, you get the group permissions; and if you're
not the user and you're not in the group, then you get the other permissions. How about how you set those permissions? chmod 755. chmod =rw+x. chmod u=rwx,go=u-w. Did that make things more secure or less? I can't really tell. Sometimes you need to know what the permissions were before you issued the command. Sometimes you need to know the context it's in, like what are the permissions of the directory above it that contains this? So with all that stuff going on, it's no wonder it's really hard to reason about whether your file permissions are correct. And then after that, we were like, okay, well, we have a better idea of how file permissions
are, how they're supposed to work, so let's try checking some of them manually, because we have to secure this directory, we have to make sure this mistake doesn't happen again. But we were quickly over our heads. The directory we were working on is on a multi-user system; we had like 200,000 directories and files. So doing it brute force, in our heads, clearly wasn't going to work. But we had a couple of insights. Our first insight was that how people think about file permissions is different from how they're implemented. There's the idea you have of security, which is this type of user should have access to this type of file. And then there are all
the groups and chmods that you type in to actually try to implement that policy. It's great if those things exactly overlap, but that's not always the case. Sometimes there are things that are in your head as thoughts that don't get implemented as permissions, and there are other things that are permissions that you never really thought about as thoughts. Both of those things are kind of dangerous. Our second key insight was that when a human is reasoning about whether or not the actual permissions implement their idea of security, they're running that algorithm again and again in their head, recursively, for every single file, every location in the file system. And that's
really, really hard for a human to do. You can do it for maybe two directories deep and about four files, but beyond that it just exhausts your mental resources. So, we study formal methods at my school, and when you study formal methods, everything looks like a nail, and when you have a problem, you break out your formal methods hammer and take a whack at it. The approach we used is something called symbolic execution. Symbolic execution is one technique that allows you to reason about what a computer program will do, or how it will behave, without actually running it. Our key insight here was to treat the entire file system and the permissions together as a program. Symbolic execution lets us reason about which
parts of that program will execute for a certain set of conditions, sort of like: what are the conditions for a branch or an if statement that will cause this program to go into this particular location and satisfy this condition? So what we do is take the permissions and the algorithm that's used to calculate whether or not the permissions are satisfied, and convert that over to constraints. Those three cases I showed you earlier, we convert into cases of plus user, which means you are the user; minus user, which means you are not the user; plus group, which means you're in the group; and minus group, which means you are not a member of the group. Then, does anyone recognize this guy? Are there any
fans of the TV show The Office here? We take this guy, Jim the user, who has some properties, and we have a set of constraints that allow permission at a particular location. We look to see whether the properties of Jim the user satisfy one of the sets of constraints on this particular file. If one of those sets of constraints is satisfied, then Jim has permission to do this particular action. So that's great. Boolean formulas let us calculate things very precisely using constraints. You can have lots of ands and ors and nots, and if you're a math person you're super into that because it's exact, but it's not exactly user friendly. So we built
X-Ray. We wanted something that was fast, easy and safe for everyday users to use. You give it as input human-friendly security questions, like "what can everyone access?"; it uses symbolic execution to churn away and calculate those constraints, and it gives you concrete answers like "files one, two, and three, and here's why." X-Ray has a simple pipeline. You basically give it the output of running the find command, which you pipe into a text file, and you give it another text file that describes the users and groups on your system. It's a Python script. You can bring the tool to your data; you don't have to bring the data to your tool, because, hey, I do
security too. I wouldn't trust something that asked me to have root access up on the cloud. Here's an example of some of the data we ask for. If you've ever run the command ls on a Unix system, you're pretty familiar with this, so we're not asking for too much. X-Ray is a little different from how we regularly think of permissions on a Unix system. We use something called semantic permissions. Maybe a good way to describe these is: if you know exactly the path to get to a file, you can just jump to it. That's what we call traverse. But how about you're a user who doesn't know what they're looking for, and you need to enumerate the files in each directory at each level to find the thing you
want to actually get to? We call that discover. Edit and execute work similarly. We think these map better onto how humans think about security than simply talking about the actual concrete permissions on the file system. Putting it together, you can ask simple questions of X-Ray, like "Dwight can discover in the DMPC file system." There are three parts: a who, a what, and a where. So it's a user or a group, a permission, and then a location, which is a path with some regular expressions in it. We wanted the way you write the query expressions to be as similar as possible to how people actually talk about them in everyday language. We also wanted
X-Ray to use what you know. So you're familiar with this; X-Ray basically just adds a little bit of extra data. You write a query in X-Ray and it adds two columns. It has a column here which indicates all the files that satisfy this query, and it has this column here which indicates all the files that violate the query. If you're looking at the counts, the counts sum up the number of child elements in the tree that actually adhere to or violate the property. Let's say you're only interested in things that actually violate, or things that actually adhere. We have modifiers, example and counterexample, that basically say: show me only the things where it works, or show me only the things where it doesn't
work. And if you're looking for the why, like here's a query, "Toby can read in dmpchr.jpg," X-Ray supports what we call X-ray mode. Turn on X-ray mode and, remember those constraints we talked about earlier, you can see all the constraints that a user or an agent satisfies. So right here we can see this agent, Toby, satisfies this set of constraints right here. He satisfies this set of constraints right here, and he doesn't satisfy any at the leaf level. This allows you to reason about why the permissions are working or why they aren't, for anywhere in your file system. Okay, so I've hit you with some screenshots. I'd like to also convince you that it's easy to use, so I'm going to try it out live. Okay, so here we have
the X-Ray Permission Query environment. So remember The Office? Let's imagine we work at Dunder Mifflin Paper Company, and Michael Scott's the CEO or the boss. He's got a big heart, he's a nice guy, but maybe he's not the guy we want in charge of editing files. So why don't we ask X-Ray, where can Michael edit files? So we type "Michael can edit dmpc," okay. X-Ray gives us counts of where Michael can edit a file and where Michael can't. This is kind of showing us an overview first, and then if we want to drill in on smaller stuff, we can do that. Let's do that. So we're going to write "example." We only want to see things where Michael
actually can edit it. Okay, now we only see the files that Michael can edit. You see anything in there that's interesting? Let's see. Well, we've got this file right here, lametoby.jpg in the HR directory, and next to it is the salaries data. I guess that's reasonable that he should be able to edit the salaries. I don't know if I want Michael to be able to edit some sort of marketing jingle. That seems like that could be a little dangerous. And it looks like Jim's got some sort of list of clients. I'm not sure Michael should be able to edit that. Okay, how about Dwight? Dwight's an interesting guy. He's got lots of curiosity. Let's find out what Dwight can discover. Example, discover
DMPC. All the things Dwight can discover. Oh, looks like Dwight can actually discover the salaries right there. That doesn't seem right. That's probably some sort of file permission error that we need to fix. And it looks like Michael's probably got the file permissions wrong when he edited the file. So originally I talked about exams, right? Some files that were out there in the real world that shouldn't have been. Let's write a query like that. Example, everyone can discover DMPC, Let's do the HR directory. Let's just see what's inside the HR directory. Ooh, looks like the salaries are discoverable by everyone. That's probably not the way it should be. And if we wanted to find out more about why that's the way, or why
that's the case, we can turn on X-ray mode like this, rerun that query, and we can see exactly which set of constraints is satisfied by the user. So we imagine X-Ray would be used differently by different teams. We imagine a red team might use it to figure out what's accessible and exploit it. And the blue team would probably try to defend the same stuff. Maybe you're in DevOps, you want to figure out what's changed. Maybe you want to figure out if the things that are accessible still are. If you're a developer, before you use a container or VM, maybe you want that, maybe you want to check out what can see what. Or you're like me, you know, you just want some help with your file permissions. We took
this tool and we ran it on three different academic file systems ranging from 50,000 to a quarter million files and directories. We found file permission errors in all three. They ranged from like, "Hey, this guy who owns this directory can't see some of these files in here," to some issues where I'm picking up the phone and calling people on the weekend because my research project found something that was that important that they should actually secure right away. So to recap, I've talked about the motivation, why I thought this was interesting, and what motivated us to develop this tool. I've talked a little bit about the approach by which we use symbolic execution to actually perform
this. And hopefully I've given you a good demonstration of what X-Ray can do and hopefully encourage you that it's not too hard to actually use, that it's something that, like, with a little training, you could probably get some real use out of it. We're very interested in doing more research into the area of file permissions and figuring out what kind of file permissions are common and why. So we wanted to get this tool out into your hand. We're hopeful if you use this tool, you'll give us some good feedback and you'll tell us more about the types of file permission errors you discover as a way of sort of paying it back to us. And
we're hopeful that this and other techniques like it will hopefully reduce file permissions in the future. I'd like to say thank you as an audience, thank you to my mentor Emily, and I'm happy to take your questions.
The question was, have I thought about extending this to cloud systems like S3 buckets? Yes. I think anywhere where there is sort of a concrete execution model of the permissions, we can use some of these symbolic execution and formal method techniques to actually assist the human to reason about it. We think that's a promising venue for further research.

The question was: it works with basic permissions; does it work with fancier permissions? Right now it doesn't, but we're hopeful to do that and a whole lot of other stuff in the future.

The question was: from an infrastructure side, when you have lots of different layered roles, how do you use something like this to determine the effective permissions? Again, we think sort of this constraint-based approach, where we're able to create a formal model of what the effective permissions are and use some of our actual research magic to calculate those things.
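The query model the talk describes (a find-style listing plus a users/groups table as input; semantic permissions traverse, discover, edit and execute; queries of the form "who can what where" with example/counterexample modifiers; and an "x-ray mode" that shows which constraint each level satisfied) is sketched below as an added, self-contained example. It is not X-Ray's own code and makes no use of its source. The listing format (octal mode, owner, group, type, path), the rule that discover needs read plus search on every ancestor directory while traverse needs only search, and the treatment of "everyone" as "every known user" are this example's own reading of the talk; the users, groups, paths and modes are constructed, with salaries.csv deliberately left world-writable to act as the permission mistake.

```python
import re

# Constructed sample input in the two shapes the talk describes X-Ray taking:
# a find(1)-style listing (octal mode, owner, group, type, path) and a table of
# users and groups. Hypothetical users and paths; salaries.csv is intentionally
# world-writable (666) to play the role of the misconfiguration.
FIND_OUTPUT = """\
755 michael mgmt d dmpc
755 toby hr d dmpc/hr
666 michael hr f dmpc/hr/salaries.csv
700 toby hr d dmpc/hr/private
640 toby hr f dmpc/hr/private/reviews.txt
750 jim sales d dmpc/sales
664 jim sales f dmpc/sales/clients.txt
"""
USERS = {"michael", "toby", "jim", "dwight", "pam"}
GROUPS = {"mgmt": {"michael"}, "hr": {"toby"}, "sales": {"jim", "dwight"}}

BITS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"owner": 6, "group": 3, "other": 0}

# Semantic permissions (this example's reading of the talk): bits required on
# every ancestor directory, and the bit required on the target itself (or None).
SEMANTIC = {
    "traverse": ("x", None),   # reach the target when you already know its path
    "discover": ("rx", None),  # list each directory on the way to find the target
    "read":     ("x", "r"),
    "edit":     ("x", "w"),
    "execute":  ("x", "x"),
}

def parse_listing(text):
    """Turn the find-style listing into {path: (mode, owner, group, kind)}."""
    entries = {}
    for line in text.splitlines():
        mode, owner, group, kind, path = line.split(maxsplit=4)
        entries[path] = (int(mode, 8), owner, group, kind)
    return entries

def user_class(user, owner, group):
    # Unix applies exactly one class per access check: owner, else group, else other.
    if user == owner:
        return "owner"
    if user in GROUPS.get(group, set()):
        return "group"
    return "other"

def grants(entry, user, bit):
    """Return (granted, class) for one permission bit on one entry."""
    mode, owner, group, _kind = entry
    cls = user_class(user, owner, group)
    return bool((mode >> SHIFT[cls]) & BITS[bit]), cls

def ancestors(path):
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]

def check(entries, user, perm, path):
    """Evaluate one semantic permission. The trace is the 'x-ray mode' view:
    one (path, class, bit, satisfied) constraint per level on the way down."""
    dir_bits, target_bit = SEMANTIC[perm]
    trace, holds = [], True
    for d in ancestors(path):
        for b in dir_bits:
            ok, cls = grants(entries[d], user, b)
            trace.append((d, cls, b, ok))
            holds = holds and ok
    if target_bit:
        ok, cls = grants(entries[path], user, target_bit)
        trace.append((path, cls, target_bit, ok))
        holds = holds and ok
    return holds, trace

def query(entries, who, perm, where):
    """who: a user name or 'everyone'; where: a regular expression over paths.
    Returns (examples, counterexamples), the two columns the talk describes."""
    agents = sorted(USERS) if who == "everyone" else [who]
    examples, counterexamples = [], []
    for path in entries:
        if not re.fullmatch(where, path):
            continue
        if all(check(entries, u, perm, path)[0] for u in agents):
            examples.append(path)
        else:
            counterexamples.append(path)
    return examples, counterexamples

def run(entries, text):
    """Run 'who can perm where', optionally prefixed by 'example' or 'counterexample'.
    Without a modifier, return the two counts; with one, the matching paths."""
    words = text.split()
    modifier = None
    if words[0] in ("example", "counterexample"):
        modifier, words = words[0], words[1:]
    who, _can, perm, where = words
    examples, counterexamples = query(entries, who, perm, where)
    if modifier == "example":
        return examples
    if modifier == "counterexample":
        return counterexamples
    return {"examples": len(examples), "counterexamples": len(counterexamples)}

if __name__ == "__main__":
    fs = parse_listing(FIND_OUTPUT)
    print(run(fs, "michael can edit dmpc/.*"))            # overview counts first
    print(run(fs, "example everyone can edit dmpc/hr/.*"))  # drill in: the mistake
    for step in check(fs, "dwight", "discover", "dmpc/hr/private/reviews.txt")[1]:
        print(step)                                        # x-ray mode: the why
```

The trace from `check` is what makes a finding actionable for a defender: for a path everyone can edit, it points at the exact level (here the 666 mode on the file, not the directories above it) whose constraint is satisfied for the "other" class, which is the bit that needs tightening.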