Irresponsible Disclosure

BSides Bristol · 2019 · 36:39 · Published 2019-07

Transcript [en]

Thank you very much, Dylan, thank you. And if anyone wants to get it right, 'cause I don't like responsible disclosure... no, we have to do it, all right, sorry. Anyone that, well, let's go straight to the end. So we all like dark mode, uh, you know, unless I have some light modes on the talk, so let's turn it on. Right, so special mentions to a few guys that helped me out over the course of this time that I've been doing this. My name's Phil Miller, for anyone that doesn't really know me. I work for, coming all day after exploits, we kind of do, you know, responsible disclosure, yeah, regulation, the boring stuff. I'm homeless, I live out

of hotels, it's pretty fun, yeah, kind of a thing you do when you work remotely. But for the talk, let's just remember I'm not a lawyer. I'm probably the last person you want to talk to when you have this much Jager, you don't want to attack me, yeah, representing you, terrified young, but yeah. But I'm not offering legal advice. I wouldn't; go to the EFF, go to lawyers, go to people that actually know what they're doing. Yeah, so let's go straight into it. Types of disclosures: so we've got responsible disclosure, we've got coordinated disclosure, which is very similar; full disclosure, where you just kind of, you know, throw it out there and hope that things don't go wrong, which

often times they do. Then what's this, partial disclosure, where I've done it a few times when people aren't really listening, the right people aren't really kind of approaching you or you can't get a hold of them, and that's where you kind of really give a redacted version of your disclosure, be like okay, well, this is an issue, I can do there, and you kind of get them involved, because even CERT will get involved to be like, this is a big problem, someone else will get involved, and that's kind of a good step forward. Then non-disclosure, zero-days, APTs, the things that you don't really want to happen; they often happen with some

disclosure. Responsible disclosure, kind of as I was going, really, yeah, just as things kind of happened with, yeah, you approach the right people, in a sense, so you kind of, you know, talk to the appropriate vendors, organisations, trying to get people involved, from our, yeah, kind of create a dialogue where you're getting involved in that sense and kind of giving them what they need to patch those issues. Full disclosure, you know, kind of doing it without any warning, kind of going straight into it, not really giving any kind of precursor that hey, I'm just gonna drop this, which kind of causes problems. A lot of companies, I'm like that, Google's good

for doing full disclosure because I do it quite often nowadays, and then, you know, they go out, I'll expand, you know, nowadays we're just gonna drop this, man, has given notice, it's really, yeah, there's no way to patch it, there's no way to kind of do anything about it, and, you know, it's gonna cause a lot of issues for the vendor, for people, for yourself even, because if you kind of give them this disclosure which you're doing openly, there's gonna be a lot of issues in that sense. With, you know, Cisco's a good example, a lot of companies, they really, please just disclose, you just throw it out at them, it's like, well, all these corporate, you

know, kind of companies are just gonna go down the wall because there's nobody to really patch in time, yeah, for full disclosure. Right, so moving on, we go to the first kind of case study, in that where we worked with a company called Beer52 which is based out of Edinburgh. They kind of provide beer, because hackers love beer and, you know, we kind of need free beer, so how do you free them, right? So this is kind of an example of how we kind of go about it. Yeah, we found a few different vulnerabilities and we're like, well, you know, how do you go about doing that? And we kind of emailed them to say, well, yeah, we found a few issues in your

company, we'd like to go about, you know, disclosing this, yeah, we understand that you're not involved in a bug bounty program, and yeah, we'd like to kind of open a dialogue, kind of create this context where we can talk. And yeah, we often ask, you know, can we have some swag, can we have something here in return, because we're kind of doing this for free. But at the same time a lot of companies do understand that yeah, you do it for free, but, you know, we have a lot of swag lying around, we might as well give you some, yeah, give you a t-shirt, give you some stickers, it says, you know, we love it, we love it all,

so, you know, let's take it. So shortly after, we were given a kind of email where they were glad for it, they were like, you know, we understand those issues, we understand that we can't really cover everything, and yeah, tell us what you have. Shortly after, we also had the CEO CC a developer into this, which kind of got involved, and we were able to directly talk to the developer involved to kind of have that issue or issues, you know, get that patched. So as a result, the actual, I believe he was a co-founder of theirs, basically told us, you know, we can send you a few cases of free

beer, and we're like, damn, all right. As a result, we kind of, you know, produced some proof of concepts, because usually when you provide a service you're kind of giving more of a report. When you're disclosing bugs you're kind of not really doing it in a report style, they're not paying you to do a report, I'd say don't waste your time too much. They have all the time in the world and if they're not paying you, you might as well do it in a, yeah, proper way, but without wasting too much time to kind of construct a report in that sense. So yeah, a few proof of concepts, what it does, all you need really to kind of do that, as was

old Jason, holla, and along the way we actually got free beer, so that was one of the better kind of instalments we did, you know. So this, yeah, I put it to three kind of principles to disclosure. You know, you've got communication: without communication you don't really have anything to begin with, and you're kind of going on the wrong path, because you're gonna have to have an open disclosure, or you do something that's gonna annoy them because they weren't warned, they won't talk to you, it's not really a good way to kind of engage with a vendor or engage with a company. Integrity, that's a big one, because you want to kind of keep your integrity with

a, you know, disclosure, because if you kind of go this wrong way, you know, and you're kind of going for some, you know, hey, kind of asking for some stuff, but you ask for money or you're doing something, yeah, it's kind of gonna seem as if you're doing something maliciously, and that's why you kind of want to keep your integrity the whole way forward. Even if you, hey, you can send some money to another account, that, you know, you keep your integrity there, where you can go, well, we didn't though, so that's why we're disclosing this, and that's really why you want integrity in this. Transparency: always have complete logs of exactly what you've done, every

network you've touched, every subnet, everything, so just in case it goes wrong, or even if it doesn't, you want to be able to go to that company, like, you know, we've done this, we've done that, we've connected to these networks, we've attached to this computer and this is what we've done. And, you know, when you're going for it they really appreciate that, because it makes it easier for their job, they can look at your logs and be like okay, yeah, those are your hosts, that's you, we know what you've done, cool, yeah, we understand that you're just disclosing it purposely and you're not actually trying to be malicious, you're not hiding

yourself through all these tunnels. Moving on to AXA. This is actually for a kind of a developer for AXA which we actually disclosed to, and we actually went about, kind of, the issue was the company didn't actually have a proper presence, so we had to get a hold of their clients, which happened to be, AXA actually was one of them. Great team, they have their own CERT, which is perfect, and yeah, it helps us out a lot when we can go to a client, be like, hey, one of your developers is kind of doing this and we'd like to get a hold of them, and that kind of helps us reasonably disclose these

things to them. So they got in touch with the company, which, you know, this year actually came into contact with us, and he actually responded saying, well, we understand there's a lot of problems with our thing and we'd kind of be interested in using your services. So that was a case we did there. Risks in disclosure: there's quite a few risks when you disclose. Legal threat, yeah, pretty self-explanatory, which kind of results to, you can get sued. Half the time it's just legal threats, half the time you're gonna see a lawyer at your door, they're gonna kind of, you know, either way, depending on how, yeah, your exposure is,

how deep you went into the network, what you've really done and how serious they say that kind of implication is. If this, you know, hey, clients are gonna be affected, hey, clients or stakeholders are gonna say hey, yeah, what's this, they're gonna be interested to kind of see you out of talking, because they will try that, they'll try every way that they can. You could go to jail, that is a very likely thing that's gonna happen, and a lot of people didn't realise when they're going into responsible disclosure or they're going into kind of security research that there's a very good likelihood that you may go to jail, because the CMA is pretty loose and

we'll get into that later. Hey, you can get assaulted, as I found out once going to a trade show, that after talking to a vendor for so long, and we'll get to that one in a bit, that you can actually get assaulted by the vendor you're disclosing to, because sometimes they do not like you talking about the incident and sometimes they do not like when you talk about it on Twitter. But that's the, yeah, that's kind of the risk you take. And yeah, we've got a great, you know, pentest kind of bingo going, from pentest banners, which kind of outlines exactly how, you know, pen testers get told their, you

know, crumbs are, sometimes it's just hey, it was a feature, you know, it's as simple as that, and that's a real big issue for us because it's not a feature, it's a bug. But so, going on to the amazing company that we had a bit of an issue with, kind of at the, you know, late last year into the media, we had a bit of a kind of issue with a vendor. We actually were in touch with the FBI as a result, because of this, very hitless, we needed to make sure that companies and clients were aware that hey, you know, your vendor's not doing anything about this, so we kind of need to make sure we

have a back-up plan in case someone actually realises what's gonna happen. Long story short, we spoke to the company and yeah, kind of said, you know, while in contact with the FBI, we said, well, they said we'd like to buy you out, and we were like okay, but we do provide a security service and, you know, if you're willing to, we can provide reports and we can give you a write-up, and yeah, we're estimating 140 hours. So we kind of gave them that fair go, we gave them exactly what we were going to provide and, yeah, that's kind of how you normally go about your business clients. But in the sense they actually seemed to be agreeable and

went, you know, we're going to work for the financial aspects, we're gonna want you to delete anything that's kind of incriminating for us or that's gonna kind of make us look bad. And it took quite a while, into January, when it's up in the end we were like, well, you know, where's the documents? Every week it was like, well, now we're ready, you're gonna send us this, we're ready with our documents, when are you guys gonna send us your documents? And they just kept saying, you know, they kept putting it off, bring it on, bring it on, and like, it's probably a trap, right? So I actually went to see the client at a

trade show, to kind of put a face to a name, and as a result I was actually assaulted, and about an hour later I was given a nice email saying, well, you know, stuff you guys, we're gonna, you know, want you to do this, or watch, you see. And yeah, as anyone that's actually researching law or actually knows lawyers, you'd understand that there's not actually a proper legal threat, it was just baseless, but yeah, it's scary to most people, it's like well, [ __ ], yeah, I need to lawyer up or I need to do this, I'm in trouble. Yeah, so we had a kind of nice kind of reply to them

which they weren't appreciative of, and they kind of went away, so it's nice there. But yes, it eats away resources for also the researcher, because we've put months of our effort into it, we've got no return, if anything we've actually lost money, on, you know, our lawyers, on our kind of resources, everything, no very long. So yeah, rewards of disclosure: you know, you get some swag, yes, maybe, yeah, maybe if it's a public bug bounty, amazing, if it's not, you might not, yeah, you might just kind of get a thank you, and that's really what you expect in this kind of job. When I was starting out, like nine out of ten companies would just say, well, thank you for that, yeah,

wait, small, or yeah, we just don't provide this, and that's the case with most companies, so it's pick and choose. And so it's kind of monopoly, kind of, you know, you're kind of gambling other resources that one company might want your services or one company might want to sue you. Legal issues: there's quite a lovely lot of issues there, but the main ones, the CMA and the CFAA, we won't really go too much into, but the CMA affects us in the UK, so we can go into that right now. Yeah, so what is hacking? According to, yeah, the UK government, hacking is really kind of not really a good term, it's really, you know, as long as you do

anything on, like, a computer, that's kind of, I will go into the actual act in a second, but really it's, yeah, a computer in nature or anything kind of unauthorised access to a computer, and they don't actually define a computer properly. And, you know, that can be a serious issue, because when you don't define what a computer is you're kind of looking at a technology, he's kind of done something that's out of scope in the sense, yeah, you might have just logged into an account that was already logged in, and yeah, kind of authenticated against the default account, and that's an issue. So, you know, as the Crown Prosecution Service will go, they'll go through quite a lot of the

law and they'll kind of consider, you know, what fraud was, anything else in their sense, kind of, you know, a little bit descriptive, and that's kind of an issue for us. So the Computer Misuse Act really defines four kind of sections. There's, you know, unauthorised access to computer material, and computer material is not defined, we don't define material itself, so it's very broad and, you know, it could be anything. You know, with intent, and that's a big one: if you knew what you were doing you're actually looking at a lot more time than if you didn't, if you were just, you know, misusing a computer once, that's kind of what they're looking at

prosecuting for, and usually it's a slap on the wrist. When it's with intent you're kind of looking at a bit longer, still you're looking at the kind of high end of two years, so you're not too much into it, but it's still pretty scary to think hey, I'm gonna get locked up for about a year and do, like, you know, time served in that sense. Reckless, plus, you know, it could be I've destroyed data, and that's really what it's looking at, is, yeah, I've destroyed some data from the company, yeah, doesn't matter what the data is, could have been in a cache, faster than anything, but you're looking at the higher end of the scope, which, you know,

we'll get into in a second. If you, you know, touch say a SCADA system or anything that's kind of controlling actual things, like a hospital or something, you're looking at, you know, a lot of time. So I'd kind of move away from your, you know, safaris where you go hey, IoT system, because some IoT systems actually, you know, affect the real world, and that's where you're gonna look at some serious harm if you do something wrong. And, you know, sometimes we like to press the on-off button and see what happens, but let's kind of steer away from that unless we know what it's actually doing. So, you know, you can be convicted for up to 14

years, and that's kind of a serious factor to realise when you're doing anything relating to security research. If a company doesn't know, you know, hey, I'm kind of just researching this, I'm looking into a system, oh, it might be a default gateway, it might be anything, as soon as it says, you know, you need to login or you need to be authorised, you're kind of in trouble. Now and then there's the even worse factor when you're going into actual damage of the network, or damage of an actual system, where, you know, we're talking about a SCADA system, easier you could access anything that's really serious in that nature, and that could actually result in life

behind bars. So yeah, the US actually has quite a nice system in that sense, because it actually defines, you're looking at ten years maximum, twenty in the sense of, you know, you're going to serve some time, but you're gonna be watched. That's where the CFAA comes in, and that's where, yeah, you have to still know about it, in the sense that, you know, even though you're not in the US and even though you probably don't think you're gonna be kind of pushed towards the US law, as long as that company has any stakehold in the US, it has any stakeholders in the US, it has anyone that's remotely

involved in the US, you have to be aware of the CFAA, because the CFAA they can easily get you on as long as someone in the company is from the US. And that's why, yeah, if it's operating in the US you're in trouble, if it has a stakeholder in the US you're in trouble, you can be extradited, and that's, you know, that's a nice fact to know, you can actually be tried in the US, and, as you know, something, whoops, no, yeah, Marcus Hutchins. It's a step in the right direction, we are getting kind of used to this, yeah, this is quite a new topic, everyone really thinks of security research as this big thing, people think oh, security research,

student here now, I mean, yeah, bug bounties, everything, everything relating to security has a sense of, like, InfoSec, in the sense it's still new. As much as it's been around for, you know, ten, twenty years, it's not really been in the sense that we can disclose bugs to companies, because a lot of companies back then, you could go hey, I've got a problem, and they weren't really looking into it in that sense. So, you know, we've got the National Cyber Security Centre that has actually posted, really, that, you know, we understand that issue, we'd like to engage with companies to kind of build a bug bounty program, and they've actually done this by, yeah, they've got

HackerOne involved, they've had to push them, involve HackerOne. Katie Moussouris from Luta Security, she's kind of been behind both of this, she's also been involved with, as we go to the next one, the international standard ISO 29147. So yeah, yeah, so those are kind of things to look out for. You can get it for, like, free, a few... nicely, otherwise a hundred pounds, give or take, worth looking over. Even the 2014 version is free now, I believe, and this is worth, you know, seeing what to do, because it's really kind of giving us a standard to go to a company and be like, well, you know, I followed these, you know, I'd like to kind of make you

aware of this, please don't sue me, please give us a report, or yeah, please do as you can, but yeah, be nice to us. How do you disclose? Do they have a bug bounty program? Yes, perfect, congrats, you know, go to the bug bounty program policy and kind of go that way about how to do it. On the other side, do they not? Is there a way to communicate with them? Do they have a security page? I advise any company that doesn't to actually include a security.txt file, because everyone looks for it nowadays and that's the best way to kind of get involved with, you know, security, just because they will be looking for

that. If not, is there any other way to get a hold of them? Do they have a security team, kind of way, do they have any contact details about a department that could be, it helps you as we go down. They do? Congrats. They don't? Get ready to kind of research into how to contact them. Look at, you know, do they have a Facebook page, Twitter page, Instagram page, anything that could kind of lead to contacting them, which we've kind of, lead to another company which would kind of give you information on how to contact the right department or the kind of people who will be involved in that sense, and that's what you want to do. You

really want to get the right department, because if you get just anyone involved, you know, the social media team is not gonna help you, yeah, with kind of the widest of bug banners or, you know, the kind of widest vulnerabilities, and that's the way to go forward. Yeah, how do you disclose if it's, you know, it's something serious? Look at going to CERT, look at the EFF, look at legislative organisations which, you know, would include, so for example, or yeah, NCSC, anyone who's gonna really kind of be helpful. As we've done in the past, we've got involved because we believe, you know, kind of people who are wise needed in that sense that, yeah, if this was a risk

factor of, you know, critical or some sense, how do we kind of mitigate this? And, you know, you kind of want to make people aware of this, so you want to go to the right kind of organisations in that sense. If you've done something wrong, and, you know, as long as it's sort of our ability, you know, potentially talk to the EFF, they're very helpful, they'll give you advice. Potentially look at kind of a safe harbour program, which kind of, you know, protects you in some sense, to kind of, if you don't give that information out but without, you know, any recognition of yourself, or, you know, kind of mitigate your own risk as well. And yeah, that's kind of a little

bit into how we do security research and how security, so, it can be good and it can be bad. There's no right way to do it and we're still learning, and, you know, that's the way to go forward. Thank you. [Applause]

So I started, my first was network engineer, I found out that I prefer, you know, the security side of things. I actually broke into my school systems when I was younger, as a result I actually found, like, I was like hey, you know, they're rewarding it, it's like an "attaboy" kind of thing, and it's interesting that that was an attaboy because nowadays it's not, and that's kind of where, you know, the problem is now. But I kind of felt, well, thanks, everyone's kind of rewarding in that sense, so I kind of moved to hey, what if I break into big systems? So I learned that it's not all attaboy, but in the end they will, you know, reward you if they see necessary, and so I

thought, well, it's still a good community. If you're involved in InfoSec, it's an amazing community, as we are all here, you know, InfoSec is a great thing, but the corporate side's not as good as we think, but it's getting there, and that's why, as we progress, as the years go on, yeah, we're gonna get to deploy to everyone, but as long as you follow the rules and regulations it is safe. So, what, your people, for example SandboxEscaper, it's kind of a way to do it, yeah, purposely releasing disclosures. So you think they go to harm, I'm not sure that's their purpose, but it is, in that sense. I, it's, I don't feel that how, you know,

SandboxEscaper has done it is kind of responsible, I don't feel that they've done it, it's kind of better for the community, I feel that they've done it because they can, and I feel that, yeah, of course harm, you're doing it maliciously in that sense, as much as they might not think they've done it in that way. And as I think, a few people, few, I'm not gonna mention their names, but a few people have actually said, well, yeah, they're going through a lot or something, it's still not a way to, you know, disclose something. Even if you think hey, yeah, I'm going through a lot, I'm, you know, stressed or anything, I'm just

gonna release these, there's no excuse to how you go about it, you know, disclosing anything, you have to do it responsibly regardless, as long as you've mentioned it to that company, and if they've ignored you after a year or something, then look at disclosing. Yeah, we go, you know, often we go, ninety days is a good time to kind of respond to this, focus, and I still think you still want to give them some advance warning, even as you go, you want to go, all right, now, as we go, well, I'll give you a month now, I've got it ready, here's the patches, are they, yeah, if you can't patch that in time, wrong time or something, give them

advance warning again, that yeah, after the elapse of time, hey, this is an issue. If you're just going straight out, well, yeah, you're breaking some laws, making a lot of issues, it's gonna cause a lot of havoc in the InfoSec community. Luckily we all follow... we can go, well, a lot of these are kind of useless, they do have some nice ones, but a lot of them, you know, they're not going to be relevant, that yeah, if it's something else it can be the same as a troubling issue. [Music]

Frameless, Microsoft, that only have so needed, and they still, thanks to release, thanks. I feel, when it's a bigger company, there is actually, as I've worked, I understand that there's a lot to go through. It's not just that they can't do it at 90 days, they can't do it at 90 days, it's just that it's troubling in that sense that hey, yeah, we're a big company, we can't just go after a bug every day, so we have to kind of create this timeline. And a lot of, you know, people like Microsoft, for example, they have actually different people who don't actually work at the same time working on the same project, so they're not all

involved in that same thing, but they are involved in how to fix it. So yeah, I believe, you know, you kind of have to give them more than 90 days, and I think we're just learning how to do it still, so even though we've said 90 days is acceptable, we've kind of learned that, and I think by now we've actually learned that 90 days is still not acceptable, we probably should look at longer times. Just like, Randall, oh yeah.

[Music]

This is here, zero-day brokerage houses, no sense I've dealt with over the past, you know, dealing with zero days. It's, it'll be dangerous now, it's actually, so most people actually shy away from doing that, just because, you know, you kind of evolve to nation-states and stuff now, and it's just, you don't want it. But you say that, but it's, you know, the seller, you know, Microsoft zero day for, you know, main Office zero day, to an East European country, and you're looking at, I mean yes, it's five figures still, it's not, it's not too much. If you were to disclose that responsibly you'd probably get, yeah, maybe a little bit less, but at least you get the

recognition and you can actually say you've done that. Because, do you really want to say hey, I've disclosed to a nation state? Probably not. And, you know, can you look at yourself, you know, you look at yourself to say, knowing that, you know, ... hacked, because, well, we know what APTs do, we know what people do when they're involved from that kind of sense, we know what's gonna happen with those zero days. Do you really want to be a security researcher who wants to disclose, yeah, to governments? They have their own departments, they have their own professionals, and, you know, they have loads of zero days. The issue is, do you

want to, you know, kind of add to that? Probably not. So it comes back to integrity in that sense. That's the first thing to say. Because I believe it's a bit of, it is, again, you do that a bit, because I believe when I do it I look at the company itself, I look at what they do, I look at their kind of founders and, you know, their age range, I go, well, then, you know, they're a small company, that startup, or, you know, they're a big company, but they're young guys, old guys, I go, I kind of build that kind of, you know, rapport. I do it for fun, I come, you

know, my clients in that sense, but I think I will still send an email to every single company that I find, I'll just go to work, because I will just go, well, you know, you still have this issue, it's how I go about disclosing it to them. I think that's, you kind of build a template around what that company does and you have to kind of profile that company and then go, I'm gonna do it in this way, because you want to make them aware in the safest way. There you go, well, they're gonna read this, you know, they're 30 or they're 50, and you want to go, well, they're gonna look at this and be like,

oh yeah, these guys are nice chaps, they're not, like, they're not gonna, you know, they don't ask you for money, they're not doing anything where, you know, they feel intimidated in that sense, you don't wanna make your clients intimidated, and that's kind of the way to do it. [Music] To answer that question, so we actually, in-house, we use a tool which we've developed which kind of scans most of our, your hunters, and they're kind of quite like shown, but we kind of do it in a sense where we have two different services and our kind of payloads, how we go about payloads, and we kind of get a nice list of companies, so

we kind of go from those, and it might take a year before we get to them, but it depends on the priority, you know, what kind of issue it is, and we go from there. But for anyone that's getting involved in it, I think, yeah, just pick a company, but pick a company that's probably involved in a bug bounty, because a bug bounty is gonna be, you know, the best way to do it, because when you're going like us, you're kind of looking for them to get you as a service, so it's actually better if you go, you know, to a pea size or something, and you go network with a company and go, well, oh

yeah, we can provide the service. It's probably not good to do what we do, where you just open email, kind of like, like a scam, and that's okay, just like hey, we found this, can you wire us that money, but it's not in that sense, it's, yeah, it's much nicer, but it's more, yeah, we can provide the service, if not we can give you our basic package. It's kind of more of a sales tactic where we have this package but we can defeat dispatch, and that's kind of the way that we kind of aim to do it.