
All right, I guess I am getting started. Thank you for the introduction, Felipe. Is that okay? Soothing sounds of Felipe. So I'm Rex, as we just said, and this is Cruising the Cannabis Highway. I talk about a series of breaches in a large cannabis point-of-sale provider.

Who am I? I'm a full-stack, primarily front-end dev. I've been doing that for a long time, but I'm not as great as I should be considering it's been a long time. But, you know, I've been to a handful of hacker summer camps, really like them, it's a good time. I'm not in InfoSec directly, but I do work for a few InfoSec companies doing front-end, and I'm also just nosy as [ __ ].

Goals: I hope to give you an overview of the cannabis industry. I hope to touch upon a compelling narrative involving disclosure. This will definitely be an OSINT talk, or "osint," I'm not even really sure how that's pronounced. No exploits or anything like that, but I do do some cute things with some command-line bash scripts, if anybody cares about that sort of thing. And hopefully this will foster a discussion about InfoSec and cannabis.

So why should you care, though? Well, for one reason, every time I come to hacker summer camp there are several talks about why you should care about responsible disclosure, and hackers are really into that sort of thing. Also, this is a really pivotal moment for the cannabis industry, so there is a lot of new tech coming in, both soft and hard. There's a lot of money exchanging hands, and because of weird federal regulations a lot of that money is kept on site or moved just in armored trucks, or by delivery courier people in duffel bags. People have paid hundreds of thousands of dollars in cannabis taxes just in a duffel bag; that's happened. Also, there are a high number of policy touch points. There are a lot of lawmakers and lobbyists active in the space, and a lot of the software makers are lobbying as well, which to me feels like a conflict of interest, but who's to say, really. But if we don't all pay attention we might get stuck with the bill, figuratively and literally: literally, lobbying lawmakers. And also this is an untapped market. I think, as much learning and drunken partying as there is at hacker summer camp, I also always, invariably, see large business deals taking place, so maybe someone wants to get on that.

So, without further ado: cannabis. The sick nugs you smoke with your close friends and whatnot. But not really; we're talking about the cannabis industry. So think less your burnout stoner neighbor and more so your rich friend's more affluent uncle, because in putting this talk together, and also a village I'm doing at DEF CON about cannabis, I've talked to a lot of dudes
who have really extensive cannabis portfolios in terms of companies they own, and they don't even smoke. Last year it was a nine-point-two-billion-dollar industry. So, yeah, right, I would venture a guess that the supply chain is a little more complex than you thought. It looks something like this. I'll walk you through it very quickly, not very quickly really, but we start with the grow-ops; you can probably ascertain what that is from context. And oh, by the way, the black lines are... the green lines are cannabis. So the government tracks cannabis, in what's called seed-to-sale, at every transfer point. So from where it's grown it gets tagged, particularly with an RFID tag, or whatever the numbered-plastic-padlock equivalent is in cannabis, and that data gets entered into the system at the government level, usually at state, but lower municipalities can be very active in this too. The grow-ops pass the product off to processing facilities to turn it into wax or vape or to make pre-rolls or whatever; they also have to pass data to these compliance systems. Same thing when they pass it to a dispensary: the dispensary has to track who bought what in these state-level compliance systems. The dispensaries are tracking all kinds of data about the customer as they sell to them, and they're usually using some sort of sales analytics, so passing all that data wholesale. They also are probably going with a dispensary tracker that is, like, cloud-hosted, or perhaps provided by the government, but it's through a third party. And then some grow-ops even are using, like, [automated] growing as well to get maximum yield. That stuff has been going on for a few years in agriculture, but I think, given the monetary value in cannabis, people are making great leaps and bounds there. And then we also have associated hardware, which are like vapes, and I'm also including anything a prosumer grow-op might use, like an automated nutrient feeder, for example. A lot of that stuff's becoming smart and internet-connected, so look out.

Some major players in the space: we have Metrc, a subsidiary of Franwell, which is a general, like, you know, sort of like a GE, general tech company; they do a lot of hardware. I've just cherry-picked some stats here: they've tracked four million plants and three million parcels. We've got BioTrackTHC; I believe the original company is still around, they're just called BioTrack. They started providing a system for dispensing medications at hospitals, like in that episode of Nurse Jackie where she gets her... never mind. MJ Freeway: they originated the phrase "seed to sale," they've been around the longest, they went straight into cannabis, but their management team has a lot of, not just... but I would say, you know, more Silicon Valley-oriented experience. And also they pretty much have all the market share; they're pretty much the big players in the game.

And that was the status that was looking to be unchallenged until this thing we're talking about now, which is a breach on or about November 19, 2016, with no loss of data according to a third-party security auditor. But no, we're actually talking about two breaches in two months around that time. Loss of data? No, we're actually talking about two breaches around that time, a third potential pivot into government infrastructure, definitely the loss of personally identifiable, ahem, PII, and employee information, a several-month outage of service, and the resulting attackers tampering with and modifying cannabis restock
delivery routes, identities of route drivers, sensitive locations of grow operations, etc. And basically a [ __ ]. They tried to get in front of it. These are some words from their marketing department: "We were the victim of a malicious criminal cyberattack," which does happen; I can't fault them for that. I say this only because there are a number of rumors flying around that this was not a hack and not an attack. So basically, what does it say about you when your customers think it was a DevOps [ __ ]? And on January 8th clients began to experience the effects of this; the systems were not running for our clients, who also had no access to the site. This one I'll skip for time; it's anecdotal, but basically I think they did a bad job of alerting their customers. These are some pissed-off dispensary workers who basically just showed up to work one day and were like, hey, guess what, you can't work. One of my friends who works at a dispensary, she told her boss it was down, and he said, "You're an effing liar who just doesn't want to work." I mean, I've said [ __ ] a bunch, I don't know, I think it's fine now, but...

So okay, right, I'm looking into all this stuff, I'm like, oh my god, why is nobody talking about this? That seems like a big deal, especially for a company that's dealt with millions of dollars, hundreds of millions, millions of pounds of cannabis, whatever, a big statistic. But that's inaccurate, because a lot of people were talking about it, everything from national print-oriented news publications down to mom-and-pop blogs that focus on the cannabis industry. But I'm dealing with a lot of speculation thus far. I'm reading a lot of articles that are not firsthand. I'm talking to some people who have some knowledge, but they're also not directly related. So I figure I've got to get better sources, and actually there were a lot of data points here if I'm just looking at everything I can find that has a concrete date and maybe some actionable or objective information. So I put them all in a spreadsheet; that's a timeline. And since everyone was talking about it, I got all those in a spreadsheet too. But then back to Reddit, because, again, anecdotal but, like, super insightful, I think. Some people were pissed. A lot of people were going back and forth about the nature of the breach, whether a breach actually happened, and from what I understand some people got subpoenaed by MJ Freeway. Well, who got subpoenaed? Reddit and Google, specifically, but I guess they felt a number of people on the board, and I kind of felt this way too, had some early information that was kind of curious and maybe not coincidental.

So another thing that was mentioned with this hack is that a bunch of information got leaked, like I said, but also source, and it had been put up on GitLab, taken down rather quickly, but some people mentioned that it was also available on The Pirate Bay. What you're seeing now is the result of a wait of about four months and some intense fiddling with peer-to-peer seeds and trackers and all that stuff. And to me that's actually in alignment with what I saw on things like Reddit, because people were like, who really cares about this leaked source code, it's just bad PHP, everybody knows that's insecure. But then somebody suggested, do another search, and I did. I think it was Mr. Glass, actually. And I found several more uploads. So I'm like, okay, this is curious: you've got people saying they don't give a [ __ ], you've got people, well, people uploading this repeatedly. To me that's sort of an interesting conflict, an interesting tension in the narrative. That second one took 104 hours to download; it still didn't have a lot of seeds. So when I look at the source, not even look at the source, when I just look at the directory structure, it's not a great start for them. I mean, I'm okay with it, but it's terrible for them, because it's every product they have: every state-level product, every dispensary-level product. And also, so, like I said, you know,
I don't have a lot of InfoSec experience, but I have been a consultant for a few years, by which I don't really mean a freelancer but more so working for a consulting company for a bunch of different other client companies. And one thing I can tell you is that if you have a team... CC Leaf, well, Leaf Data Systems, that's their state-level thing, right? CC Leaf, Nevada Leaf, there's like a Washington Leaf here. Basically, to me that looks like a team that had a core product and couldn't decide on a development process or strategy that would allow them to have a core and add on custom customer functionality. That is kind of a bad smell, in my opinion.

A note on architecture. This is sort of a stack, I guess, but so we're talking about these in the middle here, mostly. You've got MJ Freeway's GramTracker, which was their old Drupal-based thing with a bunch of plugins that couldn't be updated for like seven years; that's what got had, most likely. You've got their MJ Platform, which was supposed to take its place and be more secure, supposedly. And then you have all sorts of third-party ones, right, but they have to integrate with the state-level ones for the state compliance tracking, and a lot of times the selling point is you are automatically integrated: by using these at the state level it will automatically shuttle the data there. Then you have a bunch of dynamic websites that tie into APIs for these trackers, so maybe to display your current inventory on your site, or in-store menus like in McDonald's except with weed. Your vendors and suppliers: so your grow-op may just push their data directly into your, you know, dispensary tracker. Or a mobile app for customers to order; that happens too. But basically what I'm getting at is: much surface area, much. And your data may pass several times through MJ Freeway stuff. That's food for thought.

I'm going to skip this for time too, but basically these are just transparent minutes of meetings from the Washington State Liquor and Cannabis Board, and they're talking a lot about their dealings with MJ Freeway and stuff like that, and here is them talking about some ramifications of the breach.

So, okay, one thing I did with the source code: I harvested git emails. It's pretty straightforward stuff: git log with a custom format, a minimum amount of manual cleaning and deduping. I plug that right into recon-ng, which is a great tool; I'm using the Jigsaw module, and even though the API key costs like a bajillion dollars a year, if I had it I would buy it. So, a lot of reading here. I've got blog entries, tweets, Reddit posts, podcast transcripts, training manuals, git commits, and I found a few interesting things. First off, I'm noticing some behaviors. Is this a person committing directly from the git UI? I think so. You also have someone committing from the dev virtual environment, right in the Vagrant box. Not a big deal, but again, kind of code smells, in my opinion. And you have a lot of remote contractors, and this is just the A's; every name here starts with an A. Imagine how long the whole list was. Gmail, Gmail, Coherent Solutions, a bunch of other companies; who knows where they are? I mean, I do, because I'm nosy. But what if I were a less principled person? I'd do something like, "Hey dev..." Well, first I would make a Gmail, right, I would fudge the name a little bit, and I would send this sweet spear-phishing pretext here. I'd be like, "Hey, I was looking at some of your commits lately, trying to rebase, and I couldn't because you have these weird commits from the Vagrant environment and it just doesn't work right. Could you please not do that? Also, could you make a patch of your local copy of [branch name] and send that to me?" Since, you know, be a nice guy. And I was vindicated, sort of. I don't think they did exactly that, the attackers, but they definitely copied somebody's email, switched two letters around, and started mailing people from there. And then MJ Freeway subpoenaed Google for that information; not sure if they got it. But perhaps most
interesting was this letter from a competitor. Hold on, let me plug in for power and hopefully not [ __ ] up the video feed. Okay, so this is a letter from a competitor to all of the Washington State cannabis industry, which, just that alone seems kind of like a big deal. And they don't even have a blog on this site, so they just put that one page up. What stands out to me: they're like, here, why don't you download a hard copy of this same page, because I want you to have it and take it away. And regarding what's actually in this thing, I'll try to be quick, but it's like a really, really fierce tech-software diss record from this one company about MJ Freeway. There's tightness over missed deadlines with the handoff from MJ Freeway to, well, no, from BioTrack to MJ Freeway regarding the Washington State, state tracking, cannabis... sorry, brain fart. The contract, the state contract, right: BioTrack lost the state to MJ Freeway. They weren't happy about it. MJ Freeway missed some deadlines; BioTrack was not happy about that either. And then BioTrack also started pointing out, hey, MJ Freeway also got hacked and it's very dangerous for us to commingle our reputation with somebody who's so insecure. So they included a copy of a letter from a Google forum for dispensary owners and workers, and somebody got a data-ransom email from a spoofed email address, Leaf Data Systems, which is, by the way, a subsidiary or a related company to MJ Freeway. Leaf Data Systems does the state-level stuff, MJ Freeway does a dispensary tracker, and somebody called them out on being a conflict of interest, and the marketing person said, well, Leaf Data Systems is a separate company, so it's okay. But yes, so this email was spoofed. They're offering access to the information for a pittance, really, or maybe it was just, like, a sampling of the database leaks for just a couple of Bitcoin, or a fraction, right, like eight bucks in Bitcoin. And I said I was going to do some, like, layperson, like, try to figure out who it is, maybe. But maybe that's not necessary; they just gave themselves away. I didn't make that, I swear, it just lined up.

But quips aside, right, why all this animosity? I've worked for consulting companies, like I said. I've met some pretty [ __ ] C-level guys who, like, would talk all the smack in the world about competitors, about customers, about employees, but even they wouldn't go out in public and bash a competitor, because I think they realized, like, being involved in that drama is a Pyrrhic victory. So I'm like, my gut says there's something else going on here, and as it turns out there is. MJ Freeway sued the Department of... the Department of Puerto Rico and BioTrack, because they lost a bid to BioTrack for that contract, and MJ Freeway said, hey, wait a minute, according to Puerto Rican rules you actually can't have a company win a Puerto Rican, you know, state contract if they have a felon on the board, which BioTrack did: a Mr. Steven Siegel, not that guy, but that would be like really awesome, and I wouldn't even put it past them, really. But yeah, with some fraud stuff, really nasty, involving, I don't know, some mail fraud, financial stuff. But basically, well, I can't get into this for time either, but if you come to my DEF CON village, which is the Cannabis Village, I can get more into it there. But essentially some strange things happened even after this, right. I don't know exactly what happened with this suit; I think maybe MJ Freeway actually did end up winning, potentially. But if we look at the timeline of things a little bit more closely, this is a very dense area of the timeline: BioTrackTHC gets the highest score in Puerto Rico and wins the Puerto Rico contract (and I misspelled, it's misspelled, Puerto Rico, nice). MJ Freeway brings suit against Puerto Rico over bidding, and those are like a month apart, a month and some change, right. Siegel and Brian McClintock sell shares to holding companies, so they divest and somebody else gets on the board, 11/7/2016. On 11/16/2016 MJ Freeway releases their next-level software at a big cannabis convention here in Vegas, and three days later they are hacked and everything is leaked, and then they're double-tapped a month and some change later. Those things seem very close to me. I'm not a professional, your mileage may vary. I don't want to say it was aliens, so I won't.

I just want to play with this stuff. And how am I doing on time, actually? The phone went off... no, I think I'm decent on time, yeah. I just want to play with the stuff, really. I can't get too far into this because of time either, but Docker made it very easy. I mean, I
still had to fiddle with Docker, but better than fiddling with a bunch of other things.

No conclusions. Ooh, foreign state actors? Maybe, I don't know. I mean, you think I'm joking, but really, a lot of those contractors were in pretty interesting places, and what could mock the downfall of your Western capitalist bourgeois ideals more than your fledgling vice industry falling on its face, especially when it's worth several billion dollars? Was it right-wing anti-weed activists? I don't know. I was at HOPE a few days ago, a few weeks ago, and a bunch of right-wingers showed up there; I wouldn't put it past them to hack a very poorly secured cannabis site. Competitors? Maybe, I don't know. Or just bored teenagers? Advanced persistent ones.

The cannabis space has an interesting set of concerns. Regulation and compliance done poorly equals increased surface area; there's almost like an inverse relationship. They're obscenely competitive, so people cut corners to be first to market because they want that market share. And you can't rely on the feds to save you, but when can you? I don't know. If you want a deeper technical dive, there's going to be someone else giving a talk really just about the surface area and exploiting it. But again, maybe you won't be too interested in that because it's, like, PHP and Node stuff that you've probably heard before at DEF CON. But he will be covering, that particular speaker will be covering, some other point-of-sale systems as well in the cannabis space. I'm going to give this talk again; it's going to have some, you know, some more information in it. I'm going to go a bit more into the whole Puerto Rico fiasco and some other things. And we are going to be at the Flamingo and the Valley of Fire, and there's going to be a whole bunch of other cannabis-related talks, so check it out. Thanks to BSides, Soldier of Fortran, Mr. Glass, and Mouse for helping us get some scheduling stuff sorted. Yeah.
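The git-email harvesting step the speaker describes (git log with a custom format, then minimal cleaning and deduping before the list goes into recon-ng) as an added example in Python. This is not code from the talk or from any of the companies it discusses; the commit records below are constructed for illustration, the SHAs are fake, and the lists of hosting-service committer addresses and dev-VM identities are assumptions that a practitioner would extend for their own repo. It also implements the two "behaviors" the speaker points out, commits made through the web UI and commits made from inside a Vagrant box, as simple heuristics over the author/committer fields.

```python
"""Harvest committer identities from git history for OSINT triage.

Added example, not from the talk. Reproduces the speaker's pipeline:
`git log` with a custom format -> clean and dedupe e-mails -> feed to a
tool such as recon-ng. Also flags two behaviours the speaker noticed:
commits made through a hosting service's web UI (author != committer and
the committer is the service) and commits made from a dev VM (vagrant@,
root@, ...@localhost). All identities below are constructed samples.
"""
from __future__ import annotations

import subprocess
from collections import defaultdict
from dataclasses import dataclass

# One record per commit. %x09 is a tab, which cannot appear in a git
# e-mail address and is very unlikely in a display name.
GIT_LOG_FORMAT = "%H%x09%an%x09%ae%x09%cn%x09%ce"
GIT_LOG_CMD = ["git", "log", "--all", f"--format={GIT_LOG_FORMAT}"]

# Assumed: committer identities that mean "the hosting service created
# the commit object" (web-UI edits, merge button). Not real people.
HOSTING_COMMITTERS = {"noreply@github.com", "noreply@gitlab.com"}
# Assumed: identities typical of a dev VM that was never configured.
DEV_VM_USERS = {"vagrant", "root"}
DEV_VM_DOMAINS = {"localhost", "localhost.localdomain", "vagrant"}


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str


def parse_git_log(text: str) -> list[Commit]:
    """Parse GIT_LOG_FORMAT output; skip malformed lines rather than guess."""
    commits = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        commits.append(Commit(*parts))
    return commits


def normalize_email(email: str) -> str:
    """Minimal cleaning: trim, drop angle brackets from copy/paste, lowercase."""
    return email.strip().strip("<>").lower()


def harvest_emails(commits: list[Commit]) -> list[str]:
    """Deduplicated, sorted author + committer addresses (the recon-ng input).

    Hosting-service addresses are dropped because they are not people.
    """
    seen = set()
    for c in commits:
        for raw in (c.author_email, c.committer_email):
            e = normalize_email(raw)
            if "@" in e and e not in HOSTING_COMMITTERS:
                seen.add(e)
    return sorted(seen)


def group_by_domain(emails: list[str]) -> dict[str, list[str]]:
    """Group addresses by domain: the quick view of which contractors are involved."""
    groups: dict[str, list[str]] = defaultdict(list)
    for e in emails:
        groups[e.rsplit("@", 1)[1]].append(e)
    return dict(groups)


def flag_web_ui_commits(commits: list[Commit]) -> list[str]:
    """SHAs whose committer is a hosting service acting on behalf of a different author."""
    return [
        c.sha for c in commits
        if normalize_email(c.committer_email) in HOSTING_COMMITTERS
        and normalize_email(c.author_email) != normalize_email(c.committer_email)
    ]


def flag_dev_vm_commits(commits: list[Commit]) -> list[str]:
    """SHAs authored or committed under a dev-VM identity."""
    flagged = []
    for c in commits:
        for raw in (c.author_email, c.committer_email):
            e = normalize_email(raw)
            if "@" not in e:
                continue
            user, domain = e.rsplit("@", 1)
            if user in DEV_VM_USERS or domain in DEV_VM_DOMAINS:
                flagged.append(c.sha)
                break
    return flagged


def harvest_from_repo(path: str = ".") -> list[Commit]:
    """Run the real git command against a checked-out repository."""
    out = subprocess.run(GIT_LOG_CMD, cwd=path, check=True, capture_output=True, text=True)
    return parse_git_log(out.stdout)


# Constructed sample of what GIT_LOG_CMD emits (fake SHAs, fake identities).
SAMPLE_LOG = "\n".join(
    "\t".join(fields)
    for fields in [
        ("a" * 40, "Alice Example", "alice@example-contractor.com", "Alice Example", "alice@example-contractor.com"),
        ("b" * 40, "Alice Example", "alice@example-contractor.com", "GitHub", "noreply@github.com"),
        ("c" * 40, "vagrant", "vagrant@localhost", "vagrant", "vagrant@localhost"),
        ("d" * 40, "Bob Dev", "Bob.Dev@Gmail.com", "Bob Dev", "bob.dev@gmail.com"),
        ("e" * 40, "Carol", "carol@example-vendor.net", "Carol", "carol@example-vendor.net"),
    ]
)

if __name__ == "__main__":
    commits = parse_git_log(SAMPLE_LOG)
    emails = harvest_emails(commits)
    print("recon-ng input:", emails)
    print("by domain:", group_by_domain(emails))
    print("web-UI commits:", flag_web_ui_commits(commits))
    print("dev-VM commits:", flag_dev_vm_commits(commits))
```

Against a real checkout, `harvest_from_repo(path)` replaces `SAMPLE_LOG`; the e-mail list is what would be written to a file for recon-ng, and the domain grouping is the quickest way to see how many distinct outside organizations have had commit access, which is the point the speaker makes with the contractor list.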
Any questions?

Audience member: Dude, I know you didn't really mention who, you kind of had some speculation, but are there any indicators on parts of the attack that would lead to any particular entity?

Rex: Uh, nothing I'm aware of, and to be honest I can't really say anything more specific than that. However, I am really interested in the meta, because I started looking into that as well and doing some, like, OSINT stuff on the third-party security auditor, and they didn't really seem to be anybody I'd ever heard of. Again, I'm not like a hardcore InfoSec dude, but nobody else seemed to have heard of them either, and the reports seem to be kind of crappy. So... oh, let me... come on.

Rex: Yeah, he asked regarding the double tap. So there were like three or four different penetrations, from two or three that were definitely in MJ Freeway's infrastructure and then one that was in Washington State's, and people suggested that they were maybe not related. I think perhaps they were, but I can't speak to that with actual, you know, forensic evidence, sorry. Oh wait, wait, but one thing I will say: so the dump, right, there was a timeline and there were official, you know, notifications about these breaches, and when I look at the git commits, though, and just the file names, and even... it has a date in the file name that was like a month and a half beyond anything that they reported being breached. So I kind of think the attacker was just, like, kind of stunting a little bit, you know, like, "We're still in here, we have a foothold and we're not letting go, and we just want everybody to know." So that's kind of why I kept poking around at certain things too. Anybody else?

Audience member: You started with responsible disclosure, was that one of the, yeah, that you were talking about, and how did you responsibly disclose any of this information?

Rex: No, I was more so talking about MJ Freeway being responsible about their disclosure, because they disclosed and then they said, "Oh no, wait, that was wrong, but that was a third, you know, our third-party security auditor's fault," and then they, like, re-disclosed several times, changing the story each time, like, in a major way, from "none of your data was lost" to "all of your data was lost, and our source code, and you don't have a dispensary tracker for three months, sorry." As far as I'm concerned, I just found available information on the Internet. I didn't do... I also deleted that repo, and the EFF said it was very important that I let you guys know that.

Audience member: So it's interesting because you brought up the Washington State tracking system. Do you think we're going to see any breaches in the future that are going to be pertaining to, like, vehicle movement? Because we know how currently it's next to impossible to deposit cash anywhere; it's always constantly moving. And I'd be more interested, as an attacker, in knowing when those vehicles are going out of the dispensary, so I could actually, you know, be a criminal organization and put a hit on it, etc.

Rex: Word, as am I. So one thing that's interesting is that in certain states you have to log that information with the state, and it's, like, it's just publicly available. And then in some states where it's not publicly available, it's in this breach. And then I would say, I don't know if, like, you know, the routes that the delivery people use to, like, bring the cash back, or, like, you know, dude, drop it off wherever they store the cash, like, that's not going to be in there. But you do know where they're going to be. I believe in a lot of states it includes their, their license plate number, so that's, you know, go to the dispensary, look out for that person, backtrack all the way to the grow house, follow that person in, see, they may be the same person delivering the money. I'm working with some people now, I'm not sure if it's going to go through yet, but there's going to be a guy, he's a mayor, he's going to speak at the Cannabis Village, he may work with me on a seed-to-sale, or seed-to-safe, penetration test. Some people expressed interest; we're going to, you know, pack into the, or, like, grow-op or something. So we may try to, like, stage it first such that we first can track the person to the grow-op and do it, like, sort of use an entry point that way. So that's something you might be interested in, you know. Green team? Exactly. All right, no wait, purple team. Any more questions? Yeah, thanks, guys. [Applause]