
Thank you for being here with us today, both those who are here in person and those who follow us through the channel of the University of Antioquia, Faculty of Engineering, and through the channel of BSides Colombia. Welcome to this second day of talks. Today's talks are also very rich in knowledge for you and, as we have always said, BSides is that space to create personal networks and professional networks, so that you feel that knowledge unites us. And well, this is built community by community. Today I thank mainly our sponsors, who make these spaces and activities, and details like the badges you have, possible, so that we can continue to grow as a community. Mainly the University of Antioquia, for being our host sponsor for this activity this year, and sponsors like Odin, Kaspersky, Lumu, Intrust and tusdatos.co, who are the ones that make these activities happen. We also have as sponsors of our CTF Bug Bounty and UGVAR, who are running the CTF with us.

Some announcements before we start, in case you didn't know or didn't hear yesterday: today we have a space for children. There are some children who are in EcoKids today; EcoKids and Visites are not here in person because they are in another classroom, in block 19-215, which is on this same block, so there will be children around. They have workshops today on robotics and games; they will even play a football match with robots. So it's very interesting that we can listen to their experience, and we hope they come by later to tell us how it went.

Hands-on: we are going to have two hands-on sessions today. We are going to have Nico from 9 in the morning with the card game that was mentioned yesterday, Backdoors and Breaches, in case you want to play it; remember that those who finish the game get a prize too. And we have a debugging hands-on with Ghidra and GDB at 10:30 in the morning for those who want to go. That is held in block 21, the one next door, in room 326.

CTF: for those who are playing, and those who hadn't started playing, you would be a little late today; a lot of people stayed yesterday. After our War Driving activity, which was three hours long, they went out to do wireless network analysis in Medellín. It was extremely interesting and there were people playing along the way. Finally, the party: today is the BSides party at 8:30, in Manrique, at the Martin Moreno Brewery. Those who want to attend have to bring the badge. Entry is only with a badge. If you don't have a badge, or if you lose it, you won't be able to enter. So it's important for those who want to attend; we invite you all.

Today we start with another international guest. I present to you Victor Cázares... Cázares, Cázares, sorry, there is a Cázares here and that's why we get confused, Cázares. His talk is Cazando tu propia marca; he comes from Paraguay. Let's give a round of applause to Victor. Welcome, welcome.

Thank you, thank you, how are you? How did you get up so early? Well, let me introduce myself so you can get to know me. My name is Victor Cazares. I started my career in cybersecurity working as a penetration tester at an Argentine company. I am Argentine but I have lived in Paraguay for almost 10 years.
There I have my company and basically we dedicate ourselves to cybersecurity, to breaking things, and now we also have a SOC. As part of the work of our SOC came this idea of sharing with you one of the methodologies that we use to hunt threats and to provide a much more proactive defense to the clients we are monitoring in the SOC.

Well, everything starts with a domain. Generally, most of the problems, if we talk about phishing or identity impersonation, are related to a domain. So the first thing we have to do is ask ourselves: what is a domain? What is the structure of a domain? So here I leave you a little review, in case you didn't know. At the end of the domain there is always a dot, which is the highest hierarchy level of the DNS. That dot is not seen, but it is there. From there to the left we have the TLD, the top-level domain; according to IANA, there are approximately more than 1400 registered TLDs. It can be .py, it can be .co, it can be .io, etc. Then, further to the left, we have the SLD, which would be the second level within the domain; then comes the name that we register as a domain, and at the third or fourth level we would have all the subdomains going backwards. This is important to understand because across the whole globe, let's say, we have different types of domains to analyze.

Every new domain that is created in the world can represent a threat to our company. So, in the world we currently have 274 million domains created, only domains. And for example, on the day of that capture, which is the 9th of this month, we had 185,000 new domains created, just that day. And then we have the classification by type of zone. That's why I explained the structure of domains at the beginning. Not all the NICs of the countries publish all the new domains that are created per day. That is also important to know, because all this information comes from a collection that in this case is made by a tool called "Zone Files", which sells this information. So, it would be good if the NICs of all countries could publish all the new domains that are created, because, for example, the Paraguay NIC does not do it directly. And if we do not have that information about the new domain that is created, we will not be able to analyze whether it is a threat or not a threat to our company. So, here we have approximately 1900 new domains created per day. But additionally we have the number of subdomains that are created per domain. That is, I can create a domain with N subdomains, and domains that have been compromised. So we have a big problem because it is a very high volume of information to analyze.

So how do we start? And well, here we have a set of quick answers that we always give, right? "Don't worry, everything will be fine." "These things don't happen here." "100% security doesn't exist." "Divide and you will rule." Those are like the two positive premises among the phrases we usually face in cybersecurity when we have a problem. Well, going to the big one: 274 million domains. How do we check that within those 274 million there is no threat to our company? Why? Because I can have my website, where I have my login and so on, and there can be a phishing on a domain that is "nadaquever.com", and that "nadaquever.com" hosts a phishing of my bank. So it is not only by similarity that we will catch whether a domain is malicious or not. We have to analyze them all. And the first question is: of those 274 million domains, are they all really alive or not? I can register a domain, never bring up a server, never generate an HTTPS certificate, and that domain was simply registered. So there we have an issue. And then the other issue is: if the domain is alive, is it accessible from the IP, from the country where I am? Because, for example, from Paraguay there are certain domains that are visible and other domains that are not. So that would be an implicit filter that I could apply to be able to say: "Well, I have all this information; how can I see what I would really be interested in analyzing?" Because obviously, to analyze that amount of information, all raw, would require great computing capacity. And the idea is that, through this methodology, we can do it with hardware that is not very expensive and with the use of artificial intelligence.

So, the first thing that occurred to us was to say: well, let's validate whether the domain is alive. If the domain is alive, let's see whether it has OV or EV validation. OV and EV validation occurs when companies present documentation about their identity. On the other hand, with DV validation, I don't have to present any document to obtain a digital certificate, an HTTPS certificate. So that's a good point, because from there we can apply that filter and say: well, all companies or all domains that are believed to be alive initially (because that would be the implicit filter: that the domain is alive, that it is accessible from the country where I am monitoring it) and that have a DV-issued certificate; that is, if we use Let's Encrypt, for example, we will have a DV type of HTTPS certificate. So all of those are of interest to us. Why? Because all the others that have OV and EV, even though they can be hacked, compromised and so on, we are not going to take in the first filter because we have a limit on computational capacity, in our case, right? Can we apply this methodology and scale it at the hardware level to analyze everything, be it DV or OV or whatever? Yes. But basically our idea was to try to reduce hardware consumption so that we could have greater efficiency at the lowest possible cost, and be efficient in what we are doing.

Well, then, going a bit into how we did the first filter. The first filter we did by saying: well, a domain that I take from all the world's domains, which I have in a CSV, right? I say, well, are you alive? And the first thing I told ChatGPT at that time was: check if a domain is alive, and the only thing it answered me with was the A record, that is, with IPv4. If the domain had IPv6, it wouldn't respond to me. So, everything you do with ChatGPT, according to my experience, I tell you, you will have to evaluate at the code level in Python or in whatever language you program in. And you will have to test it, because ChatGPT has a lot of flaws when it generates the code. It generates it at an impressive speed, much faster than us, yes, it's true, but we have to check what it is generating and whether what it is generating is really doing it the way we need. And the second filter is the SSL validation. Well, applying these two filters and the implicit filter that the domain must be accessible from the country in which I am, we already have a set of domains to start analyzing in a much more reduced way. From those 74 million domains that we initially had, we went down to approximately 71 million domains. A lot. Not all domains were alive, not all domains were accessible from Paraguay. How did we do it? Basically with two virtual machines, 32 GB of RAM, virtual CPUs; we created silos, we used Chromium to be able to access and check whether the domain was alive or not, with different techniques. We have those 71 million domains.

Well, now it gets a little nicer, because we had reduced the number of domains we would have to analyze and it was time to... well, as I said at the beginning, I can have my website with my bank login, and there can be another domain that has nothing to do with the bank, like colombia.com.py or something like that, and it hosts a bank phishing. So similarity is not enough to check whether that domain is a threat or not. We had to go one step further. So we decided to enter each domain that we consider insecure within that classification of 71 million, take the HTML code and also take a screenshot of what that domain displayed. The screenshot helps us analyze the image and, through OCR techniques, extract the text and see whether that text corresponds to a phishing of a client we are monitoring or not. Well, and here comes the "problem", because if I have 10 GB of photos alone generated in approximately one day, how do I analyze all those photos? I need a GPU. This GPU, for example, has around 8000 CUDA cores, a little more, and the capacity those CUDA cores give me lets me reach a rate of 10 to 30 images per second. So, not only would it look at the HTML code and the similarity, but it would also be able to check whether that domain's screenshot corresponded to a phishing or not. And to do it we only needed 1800 dollars, that GPU, and in 20 days we would have the information on those 71 million domains. It may look like a lot, but with that hardware it is not.

Well, up to that point we thought we had a methodology that guided us, but everything can get worse, as in life, right? Because... what about the subdomains? We are analyzing new domains and so on, but what about the subdomains? How many subdomains
are there? 2.3 billion. For example, this page offers to sell us subdomains that they know are alive. And analyzing 2.3 billion subdomains, given that we can only process 30 images per second, we will never finish. So here we faced a big problem again. We were one step forward and one step back.

The light at the end of the tunnel. I don't know if anyone remembers the DigiNotar case in 2011. DigiNotar is a certificate authority, a CA, I think it is Dutch, if I'm not mistaken, which was compromised in 2011, and when that CA was compromised, certificates were generated in the name of Google. Those certificates were used to steal credentials from different sites. And from there, from that compromise, something called CT logs (Certificate Transparency logs) was born. The creators of the CT logs were really Google's engineers, in their first version. Well, we knew that, we researched a little more and we said: well, a CT log basically means that every time I create an HTTPS certificate for a domain or a subdomain, that goes to a registry. I'm going to explain later how it works. But so you have an idea, it's a registry of all the HTTPS certificates that are generated in the world.

Well, what do we do? We started to investigate a little and there was a tool called CertStream. It was a Python script; you set it running and it brings you all the new domains that were requesting or renewing their HTTPS certificate. Great! This is going great. Why? Because we already had the information and we could start applying filters. Because until now, let's say, we weren't applying any filter. But after two weeks of having that, CertStream goes down, stops working, and we go back a step and say: well, what do we do? Let's investigate a little more what the CT logs are. Well, as I was saying, I'm going to generate an HTTPS certificate for my domain. I'm going to do that with a CA. That CA will go to one of the sources (there are many sources: there is Cloudflare, Google, Let's Encrypt, there are a lot of sources) and it will tell it: "Victor generated an HTTPS certificate." Well, not as Victor, but it will tell it: "An HTTPS certificate has been generated in the name of this domain," and it is stored in one of those sources, which have something called a Merkle tree, which is like an integrity check of the logs stored there, saying that they were not manipulated. Well, the point is that those logs are stored in these sources and can be consulted publicly by anyone. That's the idea. So, what did Google's engineers say? Every time someone generates a new certificate, they have to tell everyone that a new certificate has been generated, so that we can check that there is no compromise of a CA, that there is no compromise from someone stealing a digital certificate. So, initially, the CT log was born as a methodology to check that someone is not stealing a digital certificate or generating certificates on behalf of a company to which they do not correspond.

Until then we knew that the information was public, that CertStream was no longer working, and what do we do? Since I'm from the old school (I'm going to be 40 this year, I don't know if I'm that old, but I'm a little on the old-school side), I had two options. The first thing that comes to mind is to read the RFC, RFC 9162, which is version 2, which came out in 2021. Google engineers had made the first version, then that was donated to the community and we already have RFC 9162, which is the current RFC for the CT logs. So I went to the RFC page, I searched for the number, downloaded it, opened the file, it weighed 3 megabytes, hundreds of pages to read, and I said: "No. Am I going against the technology we have, or am I being a bit stubborn in wanting to read an RFC and understand it by heart?" But since I had already had a bad experience with ChatGPT, in the sense that I asked it for things to do at the programming level and it didn't always give me effective results, that led me to read the RFC, right? But I said, well, I'm going to give ChatGPT one last chance, and in an hour it has to prove whether it really is or isn't worth it. So, one hour with ChatGPT, timed. I set the timer and said: well, I dedicate one hour to ChatGPT. I give it context, I tell it: give me a summary of this RFC; it starts giving me a summary. How does it work? I start asking technical questions about how it works, first to understand all the logic of the RFC, how it was really working, what the CT logs were. There were different versions of the logs. There are log versions V1, V2, V3. Currently version 3 is available. Not all log versions are available. There is an index for each log source that starts from zero. And for example, the script goes up to 665 million domains that have registered with Let's Encrypt. And well, I started doing all that analysis and we started having problems with the code that ChatGPT was generating. Well, I tell it: "Man, put this in debug mode and let's see what the real error is." Because I don't know if it happens to you, but what does happen to me is that ChatGPT gets stuck or enters a loop and tries to solve the errors alone without really having all the information necessary to see that error. So when I put the script in debug mode and ask for the raw data, I tell it: well, look at the certificate you received and let's see where the error is, to be able to extract the domain, because what we have is a digital certificate, and from that digital certificate we have to extract the domain name. 20 minutes pass with that loop until it is solved, and from there, at exactly 47 minutes, I already had the first version of the script running and monitoring the logs. This is live, that is, you start the script live and it starts pulling data in for you.

Well, this was an important step because it allowed us to have visibility of all those sites that are creating an HTTPS certificate and that can represent a threat to our company. How many did we have per day, or how many do we have per day? Approximately two and a half million sites that are registered through the CT log and that may or may not be a threat to our company. And here it all starts again, because we go back to the analysis: the CT log publishes everything; it doesn't matter whether the certificate has extended validation or not, it publishes it. So we would have to do the check again: whether it has DV validation, whether it has OV validation, whether it is accessible from my public IP or not, and it's like starting over. Here what we did is a batch processing methodology. What did we say? Well, the CT logs are going to be published all the time. And as I was saying, there is an index: you can start today, or you can start acquiring the domains that were published a month ago or two months ago, or if you want to reset the index to zero, you can also do that. So what we said is: if I stop to analyze and analyze because I have to defend a bank, an infrastructure, or my own company, or my own domain, I'm going to look at everything that could have been analyzed before. I can look at what was analyzed at domain creation as a separate stage too. Because I don't know if you remember that one thing is the domains that are registered and another thing is the HTTPS certificates that are generated for the domains. I can have a domain and never bring up a server for it, and that domain can have a similarity, for example, with my company's site. So I have to send them to a stage there to keep them monitored. Now, once the HTTPS certificate is generated, maybe it starts to be malicious. So, in AWS, we have the script I just mentioned running and saving all the new certificates that are being issued. There we have it separated into batches too, where we are splitting every minute or every two minutes, cutting the files to be able to clean those logs and then do all the integration of the methodology. And that AWS instance is consumed by a local internal server that we have, where we apply the SSL filter, which is the one we already know: Domain, are you alive? Domain, are you DV or are you OV? If you are DV, I'm interested; if you are OV, I'm not interested. And then we save it in inseguro.txt. Obviously, this is a summary, but that file has several batches, let's say. And the checks begin. The insecure files are taken, we start checking by similarity, and here it happens that there are domains that were created with similarity but do not have HTML code. That is, the
HTTPS certificate was generated, but it has no HTML code, it has no image, it has nothing. But it has a similarity with a possible client that we are monitoring. So that one goes into a batch and stays waiting there until someone wants to upload something; we will know, we will catch it. Then the OCR analysis: we use Chrome, Google Chrome, to get the capture of each domain; we wait 2-3 seconds, we take the screenshot (if you take it in HD resolution it is enough to do a fairly good OCR analysis), and from that OCR analysis the text is extracted, and that text is checked for similarities that I'm going to show you now. And then HTML: we also decided to extract it directly. Here, if an attacker is a newbie, as they say, or is a script kiddie, they will copy the HTML as it is. But the more advanced attackers will change the HTML code or will look for things. So that's why we do the three checks on the domain, and if there are matches, we push to Slack so that you can have an alert that there is a match. This is an example of a filter that is from the OCR itself, where we declare exact patterns to be able to say whether this name exactly matches within the domain, no matter what level it is, no matter whether it is a subdomain 5 levels to the right; it doesn't matter that it is there, we are going to give you an exact score, and from there we add keywords like bank, login, password, whatever you want. And from there you decide what score to give. For the photos, for example, we have a score of 60. And for HTML we have 80, and for similarity we designed our own logic functions, because we have a special characteristic: a very particular domain to monitor that has only two letters. So all the Python functions for similarity searches and so on throw millions of false positives at us. So in that case we made our own logic functions to check similarity by name.

For OCR, what we did was rely on everything that is Anaconda. The GPU I showed you, we have installed on Ubuntu, because Windows gave us problems accessing the CUDA driver and using it efficiently. We managed to install it, it worked, but the processing level we expected from that board with the Windows drivers was not adequate. We expected to have at least 30, 40 images per second, and with the Windows drivers for the graphics card we couldn't get that. So Linux, and as a virtual environment we use Anaconda and PyTorch, which is a library that serves us to talk to CUDA and use the GPU's resources to the maximum.

Detection times. Well, applying all this methodology, having it already in operation and so on, how long does it take to detect, from when a malicious domain is published (or it is malicious because it matches one of the three filters that we apply), until the operator performs a check? From the generation of the certificate by the CA, that is, from when we generate an HTTPS certificate with Let's Encrypt or some other tool, until it reaches the CT log source (which, if you remember, we had on Amazon monitoring live everything that came in), it can take approximately two hours. Between my generating an HTTPS certificate and everyone knowing that this HTTPS certificate has just been generated: 45 minutes, two hours; it depends on the CA, it depends on the day. There is no strict law, so to speak, at least I did not find one, that says that at such a time such a certificate must already be published. There is an agreement that in less than 24 hours any new HTTPS certificate that is generated should already be in the CT log records. So we took an approximate time of two hours in all the tests we did, and from the different checks, if it is by similarity, 30 minutes later the alert is pushed to Slack. So, between the attacker creating something similar to our domain and our already having it as an alert, it takes about 2 hours and 30 minutes. This is great for us because it allows us to build automated reports to report to sites like SER and others so that the takedown of that domain gets started. Then, if it is by HTML, we have an average of one more hour. Here we already have a lot more information to analyze. Here we do not use the GPU, we only use the processor. And here, as it is text, it is light, but we still have an average of one hour. And if it is by OCR, which is the heaviest load, which is all the photos that have to be analyzed constantly to see whether something is not right, here we have four hours. But imagine, having nothing, applying a methodology with very low cost that allows you to have an alert within four hours of some domain that has no name similarity, that has no similar HTML, and that is a phishing of a client you are monitoring. The truth is that the advantage of going out to hunt our own brand ourselves makes a lot of difference when it comes to proactive defense.

As a conclusion, I don't know if we are good on time; I think we are good, 10 minutes, well. As a conclusion: if we are going to look at the past and apply this methodology to the past with the 2R, we are going to require a lot of hardware. That is, looking at the past will have a very high cost; there are companies, obviously, that have the capacity to have that hardware, but with this I think it is super efficient. Then all the registered domains, we have to place them in a stash, whether they have similarity or not. So, as I told you at the beginning, there are two things: when I register a domain and when that domain generates an HTTPS certificate. They are two different things. If I have a domain registration that the attacker left there and it matches by similarity, I have to know it. If I have a subdomain that was generated, that has somewhere in the subdomain the name of a client that I am monitoring, and that obtained an HTTPS certificate, I have to know it and I have to save it in a database too, to be able to analyze it constantly, because what also happens is that many attackers bring up sites, they bring them up blank; then this is not going to trigger any alert, well, it will trigger the similarity one, but at that moment the site is not malicious, so we have to continue monitoring it later. And what we did, or my recommendation, is to prioritize everything through the DV validations, because we know that, although there is the possibility that a site that has HTTPS with extended validation is compromised, the complexity is higher than when a phishing attack is made, where the attacker normally generates a domain similar to the company they want to attack, generates a certificate with Let's Encrypt, and that's it. So there we catch it. Well, this has been my talk. I don't know if you have any questions, any doubts, something you want to comment on.

Does anyone have a question for Victor? Don't be shy. No? No? Well, a round of applause for Victor, please. Thank you very much. Thank you.
Victor, here a small detail of Vice Vice Colombia. Thank you, thank you. For being here with us. Thank you. Believing in the space and accompanying us today. Thank you. Likewise, Victor will be here in this space, will be in the morning today, also in case you want to talk to him, connect with him and ask him questions that you have in case you had any kind of, of good at this time. Thank you very much. We have the people of Mercado Libre, they are here. They told me they were coming to make an announcement And to the people of Mercado Libre they have already accompanied us today and they want to update us on how we
are doing. Hello, good morning. My name is José Cortés. I am part of Mercado Libre, especially to invite you to a hacking event called the MeliHacking Event. 2025 Brazil, although it has the name Brazil because some flows are from Brazil, the event is open to all people who want to participate. What is a Meli Hacking Event? Well, it has a lot to do with something called Vogue Bounty, which is They are programs where people publish vulnerabilities or report vulnerabilities to a company and that company pays them in return, depending on the criticism and how serious or how much impact vulnerability has on Mercado Libre, especially, which is one of the largest programs in the region, up to
$15,000 is paid, depending on the report. So I came to invite you to this event because it starts today, it goes from today 14 to 23 and right now I'm going to give you more details of the event. As I mentioned, it has a bigger scope, there are more targets to attack and the bounties or the rewards or the payments are higher during this time. Let's start talking a little about the scope. The scope is, well, what domains or what free market entities can attack, which ones not. We talk about the promotions that have to do with the event. There are some challenges to gather some very specific flows. We also have the award table. how to create test users for people who may
not have Mercado Libre users or who want to test flows in other countries. How reports are made, and at the end a space for questions. Then, the policies. There are types of reports that are not allowed. Let's not go into too much detail, but, for example, social engineering or denial-of-service attacks are types of attacks that are not accepted. For this event in particular, the only difference is that they will not accept leaked credentials. Sometimes people report, for example, Telegram channels where people who operate outside the law publish credentials that were stolen or found somewhere; they publish them or sell them, and things like that. That kind of thing can be reported, but during the event it will not be accepted. It can be reported outside the event, with the bounties or the normal payments that are always there. Physical attacks are not valid, for example going to a Mercado Libre office and trying to get in, or something like that. That kind of thing is not allowed; it is not in the scope of the event and in general it is not accepted.

Here we have a link from HackerOne; many of you probably know the page hackerone.com, it is the platform where many companies offer these programs to interact and connect with hackers. The scope is all of this. This is the normal scope that Mercado Libre has: all the domains, or many of the domains, that we have from all the countries, mainly Mercado Pago and Mercado Libre: Chile, Brazil, Mexico, also Uruguay, Argentina and Peru. Those in blue are Tier 1, that is, the ones that pay the most. There are some scopes, some domains, that pay more than others because they are more critical or generate more impact for the company. The yellow ones would be Tier 2, which don't pay as much, but it's still interesting to try them: for example, Mercado Libre Dominicana, Ecuador, Nicaragua, Paraguay. We also have applications on Android and iOS. On Android we have Mercado Libre, Mercado Pago, the Drive application, logistics and crowdsourcing. On iOS we only have Mercado Libre and Mercado Pago. And especially in Mercado Libre Argentina and Brazil we have some points of sale, card payment terminals (datáfonos). Those can also be tested and hacked.
The last thing that has been added to the scope are some services, especially Mercado Play. I don't know if you noticed that Mercado Libre recently released a streaming service where you can watch series and movies. It is interesting to try it; although it is in Tier 2 and does not pay that much, it is a very new service and there may be things that have not yet been found because it's very recent. We also have Bio Libre and Portal Inmobiliario, which are sites where housing for sale or rental is published, Tu Carro, Tu Moto, and there is also the Mercado Play application on Android TV. That application is also very recent and we are accepting reports about these new services.

And especially for this event, during these days reports will be accepted for domains that are normally not accepted: Fiori Docs and Fiori Cloud, which are internal services of Mercado Libre, an internal platform that the company has. In theory, no one who is not authorized can even access the domain. So just being able to access it and see something there could be reportable, because in theory it is not possible. Sustainability and email experience are services that are generally not in scope, vulnerabilities from there are not accepted, but during this event they will be, so it is interesting to try them.

Well, for events there are usually some promotions, which means we pay extra for certain vulnerabilities or certain flows, and challenges that deal with very specific issues. We'll see that in a moment. Some of these flows are not available in Colombia. That's why the event is called Brazil: there are some flows that exist only in Brazil. For example, the Pix flow, which doesn't mean anything to us, but here it is something like the keys, the transfers you make with keys that came out recently. In Brazil it's called Pix, and there are some flows on that that will accept reports and will be paid at 1.5x. That is, if you earn a bounty of 10,000, they don't pay you 10,000 but 15,000. Well, we won't dwell on that because it doesn't apply to Colombia.

There is another flow called Business to Business. This applies to any site. On the right, in the middle, are the sites where it is accepted: Brazil, Mexico, Argentina, Colombia and that's it. This is also going to pay 1.5x. Keep in mind that reports for this flow with test users will not be accepted. They have to be real, production users. And what is Business to Business? They are special users who are tagged or marked as a business, as a company; they are not individuals. In the link that is there, there is all the information on how to create a user of this type. The flow that allows businesses to buy in quantity is going to be tested. So,
in Mercado Libre there is a function where, if you sell in quantity, you can offer discounts depending on the quantities they buy from you: if you buy more than 10, I give you this discount; if you buy 20, I give you another discount, and so on. There are two specific flows that can be tested in this case. The first is for sellers, who can only configure up to five volume prices. That is, I sell a product and, as I was saying, if you buy 10 I give you this discount, or 20 this discount; you can have five options. So in this case, if you manage to create a sixth option, which is outside what the business established, it would be a vulnerability, a business logic vulnerability. And for buyers: to be able to buy from businesses, you also have to be a business. If you want to buy by quantity, you also have to be tagged as a business. So if you manage to buy with a quantity discount from a company as a normal user, that is also something that should not happen. That's the gist of Business to Business; it can be tested, and any issue found in B2B can be reported and will pay 1.5x.

There was also Product Ads, which is a functionality that exists on several sites: Argentina, Brazil, Colombia, Mexico, Peru. This can be tested with test users, and below are the business rules for it. It is a product for creating advertising on Mercado Libre so that sellers can buy advertising. For example, the user must have a yellow reputation. I don't know if you have seen, when you buy, that the seller has a reputation: green, yellow, red. So, for example, if you manage to create or buy advertising with a user whose reputation is red, which is below yellow, which is what the business requires, you are violating the business rules, so it is something that can be reported. And there is the detail of the other rules that flow has. Brand Ads is very similar, it is also advertising, but it is more oriented to making your product appear better positioned or higher in the results when someone searches for a product. It is another service that is available, it is also available in Colombia, it is also paid at 1.5x and it can be done with test users. There is Display Ads Light, which is the same advertising but oriented to smaller sellers. It is a simpler service so that people can create advertising faster and more cheaply, because it is oriented to smaller companies. There are the business rules too. For example, it cannot be a CBT user. A CBT user is a seller who can sell in several countries, for example. So if with one of
those users you manage to create a Light ad, which is not oriented to large sellers but to small ones, then you are violating that flow and you can report it. With this, what I want to show is that not everything that is reported is technical; it does not have to be a super complex injection. It can simply be that you managed to do something that shouldn't happen according to Mercado Libre's business rules. It can be logical. Smart Transfers is a product from Brazil that allows you to make transfers automatically between your own accounts. This is not in Colombia. There's Flex, which is a product that allows sellers to dispatch the products they sell themselves, so it's a different service: Mercado Libre does not do the distribution, the seller does it on their own, so the platform for that service is totally different and you can report any flow you see there. The link is there; it's a mobile application. It is available with test users too and it is available in all countries.

There is a special challenge, well, there are two. The first is account takeover: if you manage to bypass or skip the second authentication factor, they can pay you up to $15,000. That is, when you normally log in with your username and password, the normal thing is that they ask you to confirm your identity, either with a token, with facial recognition or with any other means that is a second authentication factor. If you manage to get into an account with a valid username and password without having to complete that second factor, you are skipping that security and they can pay you up to $15,000. It is open to all countries and it should be with production users. There is another challenge, which is re-authentication. When you log into Meli, you complete the second factor, you are fully identified, you passed everything. There are some moments where Mercado Libre can ask you to use the authentication factor again. Why? For example, you're going to transfer money and there's a cap; if you want to transfer more than that, you must authenticate again with the token. It can be the token or facial recognition or whatever you have configured. So if you manage to bypass or skip that re-authentication, it can also pay up to $15,000; it is open to all sites, with production users. All this applies both in the web version of Mercado Libre and in the mobile version.

So, the prizes, and how these test users are created. This is Meli's normal bounty table, the one we usually have; this is what is paid generally without an event. We see that there is Tier 1 and Tier 2, which is what I showed you
at the beginning. Crypto is another functionality that Mercado Libre has, but in Colombia there is none. And there are two specials, which are remote code execution and account takeover. So, as we see, a Critical in Tier 1, which are the most critical, can pay up to $8,000. And the ones that pay the most are account takeover and remote code execution, which can go up to $15,000. That is normal, that is what is normally paid. For this event, RCE and account takeover stay the same, but Tier 1 and Tier 2 will be paid a little more. For example, Low vulnerabilities are usually paid up to $100; here you can get up to $200. And as we had seen, Tier 1 Criticals are up to $8,000; in this event, up to $10,000 will be paid for Tier 1 Criticals and up to $3,000 for Tier 2 Criticals. And there is a special prize of $15,000 for a remote code execution during the event.

There is a form there on Mercado Libre's HackerOne page, a section called Credentials, which shows you how to create test users to test all those flows. And there is also a video by someone who is very active on HackerOne in Argentina, where he explains how he creates the accounts and how he tests all these flows. Same at the exit, we are in the CTF area. So, any questions, I can pass them on. There are even some Telegram channels that were created for the event where we will be interacting with all the hackers.

So, the reports. How do you have to report to be able to participate? It's simple: in HackerOne you normally have to report the steps you followed for the vulnerability and a title. In the title you have to use this tag, which is "MHE-Brasil-2025". At the beginning of the title you put that, and then the normal vulnerability title. And, if possible, we should use a header in all our requests, called X-Bug-Bounty, whose value is the HackerOne username. This helps us identify who is doing the tests, among other things. Reports are accepted from today at noon Argentina time, that is, 10 in Colombia, until the 23rd at the same time. And there is a duplicates window until the 16th. What does that mean? During the first two days of the event, if several people report the same vulnerability, the prize is shared. This is because hackers often get discouraged: someone is an hour ahead with the report and they don't win anything. So during the event it is being done like this, this special duplicates window, so that they can win something even if someone else has reported the same thing. This is not during the whole event, but
the first two days. And well, this was the invitation to the event. We are also here with the partners, the people from HackerOne. I don't know if you want to invite people. Let's say that HackerOne and Mercado Libre are different companies. HackerOne is a platform where any company can register and start paying hackers for reports, and Mercado Libre uses this platform. They are ambassadors of HackerOne and they are going to invite us to the platform.

Jose, thank you very much. Good morning. As Jose said, I'll make it very brief. For those who want to, we'll be waiting for you in the library area, at the CTF, to talk a little more about HackerOne, not only about Mercado Libre but about all the programs that are there, any doubts you may have and so on. We are also here with Andrew; we are both co-ambassadors. If you want, stand up, Andrew, so they can meet you. Welcome, we hope you like Mercado Libre, and we also have t-shirts for you. There are 50, so they are not gone yet. Thank you very much.

Thank you, Pipe. I don't know if there is any question for me or Pipe about the program, about bug bounty, about HackerOne. If not, we will be there; we can share the presentation, we can share the Telegram channels where we are sharing more information, or answer any questions you have about it. Ready, thank you very much.

Well, thank you very much Mercado Libre, and HackerOne too. For those who do not know where to go, this is block 19, that is block 20, that is, it is in the next block. First floor, if you go straight, there you will find the library. That is also where the CTF is being run, where the screen shows how the CTF works for those who want to participate. And well, don't miss that opportunity, everything they mention is super interesting and I think it's very good for them and for us in this field. Well, we continue with our agenda. Yes. Give me a second. Ah, okay. No, I don't think there's anything. We continue our agenda with Mario, Mario Lobo. He brings a talk about AMSI, the dog that barks but doesn't bite. And he's going to talk about AMSI, which is key to Windows security and to many defense tools. Well, what is the problem here? Ransomware gangs and APTs evade it easily. In this talk, the techniques that are being used to evade this protection will be revealed, and what we should know so as not to be exposed. So, Mario, welcome and thank you very much for participating.

Thank you very much, Gus. Good morning everyone. Thank you very much for coming, for waking up on a Saturday, as Chavarro says. Thank you very much to Gio, Gus, Luis, the whole team, all the people who make it possible for us to be in this space sharing knowledge. Let me introduce myself. My name is Mario Lobo Romero, I have been in cybersecurity for about 18 years, working with various industries and sectors: health, military, financial, government, and in this latest stage as a threat researcher at Lumu Technologies. Well, I would like to start by asking a question. Who knows something about AMSI? Have you heard of AMSI? Ever heard of it? Apart from Chavarro, the rest? Good, one, two, perfect, it's perfect, we're going to learn a lot today. I decided to call the talk "AMSI, the dog that barks but doesn't bite"; in the end you will understand why.
I always start by giving a little context of what we have in the industry today and how paradigms sometimes cloud us. What if I tell you that 79% of the attacks last year had no malware and were fileless? Did you know that? Did you have that context? Sometimes paradigms make us think that what was, will continue to be. 79% is a lot, a lot. This is what is moving in the landscape, in the cybersecurity ecosystem, and over the course of the talk we will see how this makes more and more sense. Maybe right now it doesn't make much, but in the end it does. I'm not the one saying this; CrowdStrike said it, which is one of the largest cybersecurity providers in the world and one of the most important intelligence companies.
To understand what AMSI is, first I want to explain very briefly and generally how an EDR works. We all use EDRs on our machines, but sometimes we don't know very well how they work. An EDR is basically an agent, here in the center, the one we always install, that works like a small engine that collects information provided by many sensors or collectors of the operating system. There are some that we know much better than others; for example, the static scanner is the collector of a lifetime. That's the one that goes to the file system, goes to the processes, takes a hash and compares it with a database and says: yes, what you have is malicious, or no, it's valid. There are others that were added over the course of Windows history, like ETW. I think all of us here who have handled forensics know what it is: Event Tracing for Windows. Basically all the changes that are made at the registry level, at the software level, at the user level, any change made in the operating system, is recorded there. That is available to the EDR vendor; the EDR takes it, applies an algorithm, which can be static, now with AI, or any other method, and decides whether that information taken from the operating system is malicious or not. There are others that go deeper, such as kernel mode, which basically does a hook, an interception of processes, to verify which libraries that process calls, which DLLs, and determine whether that behavior is malicious or not. Let's say the idea is the same for all collectors. Others have been incorporated, like ELAM, which basically checks whether, before the operating system comes up, we have changes in the kernel, changes in the boot, and it warns us, warns people. And in that context of collectors, AMSI is one more collector, the one in charge of scripts, everything that is executed in memory.

There is something important: these collectors are provided by the operating system, but security vendors can also build them themselves. What happens? If I start building all the collectors, I end up building another operating system. For example, building something that collects everything ETW does is very complex at the programming level. The other important thing is that with great power comes great responsibility. Do you remember what happened to someone who modified the kernel-mode driver? Yes, do you remember? Someone tell me what happened. Exactly, exactly. And it seems that Windows in the future will change the interaction policies with the kernel precisely because of that incident. That is, if I mess with powerful things, I have to accept the responsibilities.

So, now that we know how an EDR works, let's see what AMSI is. AMSI is basically the Antimalware Scan Interface. It's a feature that
came in Windows, from Windows 10. Why from Windows 10? Because that's where the PowerShell framework is. And PowerShell brought many advantages for administrators, but it also brought many security problems. So AMSI was incorporated there as a method for scripts, basically script-based languages, to have an interface with antimalware products. AMSI is fully integrated, in principle, with these components: PowerShell, obviously; it is available on all devices with WScript, CScript, JavaScript, Visual Basic Script, and Office macros. So basically everything. And what is built privately can also be configured so that AMSI picks it up. Why are scripting languages interesting for attackers? First and simplest, because it's the easy path. Low development time; I don't need much. Connecting with the talks we've seen during these two days about LLMs and agents, this can now basically be created automatically: scripts that are being generated automatically. I don't have to go crazy, because programming in a scripting language is relatively simpler than in other languages. I can easily bypass common methods like hash matching in signatures, because a simple modification in the script produces another hash. And the most important thing for me, it seems as if PowerShell had been made for attackers and not for administrators, is that the code is executed completely in memory, especially PowerShell. I don't know if you were aware of that: I can run PowerShell code without the file ever touching the machine. I mean, at the forensic level that's a huge advantage. I can run it directly from the browser into the machine's memory. That's why attackers, the ransomware teams, reboot to save themselves, or try to erase, in most cases, the forensic traces. It is also portable; I don't need to install anything. What is already installed on the machine, I use. And let's say .NET is present on basically all machines; that is something that comes by default. This is what we call Living off the Land: the attacker is going to live off the land, off what is there, what he finds, and with that he attacks us. There is malware, there is still malware. And here comes another thing to reflect on: did you know that the second most used TTP in 2024 was Command and Scripting Interpreter, specifically PowerShell? So everything starts to connect, right? So there's no malware and there are no files, because the second most used technique is PowerShell. This is what attackers are using today. But why do they use it?

We are going to look at the architecture of AMSI, and there we are going to start to see many interesting things. When I run a script, the program that interprets the code, for example the PowerShell terminal or Visual Basic or any other application that interprets the code, the first thing it will do is call the AMSI libraries. Those AMSI
libraries take that code and leave it in a specific memory space. What for? So that later the provider, this part here, the COM API layer, which is registered in the system, can take that code and decide whether it is malicious or not. That's all the science behind it when you run a script. What happens? The provider can be anyone. I can, through a library that is documented by Microsoft, act as a provider. Then I can take the data and see what it looks like. There may be many antimalware providers, from one to n. That's why you can install any number of EDRs and the system will not complain; the system won't. Other things are the incompatibilities between themselves. In the end, the provider takes the data and returns a message to the operating system that says: "OK, I don't see a problem with the code" or "be careful, that's malicious".

In this scheme that you see here, with your hacker mind, what do you think can be bypassed? What do you think can be changed so that the provider can't read that? It's pretty obvious; when you understand how it works, the bypass method becomes pretty obvious. There are multiple methods, but there are two or three specific ones that become pretty obvious. Any ideas? Any ideas? No? Let's go. OK. Basically, when the code is taken to the AMSI buffer, which is that memory space, I could make that memory space not be the memory space that the provider is expecting. Right? And what happens? What will the provider read when it goes to take the data? Something that I can give it and that is valid. So I redirect the memory space of that buffer so that the provider looks at what I want. Another thing is to take the provider's reaction, the response, intercept it and tell it: "No, it was malicious, but the operating system reads it as OK." And for the EDR engine it will be like an OK. So there are multiple ways to exploit this. And as we will see, it is not that complex, it is not that complex. Ah, sorry. Well, here a little more, explaining what AmsiScanBuffer is, or AmsiScanString, depending on the version; the function changes, but it's basically the same. When we run a script in our PowerShell, there I did the test with something super burned, which is dnscat, just to do the test. And Windows Defender appears and tells us that it is blocked because it is a virus. "I already read it and it is a virus." It went to the buffer, to the AMSI stream, and determined that. At the ETW level, which was the other part we were looking at, the logs, at the forensic level, this is going to look like this: the category, it was determined as an exploit,
this is what the EDR returns to the operating system; it says that it is an exploit, a shellcode, that PowerShell was executed, because remember that in that architecture we saw that the program that generates it is the one registered there, the source is AMSI, and it gives us the AMSI path that determined that. That was what the EDR took and decided: "OK, I've seen that, that's a virus."

Knowing what AMSI does, let's see what the most common methods of bypassing it are. First, the easiest: downgrade PowerShell to a version that doesn't have AMSI. You will say: "But that doesn't happen." It happens. Why? Especially in the financial sector, very large companies have very old programs that need old versions of .NET; well, they have to install 1.0 because otherwise the programs don't work. When installing that, they do not take the precaution of checking whether, for example, PowerShell is also included. They invoke it, they downgrade the version, and you're in, because that version does not have AMSI. So, if this is not controlled at the level of the company's GPOs or policies, it can be done. It's very easy, and on the downside, it can also be easily detected. Here the level starts to go up: scripts with obfuscation. What are the advantages? That it is very easy today with LLMs to do obfuscation, as we will see later in the proof of concept. That's what I did: I used Gemini to do the obfuscation, and without my telling it not to get detected, it did it. So now it becomes easier and easier. It is easy to implement, low effort, quick results. The problem is that, since AI is used to do the obfuscation, AI is also used to detect it. So detecting the patterns, let's say, is a process that can be done. But the huge advantage of obfuscation is that it can be part of an attack chain. So I can obfuscate some part that suits me and join it, attach it to other techniques. Here you can see this part of the code I made for the PoC. This is what Gemini did. What I told it was to encode the variables that could represent a threat that AMSI could detect, and this is what it gave me. This is part of the code.

The other thing is to make a patch, which is basically what we are going to see later. It is highly effective. The problem is that it is also highly invasive. It is not as easy as obfuscating; you have to have some knowledge. The advantage is that, once it's done, it is very, very, very, very difficult for the EDR to reverse it or to detect it by other means. Let's say the most difficult one, which is patchless AMSI, which I also used within
the chain for the... because we'll see. It is to do that patching, but not directly, rather using reflection. I don't know if you have an idea of what it is to do reflection in terms of libraries. No? Okay. What we do here: by doing a patch directly, the possibility that the EDR detects our behavior is very high, because I'm doing something that is supremely invasive. What reflection does is use other libraries to, by derivation, do what I want. I'll give you an example. Excuse me for using you. What is your name? David. Everyone noticed that I asked him who David is. But if I had taken someone who knows David and asked him his name, he would know that you are David, but I wouldn't be seen doing it. That's what reflection is. I use another library to ask for the memory addresses I need, to do the patches I need, and I go unnoticed. Why? Because the EDR in its behavioral analysis is looking at specific things. It can't look at absolutely everything. And there I get out of the detection scenario. This is the most difficult one. I used it in part for the PoC. I chained all of these that we saw, and later I'll show you how it was done.

Well, here we are going to see the test. Here, basically, I show you that everything is fine. For this test we are going to have Windows Defender. Windows Defender with everything on, no problem: real-time protection, full cloud protection; I only turned off sample submission, because I don't trust it and my script would get burned. Tamper Protection on, no exclusions; if you notice, there is no exclusion, the EDR is absolutely clean, working as it should work, in this case, as I said, Windows Defender. The advantage of this technique is that, if you noticed in the AMSI architecture, it is transversal to everything. Here I will use what I told you about, dnscat, which is a program from 2023, absolutely burned, precisely so that you realize that no matter what goes through there, when I do the bypass, it will let absolutely everything through. Here I copy the command. If you notice, what I'm going to do here is call IEX through PowerShell so that it takes the code; it is downloaded into memory, there will be no file left on the machine, it will all be in memory. I tell it to run it and it was blocked; I don't know if you can see it well, but it was blocked by the antivirus. Why? Because I haven't done anything to it; this is how it has to work. So, that went to the AMSI buffer, Windows Defender said: "Yes, that is malicious," so there is no problem. And here it will show me in ETW that it was actually alerted. The antivirus took the action it should take and it will show me everything there. The details: it says exploit, shellcode, the source, which is AMSI, and
the antivirus did the job it had to do. Now let's see the version with the patch. I'm going to play it at a faster speed so that we can see everything well. Ready. Something important about PowerShell is that every window I open is a session. So, if I go to... you can see as many AmsiScanBuffer as I want. So another window is another session. I run my PS1; there the obfuscation part is important, why? Because at that point the EDR could have detected me. That's where I have to get past the first call. I'm going to enable verbose so that you can see everything my script is doing, and after it's patched, I'm going to say: patch ETW for me too, to prevent these changes from going out and being logged, so that in a later process the EDR cannot identify me. There I go, what I told you, reflection: I use Windows Forms, which for some reason of fate and of the creators of Microsoft has the ability to check the memory addresses of other libraries. I see where AMSI starts, I check where the buffer starts, I check what the list of providers is, all this in memory using Windows Forms. I rewrite the addresses of the different providers, of the AmsiScanBuffer of the different providers, with the information that I want, so that it always goes there. I redirect the real one to another place in memory that will never be seen by anyone, or at least not by the EDR. Look, those are the original bytes and I'm going to rewrite them. All this is in user land; there I am not an administrator at all. Nothing will be left on the machine and I do not need to be an administrator. A beauty. Here it tells me: I detected the first provider, I'm going to patch it, I patch it, I just do a check to verify that the operating system is not reverting the changes. And once the patch is done, I take advantage and patch the ETW address to prevent those changes from remaining in the log. Once this is done, I'm going to do the same test I did just now, exactly the same. I take dnscat, the most burned program in the world, and I'm going to run it there. There it was already loaded into memory; nothing happened. Something should have triggered; nothing triggered at all, everything is up. So you can see that it is not a trick. And already in memory I will invoke the program. I already have the code in memory. So I'm going to start dnscat. For this PoC, what I did was set up a dnscat server, and then I'm going to start a remote shell using DNS. So what happens? "Ah, well, everything is closed in the company." Well, most leave DNS open. Using the subdomains of DNS I will
start the session. So I write the command that the creator of dnscat tells me to use to start the shell. And let's see it start the shell without problem. Well, here I got an error, which is because I had not defined what the DNS servers are, which is very cool because I can... if, for example, the site's DNS servers are secured, I can use any other I want. So I'm going to tell it to use Google's DNS. There, it will use 8.8.8.8 and port 53. Here the session starts. Did anything trigger? Absolutely nothing; surely, if you do not have something capable of sensing the network at the level of anomalies, you will not be able to detect the tunnel either. So now I have a session on the machine with the permissions; it got cut a little there, but hey, it goes well. So that you can see that it is the same, the same desktop 5BGH04 that we saw at the beginning, I can have the complete shell, I do a dir, and from there on it's a matter of imagination. I did this with that example so it was quite explicit, but there is imagination. You can put in a PowerShell script that dumps LSASS, gets the users' hashes, you can do pass-the-hash, a golden ticket, whatever you want from there on. They can take down the EDR, they can remove the rest of the operating system's security. And all with something very easy. And that's a lesson. We have been so worried about complexity that we are forgetting the simple. And the simple is highly effective. That is the PoC that I brought you.

And that triggers something very ugly. And that is what the ransomware gangs are using. How? If you notice in this table, absolutely all the ransomware gangs that had an incident in 2024, including infostealers, use PowerShell in their attack methods. And that's why they are so effective today. As you know, there are two giant markets in the current cybersecurity scene. The first are the ransomware gangs, the ones that carry out the attacks, let's say. But there is one very important one, which is the market of Initial Access Brokers, who are only dedicated to sending infostealers to everything that moves, taking passwords, classifying them, what Eduardo showed us yesterday, and passing them to the gangs that pay commissions and take care of the rest of the process. So, both among the brokers that sell the credentials and the ransomware gangs, this is present and it is a very effective method for evading security. So you will say: but now what do we do? Now what do we do? Because this is relatively simple. The first thing I recommend is to have a cybersecurity strategy. Tools are
important, but tools without context don't go anywhere. I could have the best tool to detect the DNS tunneling. But what happens? In a scenario where chaos is the norm, how am I going to find an anomaly? A strategy that helps me is that my stack of tools works in a much more efficient way, that I have a determined control of what I'm implementing. So here let's say we are in a scenario where the defense in depth is what is in command today, besides what is possible. But the idea is that we slowly move to Zero Trust, with policies of minimum privilege, micro segmentation, granularity and where we can detect anomalies and behavior. Beyond that, some
issues such as to verify that PowerShell is not executed by normal users in environments that do not have to do it, but that is contained there. Minimum privilege. I should only have access to what is essential for my work. So if you realize, after we have a solid cybersecurity strategy in companies, it is much easier to act in any term. That's what I brought you, what I wanted to show. If you have any questions, I don't know if you have any questions about how something was done, what we saw there. Without a doubt, here we are all learning and the idea is to be able to... The question of some can serve to get doubts to another. Yes, I'm going. Or you don't understand anything,
absolutely nothing. I'm going.
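Editor's added example, not code from the talk or from the dnscat2 project. The speaker's closing point is that a DNS tunnel like the one demonstrated only shows up if something is watching the network for anomalies. The script below runs a few of those anomaly heuristics over a constructed DNS query log: long, high-entropy first labels (encoded payload chunks), a never-repeating subdomain per query, a high share of TXT/CNAME/MX records, and clients sending DNS to a resolver other than the corporate one (the "just use 8.8.8.8" step from the demo). The log format, the corporate resolver address 10.0.0.53, the sample hosts and domains, and the thresholds are all assumptions made for this example.

```python
"""Heuristic DNS-tunnel detection over a query log (added editorial example).
Constructed log format, one query per line: <epoch> <src_ip> <dst_ip>:<port> <qtype> <qname>
"""
import hashlib
import math
from collections import defaultdict

APPROVED_RESOLVERS = {"10.0.0.53"}           # hypothetical corporate resolver
DATA_TYPES = {"TXT", "CNAME", "MX", "NULL"}  # record types tunnels use for downstream data


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname):
    """Last two labels as the 'registered' domain (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_line(line):
    """Parse one log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst_port, qtype, qname = parts
    dst, sep, port = dst_port.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return {"ts": float(ts), "src": src, "dst": dst, "port": int(port),
            "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()}


def analyze(lines, min_queries=8, min_label_len=30.0, min_entropy=3.0):
    """Per parent domain, report when at least two tunnelling indicators fire
    (long first labels, high label entropy, nearly all-unique subdomains,
    mostly data-carrying record types). Also list clients that send DNS to
    anything other than the approved resolver."""
    rogue, stats = set(), defaultdict(lambda: {
        "queries": 0, "subs": set(), "lens": [], "ents": [], "data": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port"] == 53 and rec["dst"] not in APPROVED_RESOLVERS:
            rogue.add((rec["src"], rec["dst"]))
        domain = parent_domain(rec["qname"])
        sub = rec["qname"][: -len(domain) - 1] if len(rec["qname"]) > len(domain) else ""
        d = stats[domain]
        d["queries"] += 1
        d["clients"].add(rec["src"])
        d["data"] += rec["qtype"] in DATA_TYPES
        if sub:
            first = sub.split(".")[0]  # the label that carries an encoded chunk in a tunnel
            d["subs"].add(sub)
            d["lens"].append(len(first))
            d["ents"].append(shannon_entropy(first))
    findings = []
    for domain, d in sorted(stats.items()):
        if d["queries"] < min_queries:
            continue
        mean_len = sum(d["lens"]) / len(d["lens"]) if d["lens"] else 0.0
        mean_ent = sum(d["ents"]) / len(d["ents"]) if d["ents"] else 0.0
        reasons = []
        if mean_len >= min_label_len:
            reasons.append(f"mean first-label length {mean_len:.1f}")
        if mean_ent >= min_entropy:
            reasons.append(f"mean label entropy {mean_ent:.2f} bits/char")
        if len(d["subs"]) / d["queries"] >= 0.9:
            reasons.append(f"{len(d['subs'])} unique subdomains in {d['queries']} queries")
        if d["data"] / d["queries"] >= 0.5:
            reasons.append(f"{d['data'] / d['queries']:.0%} TXT/CNAME/MX/NULL queries")
        if len(reasons) >= 2:
            findings.append({"domain": domain, "clients": sorted(d["clients"]), "reasons": reasons})
    return {"tunnel_candidates": findings, "rogue_resolvers": sorted(rogue)}


def build_sample_log():
    """Constructed sample: ordinary lookups from one host, then a dnscat2-style burst."""
    benign = [("A", "www.google.com"), ("A", "outlook.office.com"), ("AAAA", "www.wikipedia.org"),
              ("MX", "example.org"), ("A", "cdn.example.org"), ("A", "login.microsoftonline.com"),
              ("A", "www.google.com"), ("TXT", "_dmarc.example.org"), ("A", "static.example.org")]
    lines = [f"{1700000000 + i} 10.0.1.20 10.0.0.53:53 {q} {n}" for i, (q, n) in enumerate(benign)]
    for i in range(12):  # hex chunk as first label, rotating record type, sent straight to 8.8.8.8
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        lines.append(f"{1700000100 + i} 10.0.1.77 8.8.8.8:53 {('TXT', 'CNAME', 'MX')[i % 3]} "
                     f"{chunk}.tunnel.example.net")
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for f in result["tunnel_candidates"]:
        print(f"tunnel candidate {f['domain']} from {f['clients']}: " + "; ".join(f["reasons"]))
    for src, dst in result["rogue_resolvers"]:
        print(f"{src} sends DNS directly to {dst}, bypassing the approved resolver")
```

Requiring two indicators keeps ordinary CDN or anti-spam traffic (one long-ish label, or a TXT burst from a mail gateway) from paging anyone; a single host talking to 8.8.8.8 on port 53 is reported separately because, as in the demo, it is a policy violation on its own even before any payload heuristic fires. In a real deployment the thresholds would be tuned against a baseline of the site's own resolver logs, and the parent-domain grouping would use a public-suffix list.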
Hello, how are you? Hello, how are you? Good, good. I wanted to ask you about the interaction of Windows Defender in that proof of concept. If I disable Windows Defender on my machine because I'm going to install another antivirus, does that have any effect, because AMSI is not going to work correctly?

Well, when another antivirus is installed on the machine, some of the functions that Windows Defender performed are delegated to that antivirus. If the antivirus has the same procedure, that is, the same architecture that we saw here, it will very likely take AMSI on the same side. Most do, so, as I was telling you, it is very difficult to create collectors for everything, and getting involved with the operating system has implications. That is why I was telling you that this technique is very, very, very effective, because it is transversal. All the antiviruses, EDRs, XDRs that use that architecture are going to be victims. So one says, well, I have the best solution, CrowdStrike, to name one. I mean, I'm not sure, I don't have... I'm paying a lot of money for a tool that... No, no, no. I mean, anyone who tells you they are selling you a 100% solution, that's not true. That's why it's important, I mean, the tools are very good, but one cannot entrust everything to a single pillar. That's why I left the cybersecurity strategy for the end. Because the tools in the stack are like in the armies. When my friend fails, I'm there to back him up. And when something happens to you, I'm here to check it. But it's not a good strategy to think that the EDR is useless. The EDR works, but it needs accompaniment and to be within a security strategy. That is the deep message. Not to think that it is useless, because it really works, and not all scenarios are like this one. The EDR can be effective for other things, for example, but having something, a strategy that can shield you at the level of verifying that, when something fails, I have a backup. In other words, in this case, something on the network that can sense the tunnels, etc.

Eduardo is going to say something. I work with Kaspersky in incident response, but I know that our product also takes advantage of AMSI, because it is a functionality that is there and will always be there. So, it takes advantage of it. If AMSI alerts, it goes and checks, but it is a... Mario says it very well, it is a matter of trust. We do not rely exclusively on it, and I, as an incident response specialist, see when the attack came in and took AMSI, didn't care one bit, went straight through and did a lot of other things. But I also see many alerts, and in the end they call me because they had ransomware. They tell me, "No, nobody detected anything." And I say, "No, look, you've been here for hours with a lot of alerts, a full screen of alerts in red saying what happened, what happened, what happened," and you assumed that red meant they were defending me and I didn't have to do anything. So it's strategic; I totally agree with Fabio. Any product takes advantage: if there is a functionality, we will all take advantage of it. But the mistake is in offloading the responsibility onto that AMSI and saying, "As it didn't tell me, I didn't detect it." The first logic of all risk is that I don't put all my eggs in the same basket. That holds for defense in depth and Zero Trust. So it's having the accompaniment of a strategy, of other tools that can make up for that. And there's something super important, and that is that nobody can tell you that you are 100% secure. You have to assume, and that's what Zero Trust says, that we are compromised. And that mitigation is what will save us. It's not whether they're going to attack us or not, it's how I'm going to react to the attack. How am I going to mitigate?
Thank you, Mario. The question is specifically focused on this technique that was used: what would be the way to detect that technique?

The way to detect the technique, let's say at the policy level, would be using something like least privilege, that is: hey, if a normal user, a user, doesn't have to run PowerShell, doesn't have to try to download... to even attempt to download the PowerShell version, then I shouldn't allow it at the policy level. Oh no, that's a control, yes of course, after it is executed, then no, no, no, it's already... Yes, you're right. At the level of controls, it's having the policies, etc., etc. Then it's having something that can detect at the network level, or having other means, or that the EDR you use is more complete and looks at other things. Last question. Anyone else? No. A round of applause for Mario, please. Thank you very much.

Well, we also have a little gift here from BSides Colombia. Thank you very much for joining us, for trusting in this space. You are always welcome. Again, thank you. We see that many are coming and going; we see that they are taking advantage of the other spaces. As you know, we have the CTF, we have the EcoKids part, the children who are here on the second floor in workshops. We have the CTF part, we have the hands-on part that is being done in the block on the third floor. And well, we continue with our talks here inside the auditorium, always thanking our sponsors, the University of Antioquia for being our host for this BSides Colombia space this year, and of course sponsors like Odin, Kaspersky, Lumu, Intrust and tusdatos.co, and the CTF sponsors, Bug Bounty and Uqbar. We continue with our talks. It will be an honor to present someone from the house, also from Colombia, Jonathan Mazo. He will be talking about "Hacking Space: Real Attacks on Satellites and Cell Phones". So, Jonathan, welcome, the auditorium is yours.

Good morning, nice to meet you. My name is Jonathan Mazo Ramírez.
And then we will look at some emerging technologies, as we saw yesterday with car hacking issues, and this whole subject of cell phone and satellite hacking, which is a little unknown, right? Where that field belongs largely to the military sector, and many times we don't know that space and cell phones, which are an invisible space, we don't take into account. Many red teamers focus on web, mobile, operating systems, but what about satellites? "Oh yes, we implement two-factor authentication." And what about antennas and cell phones? Remember that we have an infrastructure that we rely on to implement security controls. There is a second factor, but we are not aware that we could intercept the cell phone signals where the OTP is sent; I can simply capture it. So here you have to take into account all those emerging technologies that we are going to see today.

A little about me: I am currently a telecommunications professional, a security specialist, I am a candidate in four doctorates (don't ask me where I got the time to be a candidate in four doctorates), I have four master's degrees in different specialties: criminal intelligence, cybersecurity, cybercrime and much more. In terms of experience, I have worked as a consultant in DFIR, and I am currently a cybersecurity architect. I also do some research. And recently I created a foundation called the Cyber Command Foundation, which is a center specialized in investigating security and digital defense issues, where the idea is to start covering several fields at the level of genetic hacking, quantum hacking, satellite hacking, cell phone hacking, something unknown to most people at the security level. Let's look at what we are going to see today: the current context of satellite hacking and cellular networks, everything to do with attacks and defense, how to protect ourselves and how defense entities are acting to protect these critical systems. Here I bring a little illustration; let's look a little bit. I like to do... I am also a teacher, oh well, I also didn't say, I am also a teacher, I have been a teacher at the University of the Forest and I have also, as an instructor, given training to defense actors and some intelligence agencies at the national and international level too.

Let's look at the current context of cell phones and satellites. We see a little of these threats in the radio-electric spectrum, where communications are normally very critical: GPS, cell phones. So that's something we don't see, but many times we don't focus on this. And here you also have to make a call to people, because it's not just web applications; there are also satellites that manage all the communications of each one of us. How long did it take, or how many of you took into account the Google Maps issue? Keep in mind that it is also managed by a satellite. What would happen if tomorrow they left us without any type of satellite? They leave us without communications. Also the GPS issue, for example, which we see a lot in our daily lives. Ah, and who also checks the weather, how is the weather today? That is also managed by a satellite, right? We also see some important communications, for example phone calls, we communicate daily, text messages; all of this is managed both by satellites and by cell antennas. And I think more than one of us see antennas and we don't even pay attention to them, because for us they're invisible, right? We pay more attention to the banking application than to the management of our money, but not to these critical infrastructures. And well, a little message we saw is that the next conflict may be won or lost in space. And space is no longer a sanctuary for a few; now it is a domain of war. You saw what happened with Iran and Israel, right? Who knows who guides the rockets or missiles that Iran is sending towards Israel? It's not by the work and grace of the Holy Spirit, right? It's through a satellite that guides those missiles. So, what would happen if I, being Israel, hacked the satellites that redirect those missiles that Iran throws? Well, I already have a very big strategic advantage, right? And I think we don't know this: "Oh yes, Iran attacked Israel." Yes, but there is a critical infrastructure that we can take advantage of.

Let's look at the invisible panorama. So we have many transmission systems guiding, for example, vehicles, synchronizing electrical grids, bank transactions, obviously government and military communications, and we also have the whole issue of climate monitoring, which obviously we care about. Above all, let's see how it is composed. Well, here I think... Wait a minute. Oh, I... Oh, well, let's see. Here I have a... Let's keep it a little dynamic so it doesn't get too boring. And about that, look, here we have a page called AMSAT, where I can start browsing each one of these satellites. Look at the great variety of satellites we have. We have varieties, styles and others. And about these, there is a page we could visualize. Let's look at it here. It's called Satellite Map. And here we are going to look, we are going to look here a little bit. Wait a minute. Let's look here a little at what we could visualize, on this little page where we can visualize. Wait a minute, let's open it here. Here. And here we will be able to understand, look at the entire spectrum of satellites we have today. Right now we are going to go a little deeper into each one of the satellites. So look at the large number of satellites, both low orbit (those are all Starlink satellites, and here the role Elon Musk plays in this satellite strategy is quite crucial). We also have another number of satellites a little in medium orbit; right now we are going to explain a little the subject of low, medium and high orbits. And here we have a few fewer satellites in medium orbit, and in high orbit there are a few less; if we look at them here we have satellites, for example GLONASS, where we said that we synchronize our GPS, Cosmos, OPS and others that we could have to be able to synchronize these GPS. So we see that within low orbit there are many more, within medium orbit a few less, and within high orbit probably many fewer. And here we will continue to observe each one of those. We are going to exemplify that.

We will continue looking, then, at the cellular networks. If we look at the panorama of the satellites, we see there is a large number of satellites. Let's look a little at these cellular networks, how they are made up, where here each one of us also has many cell devices. I think almost the vast majority of citizens worldwide, each one of us, have our own devices. And on this we could also have, let's look a little here, we could also obtain, for example, a profile or triangulation at the level of cellular networks. If we look here, it's called OpenCellID, and OpenCellID covers almost the vast majority of cellular networks we could have. It is a fairly large database. Even some armed forces use these pages to do triangulation or profile what is inside a cellular network. Remember that cellular networks work as panels, where probably if I am closer to a cellular network or an antenna, the cell is changing the direction of those antennas. And it always takes, or our cell phone always takes, the cell antenna that gives the most gain in those areas. So that's why many times there are some intelligence agencies that love to use devices like the HackRF or the BladeRF to do IMSI catching or intercept communications. So, they are usually located at a distance of 500 meters, and what they do is intercept those networks so that those cell phones connect to that antenna where they are simulating a BTS or a cell antenna.
So, there we are going to understand a little this panorama and each one of these things concerning cellular networks and satellite networks, which is quite crucial. Ready, then we will continue looking a little at what we can get with these satellite and cellular networks. So look, this is a bit of the architecture we have in satellite networks, where we usually have, for example, how it works. Let's look a bit at the ecosystem of how these satellite networks work. These satellite networks are composed of three critical components. We have the space components, where in the space segment we have three types: we have the GEO, which are those that manage all communications; even now we are going to see that these GEO also manage connections to satellite networks that are on Mars and on the Moon. Yes, we also have satellites on Mars and on the Moon, if you didn't know. We also have the MEO, which are at a medium distance, and normally within these MEO we have GPS satellites and Galileo. We also have the LEO, which are, let's say, a short distance from Earth, in Earth orbit, and on these some FATSAT satellites and some Starlink satellites normally operate. And obviously, let's say that below these, the LEO handle redirecting guidance to airplanes, and we also have guidance, for example, for drones, missiles and others. On that we also have another critical component, which are the ground stations, which are the ones that control each one of these satellites; of course they are on the ground and normally communicate with the satellites to be able to send instructions and so on. And about this, we also have on the ground some tracking antennas, which are those huge antennas you can see at some military stations, and those are the ones that start redirecting all these communications. We also have some links, uplink, downlink and crosslink, that help us interact with these satellites. Normally, for example, the weather satellites do a downlink to export the images of the states at the map level onto the ground stations we have there. And about that, there are some weaknesses we can observe. Normally, many of these satellites are launched into orbit and are difficult to update. Right now we are going to go a little deeper into that. We also have weak signals. What happens if I have a satellite in orbit and I am on Earth? Well, normally the satellite will be orbiting the Earth and it will always be rotating, so I will never have a fixed connection with that satellite, because if I have it for a few minutes in one place, it will rotate, and in another minute, look, it is rotating around the Earth. So I will never have a stable connection with the satellites. So now we are going to go a little deeper into this.

About that, this is what I was showing you. We have the ground stations. We have the low orbits, where, well, normally these operate to be able to manage the connections or guidance for planes, drones, missiles and others. We have the GEO, which are normally the backbone that manages all these connections of those satellites. And we also have the connections between satellites, even satellites that orbit Mars and the Moon. So here the connection to these satellites becomes quite crucial. And what would happen if tomorrow I managed to intercept a GEO satellite and take it over? What would happen? I have a lot of information, a lot of information. And that puts me at a strategic advantage against any nation.
And many intelligence agencies take advantage of it. And I don't mention some because they are quite... Well, there are two that really take advantage of these strategic advantages to put some nations in their sights. We are going to watch a video that I am going to project here so that we can understand a little how, in the future, the management of this type of critical infrastructure we are going to have is going to be. So let's look a little.

A satellite orbits the globe at 7.5 km/s. Then it drops a 6-meter rod that falls 400 kilometers to the ground. No explosives, only speed. The rods from God: throwing tungsten rods from space, making them fall very fast. Mach 24 at the beginning, but the atmosphere decelerates it to Mach 8. It goes super fast until it reaches the Earth's surface. Another satellite waits in orbit for years, and when it receives the order, it releases a capsule. Here is a caravan of 12 satellites. They have small missiles and wait until a military commander on Earth orders them to attack enemy satellites, neutralizing their vital communication and navigation capabilities. These are not science fiction. They are real projects of powerful armies that have been thinking about this for years. We are in a new space age. It is much easier to get there. And that's why countries want to control it. We have reached the point where these crazy ideas that seemed like science fiction are becoming more... We must be aware of all this. Space advances are very fast. The new military space race is between the United States, China and Russia, although less and less Russia. It is a US-China rivalry. Both have a new military branch dedicated to controlling, defending and preparing for space combat. Or, in the words of the US Space Force, "transform our focus from space as support in combat to space as a domain of war." And it's getting full. Many satellites are going up. More than 12,000 floating around Earth right now. Oh, and by the way, I've always had problems with the images of dots that are satellites. This is not to scale. These satellites are not jammed together, about to crash. But there is a lot of technology floating around, a lot, and more and more of it is dedicated to military purposes, which is worrying. It has become a vital tool of modern war. That's what this video is about, about these devices, satellites that not only allow planes and troops to navigate and communicate, but also scan the world looking for missile launches. They reveal secrets, look through the clouds and at night to capture underground submarines, wire cutters, North Korean ships. I will show you how the armies work on technology to attack enemy satellites with hooks, lasers, with a nuclear bomb. I spoke with several experts, including one you will hear a lot from, while trying to understand the space war in depth, this race to control and dominate an area as mysterious as it is difficult to observe. All this happens just when we are entering a new era of intense global rivalries. They intensify, while the most powerful nations are showing great interest in everything that happens in this area, far above our heads. Yes, it is space, the last frontier, and it is time for us to pay it due attention. An infinite ocean; man is not happy unless he is strong to the limits of his knowledge.

Ready guys, so the video is quite entertaining. So there we see, he is Johnny Harris, a US journalist who loves to expose governments, I don't know why they haven't annihilated him, but he loves to expose governments a lot. And about this, he teaches us a little how the military strategy, even led by some governments, is set up, and about that I think there is some news, even that China has developed a laser that has come out, and it has done so with the aim of being able to annihilate some satellites and give China a strategic advantage over the United States and Russia.

We are also going to look at the spectrum of cellular networks, which I think each one of us is already aware of: what cellular networks are, how they are composed. Those who are telecommunications engineers, I think they also have this in focus. This is also a critical infrastructure, where we also have access to cell antennas. We also have protocols, some weak, some more robust; on these we have, for example, the evolution of some protocols like 2G, which is already supremely vulnerable, and yet most operators continue operating in 2G. We have 3G; I don't know if you have seen those machines that dispense sweets, they also operate on 3G. I invite you to see what signal those machines that dispense sweets operate on: 3G. We also have 4G, which is the one that the vast majority of people use, 5G, and probably, with the arrival and development of China, 6G will come. We will also have 6G. And here we have some of the problems, where 91% of the operators continue to maintain 2G and 3G, which are supremely vulnerable. What else do we have here? Here we have several documented vectors, where we have interference. So, what I mentioned to you, with a device of probably 300 dollars, or even the BladeRF, which also handles quite high frequencies, we can start doing things. What Daniel showed us yesterday, we can start doing RF interference. So if I am, for example, I'll give you an example, if I am at a military station and I have two or three of these devices, well, I can put these large antennas in sight and I can start generating interference, jamming, against these connections to these satellites. We also have false signals. I can also, with a device this small, render more than 100 million dollars in military critical infrastructure useless. And this is a device that costs 25, 50 dollars. It's an SDR. Now let's look a little at what this is. We also have, for example, passive downlink, what those satellites may be transmitting, also with a small device like this and with some antennas out there that we can play with. So we can also put in check, I say again, the national security of a nation with only 25 dollars, and anyone can do it. Here we also have things like doing an uplink; that's a little more complicated, because here it would be to start transmitting information to those satellites. But here you have to be very careful, because we have to do reconnaissance of what time you can upload the information because, let's say, I insist, the satellite keeps orbiting and it is not still, it keeps moving, moving, so we are going to have to be very sure when executing command injection against these. And this is quite easy, because the satellites use devices, well this one has a little screen, but they use small devices, even any Raspberry Pi or something like that. And about this, we can go up and do an injection quite easily, because they are firmware that have not been updated in years, and there is a lot of very outdated firmware that you could take advantage of to hack these satellites. We also have replay attacks, so we can do command retransmission. So imagine you with this device, listening to the signals the air forces are emitting, and on this, what you are going to do, if it were a malicious APT, you could be replaying with a HackRF those signals that we are capturing passively with this SDR. And on that, also within these cell phones, we have something widely used by intelligence agencies, which is the IMSI catcher, where they can intercept communications and they can intercept whatever. We also have some vulnerabilities in some SS7 protocols, which are quite obsolete. We have text message interception, as I mentioned with the OTP issue, but we, of course, secure all our banking applications with OTP. And who secures the infrastructure of the cellular networks? If you go and ask Claro what vulnerabilities there are in the communication protocols of the cellular networks, they won't tell you anything. This is super vulnerable. We have call redirection, also widely used by some intelligence agencies to redirect some calls and be able to put those calls in sight.

On this, let's look at the vulnerabilities at the level of the HackRF. We have some protocols that come even from the 70s and 80s. There are satellites that are even out of contact; I even saw a news item here that a German hacker managed to put back into operation a satellite that had been out of contact for 12 years. And it was only a matter of making a patch and we could put that satellite back online. But there are too many satellites; imagine how many satellites there must be circulating in orbit that are unused by nations or the military, simply because they dropped a connection, or because the firmware hasn't been updated for a thousand years. So here we have to take this kind of thing into account too. And the firmware, well, I repeat, if it is easy in the real world (even yesterday they showed us car hacking; hacking firmware is quite simple), well, imagine hacking firmware that hasn't been updated in 20 years. See how easy it must be, right? And we also have issues with cellular networks, mechanisms and protocols without authentication. Do you think communications today are encrypted? What do you think? Yes, super robust, right? No. This is used almost entirely by the military sector, but we, as ordinary people, don't have authentication, because communication is not usually focused on that. We also have 91% of operators that maintain 2G and 3G, and on that we can put a nation in check with only 200 dollars. On that, let's see that we have some threat actors or APTs; we have multimillion budgets. Here they talked a lot, I don't even know if many paid attention to the fact that most APTs have financing from states, I don't know if you know that. The most robust APTs, the ones that hit states, are financed by states; we even talked about LockBit, with Eduardo from Kaspersky and his Russian APTs, which are probably funded by the Kremlin. Right? We also have Equation, which was shown yesterday in the OT APTs, which are funded by the NSA. And do you think there will be no APTs funded by the military sector to attack satellites according to their political interests, to be able to carry out espionage, sabotage and obtain a strategic advantage? Remember that military intelligence always seeks strategy, an advantageous strategy over other nations. So we have some examples, for example with Russia, which has done things like jamming, satellite interception and others against these nations. We also have some criminals who also use these advantages, and you won't believe me, some gamblers used satellite technology to delay bets by 10 and 12 seconds to be able to place bets and earn a million, well, millions of dollars on this. And what do the police say? Let's see what the police say, because the police... I didn't know, I didn't understand why these gamblers made a truckload of money. Let's take a look here, hopefully there's no advertising.

With InDrive delivery, set the price, choose the vehicle and choose the driver according to your rating.

Predetermining a result of a sporting event to look for that size of that sporting event. It could be done properly by each cartel, it could be done by its own... let's say, sports search, or also with information that came from third parties. And then there is something very famous that also, as a function, was, let's say, doing the investigation, we realized that the whole international community, practically, in all international police forums, was talking about the delay of betting houses. Whenever you attended a forum at Europol or Interpol, all the forces would say that there was a delay, that the cars were parked, that they were the main victims. But until this moment, there was no security force or body that had detected and dismantled it. So it's a great novelty that we have echoed from Spain to practically the entire international scene. There was no force, no one who would detect that. In this case, as mentioned before, they used large parabolic antennas, mainly about 240 by 240, which they had in their own houses; with these parabolic antennas, let's say, that they had, they were a bit where they received, let's say, that image from the stadium itself, from the sports field itself, and by capturing the signal without editing, they got that delay of between 10, 8, 10, 12 seconds, with which they were ahead of the arrival of that signal at the betting house. In which championships were these bets made using these parabolic antennas? In Asian championships, South American championships, UEFA Nations League, Bundesliga and tennis.
Here we can observe a little that even the military forces do not know about this, because obviously, here we continue to insist, they are invisible threats and we always focus on cybersecurity, on the web application, on the mobile application, but where are the cellular issues and the satellite networks, which are quite important? Here I will go ahead a little bit. Let's move on. Let's also look a little at some threats and actors and how we are trained. Normally this is what we call the intelligence area. In the United States, the one who is strong in SIGINT is the NSA, and the CIA as an intelligence agency. Here SIGINT is done by the DNI, the prosecution, obviously with permission and with the whole issue of legal matters, the Army does it, the DIJIN, the DIPOL and the CTI, right? Without IN. We also have, for example, at the GEOINT level, an aerospace agency that has currently been created in Colombia, which also watches for that, but additionally here there are also some intelligence agencies: almost always the DNI, we have the National Intelligence Agency, and in Colombia we have other agencies governed by the military sector. Many times I criticize this a little bit, and although I have given training in the military sector, we are probably not prepared; even the intelligence management agency may not be so prepared for this war sector where they are going to intercept their satellites.

Let's remember that at the Colombian level we have, if I'm not wrong, four satellites: we have Libertad 1, FACSAT 1, FACSAT 2 and probably FACSAT 3. They are even going to launch another one soon. And probably those satellites are vulnerable. What is the government doing? I don't know. You guys answer the question. About that, we have some real cases. FACSAT 1: we have telemetry issues in plaintext. FACSAT-1 is a project of the army coordinated with a university, and we probably have, in low orbit, in LEO, an encrypted downlink, but we also have telemetry in plaintext. Here there is a fairly high risk. We also have, at the level of DOT phase, some things to improve in phase 2, where we probably have improved capabilities, but we have some protocols vulnerable to X.25 and we have a bad practice, which is to use only one ground station to manage these satellites. We also do not have geographical redundancy, so what would happen if Bogota were attacked or intercepted? These satellites would be lost, right? So here we have to take into account, at the national level, how we are prepared to face a war with China on satellite issues. We are left behind; they disable us and they disarticulate us. We also have some real examples like Viasat. Viasat entered into the war between Russia and Ukraine, and it was a direct attack from Russia towards the satellites in this war, and on top of that they left some wind turbines down; those attacks within this war, called the Viasat attack, even affected us indirectly, where they left more than 30,000 terminals destroyed globally in this war. So look at the importance of all these fields.

I will go faster so that we can see a little of these vectors. Within that we have a little of this architecture where we have different threat actors, from tier 1 to tier 7. Remember that tier 7 are the nations and military units, and tier 1 are script kiddies or people who are just starting. And here we see a little of the heat map where, probably, in different areas, those threat actors will act. So they can act on the earth stations; they can also be articulated to attack satellites directly, using them to do command injection, also being able to disable them, and on this there are many, many types of attacks that these threat actors could be using. On that, then, we are going to look at a software-defined radio laboratory. It is this little device that we have here, and we could use it as follows: to be able to work in multiple frequencies and protocols, then perform this in software. Before, it required millions of dollars to be able to do what this small device does, where probably a device like these huge ones, which had antennas and were used by the military area, is now replaced by a $20 device. So here they also put us on notice about that type of threat. Some virtual laboratories: you can take a picture if you want to start on these satellite issues, so that they do not compromise the nation. So we can have different environments that NASA has for us, that some radio enthusiasts have for us, where we have different types of simulations that we could do at the attack level without compromising any critical infrastructure. So here we can also have some environments so that you can start to dive into these satellite hacking issues.

On this, legal considerations in Colombia. Remember that we cannot do any kind of transmission or reception. This is regulated by the Communications Regulation Commission and the ANE, which are the only ones authorized to do this kind of thing. I couldn't do this right now because I would get into legal problems, unless you do it in a controlled environment, with a Faraday cage and so on. But this, guys, also takes into account the considerations and the disclaimer: we can't do it in Colombia, unless we do it in a controlled way, in a Faraday cage, to avoid interference and so on. Because if I activate that HackRF right now, it can start to generate interference in other communications and there we could get into legal issues. We are going to look at that laboratory a little bit
so that we can finish. Wait a minute, I'm going to project this video. If not, I'll project the video here so that we have it in mind. Let's take a look at this video. It doesn't have audio, but I'll explain what we're going to do. So, to do this kind of laboratory, obviously I'm not encouraging you to do it, we're going to have an SDR and a NOAA filter. This filter will help us amplify the signal with this antenna that we have here. We are going to connect it to the SDR, we are going to look a little at how we could make this laboratory, and we are going to project it in a panorama where we have complete visibility to be able to perform this type of laboratory. So we are going to do it with this antenna that we have here, with an SDR that we have here, and with a NOAA filter that we have here. It is a small filter that we could use. Let's look at the interfaces a little bit. This one is from Radio Bunker, a radio amateur, where he is going to start reviewing, for example, what we have at the level of communications. So, within this, there are some satellites that operate within specific frequencies. Let's see that it starts intercepting these communications and starts receiving some signals from these satellites. So, let's take a look: it tunes the frequency in which this satellite operates, and let's take a look at some programs like WX2 and Magi. There are other environments called DragonOS, which also serve for all these communications. And look, we started to receive some signals by tuning only the frequency of that particular satellite. About that, well, this takes time, because I tell you, this laboratory is not easy at all, because you have to wait for it to transmit, and these satellites are not transmitting at gigabit speed. It is a fairly slow speed at which we are going to start, and well, we have to start to adjust the frequency to be able to follow the satellite and to be able to receive it, because obviously this one, as you can see here, is moving, and every time it moves, look, it is tuning a different frequency there. And obviously it is transmitting a downlink at a very low speed. And on top of that, look at the image loading super slowly. But here we can start to receive this type of image. It keeps loading, with only $200. You can do that at home; obviously you are not going to do it without permission and without the authorization of the ANE and the Colombian Regulatory Commission, because if we don't, we get into legal problems. Well, he's going to keep intercepting, and here we will be able to obtain even other images, as we will be able to observe here at the end of the video. This is super slow, you have to wait, and we are going to look a little at the images that it has preloaded. We come here a little bit, a NOAA weather satellite, and here it will preload other images that it managed to intercept in other communications, look here. So look at what is quite critical: that this person, with only $200, can intercept this type of image. Imagine in the military sector, if I am transmitting confidential data and I can only transmit it to Earth with a satellite, if I can intercept that satellite, what would happen? If I start having issues of espionage on those satellites, what would happen? And these entities, as we saw in Spain, without knowing, because this is very difficult to detect if I don't have adequate telemetry on those satellites. So, of course, I can start intercepting this type of communication and the army, well, nothing happens, right? We are fine. And that is very difficult to detect if we don't have adequate telemetry.

To finish, guys, because they are already rushing me. So, to finish... Wait here. Finally, these were the components we have: a NOAA filter, an SDR, some amplifiers that we have there, and this, to be able to perform this type of communication. And on that we have different types of encryption. Currently there is an encryption that we are exploring and training on there, together with the forces, which is the issue of quantum encryption for these satellite issues. But I don't know if you knew that they also hacked this quantum encryption
protocol in some satellites. And it was our friend, brother, Chinese satellites. So there we also have to start improving all these areas. Some international frameworks, to finish. MITRE is not left behind. MITRE has developed a framework called SPARTA that helps us improve, just like MITRE ATT&CK, helps us improve security in those satellite environments and model the satellite threats, and for that we have the SPARTA framework. We also have another framework, for example the SPIL Space Shield, which will also help us improve security and cybersecurity in these environments. On this we have some key conclusions: the danger of using, for example, topics like AI and tutorial videos to build these weapons with a very low budget, putting at stake the national security of a sovereign nation. On this there are other issues to be corrected. And a call to attention is that, guys, not only web applications and mobile applications exist. We need more professionals to start observing these environments. If we talked yesterday about AI being a future environment, in two years this will enhance their careers. Because which security engineers work on satellite issues? Raise your hand. There are none, right? And if tomorrow, for example, the military forces want to hire staff trained in satellite security issues, do you think they will not pay a silver van to a security engineer who knows satellite issues? So, there I leave you the chip: not only in AI, but also in these fields of emerging technologies that are also neglected, and believe me that a nation and a military sector would pay millions of dollars even to do an audit on satellite issues. So here I leave you this topic a little.

And to finish, I have a dynamic and I want to give a scholarship, a gift, here to finish. Through the alliance with Spartan Academy, I don't know if you know it, Spartan Security, we have, or I am the head of this course, of intelligence researcher, where we will start to observe all these dynamics, the strategic advances that nations have, how the CIA, the NSA, Mossad and other intelligence agencies use these strategic advantages against nations. Remember that APTs are not simply bad guys or cybercriminals; they are military units that have budget and money that they use to be able to exploit these strategic advantages. So the idea is also that you start to train and start to put into practice all these concepts that are normally seen only in military units, and we want to make them available to you. So, about that, I'm going to ask some quick questions for whoever can answer me, and with that, then, you can win this scholarship. Ready? So, let's look a little, and who can tell me what components or what type of satellite, if you give me an example of a type of satellite, orbits in the LEO orbit? Raise your hand, raise your hand. Ferren, raise your hand for what? Who are you saying? Starlink, ready. Thank you very much, you have won the scholarship. Ready, now if someone gives us your email to... Ready, those who want can sign up for the course by scanning the QR code and here we will see all the concepts of intelligence, for everyone, so that not only military units and intelligence agencies have access to this information, but that you as natural persons understand the dynamics of strategic advancement. Ready? Thank you very much and I hope you liked the talk. Thank you.

Jonathan, let's open it up to a question. We only have time for one question. I don't know if anyone has a question for Jonathan. No? Good. Ask, ask, guys. Where?

Hello, good morning. Good morning. This topic really does not have the visibility that it deserves, because it is very important, and currently, well, apart from the domain of cyberspace, there is also space per se, which is like the war of the future. I would like to know your perspective on Latin America, or countries that are not superpowers: how can they be working in this field? Perhaps it is an alliance with private companies or with academia. Because, of course, the mega countries have all the budget, but let's say here in Latin America, how does that work?

Yes, let's say that at the national level in Colombia, one or two years ago, the Aerospace Force was just built, which was previously the Air Force, right? And we have been advancing at minimal steps, very little, like this. If China changes, it will be like this, and it will devour us all, right? So there we must, as researchers, and here I also draw the attention of you as professionals, let's start generating campaigns. I even told Daniel, I don't know if he's here, Daniel was like, "Well, in car hacking there are very few who are investigating car hacking issues, because it is an emerging technology," but why don't we as researchers, as professionals, start to train ourselves and also contribute to this field, so that it is not only the military field, but also a professional and investigative field that contributes to the military sector? Because the military sector is often supported by the private sector, right? And many times those sectors love to bring people from outside, from the United States, from Israel, and they bring professionals that make one say, "Oh, my God." And why not develop it ourselves? What would happen? For example, look, I'll give you an example. We fought with Israel. What happened to Colombian intelligence? It fell. It collapsed. And if we start to support these issues with external entities, for example, right now we are fighting with the United States, they do not provide us with strategic intelligence and that puts us almost at a disadvantage, because we cannot nationally develop these capacities and contribute to the military units, which are usually supported by private entities. So the idea is that we start, as professionals, to train ourselves, to come to these types of events, to know these initiatives and that you start to open up, to open your mind to these topics and not focus only on web applications, on applications, on operating systems, because there is something bigger that we have not seen yet. The idea is that you start to see this type of little thing that will serve you in the future. I believe that in the future, in 10 years, a space security engineer will be paid a lot of money. So, let this be a seed for you to continue training and investigating what space security is. So, there I leave you the seed. Thank you very much, everyone.

Jonathan, thank you very much. And well, again, thank you for trusting the space. We have a detail from B-Sides
Colombia. Thank you very much for participating. Yes sir. We continue.

Good morning, hello, hello. Thank you for being here on Saturday morning. Thank you very much. Try to understand my perfect Portuguese. Thank you. And well, please, if you don't understand a word that I speak, because, because yes, tell me. If you don't understand, tell me. Today I'm going to talk about some ransomware attacks, but not the obvious ones like BlackCat or LockBit. That's not necessary, everyone knows what happens. I'm going to talk about other attacks. And obviously I like cats, so please look at my cats. I had a lot of work to prepare my kittens. Who am I? I'm from Brazil, I live in São Paulo, I'm a specialist in cyber threat intelligence. I like it. It's not about solving the misfortunes. I love seeing the misfortunes. The uglier the cybernetic thing, the more I love it. That's what I love about doing research. I love it. Obviously, I like cats, clearly, and I'm also one of the organizers of Villa Hacker, along with Gio, Marco, who is over there, Luis, and so everyone is very welcome to the United States, for DEFCON, not for the United States. Well, you understand what I mean. I've already done talks in many places around the world, talking about misfortunes and gossip. It's very important, too, that to be a cyber threat intelligence specialist, you have to like gossip, nothing more than that, like, "Let's see what's going on." So, maybe today, and be a... Oops, it was... and think, how can someone who is not me protect themselves? I just want to say that there are problems.

And well, to understand some things about "as a service", like ransomware as a service or malware as a service, any type of "as a service", it is also important to understand how the criminal ecosystem works. It's like an ecosystem that works like a big industry. Everyone works, everyone makes money, almost communist, you know? Something like that. It's really something very sophisticated, very organized. In each part of this chain of people, of the attack part, a person does that service; it's super strategic. I mean, the idea of a hacker, a little hacker who lives with his mother, with a black hood, yes, it's not that anymore. Of course, there are some weird guys, but that's not what happens. And also, it's in this way: as obviously it's a criminal ecosystem, everyone wins, there is no government or police saying, "I didn't get paid anything, I didn't get paid anything." It needs to be something that works, in fact. Well, everyone knows how a ransomware attack works, right? Yes, somehow they have to get into the network. It can be through phishing, some vulnerability; they usually enter through some social engineering attack, phishing, something like that, for credentials. I always forget this word, "breached", "leaked", how do you say it in Spanish? I didn't understand anything. That's it. That's it. Well, in some of these ways, you enter the servers, obviously they do reconnaissance, exploration, lateral movement, blah, blah, blah, until the data is encrypted or a wiper is there. I don't know. If it is an APT attack it can be a wiper, super destructive. But not in this case, as a service. As a service, they want money, that is, financial motivation. So, it's not a wiper. It's someone who will encrypt the data and demand money later. And basically, it's very simple how the whole ransomware system works. Each part has many people involved, such as developers, operators, initial access brokers, exploit brokers, infrastructure, I don't know what, even people who have to launder money. This is a very important part, because I earned money, a lot of money, and then what to do? How to have this money in my hands? It's important.

Well, the ransomware operator: a person had a brilliant idea. Well, why not make a group of friends, or not so friends, to make money? Okay, of course. So, he had a developer who made the malware, a person who will manage the infrastructure, servers, blah, blah, blah. And there has to be a distribution to the affiliates. How do they do that? Very simple. They post it in underground forums like Breach Forums, RaidForums and things like that, which were very open, or Exploit.in, XSS and others; there are many types of forums. And they offer: "Hello, I have this service, it's very cool, it's incredible, you need it for your operation," and that's how it goes. So, the affiliates say: "Okay, I want to be part of this." And they are responsible for doing "Enter, enter, enter" in the panel that the operators create. "Enter, enter, enter." Okay, it's usually very simple now, very simple, because it doesn't need a lot of expertise to be an affiliate. To be an operator, yes, but not an affiliate. They made the intrusion and it was successful: they earn about 70-80% and the rest goes to the operator. So, see, everyone is earning. After that, of course, there is the initial access broker. This part is very important because, when credentials are needed, for example, they will look for credentials in places where there is a leak, information leakage, or buy from insiders, or make a brute force attack. They try to get this part, the hardest part, the most... "Oh, what the hell!" It's the boring part of this business. So, these guys earn a lot of money; they find and sell. A business, blah, blah, blah, super fast. They can also sell in forums, depending on where, on which place it is located. For example, in Latin America it is very common not to have very organized underground forums. There are some, but there are not so many. What happens is that, well, I say in Brazil and surely in the rest of Latin America too, there is a lot of WhatsApp, Telegram, that is, negotiations. Now also on Signal, others, of course Discord, blah, blah, blah, but essentially in these forums you buy, you sell, you also say, "Hey, well, I'm looking for a job, do you want to hire me?" There is a lot, a lot, a lot of employment for pen testers. Just an idea, it pays very well. I'm not suggesting anything, but you can sell your services, in an educational way, I'm clearly saying that, for educational purposes. There are also exploit brokers. I found a zero day, an incredible vulnerability that I know can cause big misfortunes. What can I do? I can sell to these brokers, but they can also, I don't know, these brokers also sell. It is a billionaire business; brokers earn a lot of money, especially on zero days. So, each zero day, depending on the target, pays millions. For example, with Zerodium, depending on what type of zero day, you were paid about a million dollars. Sometimes, not now, but Android was worth much more than iPhone. I don't know how it is now. That's why I say it's a very organized organization, very sophisticated, where everyone makes money. Again, I'm not suggesting anything about going into this business. But, you know, right? And also the "chasers", that is, the people who try to convince the victims that they have to pay. "Look, I'm in your company, I already have everything, I know your company has money to pay. I know. Before the intrusion, I investigated. So, let's be reasonable and negotiate." Because the victim will always say: "I don't have money, I'm poor, I'm sorry, give me back my data." We know it's not true. So, they will put pressure on that. So, there are people who exchange money because it is necessary. I received it in cryptocurrencies. Ok, and now what am I going to do with that? I have to launder this money too, so that no one knows that it is in a certain Bitcoin address or whatever cryptocurrency. These people will probably put it in a mixer and do a lot of things, or later transfer it to NFTs or buy works of art or I don't know what, maybe some casino. Well, you have to launder the money, that's important, and not have it known where I came from and where the money goes. That's very important. The people who make money. And the most important thing of all, of this chain, which is incredible how it works much better than all the companies we work for: the victims. Without the victims we wouldn't have a job. Neither us, nor those who attack, nor those who defend. So, applause for the victims. Thank you. We love the victims.

Now I will explain how the ecosystem works as a service. GandCrab. GandCrab is a service that emerged in 2018 and lasted about a year and a half. The distribution was as always, through exploit kits, phishing, malvertising, compromised RDPs, botnets, a series of things. Nothing very different. Its affiliate program
was great, its control panel that it sold to the affiliates was also great, everything was quiet, and if they needed anything, they had technical support, 24/7. It really worked. Much better than calling the phone operator: "Hey, I have a problem with the internet." No, it actually worked. Very well. "I have problems with my victim. I have problems getting the ransom into my account." There was already technical support for that. And they made an announcement, for example, on Exploit.in here; they were probably of Russian origin or from somewhere in the region of Russia, Ukraine, maybe Ukraine, but that region. So, now, look, it's here. This ransomware was also implemented very quickly; it was super light. In a year and a half, they made more than five updates, one after the other, super fast. Their collection of cryptocurrency was one of the few that asked only for Dash, that is, a decentralized currency, also more oriented to privacy, not as much as Bitcoin. They used different domains, for example .bit. And also, just as we, as cybersecurity researchers, are looking at what cybercriminals are doing, they are also looking at us. What are we doing? That's why they used those domains, for example, BleepingComputer, No More Ransom, ESET, Emsisoft and so on. They used all of that, always. And it was also very fast to generate the domains of the C2, of its control server. They were DGA, that is, every day they created a new domain. It is very difficult to know where it is, because it is always new and with a different TLD. Well, there was polymorphism in the extensions, .crep, .I don't know what, even one with 10 characters. This is very rare to achieve. In other words, it is a much greater difficulty, a much bigger degree of difficulty in finding it. They also used third-party services, and the execution of the payloads was in memory, that is, everything was done basically in PowerShell and in memory, that is, it doesn't leave many traces that it was there. Well, the injection process is also not very different, basic. What did they do? They were very funny. They said, "A clown." They said, "Are you looking at what we are doing, researchers?" They put the names of the researchers here, like here, "Hello, Marcelo," a researcher who was looking at their code all the time. Here, from Fortinet, AhnLab; AhnLab is a... It's a South Korean company that was also very much behind them, we want to know. They even tried many vaccines so that computers wouldn't receive this malware. So they were... Yes, very irritated. Even here, it's not bad to read: "Hey, AhnLab, zero day exploit, AhnLab V3 little denial of service." That is, they were so angry with them that, if next time they want to try to block my ransomware, I will put a zero-day against you. And they did. And also something here in Russian, something like talking about their intimate masculine parts and offending, comparing them with a, how do you say, a pencil, I don't know how to say that in Spanish, but yes, things like that. Pencil and things like that. And what did they do when the companies, obviously, talked about them? They put it in their forums to promote what they were doing. "Hey, you see, this company, this manufacturer talked about me, this magazine, this publication talked about me. So, we are very, very good. You can trust us, use our affiliate services." And that, what did they do? Here they are saying, "Why do you need to buy our services?" This is one of the latest versions, 5.1.0. Look, buy our services. That was their official page. Of course, within the Tor service. And, as I said, AhnLab launched a vaccine application against GandCrab. So, the GandCrab guys got in touch with BleepingComputer, which makes publications about cybersecurity, to say that, no, no, we don't accept this bullshit, it's not possible, we don't want that, so in the next version we will have a zero-day against them, against this antivirus from AhnLab. They were very angry with that. Well, after that, angry, they launched other versions, even with exploits against AhnLab. Here, there are always messages inside their code; when you read the code of the malware, you could read those very funny notes, it was very common. But, in one of the last versions, they said, "Yes, we attack companies too, but now I want to attack people, people like us." Yes, it's not enough. They started sending a lot of malvertising, mainly through SEO poisoning. When you look for something on Google, the first sites, the URLs that appear, are from these small words, looking for whatever it is. Normally, things of sexual content, where they said, "Hey, well, what's going on, what is he doing? I have everything recorded, photographs of what he was seeing, watching, like things of... adult entertainment, but very hardcore. Maybe they don't want their family, their children, their wife, their employer to know what they are doing. If they don't pay me, I'll show this to everyone. I also have their password and email." Basically, that's it. People were desperate. They have a video because it's linked. When people clicked here, they obviously installed the payload. Very smart. Because, of course, they put people in a lot of fear and people download it. The entry vectors of this version V5, the latest version, were, that is, all possible, all that you can imagine: they were very sophisticated, advanced, they trojanized applications, exploit kits, PowerShell, botnets and I don't know what. That is, it was a group, a very, very large service; they did everything and a little more.

And well, what happened during the wars? Well, the world is living in war, we know that, but this person was in... in Syria. What happened? The person posted on Twitter saying, "Hey, I was attacked by this ransomware," a person with these things of sextortion, as he says now, "I was attacked, I only had some photos of my children who are dead," a drama, they published it asking for money to pay, "but please, free me from that to have these pictures again." The whole internet was very moved by that. So, GandCrab said: "Oh, sorry, sorry for everything. Normally, victims in places that are suffering from war, we don't attack; it was a mistake on our part." That is, they released the decryption key for these people. Very generous, very good vibes, these guys, really. And well, a time came, everything that is good lasts a little, and "we already have more than two billion dollars." I don't think so, really, I don't think that's it. "But each one of us has more or less 150 million dollars that we are investing in serious business," really, that is, laundering money. And so money is laundered. "And so we will withdraw from public life, bye, see you at some point in life." When they posted that, many other people in the forum said: "Oh, what a pity, how sad, I'm going to cry." They did a great service, thanks to our cybercriminal community, they are incredible, thanks; everyone cried, they were very sad. But what happened? And it was not long after that that REvil happened. That was super destructive. That is a service. That is an image from CrowdStrike. It's like the TTPs were the same. There was almost no difference. That's why we know it was a rebrand. What is a rebrand, actually? A rebrand, probably people... For example, we have a group of friends on WhatsApp, but there is a friend who... It's like, very bad. So, let's make another group of friends without this friend, who is not very friendly, and we put in other people. Rebrand is exactly that. That is, there are probably many of the same group that met other people and made another as-a-service group. REvil attacked many places. It was a disgrace, that. But... After REvil, DarkSide, BlackCat, possibly many who are in BlackCat came from here, from REvil, which was GandCrab, which was something else. Nothing is lost; there is a reformulation, a rebrand.

Another ransomware was an attack that was a little different from all of them, the Jigsaw ransomware. Jigsaw, as the movie is called, Jigsaw, today there is a name. Yes, well, a very beautiful kitten, of course. Those services started in 2016 and they used Jigsaw's character to make it look like a super impact. "Oh my God, what is that?" And of course, it was sent through phishing, malicious software downloads. "I don't want to pay for this software, what am I going to do? Crack it." Of course, they downloaded this ransomware. And also, there were many versions because it's an as-a-service, that is, it could also be sold, not only rented, and each version modified some little thing, little but modified. Some were very poorly made and could be, for example, interrupted by the action of anti-malware. Some versions. Others, not even paying the ransom could be done. Well, there were more than 60 variants written in Visual Basic, only for Windows, Cryptography S, 220 types of files, that is, enough for the time, 2016. And its extensions were always very funny: FAN, BTC, YOLO, KKK, like Ku Klux Klan, and so on. They used a routine that created a copy of all the files to encrypt and put the extension. It was one of the first to do that. And also the ransom values, which varied between 2 to 5 thousand dollars depending on
the variant and many had the Doxing threat, that is, they will pay me and in addition to paying I will publish their information for everyone in some Facebook page of life or some forum, why? Because I want to be bad, very, very, very bad. And how did they sell? Here, for example, probably here, HIDE Forums, which no longer exists, was, well, that newer one that, since June 2023, was put together, but was selling that, one of the versions. That is, here very important, fucking load detection. This is very important too. I have to go faster because I have 10 minutes. I have to go, "Ahh!" And there's more. Really, wait for the end, it's very good. And more technical things, that's
how they encrypted. But what did they do? A 60-minute countdown. "Okay, 60 minutes. If they don't pay me, I'll erase 1,000 items. If they don't pay me, if they try to restart, I'll erase 1,000. After 72 hours, I'll do the total "wiper", that is, erase everything, everything, everything, everything." When they try to restart the word, the compo says: "This is going to be a very bad decision, are you sure about that?" In many versions, the cryptography key was in its own binary, but to know that you have to understand reverse analysis. And there was always a lot of fear. I didn't have a schedule to start making these disclaimers. "Pay me, pay me, pay me now." That
is, it was a lot of sadism. Like Jigsaw, exactly. And who created this? Who created that? A Venezuelan doctor whose nicknames were names of diseases. I don't know what that is. It's Coulapius or Nosophorus. It looks like a disease, in fact. But he was arrested. Poor doctor, he doesn't do very well in Venezuela. We know that Venezuela is in a very bad situation. Well, poor thing. But there are still many versions of Jigsaw with another name. Now, This malware is very important. It's called Any Ransom. What happens? In 2017, it was discovered that it's not a ransomware, it's a locker. It won't encrypt the files, it will only lock them. It will only close the applications, only Windows. But what did they ask for in
Ransom? Nudes. Nudes. You have to send 10 photos of yourself naked. I want you to prove that you are also you. That's the truth. Send for One Kill Yourself, from ProtonMail. This doesn't exist anymore. I tried to see it too. And also, it's not enough to send this. You also say, well, I don't know, I want to publish their photos in some forums or sell them, I don't know. What happens? Well, they executed in VB, nothing very... But the most unique thing is that they did, you know, a cartoon of children, Tommy, Tony, something like that, they put that when there was a locker. Well, I discovered later that I only needed to type 12345 to unlock the
screen. It was a shit, really, it was a shit, terrible. But look, it's exploding. Well, finally, this is the last one, because this is very, very, very interesting, "Chested Locker". It happened recently, about two or three years ago, They exploited a vulnerability in the API of the Cellmate application, allowing unauthorized remote control. They exploited a code in Python, there is a code in VX Underground, in its repo, quiet. What is this application? It is a punishment belt for men. Well, yes, it is totally automated. Here, the Zanoria is what you might think. Yes, it has a name. But imagine it with its chastity belt. Well, I'm not talking about your fetishes, each one has its own. We play, we hear and we play, yes,
but… That's it. So, this hands-on, it closed, it closed, it's not the word, it made a lock on the IOT, that is, it blocked all devices, the interface too. That's great. The attacker activated the devices of the people who were using this belt. Very important. The commands prevented the device from opening. Can you imagine the device closing? and it can't be opened. That's it. Well, malware written in Python is in GitHub, and against that, you can exploit, play, in a clear way, educational purposes. Right? I've said that before. Well, the ransom note didn't ask for much, it was little. Well, now, 0.02 bitcoins is a lot, but, no, don't worry. And that person says, "Hey, something happened to me." But look how it is
in the code. "I have your cock now. Send me 0.0 bitcoin." Yes, that's it. And well, what happens is that they made the suggestion of how to open that with a key, how do you say for construction? I don't know, like to open... I don't know the name. I don't know how to say it in Spanish. A key. What is it called? A key to open it through an electric three-volt discharge directly into the engine. Remember what I was talking about, right? Yes, exactly what the suggestion was. And that's how it was. Finally closed. If you don't want to bring something more graphic, because it's very ugly, you look for it on Twitter. Yes, I mean, to open that,
I needed an electric discharge. Well, you make your own things. I'm judging, but these things. And yes, this is what happened, poor people. And well, that was it. Thank you very much. Sorry for being super fast, but thank you. Sibel, thank you very much. Two questions, questions for Sibel. I don't know where this comes from. Any questions? Well, no, a round of applause for Sibel, thank you very much. Thank you for being in the space and look, a little gift for you. Thank you. Thank you very much. I had left you some water in case you wanted to... I left it here, but... Well, we continue with the last talk of the day. Just to remind you, the ideas that are still in the closing, see everything that happened in this event that we have been doing for about four days, from the training part, hands-on and activities to do. We thank again our sponsors, the University of Antioquia for being hosts of this event, Odin, Kaspersky, Lumu, Intrust and TusDatos.co. And very important, after we close, the invitation is that we take a picture of the space so that you can also remember being here. Well, Manuel is here. Manu, yes, go ahead. We have our last talk of the day. Manuel, who accompanies us from Peru, as an international quota too. If you play it, if you... I don't know if they wrote it right. But he's going to talk to us about Canary Tokens in early detection. So, a round of applause here for Manuel. Thank you very much. Perfect. Again, we welcome Manuel from Peru. He comes with a talk about Canary Tokens. Good afternoon, guys. How are you?
Well, as you already commented, the talk is about Canary Tokens, a bit with the title "If you touch it, you detect it". To start the talk, have any of you heard the term Canary Tokens? Yes, it's a good percentage. Well, let's explain a bit what a Canary Token is, what it is for and in what cases. In what cases it does or does not serve us; it does not serve us for all situations. Let's see. Well, the presentation: my name is Manuel Flores, I have worked in application security, cyber intelligence and pentesting. Let's see. As I indicated, it's not about knowing when they are going to enter, but we already know that they are going to do it. Under this premise, the use of Canary Tokens will work. Why? Because it is a type of defense that is not preventive, but reactive. No environment is 100% safe. We all know about weaknesses, whether it's infrastructure, tools or users. Users, whose credentials are leaked, as seen in previous talks. That a lateral movement can be made. Or on the side of insiders. Limitations of traditional security go on the side of preventive ways. Always, well, depending a lot on the tool, we have the point of trusting some machines, trusting some users and putting others under alert. It will always depend on the configurations; for example, a tool per se, for example a DLP per se, will come with some default configurations, but in reality who has to give the configurations, or who knows their institution better, would come to be the same engineers within the organization, the IT area. Well, here comes what honeypots are. How many have heard or know the definition of a honeypot? I would understand that it is a more well-known tool. It goes that way: a honeypot is trying to make someone fall for the honeypot, so that someone tries to enter that server that has by default the password admin/admin, password/password, or that does not have a password. So you divert the attention of the attacker. And depending, there are tools like SNARE, among others, that what they do is learn what the attacker or the bot does inside the tool. And here comes what concerns us in this talk, which are the Canary Tokens. They would come to be some digital traps, some digital files, so that we put them inside the computer, we put them inside a machine, and in the phase if an attacker becomes careless, he starts scanning the entire computer, enters a folder, sees the folder, sees that it has that folder, sees that it has that file, opens it, "I have credentials, vacancy, no", continues. Speaking of attackers, so to speak, careless. In that act, in that hustle, they open the documents, and opening the documents is where it acts or sends us a signal in our tool. It does not generate a real impact. For example, honeypots in some places or in some configurations: if they are poorly configured, you can jump from the honeypot to the real network, if they are poorly configured, of course. And well, the idea is to generate immediate alerts. Why use Canary Tokens? The alerts are cheap, there are free solutions and they can be integrated into different tools. In fact, within the talk we will see an integration with what would be Azure. And here are the types of files with which we can play: URLs, false documents, DNS entries, embedded tokens, false credentials, configuration files. What I was telling you: a .doc file, an Excel, a .exe, a .sh, a folder. All that, if we can place it well, does not attract attention, and if someone manages or tries to access it, tries to open it, it generates our alert. This is the basic operation of Canary Tokens. How to create a Canary Token? We have the Canary Token tool, the free tool, and then we have Canary, the same tool, but at a price; well, they charge you, right? It is a business solution. The steps, let's see them; I just have a video of how to create it. The idea is, as we see how it is created, we will understand that this is a solution already created, but anyone with a little knowledge could modify the files, embed just the communication process with a network or with a specific IP to launch the monitoring. But you choose what type of document it is, an email is provided, a webhook to alert us, and the token is downloaded into the file that we are generating. That file can then be modified. We have what is in Word and in Excel. I'm just going to put on the video. For example, that is the platform; we can choose between different types of files. That is the Canary Token; the link can be found on Google. You can register with temporary emails, so you don't have to put in your personal or corporate emails. For example, we choose in this case a Word. Here, for this phase, we can only put an email to which the alert would reach us, and the idea of disguising it is, for example, well, about the file: this is a Word, it is an editable Word, so... a database over there. It can be edited, information more or less confidential can be put in to attract attention, change the name, but this is still a file which, if you click, if it opens, as we are going to see right now (right now it is empty), it will open or it will generate an alert. An alert arrived in the mail, for example: "your Canary token has been opened, this is the IP, look at this, take the actions of the case", and all possible connections that were made. I'll show you a map, etc. As I told you at the time, if you see some IPs, well, it was actually the IP; then I realized that I was capturing my own IP, so I started using VPNs. But the idea is, this is reactive. I'm already in the phase of, look, they attacked me. I already have it inside, my tools have not detected it; now only with this I am aware of where I have put it and what possible user could have opened it. The same can be done with executable files, in this case, and something that could be usual is netcat, nc.exe; it could be placed in a user location, so that someone who manages to enter and, suppose, wants to generate a reverse shell and finds a valid nc inside that machine, it will be one of the little things with which I could interact, because I would no longer need to download my tools; as long as everyone has it in the environment it is easier for them. And that point, nc.exe, that is valid, will generate an alert every time it is executed. This can also be played with other types of tools, but here it comes, how to say it, that all the tools, whether they are .exe, .sh, .docs, .exe, these Excel files, can be integrated. And well, here it appears when it opens, etc. As I was telling you, the need for early detection. In this case we are going to see an integration with Azure; we are going to see how to use Logic Apps, for that specific case, and Azure Sentinel. The idea is that we can link this to our own tools; in reality the only thing we need is, instead of getting emails, that it reaches our log manager, so that already within our own tools we generate our types of alerts, I don't know, that generates an alert so that someone can check it, the SOC staff who is right at that moment checks this alert. And something that you will see at the end: the idea is that these Canary tokens are specific. If this file is with many people, there would be no way to identify which machine was the infected one, or well, which machine the attacker is in. And the idea is this: it's not about keeping a good list, a good list of this token and everything that belongs to this machine, etc. Where could we place them? Well, in web applications, within specific folders, etc. We are going to see this in Azure Sentinel, Logic Apps, and we can also use, what I was telling you, personalized webhooks, to integrate it into our tools or our solutions, whether we are in a cloud or a local defense environment. We can skip the cloud service part: everything goes to the log register, logs are registered, those logs are centralized, they are analyzed and from them alerts are generated. Here Azure Sentinel and Azure Logic Apps enter. Within Azure we have tools that allow us to automate certain flows. This webhook alerts us, and I can launch my own rule. In this case, I receive an alert from my Canary Token; it can send me an email, or, and the idea is that it goes to the logs analyzer, so that, for example, an EDR, having more information about all the logs, can say, "Look, this machine is the one that is opening more Canary Tokens, so it can create more specific rules for me." We are going to see this in a small demo video, so that we can have or create alerts related to these tokens that we define. For example, here we are in our Azure environment, we create a Logic App. There we will define, well, information of the instance, whoever has managed or initiated, or has their free demo account from Azure. And do you manage Azure in business environments, or only at the anti-spam level? There, perhaps, that type of... Well, in reality, it can be implemented with any solution. This is where we define our trigger: well, the decoder, we have the HTTP webhook. The Canary token, apart from sending us the mail, we can tell it that instead of sending us, it sends or generates the log in the webhook, and that's where it links with the Logic App. So we have the URL, we have to configure the communication between the webhook and my Logic App. And let's see, we have it here. This is where we are going to configure the webhook, well, where the notifications are going to go. And within our Logic App we already start receiving these logs. Every time someone opens a file, these logs are opened, well, these logs are generated. And what we are going to define is an action now. We are only going to add, for these purposes, that an email is sent. We choose the action; you know that Azure has different tools, they have these integrations with other platforms. Here we define that an email is sent to us, so that when it is enabled or activated, someone clicks on the file, the notification arrives. This is the main part, the basic part. Now comes the integration with the SIEM. In fact, we configure Sentinel here. And here with Sentinel we can link it with the Logic App. In fact, that's like a step by step. First the Logic App, but now that Logic App sends us the information to the SIEM. And in this way we can create rules. We can, as we have all the logs, the SIEM stores the logs and it serves us: we know what the commands are, we know the type of response, it will allow us, let's say that a machine every three seconds, there are two interactions in less than ten minutes and there is something complicated there. Let's see, here we just put it. We are linking the Logic App with Sentinel and here we are creating the rules. In fact, right there we are creating the rule of... well, this is a very basic rule: the communication with the Canary token is generated and it will generate an alert, not by mail, but at the SIEM level.
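The webhook-to-rule flow described above, as an added example that is not the speaker's code or the Canarytokens service's own: a small Python receiver that maps each hit back to the machine where the token was planted (the inventory the talk says you must keep) and escalates when one host produces two hits in under ten minutes. The JSON field names, the inventory and the sample hits are all constructed for this example, not the real webhook schema.

```python
"""Toy alert pipeline for canary-token webhook hits (added example).

Assumptions: the fields token/src_ip/time are invented for this example
and are NOT the real Canarytokens webhook format; the inventory and the
sample hits below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Defender-side inventory: which token sits on which machine and path.
# Without this map an alert cannot tell you which host the intruder is on.
TOKEN_INVENTORY = {
    "tok-a1b2": {"host": "FIN-WS-07", "path": r"C:\Users\jdoe\Documents\Salarios-junio.docx"},
    "tok-c3d4": {"host": "SRV-FILES-01", "path": r"D:\Tools\nc.exe"},
}

# Two or more hits on the same host inside this window look like someone
# working through the machine rather than a single accidental click.
WINDOW = timedelta(minutes=10)

# Constructed webhook bodies, in arrival order.
SAMPLE_HITS = [
    '{"token": "tok-a1b2", "src_ip": "203.0.113.9", "time": "2024-06-12T10:00:00"}',
    '{"token": "tok-c3d4", "src_ip": "203.0.113.9", "time": "2024-06-12T10:04:00"}',
    '{"token": "tok-a1b2", "src_ip": "198.51.100.4", "time": "2024-06-12T10:06:00"}',
    '{"token": "tok-zzzz", "src_ip": "192.0.2.77", "time": "2024-06-12T11:30:00"}',
]


def parse_hit(raw: str) -> dict:
    """Turn one webhook body into a hit record enriched from the inventory."""
    body = json.loads(raw)
    token = body["token"]
    # Unknown tokens still deserve a ticket; they just cannot be attributed.
    entry = TOKEN_INVENTORY.get(token, {"host": "UNKNOWN", "path": "UNKNOWN"})
    return {
        "token": token,
        "host": entry["host"],
        "path": entry["path"],
        "src_ip": body.get("src_ip", "?"),
        "time": datetime.fromisoformat(body["time"]),
    }


def classify(hits: list) -> list:
    """One alert per hit; severity rises when a host repeats inside WINDOW."""
    recent = defaultdict(list)  # host -> times of earlier hits still in window
    alerts = []
    for hit in sorted(hits, key=lambda h: h["time"]):
        earlier = [t for t in recent[hit["host"]] if hit["time"] - t <= WINDOW]
        severity = "critical" if earlier else "medium"
        if hit["host"] == "UNKNOWN":
            severity = "medium"  # unattributed hits are not grouped as one host
        recent[hit["host"]] = earlier + [hit["time"]]
        alerts.append({
            "severity": severity,
            "host": hit["host"],
            "path": hit["path"],
            "src_ip": hit["src_ip"],
            "hits_in_window": len(earlier) + 1,
        })
    return alerts


def run_pipeline(raw_hits=SAMPLE_HITS) -> list:
    """Parse and classify a batch of webhook bodies; returns the alert list."""
    return classify([parse_hit(r) for r in raw_hits])


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

The third sample hit lands on FIN-WS-07 six minutes after the first, so it comes out as "critical" with two hits in the window; the unknown token is still reported, but only as "medium" and without a host.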
So, once we are in this type of tools, we can define what criticality is, already able to define a playbook for this type of cases, and in that way we would be integrating this tool, this Canary Token, with our infrastructure. Let's suppose we have the high end, or that we have Sentinel. It is independent. The only thing it asks of us, or the only change, would be communication with the webhook. That way we have rules implemented. That way we receive the logs; we are alerted every time someone opens a file. Where can I put those files? As I was telling you, it should be a known executable, a basic executable at the time of a privilege escalation or lateral movement process. It could be useful. Or put it as a file with a super striking name, like "No borrar" or "Important information" or "Workers' salaries June". Those files would draw attention, and if someone opens it, either inside or outside the organization, all this will generate alerts, and either it will help us to know that someone is inside or it will help us to know that someone was already inside and the information was leaked. Why? Because we saw where the IP came from, and that could already initiate the investigation process. Good practices would be to make sure that the token is credible and, what I was indicating, document internally: know which token is on which machine, in which path; not put it in locations, suppose the desktop, because it could be confused with a usual action of the user. Suppose the user opens it by default and we have it and we have not aligned our rules well within the SIEM; it will not be generating false positives at any time. Another point is to verify that these tokens are generating alerts, whether it opens and there is a block and the functionality is lost. The placement in paths that an attacker would access, and keep or rotate the tokens periodically. Conclusions: it is not enough to protect or avoid or protect in a proactive or preventive way; rather, the idea is to have a flow there to know if someone entered and our tools have not seen it. And Canary tokens are a good option. They are low-cost tools, but if they are well implemented, they can serve and can be integrated. In fact, it would not take longer than the creation of a new use case. The implementation could be a bit technical depending on the tool we have, but it does not require much effort. And when combined with the monitoring systems that we have, whether it is Sentinel or any other tool, they improve the response times to an intrusion that has already taken place. That would be all, guys. If you want to download the PPT, there is the QR on the left, and if you want to see the video, there is the QR on the right. Anything, means of contact are here. If you have questions, doubts, if you have found Canary Tokens interesting, I am at your disposal. Manuel, thank you very much. Does anyone have a question? Something to consult Manuel? No? Yes, one second. Ah, what a pity I didn't see you. Good afternoon, excuse me. I imagine that for the Word part, it uses macro code to be able to give you the alert. Many times users don't have it enabled or have to enable editing. In this case, based on your experience, what do you recommend that the user is given? A Word, an EXE that pretends to be Netcat. What do you recommend that could work best in this case?
Thank you very much.
I wanted to ask if, in this case, when you send or open the file, let's say I'm the attacker and you download the file and for some reason I have a team of other bad hackers who are using it and I send it, does it do a tracing too? For example, when you send it by WhatsApp, usually WhatsApp or WhatsApp servers do a basic reading; does it do a whole tracing of all the tools that read the IP address? No, it goes by the side of where it was opened. More than... suppose... I don't know if your question goes, if I open it with another tool. Not as another tool, but if it does the tracing of, for example, the servers where it happened, in this case WhatsApp, when you send a file, they open the files, because they do like a reading, literally do a... Yes, they open it to do a review. So, if those saved IPs appear, in that case. Let's say they save it on one side, you save it here, but they open it on another machine. Yes. No, it would only detect where it opens. Now, if you are lucky and just in that case there was a preview, there it could have been registered. But the focus is where they open the file. Another question: by chance, have you thought about it in some practice? Let's say, generally cyber attackers send, well, here I don't know if it has happened to them a lot that they call them by name or something like that and they send them some documents and they tell them "now this document", so basically it's like they can do counterintelligence with these tools to be able to know more information than is generally known. Yes. So, with that tool, have you thought or developed a workshop or something like that? Making a workshop is a good idea, but yes, that tool on the geolocation side allows you that. In fact, there are many videos on YouTube where they say "stuffing a scammer": you pass him a file so he opens it and it tells you the location, from where the attack comes out. But yes, it is an alternate use to integrate it into defense mode, but it is a good use. And it would be good to have a workshop related to that, taking advantage of it and joining it as tools to OSINT. OSINT or cyber intelligence. Any other questions? Last one. Good afternoon to everyone. For you, what would be three dynamic changes that should be made, for example, in a Word file? What should it have to generate an alarm? Could you repeat? Three dynamic changes that should be generated so that it generates an alarm for you when that Word file opens. When the Word file opens? For example, someone consults it, that generates an alarm for you. What would be those three dynamic changes that should be determined for you if you are analyzing it or monitoring that Word file? Well, actually, the simple fact of opening the file already generates the alert. Now, if someone, let's suppose, I don't know, tries to interact by saving it with another name, perhaps, or compressing it, because that is action on the file, not on the action of the Canary token to notify me. That could be, since we already have the name of the file, which is our token, we could implement other tools within ours, the ones we have, so they have monitoring on that file. And it could be about compressing it, renaming it, this... Of course, compress it, rename it; I don't think it's going to be deleted because there's no interaction that justifies it. The main thing is that the file is opened. Now, if it is overwritten, it should also be mapped. I don't know if that's where your question is going. Yes, yes. Thank you. Well, a round of applause. Manuel, thank you very much. Thank you very much. Well, also, as with all our speakers, thank you for trusting the space, for accompanying us here in Colombia, for making the effort as well. As you know, this is to continue creating community, and how good it is that we have had a good attendance from Perú this year. So, thank you very much. Something from us. Thank you very much. Well, the guys in the back, we invite
you to sit down. We started the closing, this is a little more more soft, more calm. Keep going, there are chairs for everyone. Well, starting to close, we want to talk now... Hello, hello. Yes? We are going to do something called "A Minute of Fame". A Minute of Fame is We're going to invite assistants, people who were in training, people who have been in the CTF, in the hands-on, from those who went to the War Driving, and the fame minute is simply to comment on your experience with Visites. I don't know if anyone wants to start, anyone from the assistants to the talks today, who came yesterday, today, who was here the last two days. There are stickers for the one who
Thank you very much.
A minute of fame for those who have attended the War Driving. Who wants to come? After a long night, how did you get here? The experience? No? Hands, already? But, yes, better that you come here. And Nico too. Nico. Yes. You have him there by chance and I have this here. But first it's about the experience and we already talked to Nico. Come, come, come. First the experience, yes. Thank you. From Acacio or what? Up, up. Here is the sticker. The group of stickers, thank you. No, thank you very much. Well, a thank you to the organization, to the sponsors. A round of applause for the organization, for the sponsors and also for you for coming to these cool events. A round of applause, please.
Well, I've been in the community for a long time and many of them are friends here. These spaces have become a national reference. We can meet, all for free, but the idea is also to collaborate. When you see someone who needs a problem or has a problem, you stop for a moment, you give them an explanation and with that you collaborate and so we continue to grow in the community. And the last thing I wanted to tell you guys tonight, the closing, you know that it's going to be a little bit higher and the idea is to share a space of friendship, build more society and business if possible too, so it's good to see you guys
right now, ready? A hug then. Thank you very much. Nico, balance of War Driving, how was it? Well, yesterday being 6:30 maybe, 7 at night, no 6:30. We got on the bus, approximately about 40, well, there were 4 free seats on the bus, we took a fairly extensive lap, approximately 3 hours of travel. The winner managed to capture almost 15,000 networks and the truth was a pretty fun experience, We made some strategic stops. The idea was to capture the largest number of networks. Additionally, together with the CTF, there were some flags that were immersed in the networks that were out there on the street. So the idea was that everyone could also, apart from knowing the networks around Medellín, that they could capture some bonus flags for
the CTF. In general, I think we had a lot of fun and I don't know, here are the guys from G-SAC, they can maybe give a word about the experience. Well, good afternoon to everyone. We are G-SAC from the University of Distrital Francisco José de Caldas in Bogotá. Very happy, very happy in general for the whole event. The CTF was incredible. Bux Bonters and UGVAR did an excellent job. The hands-on, the... techniques, they are not seen in the day to day and it is a very, very, very interesting space and this is for the community and for the community and you can see the effort of the organizers. So thank you very much for everything, that space that they give us, that we are learning the majority,
it is incredible and it is very valuable. So thank you very much, thank you very much, incredible in general. Thank you very much, thank you. Well, let's see the point of view, are you going to speak too? No? Okay, ready. It was for stickers, right? Neither. Well, we want the point of view of training assistants. Anyone from here was in training? Those who came on Wednesday, Thursday? No? Any of the training assistants? Yes. There is a suitcase here. There is a suitcase here. It has a counter backwards. It smells like dynamite. Well, hello everyone. I have been, this is my second training. Last year I was in the intelligence of threats. The trainings are very interesting, there is
a lot to learn. Definitely, every time I try to participate in the event, I recommend the trainings a lot. The networking that the teammates learn is very interesting. I recommend that for the next events that are held, you participate in the trainings. It's very interesting, a lot is learned and thank you very much to the organizers for being part of that knowledge, that people who are definitely at a very advanced level, so they can reach the region and that we can learn. Thank you very much. Thank you very much and I don't know, Levi, do you want to tell us how you did with the students here? A minute of fame if you want to tell us how you did in training, right? Levi, yes, yes, yes. Yes,
you are the famous one here. But more the experience here, how did it go with the people and well, how did it all come? Good afternoon everyone. Well, first of all, I want to thank Visayas, all the organizers, Gio for the invitation to be able to participate in this event. It's the second time I have to come, I came around in 2017, around there. training. but they don't have doubts, they are very dynamic, they ask, they investigate for themselves, they try to understand all the logic, etc. Everything that is behind it and especially the part of the context, which is what I was interested in, that it would be very, very, very free, very clear. And well, nothing, thank you very much to
all for the cordiality and for the friendship that is generated here with everyone, they are all quite kind, thank you very much. Thank you, thank you for everything. Well, about the hands-on, anyone? Yes, don't go away, please. About the hands-on, experience, who was part of the talks about the hands-on? No, no one? Experience, anyone of those who put together and made the hands-on? Lucho, if you want to talk about yours, no? No, it didn't go very well? Well, they cut it short. Hello, hello. I'm here without you because I was just leaving the course. The participation we had there was extremely good. The attendees also interacting, participating, asking questions. It was a reversing topic, more focused on the technical
part, but extremely interesting. And about the other two hands-ons, it was wonderful. I was also in Nico's, in the incident response with the cards. The invitation is for you to play, practice, go down, it's online. Because, as I've always said, in response to incidents, the most important thing is preparation. If your team is not prepared, that will suffer during the incident and during the time of the attack. And in the end, it will be money. So, if your team is prepared, if they know how to handle an incident, if they have the tools, and the game basically tells you which part can improve, then great. And the other hands-ons, I also had the opportunity, thank you very much to those who participated, the
extremely interesting Metasploit, all the tools that he gave us. And well, the invitation is to be posted next time, to also send us your ideas to share knowledge. What I told you at the beginning of the event, this only has two objectives: to share technical knowledge and to make stronger relationships with cybersecurity professionals. And that's it. That's all. Well, thank you, thank you, Luis. Come here for a second. Here to tell us a little about the experience and I don't know if Yoga is around there too, that we had, just to hear a little about the participation of Eco Kids. So, Emi, what did you do in Eco Kids? We played football with robots.
and we played with a little mouse and that's it. Thank you very much. Well, he's my son, he's my son too. But the participation of Coquito was super nourished. Now another assistant is coming so we can hear what they did. So we want to move forward. We go first, go again. Yes, teacher, teacher, one second. Here. From the house, here from the university, of course, the professor who also helped us to make all this possible. Experience. Well, from the university, welcome. I hope it's not the first time, nor the last. I hope to see you again here. And the house is pleased that we can share all these cybersecurity events, that we can learn each little thing. and we know experts, we
know people we don't know much, but the university is delighted that they can be here, that we behave a lot, and welcome, this will always be your home. Well, now yes guys, go ahead. Here you have the HMI, if you want to connect to the USB-C, there you have it, with internet, you need it too.
Hello, good morning, afternoon already. First, I would like to thank all the participants who were in the CTF. There were more than 136 participants, grouped into 67 teams. Well, first of all, congratulations.
Ready? Are you two alone? The other two members are in charge. Ready. As the rules indicate, the award for them is done to the people who are present. The first place will be given $ 250 in cash, an entrance to the Dragon Yard, sorry, in bonuses, and hopefully ... Good, good. How are you doing? I am very grateful to this event, to Visayles, to the UDEA, to the University of Antioquia. For my part, my partner and I had not been there, we did not know Medellín, they received us very well, we learned many things. And part of these CTFs is not even doing things as a team, but as a family. That's what allows us to get a lot of the types of
challenges, problems, a number of problems that we were having and or that we didn't get anywhere. So, I also thank Boonters, thank you QR, they supported us a lot in some doubts we had. And to you for participating in this event. Well, I don't know if you can see it, but this is the prize, the medal for having taken the first place for you. Well, now we continue with the second place. The G-SAC group is present.
For this group in second place we have then a prize of 150 dollars, also because it will be in bonuses, and a medal. An applause for them. Ok, that's it. Thank you very much once again to BookBar and BookWounters. Excellent work, they did an incredible job. The challenges were very fun, we suffered a lot, but no, we learned a lot, a lot. You can really feel the love and affection they make for the community. And nothing, thank you very much and really the applause is for you. And now the third place is Garabato, are you present? Go ahead. For the third place, we have a $150 prize, also in a bonus, and the corresponding
medal. Sorry, $100. Look at the picture.
Well, first of all, thank you very much to everyone for the organization of the event, very cool, more than anything, we learned a lot and let's say, despite the fact that it was cold, it was a good experience and we hope to continue being here soon. Thank you very much.
Finally, a round of applause to all those who participated in the CTF, who took the risk to really try to solve the challenges. Let's say that both from UGBAR and from Bookbunter, what we wanted was first to have fun, second, to learn, because we understand that a very easy way to learn is by practicing and having fun. Also from Bookbunter, we want to invite you, we are going to be doing a meetup related to the whole issue of the CTF, explaining the challenges that we did with a lot of effort and love for all of you. So, keep an eye on the social networks, where we will be publishing the link and the date of this meetup. Also thank
UGVAR for the disposition and for also having helped to build this CTF. And I give them the floor to close. Again, thank you very much to everyone. Well, thank you very much to everyone for coming, to those who were at the event, for participating, to those who played. We try to bring challenges of all kinds so that everyone can have fun and get distracted. That if I like something, I can dedicate myself to that and start to dive into everything I love. So, thanks to everyone for coming. To those who suffered with me building the CTF, that we missed a room. To Lucho for giving us the opportunity to organize the CTF. Even Nicolás, who, if those who played here in person, realized
that there were routers. He was the one who lent us that infrastructure so we could play War: Wild King here inside the university. So, thank you very much everyone. For a picture with all the teams, can you come up for a moment? With the top 3, top 3. No, maybe at the end a picture, no? Everyone. While they are preparing for the photo, a special thanks to this team that is very young. They have been preparing the CTF for more than three months. They put the chip, they learned a lot, they put the infrastructure, they put the knowledge, everything at the disposal of the event. Thank you very much for the late-night hours. I hope this space can be repeated again.
Thank you, thank you and thank you. Thank you. Thank you. Well, we continue with the announcement of the winner of the wardriving. The activity was executed yesterday after 5:00 PM, with a previous preparation, and we went out on the bus at 6:00 PM. It was a supremely fun activity where many networks were captured, we interacted with all the participants, it was fun. And well, who was the winner, Nico? Well, with a total of about 15,000 networks, the winner was Mr. Mario Balvan. I don't know if he's here. That's it, Mario!
A very dedicated person, with modified antennas and with a lot of hardware, but in the end, I think it was his desire to achieve it, because at first he didn't have the battery to feed them well and with the cell phone he managed to capture everything. So, part of the prize is a t-shirt that catalogues him as an alpha male. And the next prize is 100 dollars, and this is a detail from the organization. Thank you very much. This is my first B-Sides. I think that when you win a challenge or a contest, you already acquire a commitment with you to also be part of the organization, to bring a little more of what is hardware hacking and a little more of the
whole issue of RF hacking. Thank you very much for the contest and for the prize. Good Mario. Yes, the CTF is open until... Until Monday noon we will have the CTF open in case you want to continue playing, of course there are no more prizes, but good that you keep playing, that's what we're looking for here. Ready? Thanks. Elizabeth. On behalf of Lumu, we also have the point of view of sponsor, which is to get here to meet with all of us and well, thanks. Well, for everyone, very good afternoon on behalf of the Lumu Technologies team. We feel very proud as sponsors of the event. I think that here we go with the knowledge of different activities that were done, networking,
talks, workshops. What else? We also see from the cybersecurity side, as I tell you, many talents, know how they think and how our opponents act. Evasion techniques, what do we do with artificial intelligence in all this cybersecurity issue? And really, the applause here is for all of you for all the talent that there is. The space too. How nice it is to see different ages in these spaces. And we hope that Lumu Technologies can be replicated in other cities in the country where there is also talent. Thank you very much. Thank you, Elizabeth. Thank you. Very kind. Edu, too. Edu, who else is going to talk about sponsor? Thank you. Well, as you may have noticed, I work with
Kaspersky. I have gained the trust of the company, but the trust has been gained by the team behind this. The objective, from the company's point of view, is to accompany a group of people who try to get this to more people, for the participants, making the least investment. And I think that here it has been shown that it is worth it. I think those who are outside are missing this great opportunity. Great speakers from different latitudes. And as long as possible, we hope to continue to accompany you. I think it is also my goal to continue to accompany the organization as it has manifested. Here we talk about security problems and for us it is clear that the
problem persists, so we have solutions. Mario said it, do not let yourself be told that there are 100% safe solutions. We are all clear about that, even those that we offer. This is a subject of strategy and this is part of that strategy for everyone. To start growing, to learn, to have opportunities here for those who are sitting here and have just played a CTF and have just won. Someday they will be here in front of us and tell us how they did it, why there are risks there and that those who are on the other side see an advantage and start generating solutions. Ready? Thank you, really, congratulations. Thank you, Edu. Thank you. From
Intrust, thank you also for collaborating in this space. Good afternoon everyone. I just want to tell you my experience, it is the first time I come to a CTF and being here as a sponsor with a different vision than all of you have, it is an enriching experience for me. As a systems engineer, my line of work was always development, and I had the opportunity to come with my partner to be here and support and sponsor and live it. Thank you very much. Excellent space, excellent community. Congratulations to the organizers, a great effort, but that effort is reflected in this, right? That today we are here, finishing, all very happy, making new experiences, having new friends. And well, I sincerely congratulate everyone who is
here, I congratulate them for giving themselves the space to live it, I congratulate the people who are able to teach us here with their experience. I had the opportunity to be in talks, in the contests, and no, well, Wow! Since it's the last day, I'm gonna toast to everyone here and three things I want to leave you with. Are we still on YouTube? Alright, I can't say it. I can't say it. Sorry. So two things I want to leave you with. It was gonna be three, but we're live. The first thing, which is this conference is special to me. I don't know why. I think it's because I love GEO and the community here is different. And you
guys are special. And you need to believe in yourselves all the way, not halfway. Because a lot of people here are very smart. Like I said in the room when I gave the workshop, my job for the next year is putting a flag down and saying, please use AI to upgrade yourselves. If anyone tells you that's script kiddie, stay away from them. Now, how many people were at the workshop here? Perfect. I need heads. I need you guys to say yes. When I say this, go find yourself someone that is like-minded and is interested to upgrade themselves. Because when I was doing the workshop and I gave this example, I called my friend and I let him
speak. What time do we wake up to grind? He told me between six and eight, seven days a week. Yes or no? Yes. We work on AI, finding the latest techniques, how to use it, how to break it, how to create things on the fly. I'm doing things that I never thought that I would do. And because of him, he's my accountability partner. How do you say that? Like your partner that's not going to let you fail. And because of him I'm always grateful and I wanted to give that example. Find yourself someone like the three guys up there. Next year you guys gotta present, you've got to present something you've created with AI. If not, if you
don't do that, Cybele, you know, you guys know, anyone that was hanging out with me last night, you know what I want to say. But I promise you, if you do it, you're gonna take your skills to another level. And with that being said, Gio, thank you so much. And I appreciate you. And the last thing, I dropped two tools here. And that means a lot to me because it's not at DEF CON, it's here. So I will leave that to you. May we drink, may we party, and may we hack all day. Thank you guys. Thank you. Thank you Marco. Sol, without you, EcoKids wouldn't have been able to appear here. I want you to
talk to the guys and comment on this, please. Good afternoon, my name is Sol Argento. I want to thank Gio, the sponsors who made EcoKids take its first steps here in Colombia. Today we had a very rich experience where the kids could be. What I try to convey is, through technology, a different look to the parents. Let's stop giving them instructions on how things are, but let them think for themselves. We worked on everything that is lateral thinking, critical thinking, all that is innovation, leadership, all through games, which is the best way for the kids to learn without realizing it. Well, I don't have experience in speaking in public, and especially with these speakers. On the networks there will be
all the evidence of the testimonies of the kids, of the parents. And well, for more EcoKids in Colombia, thanks to Gio, to the sponsors who brought me from Spain. I come from Spain to share this and to give another different look to the parents of how parenting is, right? Accompanying them from play and from affection, and that they take care of those little souls who have everything to grow up and ...to be their children, to let them get the best out of them, so they can discover themselves. Well, thank you. Sol, thank you, thank you. A round of applause for Sol and EcoKids. I wish we had EcoKids when we were kids. Imagine where we would
be. Well, I want to invite organizers here, of course, that without all this collaboration, all that effort, all that vocation that we have for this community to continue growing, that it couldn't be done. So Lucho, if you want to call, Elkin, also here, we are all here, Santi is there, Gio of course, Gio is the head for everyone here, both to contact people and to guarantee that this space is. So for those of us who are here, the organizers who are still out, a round of applause for them. Yoga too, volunteers, we had volunteers, we had people who have been putting many extra miles so that we can do this. Any words guys? As you can see, part of the organizers are
people who have been in the community for a long time. Elkin, Gio, Yoga and San. San, a very special thanks. I think this event couldn't have been done without her. She doesn't come from the technical side. A round of applause please. She managed to bring together and consolidate the team and from all the administrative skills she has, she always insisted and supported us in everything that was done. The whole graphic part that you could see, all the designs, t-shirts, everything is thanks to her work with her team. Thank you very much, San, for all the effort, weeks and nights after nights. Thank you. Thank you all. Thank you very much. Especially to the university, who trusted us again. This
is our home. How nice to come, to share in Medellín, in this beautiful city. And to the speakers. The speakers that accompanied us, took the time, moved, organized all the material, thank you very much. I really have no words to thank you for all the effort you made and all the quality of talks you gave us in this event. The sponsors, we can't do this without the sponsors and I hope they will continue to accompany us so that this event reaches more and more people. Who stayed out? The attendees, of course. The time they took to come here. Thank you very much. This event is not without the attendees and we ask you to please, if
you liked it, please replicate the information, our networks, recommend us so that it grows and we reach more people. The event has a very special part and it is networking. I have told you during the different spaces. That's why we have a beer, and we usually make the special beer of the event. From the technical side, we are very introverted, but a beer helps. To talk, to share experiences, research, analysis, points of view, strategies, methodologies. So a beer helps us with that and to relate with people who have our own interests. So tonight, from 8:30 we wait for you there so you can go, we share, we talk with the speakers, organizers, staff, everyone there talking about this interesting topic that is security and everything
that comes, everything that Marco said, all the challenges that come. I remind you, the entrance has to be, you have to go with the bus, so you can enter Martin Moreno, in the Manrique neighborhood. Yes. Guardel station of the new bus. Exactly, and we wait for you there. All right? Beer for everyone. Well, that's good. Well. No, yes, yes. And a beer? No, yes, yes. Gio's words. Yes, seriously, seriously. It's a topic, yes. A round of applause for Gio. It's a round of applause for Gio. Now, as usual, for the closing of the event, please, if you can accompany us in a photo, here at the top. Outside. So let's go outside and we take
the picture for the memory. For the memory, let's go. Thank you all for attending, a round of applause for you all. Thank you. Thank you to the people who supported us from the YouTube channel. All the talks are recorded there. Please subscribe and see you later. Thank you. Guys, we also have to give a thank you not only to the university but also to the broadcasting team, those who were here doing the streaming for YouTube. Thank you very much.