
Um, over to you, Holly [inaudible], fantastic. Just a reminder, for those of you who have heard this already: the talk that is going on at 2:30, that I can give you no details about, the special guest. He's the kind of person who only has a first name. That talk: please do not take photographs during that talk. And a reminder, you've all already been told: red lanyards. Stop taking photos of the red lanyard people. There you go.

Also, this is not the talk that we had arranged. We did a call for papers, we asked everybody to submit, we had a reserves list, it was all going very well, and we said, what happens if somebody drops out on the day, or the day before, or something like that? And I said, I will put a talk together. And then two days ago I thought, oh, this is all going well, it's not a problem, I'll just skip my talk, I'll be out on the Bender stage. And then yesterday I got confirmation: no, you are talking. So don't worry, I had a talk, it's all prepared, but it is one of my usual talks where I'm just going to rant about things that have annoyed me about computers. So this week, things that have annoyed me about computers is this little guy. This little guy here.

So anyone who's seen Akimbo before, seen me talk before: we give foxes as a giveaway. If anyone is sitting there thinking, why are the foxes the giveaways? I'm in charge of the marketing budget, and they are cute. What further information do you need? So, if you're like a fox, how agile are you? A lot of people in this room. So we have some foxes to give away. If you want a fox, fantastic, grab them from the front, or there's some more on our stand as well.

One of the things that I wanted to do to advertise the foxes was create this little fella here that I mentioned a second ago, and I thought, oh, I need an image of a fox, and everybody's telling me that my job is going to be replaced by AI soon, so AI must be able to make me an image of a fox. My experience with AI this week has not been a good one. I went on to DALL-E, or whichever is your image-generation AI of choice, and I said: make me a fox sitting down on a white background. That's my prompt, if you'd like to recreate my frustration. And it gave me a cartoon, giant eyes, wonderful little fox, and I said, less cute, tone it down a bit, ChatGPT, it's BSides. It sent me this image, not on a white background, on like an eggshell background, an off-white background. So of course in my slides it didn't look right, it wasn't quite what it should be. "Oh, white background please." ChatGPT goes, "That is a white background." This became a ten-minute rant of me fighting ChatGPT, a freaking existential crisis by the end of it, talking about what is the fundamental underlying meaning of the word "white". I tried everything, I tried hex codes and everything, and it wouldn't work. And eventually I gave up and I said, "Transparent background," and it went, "No problem," and it regenerated the image with, you know, the grey squares for the transparent background. It wasn't transparent at all. So yeah, whoever mentioned AI earlier, I know you mentioned it, but it's been in the talk this morning as well, I don't think AI is going to replace me soon. It's certainly not going to make a freaking transparent background for me.

So for anyone who's not seen me talk before, my name's Holly Grace, I'm a penetration tester, so everything that I talk about when I approach security is talking about hacking computers. And this talk is based around some frustration I've had this week talking to customers and the way that they're approaching security, and some guidance that I'd like to give for those. And also just a little bit of a frustration: I was talking to somebody this morning, they were asking about, is there any content out there to share with people at the very early stages of getting into cyber security? Specifically what they were talking about was young people, content that can be shared with educators to try and help them grow into cyber security. And there is, and I'm not going to stand in front of you and say there's no content like that at all, because there's some good organisations putting some good stuff out there. But my God, is there some bad stuff out there as well, and my God, is there some bad guidance in general about cyber security. So whilst we do talks like this and we all talk about the cutting edge of security, and people talk about things like what I spoke about last time I was here, talking about using AI during penetration tests, cutting-edge stuff, that kind of thing, today I'm going to rant about how awful computers are, and dear God, can we stop writing terrible software.

So I was given this speaking slot, I was given very short notice to do it, and they said, we want you to do a keynote. So welcome to my talk, titled "What the [ __ ] is a keynote?" And you can imagine I'm on slide three and my plan this whole way is, I'll ask ChatGPT, it's fine, it'll help me out. But we've just done the transparent image thing, so that's not helping me at all. So I asked some friends, I said, what should I do in a keynote, what is the kind of thing that I should do? And they explained: explain how the industry has changed over the last ten years, explain how the industry might develop in the future, and inspire people for the future. So I'm going to do my best to do that. You might not leave this room thinking cyber security is great, I'm glad I'm here; you might leave this room thinking, yeah, computers are awful, aren't they? But we'll see.

So, yeah, we've spoken about AI, and AI is a fantastic thing, and in fact I spoke about AI last time I was here in terms of how we use it during penetration testing. So anyone who didn't see that talk and wants me to do encore material at the end, on how, from an offensive security point of view, we use AI: it is a fantastic tool. But the truth of the matter is it's also the worst thing in the world. Some people might have seen me post this image and similar images to LinkedIn recently. Like I said, I've been writing some training material and trying to get some of that entry-level stuff for people breaking into cyber security, and one of the things that I did was I asked ChatGPT to give me a diagram of a UK three-pin plug, and this is what it did. And I wanted to post it as a bit of a cathartic post to LinkedIn where I can get the community to rally behind me and reassure me and say, yeah, we're not quite there yet, but still, isn't AI amazing? Yeah, it didn't quite get the image that you wanted, but we're on our way to inspire the masses. And because you're all cynics, all I got was lines along the lines of "which wire's the blue wire?" And if you can't see that from the back, the blue wire is the yellow one. It's the one just above the love.

So last time I spoke about how AI was fantastic. We use AI during penetration tests to do things like data mapping. So for example, when we gain access to a network, we compromise a user account, and I want to demonstrate things like poor management of PII. AI is really good at those kinds of tasks where I can give it a screenshot, or give it an image of a passport, a utility bill, a driving licence, whatever, and say, scan the network and find me more of these. And then customers think we're magic, because they go, how did you find all of these files? Optical character recognition and some quite frankly basic artificial intelligence. So it is great, but we're not quite there yet.

The second rant, before I start talking about how we can develop things and make good in the future: we have a vulnerability management platform. When we find vulnerabilities on pentests, we put them into a nice interface. It's a bit like a ticket management system, if you've not seen our interface. Here's a vulnerability; the customer can add notes to it, they can say, right, we've fixed it in this way, or this is the approach, we can have a bit of a discussion, and then retest it and mark it as fixed. We have this. One of our customers is using this platform, and they messaged me and said, can your platform export to Excel? Yes, you press this button here and it'll give you an Excel spreadsheet. But despite being given a vulnerability management platform, there's still a whole bunch of companies out there whose risk management strategy looks like this, and this is what they present to the board. I was talking to somebody this morning about this, in fact, and their rant was not about the use of Excel, but their rant was about presenting CVSS scores to the board. That's another thing that that company does. Some people laughing out loud there, because yeah, sometimes as an industry the way that we present things in the adult room is maybe not as great as it should be.

So so far I'm absolutely raging, because it's like Tuesday at this point and somebody's asking me if I can give them all of the vulnerability information in a spreadsheet. Oh God. But I'm supposed to be here, I'm supposed to be inspiring you, and trying to wedge this slide in and be like, things aren't that bad really, there's work to be done. And I said, right, what is the problem that I'm trying to address, what is the problem that I'm trying to talk to, how do I build up to inspire things? And I thought, really, I can break this down into two things. There is good guidance out there, but good guidance is slow to get around. Like I said, I didn't want to get to the front and say there is no information out there for people in the early stages of their career, there's no information for people out there in college, pre-university, things like that, because there is. But it's slow to get around. And the sad thing is, bad guidance is constantly reinforced. And I see this all the time. I'm going to show you a couple of screenshots. One I've shown previously in talks as my usual go-to for "this is bad security guidance", but actually recently a company that I interact with, I'm not going to name them but you might recognise the screenshots, just did another example of this terrible thing. And I think this is something that a lot of companies don't try and counteract. Maybe you're putting information out there, like you have annual security awareness training or things like that, and you're telling your customers what you think is the good guidance; well, you're not necessarily realising that for the other 364 days of the year they are constantly having bad guidance reinforced. So we'll show you some of the bad guidance to prove that point, and then I will leave it as an exercise for the reader how you deal with that: how do you fight that bad guidance and make sure that your good messaging is getting through?

And I'm also going to talk about gaming outcomes. I've spoken about this previously a couple of times in the context of phishing engagements, where companies think that they are doing a good thing for security, but actually it's not. Before I get on to that, so you know what I mean about gaming your outcomes, a good example of this is if you work as a CISO and you want to get like a pay rise or a promotion, or you want to get let onto the adults' table or whatever, and you want some project that you can point at for "look how good at security I am", phishing campaigns are a great thing to do. Because what you can do is you can send an example phishing email out that is really, really well crafted, you know, it's got a good URL in there, something that would be hard to spot, it's tailored to the person that you're sending it to. You send those phishing emails around, loads of people will fall for it, because we're all humans, we all click the link, the bad thing will occur, right? Then do a security awareness training session, doesn't really matter what you say. Then send a second phishing email around that's like one of those 419 scams, where it's like, "I have won the lottery and want to share it with you, click here," and nobody will click the link. And then you can send up to the board and say, dramatic improvements in our phishing score. The worrying thing is somebody's writing that down, aren't they? It's like, that is how I'm getting my promotion. But that is what I mean about gaming outcomes. I'm going to talk a little bit more in the context of penetration testing, but it's that kind of thing that I'm talking about.

So, guidance is slow moving and there's a lot of bad guidance out there. I still come across organisations; in fact last week I was speaking to somebody who is a medical practitioner, so a non-technical role, they're working in medicine, and they were complaining that the organisation that they work for makes them reset their password every 30 days. Hopefully everybody's nodding in the audience, hopefully everyone understands that you shouldn't be enforcing password rotation, it's bad. If you've never come across this before: if you enforce rapid password rotation, all of your staff members' passwords are going to get weaker, because instead of choosing good, hard-to-remember but complex passwords, they're going to go Summer2024, Winter2024, because you're making them rotate them a lot. Or presumably that person, because they're doing it freaking every 30 days, they've probably got like Monday1, Tuesday2, because they've got to cycle them so frequently. So this is what I mean about good guidance is out there but it's slow to get around, and bad guidance is constantly reinforced.

Example number one. The NCSC has been advising against password expiry, password rotation, since 2015. That quotation is from the NCSC. So if you work for an organisation that enforces password rotation, the NCSC has been banging that drum for nine years. So that's the kind of thing I'm talking about. If this is your first time coming across this guidance, please don't do that. Sometimes there's some nuance here, and of course password rotation is trying to address a real risk. The same as password complexity, another good example of this, forcing users to use symbols and numbers in their password, that kind of thing: there is a risk that people are trying to address with that. I will just give you the short story, because I've only got 25 minutes, and it is that the bad outcome will outweigh the thing that you are trying to solve. If you do have a specific risk in mind that you think password rotation is addressing, you must balance that with the fact that that woman's password's now Wednesday3. Cool.

So, good guidance is slow to get around. The NCSC wrote that quotation that says stop doing this nine years ago, and we're still seeing it. And bad guidance is constantly reinforced. Here's my usual screenshot. This is M365, if anybody's nerdy enough to recognise it just from that little clip. I was setting up an account for a user, usually I'm doing a test account or a new team member account, those kinds of things, and I typed a really long password in there. It was a passphrase, probably nine or ten words that I typed in there originally, and the screenshot: "This password is not strong enough." Oh, okay, passphrase, there's something wrong with it. I used a password manager and I randomly generated a password. I don't know how many characters are in that password, but can we just say enough characters in that password? And "This password is not strong enough." And I'm sure, you're all cyber security professionals, right, you've realised what this is. We're going to talk about complexity here, and I'll get to that in a second. But one of the things is, a user might type a password like this thinking, maybe they've heard previously or maybe they just thought about it themselves, and they think that's what a long, secure password should look like. They think it's strong, and then Microsoft tells them that it's not. And what they take away from that is: that's not a strong password. So they try a few combinations and mess around with it, maybe they read the error message in black there, and they come up with something else. And my new staff member at Akimbo Core goes, right, I've got it, strong password according to Microsoft: Akimbo123. We all knew that was coming, right? And that's what I mean about bad guidance is constantly reinforced.

Just in case anybody's very new to this stuff and doesn't understand why that occurs: in this particular case Microsoft is enforcing complexity. Microsoft's complexity rules are you must have three of the four: uppercase, lowercase, numbers, symbols. So because that previous password is only uppercase and lowercase, it is saying it is weak. You stick a 1 on the end, it jumps to strong. So that's what we're getting at. If anyone wants to guess what the last character of my M365 password is... you're right. No, it's a digit 1. So this kind of thing. This slide has changed recently, I don't know exactly when, but it used to be Password123, and Microsoft now do flag Password1, Password123, anything like that, as weak, because it's a terrible idea based on a previously breached password, that kind of thing, passwords in previous disclosures, known weak passwords like the word "password". They're flagging something along those lines. So I changed it to Akimbo123, which is terrible. That's fine.

That is what I had prepared a week ago when I was on the "can you please be our backup speaker in case somebody drops out on the day". And then yesterday, when I'm putting my slides together, incidentally I needed to change my bank password. I'm not going to go into why that is; it's always a bad day whenever you have to do these kinds of things. Went on my banking website and I received these two error messages. Don't strain your eyes in the back, I will read them out to you. The top one says, "You've either not entered enough characters or you've entered too many." What I love there, just like exasperated sighs from the audience, it's just like, can you not work that out programmatically? Interestingly, this input in modern browsers has a maxlength parameter on the input, and it's set to 15 characters. So that should make you all cringe: don't set short maximum password lengths. You cannot enter more than 15 characters, so it can't be too many, because you've restricted the input anyway. So there's a whole bunch of guidance that I could talk about here about why maximum password lengths exist and what they should be set to and things like that. I'm not going to worry about that, you're all professionals, I think everybody's getting the message I'm getting across. The point of the slide is users are getting bad guidance constantly. If you're doing annual security awareness training, three, four times a day they're seeing error messages like this and they're struggling.

Also, the bottom one just says, "We are sorry, but the details you've entered aren't in the right format. Please check them and try again." What? So this is where I am for 20 minutes yesterday going, what? Because the only guidance they've given is your password must be six to 15 characters including both letters and numbers, and I'm looking at it going, that is between six and 15 characters, that includes letters and numbers, what is the problem here? You cannot include symbols. So my password has a symbol in it and therefore it is the incorrect format. At no point do they tell me this. So there you go, I worked this out eventually by going to that website's security guidance. I genuinely couldn't originally; I worked out after a few minutes I couldn't work out why the password wasn't being accepted. I assumed that they hadn't just blocked all symbols, I thought maybe I'd used a single quote or something and they disliked that for reasons we'll get on to. So swap in a different exclamation mark, swap in a different symbol, all that kind of thing, couldn't get anything through. I checked their guidance, and this, I swear I have not in any way manipulated this screenshot, this is a bank's guidance: "Avoid using plain words in any language because they're more vulnerable." Fair enough. "Avoid repetition and obvious sequences like [inaudible]." "Try combining two unrelated words, such as a memorable address with a car registration or birthday, not your own." "Or try combining two unrelated items, such as a memorable address with a car registration or birthday, not your own." "Avoid using plain words in any language because they're more..." What? So I'm now sitting here thinking, like, is this me? Do I need to call an ambulance? Like, what is happening? But the best part, which I neatly highlighted in the end, but I think you've all got it, is the fact that it says "avoid repetition" in the guidance twice.

So there's a few things that we could pick up from this. I could start talking about things like the NCSC recommending three random words. Hopefully everybody's come across that. If you haven't, it's worth taking a look at their idea, "Think Random", they call it, #ThinkRandom, because people hashtag things like that. I don't think so. So it's worth reading their guidance on there, updating your approach. Good article. You may or may not agree with it; reasonable adults will disagree about security guidance. But it's interesting that this bank took a different approach, and I like how they just kind of wedge "not your own" on the end there. Anyway, beating the dead horse: users constantly come across this kind of thing, and users might look at some of these resources as a certain authority on these matters. And that's the reason I picked Microsoft and an online bank for my working examples, because I'm sure in some cases, in fact it might hurt you to think this, but in some cases your users might trust their online bank's guidance more than the guidance you give them, because they hold them up on a pedestal, right? It's an authoritative source of truth.

So this is something that I think we should take away. Yes, it's really, really good to focus on the cutting edge of security, and Lancaster University were here a minute ago talking about why you should fund research, and you definitely should do that, and it's great to look at the cutting edge. But don't forget those early-stage things. So don't forget people who are in education still, or young people who are trying to get good guidance on just how on Earth do they stay safe online. Somebody mentioned to me this morning they have children and their children are really starting to get into video games now. They are very young and they're saying, like, oh, we want to play COD and things like that, and they're like, you're like six years old, why do you want to play that? And they are, as an individual, struggling with that, not only because is COD appropriate, I think many people would say not, but also there's a whole bunch of other games that this person themselves has not heard of. So they're like, you can imagine the adult Googling like, "what is a Minecraft". A small typo in that search can get you a whole different world, can't it? Two people laughed, and you should feel bad. But that's my point: if the adults themselves don't know, then of course we have some problems here. So yes, look at the cutting-edge research, yes, I can talk about AI, I can rant about my little fox, I can talk about SQL injection, I could talk about whatever you want, but there's a gap, I think, in the industry. The guidance exists but for some reason we're not getting it out there.

And then the last rant, in the, I think, four minutes that I've got left, is another thing that a customer mentioned to me recently. A customer requested a pentest, and it was all just normal, we got through the standard stages: an internal infrastructure pentest, they say come on site, try and hack our network, find as many vulnerabilities as you can, write a nice report. That's great, I love internal infrastructure assessments. Although I'm generally a web application specialist, internal infrastructure assessments are brilliant, because very often there's just something somewhere that's bad. Recent example: a couple of weeks ago I was doing an internal infrastructure test and the customer had backed up their virtual servers to a network share, and the network share was unprotected; any domain user could access that network share. So just a brilliant example, because I get there at 9:30 in the morning, I find this folder just full of VMDKs, it's just virtual machine hard disks, and I'm like, I am going to hack them. But the problem is these files are 100 gig each, so I am going to hack them in, download, three and a half hours. And that was obviously... I go and I do my port scans, I do my network mapping, I carry on with the pentest, but that was the way in. It was three and a half hours later I downloaded a 100 gig server disk, mounted it and pulled the hashes out of it. So that was brilliant.

So sometimes, you know, like internal infrastructure assessments are great, but in this particular case, in the two minutes that I've got, the customer wanted it to be delivered without the knowledge of the IT team, and it was time-limited to a single day. That aspect was time-limited to a single day, so for clarity, you know, a week-long engagement or something like that, I don't remember, and for the first day of the engagement they wanted to bring me into the company as if I was like a new starter, hide me away somewhere in an office and see what I can access. This actually turned out to be a really interesting engagement, and they did in this instance get good value from it, but I think everybody's worked out there is a problem there, because there is a strong distinction between a pentest and a red team engagement.

If you're not familiar with this stuff, if you don't look at the offensive security stuff very much, I will very quickly summarise it for you. Generally speaking, in a penetration test it's a scope-limited engagement, so something like, please come to our office and test our internal network. It's time-limited, something like, spend five days doing it. And we're not trying to be stealthy, we're not trying to hide from the team, we are trying to find as many vulnerabilities as we can as quickly as we can, because time is money, right? They just want the efficiency. What they're trying to get out of the engagement is find as many vulnerabilities as possible so they can fix them. There is a different engagement, known as a red team, for very mature organisations, where they're not assessing particularly the system security, they are assessing their organisation's ability to respond to an attack. So there's a blue team out there, what we might call the SOC team, and I'm trying to not only hack them but I'm trying to do it without being detected. Very, very different approach. From my point of view, I'm going to go slower, I'm going to be stealthier, everything's going to be dragged out. You're not doing a red team in one day. And this is what I mean about gaming your outcomes. That company had a particular reason for this, and it worked out well in their instance, but quite often customers, they get a little excited with pentests and stuff like that and they want it to be a bit more like it is in the movies. And sadly, although my day job, I think, is the coolest job in the world, it's not quite like 1995's Hackers movie with Angelina Jolie. And so be very, very careful when you're asking testers to do these kinds of things.

I'll just quickly summarise what you should be doing instead. It is a good thing to tell the tester [inaudible]; it is a good idea to let the tester know what you're concerned about, or share with the tester the areas that you particularly think are concerning. And it's completely fine to be thinking about the differences between, are we looking for as many vulnerabilities as possible, or are we assessing our ability to respond, that kind of thing. That is a good thing. But be careful not to limit the tester in a way that is unrealistic, and you ain't getting a red team in one day, and that doesn't mean you get a report at the end that says, "We passed a red team, they couldn't hack us," because you gave me freaking seven and a half hours to do it. Any questions? Thank you.
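The complexity trap described in the talk (a long passphrase rejected, the org name plus "123" accepted) is easy to reproduce in code. The following is an added example, not part of the talk and not code from Microsoft, the NCSC or any bank mentioned: it puts a "three of four character classes" rule beside a length-first rule with a deny list, which is the shape of the NCSC guidance the speaker cites. The org word "Akimbo", the deny list entries, the seasonal and weekday stems, and the minimum lengths are all constructed for illustration.

```python
"""Two password-acceptance policies side by side.

Added example, not part of the talk. It contrasts the "three of four
character classes" complexity rule the speaker describes with a
length-plus-deny-list rule in the spirit of the NCSC guidance the talk
cites. The org word "Akimbo" and every list entry below are constructed
for illustration, not taken from any real breach corpus.
"""
import re
from typing import Iterable

# One regex per character class used by the complexity rule.
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed deny list: a stand-in for a real breached-password list.
DENY_LIST = {"password", "password1", "password123", "qwerty", "letmein", "123456"}

# Predictable stems that 30-day rotation pushes users towards (Summer2024, Wednesday3).
PREDICTABLE_STEMS = {
    "spring", "summer", "autumn", "winter",
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
}


def complexity_rule(password: str, min_length: int = 8, classes_required: int = 3) -> bool:
    """Classic complexity policy: minimum length plus N of the 4 character classes.
    A 28-character lower-case passphrase fails; 'Akimbo123' passes."""
    if len(password) < min_length:
        return False
    present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    return present >= classes_required


def _stem(password: str) -> str:
    """Lower-case the password and strip the trailing digits/symbols users
    bolt on to satisfy complexity ('Akimbo2024!!' -> 'akimbo')."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def length_and_denylist_rule(password: str, min_length: int = 12,
                             org_words: Iterable[str] = ()) -> bool:
    """Length-first policy with no composition rules: reject short passwords,
    known-bad passwords, and org/seasonal/weekday stems with a suffix."""
    if len(password) < min_length:
        return False
    blocked = DENY_LIST | PREDICTABLE_STEMS | {w.lower() for w in org_words}
    return password.lower() not in blocked and _stem(password) not in blocked


def compare(password: str, org_words: Iterable[str] = ()) -> dict:
    """Return both verdicts so the perverse cases are easy to spot."""
    return {
        "complexity": complexity_rule(password),
        "length_denylist": length_and_denylist_rule(password, org_words=org_words),
    }


if __name__ == "__main__":
    # Constructed samples: the passphrase from the talk's scenario, the new
    # starter's "fix", a rotation victim, and something both rules accept.
    samples = [
        "correct horse battery staple",
        "Akimbo123",
        "Akimbo2024!!",
        "Wednesday3",
        "Password123456",
        "Correct-Horse-Battery-9",
    ]
    for pw in samples:
        print(f"{pw!r:34} {compare(pw, org_words=['Akimbo'])}")
```

Running it shows the inversion the talk complains about: the complexity rule rejects the passphrase (only two character classes) and accepts "Akimbo123", "Akimbo2024!!" and "Password123456", while the length-first rule does the opposite. The `_stem` step matters because a deny list that only matches whole strings misses the suffix habit ("Password1", "Akimbo123") that complexity rules train into users.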