
Spotted In The Wild - Anthony Flemmer

BSides Exeter, 21:02, 25 views, published 2024-09

Transcript (en)

Okay, so I'm Anthony Flemmer from Defense Logic. We're, I'd say, a smallish cyber security company; we've been going for seven years. I knew nothing about cyber security when I started the company, which was probably the craziest thing I've done in my life, but everyone's going to do something bad in their life. I'd been in banking doing project management and I thought I knew everything about being an entrepreneur, but that's another story. So we started the company, and everyone would say, oh, there's a lot of things going wrong, but they don't want to tell you anything, and I found that really frustrating, because what is actually going wrong in these really not very large companies, like law firms and little financial services companies? That was one of my big frustrations: what is actually going wrong with these small companies? Nobody's telling us; they just say they're insecure.

So this is basically a list of probably ten stories that I've got. I don't divulge the companies' names, I just give them a sector, and even some of the sectors I've purposely made misleading so you can't tie names to those companies. I'm keeping everything sort of confidential, but I'm trying to share some stories with you. It's just story time, guys. This is going to be the least technical talk you're going to get all afternoon, so if you're wanting a technical talk, that's the way to go.

All right, so let's get on to the first story. I really enjoy this one, because I was down in South Africa looking after some clients down there and I get this mad, panicked call: the NCSC has phoned up Jersey Telecom, and they have gone to this (let me keep my story straight) engineering company and literally cut off their internet access. Now, if you know anything about engineering companies, they've got massive CAD drawings that they've got to send around, so these people, a tiny little company of ten people, are trying to send their drawings over their mobile data. They thought they could do that for a while, then they thought they could just go to another IT provider, and the JT guys said no, we actually control the whole of the internet in Jersey, so you will still be cut off in a few seconds; you honestly need to fix this problem. So they came to us and we're like, okay, what actually is going on here?

So we go in there and we're like, okay, router ten years old, unpatched, they don't even know those things exist. Okay, anyone can make that mistake. Then we start looking: oh, they've got Apple. Yes, because we've got Apple and no one can ever hack Apple, we decided to turn the antivirus off for Apple. This is absolutely unbelievable, so that's going from bad to worse. Then we look a bit further and say, okay, so why have you got these three RDP ports open? Oh no, that's our IT guy, he just logs in from home. I mean, Jersey's only nine miles long or wide or whatever; I don't know how lazy this guy was, but he was so lazy he didn't even put a password on this thing. There's no password, open access, no antivirus, don't even bother about updates. That is the thing that happened, and so these guys became like a spamming central station for the whole of Europe. That's how the NCSC picked them up: little old Jersey, this tiny little company of ten people, just spamming millions and millions and millions of emails out of one of their own Apple servers. So I was like, okay, obviously I'm going to charge you like a wounded buffalo, because that's the kind of guy I am. So we went in, got them a new router, told them to get rid of that IT provider, close the open ports, turn on your antivirus, and that's literally all we did. But I mean, the trauma. And then we obviously had to write a report, and then they could get their online access going again. So this was a naive belief: I'm so small that no one's actually going to give a rat's about what we do. It turns out they do.

Next story. This is another one that I also find quite amusing; I've got a few phone app stories. This was a friend of mine (I can say that here because you won't know who my friends are), and she was like, no, I've got these great app developers (typical South African), they'll be fantastic, the app is secure and it's brilliant. Anyway, I was like, you need a pen test, you really do need to get a pen test. No, no, no. Because lots of sensitive data sits behind this app; children's health data sits behind this. And I was like, no, you can't be doing this. So eventually some client says, where's your pen test? Because she's trying to sell into these corporations for them to use the app. So we do the pen test. "I really need to get this done urgently, because I need to get this into the..." Yeah, okay, we'll do it for you. We do the pen test, and literally within two hours Rich phones me up and says, I'm into their database. We just got the APK off Google, we're into their database, what do you want me to do with it? Delete it, export it, encrypt it, we can do anything. So anyway, we write up the report and, yeah, that's not nice. I'm sorry, you are a friend, but that's what it is. So she says okay, they start fixing it. It takes them six months to fix it, but during that period I get these phone calls: can you write an attestation that everything's okay? No, we only do that once it's fixed; then we test it, and then we tell you it's okay. So yeah, the whole naivety of the process and how long it was going to take. But I suppose the overriding lesson here was that when developers are good at developing, it doesn't mean that they're good at security. When I actually spoke to the developers, they were under a lot of pressure to deliver functionality on a daily basis; they could not care about security because they just didn't have the time, the money or the bandwidth to do it. So it's just getting those priorities right for both of those. Okay, be careful.

One more. So, this is an interesting story. A bit of audience interaction: how many of you think it's illegal to pay a ransom to a Russian ransomware gang, in America? This is an American story. Who thinks it's illegal to pay Russians? So everyone else here thinks it's legal, unless they're sanctioned; so you do know something. Okay. So this story is basically about paying the ransom. This is an interesting one. We've got partners that are incident responders and they called us in. They said, can you help, because this law firm has been ransomed and we need to rebuild the environment. There were quite a lot of people involved in this one: they had Mandiant, which, if you ever get into an attack with Mandiant, you'll learn how slowly you can actually respond to an incident; it's quite incredible. We couldn't believe it: it's now been five days, these guys are desperate to get on to the next step, can you guys...? No, we'll get to it. And they're just charging up, unbelievable. So we're there, we're busy building up the system, and we didn't really know what the ransom was. Then the ransom comes through and, well, these guys, they're not wanting a lot, they're only wanting $10 million. You think, wow, how are you going to do that, how are you going to pay these guys? It turns out that if you go and get a good lawyer in America who can, with this extreme knowledge of Russian sanctioned gangs, say this is definitely not one of the sanctioned ones, you can write a letter to the DOJ to say, yep, you can pay these guys, because they're not a sanctioned Russian gang; they're Russian, but they're not sanctioned. So then there was a bit of negotiation and haggling and all that. They're pretty slick operators, these guys; they only gave a 10% discount, so it was like $9 million at the end of the day. Then you've got to get organised: somebody who can operate a Bitcoin wallet, that's a whole other part of this thing, and you've got your negotiator, and then you've got to pay these guys. So this organisation actually landed up paying that, and the reason for that was, if that data had got out, it was incredibly sensitive data, and if it had gone out their business would have been over. It's an end-of-business decision to make at that point, so the $9 million they were happy to pay.

I've got another story about ransom, not the law firm but a different kind of industry, a resources industry. They got caught up in the MOVEit one and they also were going to get a ransom; their ransom would have been close to $90 million, and they actually took the decision not to pay it, because they thought they could pacify the impacted people with $90 million, and I think they made the right decision. So you don't always pay it; it's a business decision about how much pain you're going to take either way. Nobody wants to pay the ransom, but I guess when your business is going to go under, the business you've been building for 20 years, you have to. Right.

So yeah, this is another one. Watch my story, sometimes I elaborate a little bit too much. This is another little thing: we did a little pen test in the Caribbean. We were scratching around; we'd got onto a standard user, they'd given us a standard user desktop within their environment that we logged in to from here, from the UK, and we were able to hop across to another user, got in there, and then we came across this file that was titled ads.txt. We thought, oh, that's nice, admin credentials, probably go in there. Open it up and there was a password there, so we tried to use that to escalate our privileges. That didn't work, but what we did see was this very odd URL there. So we plugged that into the thing, jumped on there and used those credentials, and we land up in the banking system: their banking system is there with the $155 million there, ready to be executed on. So yeah, it's just very poor user hygiene in that environment that could have led to a massive loss, if we weren't such nice people.

Okay, so these are little Japanese memes or whatever; that's the only Japanese thing I could put up. We did a pen test for a Japanese firm, and I suppose one of the most interesting things about that was, well, my pen tester isn't Japanese and their whole environment was Windows in Japanese, so he had to work his way around, knowing Windows to the level that, with all those Japanese icons, he had to actually figure out where everything was the whole time. But he's been doing pen testing for quite a while and was able to do that. So he went in there; we spent quite a lot of time on this test and we were sort of escalating ourselves around, escalating privileges, actually moving around their network quite nicely. They had Darktrace on there, which didn't really pick us up on the way through, but that's another day, another story. So we came to the wash-up meeting and we were like, yep, we were able to move around and we saw a few things, and we found this document that looks quite interesting but we're not quite sure. I got a feeling he might have actually known what it was, but he pretended he didn't know; he puts it up there on the screen, like, oh, can you just take that down! What's that? That's all the partners' bank balances for this massive Japanese firm. So, okay, we've got to get rid of that, and we've also got to put in a lot more controls, because we can't have people dancing around on the network like that with that much data. So eventually we actually ended up putting a SIEM solution into that Japanese firm on top of the Darktrace. Well, that's it.

Yeah, so this one was a few years ago. I suppose I naively hope that MSPs have improved their cyber hygiene, but frankly I doubt it, because I've seen a few things: struggling with an MSP for a list of the internal IPs that are getting used and the list of external ones, waiting two weeks and getting a list of four external IPs, like, how many more weeks am I going to wait for the list of internal ones? Anyway, this is a different story. This is a friend of mine and she runs a very successful financial services company, and she asked us to come in and do a pen test. So we went in there, and we actually physically went into the thing, got onto the network, were scouting around there, and we actually discovered the MSP's password. We thought, okay, well, clearly that's just going to be the password for this particular organisation. No, it was the MSP's password for their whole tenant. And the thing that absolutely annoyed me the most about this was these guys' branding and everything was "we take data security seriously", "we are data security specialists", and that was their whole go-to-market; this is what they do. Anyway, obviously you give them their password, and they don't even acknowledge that it was an issue at all, and they completely blank you when they see you in the street. That's just the thing. So yeah, next story.

Okay, so this is probably one of the more bizarre ones that I've dealt with, and just by chance I got the inside track. So these guys approached us, the board did, and said, okay, before we go to the market we want the app tested. So we said fine, and they said, but we know the app's rubbish. So I said, okay, that's nice to know, but we tested it anyway. They'd had an outsourced partner, they were, you know, outsourced, and they're now bringing it onshore; we know it's rubbish, but tell us what all the problems are. So we tested it, and yeah, obviously we found, I think it was, the AWS password sitting in the APK, which basically gives you full access to AWS. So we thought, okay, well, that's just absolutely ridiculous. Believe it, people are that lazy about the coding that you can actually pick it up. But they did that, and so we gave them the report and I said to them, yeah, we can do a retest or we can do another test, and I gave them a nice discounted price, and then they just sort of disappeared. So, okay, that's interesting. Anyway, literally two years later, my son's working for a software development house and these guys pop up again. So he said, Dad, I'm working on this thing, check it out, it's absolute rubbish. I said, those guys! Oh, okay. I said, have they fixed this issue? He said, no, they haven't. I said, you've got to be joking. He says, yeah, and they're no longer just launching in the UK, they're now launching in another continent, in the rest of the world, they're expanding their business and doing this, and it's actually like a semi financial app. It absolutely blows my mind. You know you've got a problem, you don't just... I don't know. So I think the board asked for a pen test, they gave it to them, but the board never asked, have you fixed your problems in that pen test that you were given? So yeah, it's absolutely crazy stuff that you get out there.

Next one. Yeah, so this is probably not the most exciting thing, but it happened quite recently. These guys are moving into the cloud environment and they set up these sort of cloud desktops in there. So they said, okay, can you come in and can you test our cloud environment? We've got these cloud specialist people to set it up. And I said, okay, that's fine, go in there. So the pen tester is busy testing around there and he says, Anthony, all these virtual desktops, they've all got admin credentials. Is that correct? I'm pretty certain that's not correct. Why would you have that, guys? No, no, no, that's not meant to be happening. Just absolutely useless. I mean, luckily the guys did a test and we picked it up, but I mean, any other organisation, that could have gone out and they could have been having their AWS set up with everyone with admin credentials sitting there, and of course third-party people logging in; it wasn't even their own staff. It was brilliant. So that was one of the nice failures.

And then this was a strange one. We did this for a large law firm of about … people. They wanted us to test their Citrix setup, so we said that's great. They gave us a laptop with the Citrix set up on it, and as the Citrix was set up, I think on Windows 10 or 11 at the time, the Windows default setup had an SSH open port set up. So you've got all this nice Citrix functionality controlling your tunnel and everything, but with a nice open tunnel wherever you like to sort of reverse proxy the data and exfiltrate it out. So you've spent a huge amount of expense setting up the Citrix, but you've basically left your back door completely open. So yeah, I honestly didn't think we were going to find anything in the Citrix test, because that's just... It just shows you, again, poor configuration and getting set up with defaults. I think it was a default Windows setting at that particular time that created it; I don't know if that's changed, but yeah, just something to bear in mind with the Citrix setup.

Yeah, and just to wrap it up at the end: there's a lot of automated testing going on out there, and you need to balance that with some manual testing. The manual testing will prod and poke where your automated testing isn't going to be looking. We typically spend about 80% of our time on a pen test doing the manual stuff and 20% we automate; we try working through like that. That's where you'll find these... well, generally, just about all of these things that I've been talking about are not vulnerabilities but misconfigurations and poor usage.

One more slide. Yeah, so one of the things that you've got to look after is to make sure that your Active Directory privileges are properly set up, whichever environment you're using, and get people to actually test hopping through with their standard users, moving around the environments, because some of those Active Directory setups are incredibly complicated, and if you're not testing it from the other side you're never going to know what's going on. Those are my stories for today, guys. Thank you very much. If you want to come and chat to me, please, you're very welcome. Thanks.
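The two app stories above (a database reachable from credentials pulled out of an APK downloaded from Google Play, and an AWS credential shipped inside another APK) both come down to one check: unzip the package and look for secret-shaped strings before it reaches a store. The scanner below is an added example by the editor, not the speaker's tooling or anything from Defense Logic. It treats the APK as the zip file it is, runs byte-level regexes over the entries worth reading (including the raw `classes.dex` string pool, so no decompiler is needed for ASCII secrets), and returns what it found. The sample "APK" is constructed in memory for the example and uses AWS's documented placeholder access key and secret, which are not valid credentials; the database URL and hostnames in it are likewise made up.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Secret-shaped patterns that commonly end up baked into mobile packages.
# The AWS access key ID format (AKIA/ASIA + 16 uppercase alphanumerics) is the
# documented one; the other three are heuristics and can produce false positives,
# so every hit needs a human look before it is called a finding.
SECRET_PATTERNS: Dict[str, "re.Pattern[bytes]"] = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        rb"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key[\"'\s:=]+([A-Za-z0-9/+=]{40})"
    ),
    "db_connection_string": re.compile(
        rb"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://"
        rb"[^\s\"'\x00]+:[^\s\"'@\x00]+@[^\s\"'\x00]+"
    ),
    "private_key_block": re.compile(
        rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}

# Entry types inside an APK worth scanning byte-for-byte; images etc. are skipped.
SCAN_SUFFIXES = (".dex", ".xml", ".json", ".properties", ".txt", ".js", ".so", ".arsc")


def scan_apk_bytes(apk: bytes) -> List[Tuple[str, str, str]]:
    """Scan every interesting entry of an APK (a zip archive) for secrets.

    Returns (entry_name, pattern_name, matched_text) tuples in archive order.
    Matching is done on raw bytes, so strings in classes.dex are covered:
    the dex string pool stores ASCII secrets verbatim.
    """
    hits: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(SCAN_SUFFIXES):
                continue
            data = zf.read(info.filename)
            for name, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(data):
                    matched = m.group(1) if m.groups() else m.group(0)
                    hits.append((info.filename, name, matched.decode("ascii", "replace")))
    return hits


def scan_report(apk: bytes) -> Dict[str, List[str]]:
    """Group findings by entry so a developer knows exactly which file to fix."""
    report: Dict[str, List[str]] = {}
    for entry, kind, text in scan_apk_bytes(apk):
        report.setdefault(entry, []).append(f"{kind}: {text}")
    return report


def build_sample_apk() -> bytes:
    """Constructed sample package for offline testing; not a real app.

    The AWS values are AWS's documented placeholder credentials (not valid keys);
    the database URL, user, password and host are made up for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", '<manifest package="com.example.demo"/>')
        # A developer "config" shipped inside the package: the mistake in the talk.
        zf.writestr(
            "assets/config.json",
            '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", '
            '"aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}',
        )
        # A fake dex file: header bytes followed by a string-pool fragment holding
        # a hard-coded database URL, as a compiled app would carry it.
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 16
            + b"postgresql://appuser:Summer2024!@db.example.internal:5432/health\x00",
        )
        # Binary assets are not scanned, whatever they contain.
        zf.writestr("res/drawable/logo.png", b"\x89PNG AKIAIOSFODNN7EXAMPLE")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_report(build_sample_apk()).items():
        print(entry)
        for finding in findings:
            print("   ", finding)
```

Run it against a real package with `scan_report(open("app-release.apk", "rb").read())`. A hit on an AWS access key ID is the cheap part; the expensive part is what the speaker describes, because a long-lived key in a shipped binary has to be revoked and the app re-released, not just "fixed in the next sprint".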