
BSides Warsaw 2018: Speakers of Security BSides Warsaw 2018

BSides Warsaw · 2018 · 1:28:33 · 1.1K views · Published 2018-10

This is a bit of a free American. It turned out that we don't have many microphones, so I will take over this microphone. And if you have a question, raise your hand and shout it out. Yes, we will repeat them in case of need. I will also remind you that people on the stream can ask questions. But since this is one big improvisation, so if there is a question, let me know that someone is asking something. Adam has a microphone, so let's all introduce ourselves quickly. Adam.

Too complicated? Because we have it the other way around. Oh, too complicated. Never mind, never mind. It doesn't matter. It was a joke, never mind. Borys. Adam. Wojtek. And I'm not drinking anymore, right? We support you. I wanted to add that as experts we have over 100 years of experience in IT security. And if you have any question, any one, we promise to answer each one. Each one? Each one. Each one? I didn't say it's honest. You didn't say it's honest. Okay. I'll see my... Oh, here's

a question. Here you go. Who wrote it? How many exploits did you write in your life? One. It was a long time ago. I don't remember anything. I don't remember. Maybe three. Can we change the person in the panel? Is it too late? More than zero. And less than? Less than zero too. More than Borys. Ok, a very interesting question from the stream to Borys: Why didn't you present the presentation of redteaming in Poland? For those who don't know the topic, I've presented the topic of redteaming in Poland nine times in one year. I wanted to test a theory, whether it is possible to present one topic that sounds cool and exotic in most of the conferences Very highly rated and performing the

same. You can, I confirmed the thesis. Never do it again, because it's very tiring and boring for the third time. And yes, for the next few years we will be joking about red teaming in Poland. We thought whether to do red teaming in Poland part two or abroad. Red teaming in Hungary. What is interesting in all this is that last year Borys spoke about it And it was the 8th time. And for some reason, the 8th video from YouTube has... I don't know... 10,000 views, thumbs up, so... It's not my botnet, really. One second, because someone on the stream... I just wanted to add something to what Borys said. If you want to show a presentation 67 times, then show

it 67 times, because someone will always come and see it, and if they don't want to, they don't come. And really, I know a lot of people who showed great presentations, they showed them once and never again, no one has recorded it and you can't see it anywhere. Well, it's a pity, it's really a pity, show them. I, for example, have never seen red teaming in Poland. There are at least 5 conferences on YouTube, so don't worry. Attention, I'm going to say something because you're running away from the topic. The question is why don't you look at the chat, so we do. And I would like to, because there was a question from the typical series,

why did you deal with security? Only in two sentences, because... Well, no. Most of us... You're too young, you're in the middle. For money. These three, I can answer for them, it was for fun 11 years ago, and then there were some other penalties in our system, no one took care of it. Other or no? Or lack of knowledge of how to race? It was more structured than today. 20 years ago there were not so many books, tutorials, movies on YouTube, how to become a hacker. And there was no malware, there were viruses. Yes, those were different times and I think people just wanted to have fun, to develop, it was interesting. Of course, everything we did was legal,

I'm just joking. 20 years ago, when someone entered this industry, it usually started... There was no bug bounty. There were no wargames. There was no bug bounty, no CTFs, no industry, no commercialization of all these services. And then, of course, everything was for fun. That's how it started. Today people ask questions: Who should I be in security? What position should I go to? Should I go to the web, mobile, infrastructure, awareness, physical safety, virus analysis? There are many of them today. Nobody asked such questions then. People were just having fun. They were enthusiasts and that's it. And over the years it all changed a bit. And that's it. Do you have other experiences? But what about the younger

generation? What did this generation think? This generation of 15-16 years old? Your first Windows was? 95? Exactly. I got a computer from my grandfather. So I had 10. Anyway, about my beginnings, I understand that I have to continue the question. Yes, yes, yes. Thank you. To be honest, it started with this, maybe I'll bring the microphone closer, when I got my computer for the Communion, my parents put a password on my BIOS and I pulled out the battery to restart the BIOS, to remove the password, and then it just stayed like that. And I still pull out the battery. There is a question that I cannot skip. I will change it a bit, because I think it is not

appropriate. How many encyclopedic Polish hackers do you know? We greet our colleague Adam Ziaje from this place. And that's probably all about anger. We have been promising ourselves for many years that we are not to joke with our colleague every conference. But it is very difficult. After so many years, as we know each other, we make jokes practically every conference. And no matter if we are from competition or similar companies, there are many such jokes. And this is probably the coolest thing, that in our society, despite the fact that we sometimes compete, We can afford it. In my opinion it's great that after so many years I can still say that Adam is bald, you are fat, I'm talking about reteaming, you drink alcohol, and it's

still a hope that maybe something will come of it. That's it. The question is for me: is it Ruch or GKS? Of course GKS. The question is for Adam: do you want to buy Opla? No, not Tychy, of course Katowice. There is a question for Adam and Borys: do you want to buy Opla? The whole company? It will be revealed in a moment. Borys, why are you wearing a white hat today? I wanted to verify something. I bought a hat two days ago, a hat, on vacation and I wanted to check who... Bad, right? I can't, sorry. What? What? Did something change? I wanted to verify who knows... Did something change? ...that it's white hat. You're asking in what

context? In life, in general. A lot of sun. And that's why you need a hat. I came up with an idea a few days ago to shave my head with a razor. Don't do it like you never did before. Spontaneously. And then I bought a hat. There is also a question from the typical series. What system do you use? Attention! Windows, Linux, Mac. I'm saying that there is no FreeBSD here. If how, then how and why? That's literally the question. I'm being absolutely serious here. I've been explaining some Linux tutorials on Windows all my life, but recently I bought Mac, installed MacOS, installed Parallels and installed Windows. So all your life on the run. Adam

bought a Mac and then for two months complained that he can't move from XPS, so something else from this Windows remained. I use Windows because I work on this system, I do various strange things. Previously, some Linux was still running, sometimes I touch some Mac OS, now it is called Mac OS, but SX. Previously, Commodore 64, Amiga, Workbench, something. I would sell you a Kuksańca, because I had Atari, and you had a Commodore. Me too, but we can exclude him from the panel at the moment. I would like to. It's not appropriate to sit next to a fan of the Commodore. Commodore-er, Val's gum-er. I remember Linux from the account, but I have a joke, and it's funny that I use Windows Besides that we rarely use

it in our work, because we do something with malware etc. We use it for updating and presentation. These are two things that I usually use from Windows. Why? Because I started using Linux in my console. And I think that the one who uses Linux knows that it gives a sense of control and freedom. When you are 15 years old, For wargroups. Oh, you've infected me with that Amiga! Sorry. For WarGrobs, yes, of course. That's it. But we can go further now. To see if Windows or Linux is safer. And then it will be fun. I think we should both go. It will be complicated, but I work at Solaris, because only Spark works properly there.

Interesting. Ok, then... It's hard to comment on it. Wojtek? Ok, so I worked on Linux most of my life, but then I needed to have Office and I switched to Mac. Ok, a question from the audience.

I have an answer. I wanted to say not to start, because it really destroys lives. How to start? Maybe I'll think about it, because I started in a different time, which I don't want to boast about, but Wojtek is so young that he doesn't remember times without wargames and bug bounties. From my perspective, 15 or more years ago, it was impossible to read everything that appeared on the Internet. I tried to understand it, and one day I noticed that people from the district knew a little less about me. And that was it. So, for me it was more or less like that. Apart from the episodes I don't want to boast about. And Wojtek? You know what, generally, as Borys mentioned, security has spread

very widely, so you have to find at least what you want to start with. We are talking about you, but to younger people. You are also a bit of a smart old man. Okay, so if someone wants to be a malware user, it's a completely different way than someone who wants to be a web user. So if someone wants to be a web user and test web applications or mobile, then in my opinion, they should start with the basics, i.e. start programming in these technologies. And then, I think, general safety, i.e. reading various internet portals, but there are also various interesting pages that allow you to get more involved in this security, such as Pentester Lab, You have to buy

an account there, but when you buy it, it's not an ad here, but generally we have the whole course, the tax machine and it's very easy for us in the configuration and we can Of course there are many alternatives, but generally just practice, practice, practice and know the technology in which we want to specialize from the beginning. I see that Adam is here, is he? Adam Świerzbireńka. I wanted to tell you how I started, because it was funny. I just remembered that the website of G2L has a wide range of information on this topic. You can easily find it. And without advertising. Everything. Of course, this is not an advertisement of G2L. I recommend that

you start with security. This is how my story looked like. I went to a small company because I wanted to be a programmer there. But I've mistaken the number of my phone that I use for my CV. And the person who worked there, I had a security team and they said I'm a great hacker because I can do something funny with my phones. And that's how I started working in security. So you can make a mistake in your CV and it will work. As Borys said, we are a bit older and had less opportunities to reach some sources, so we were using some BBS, sitting for many hours on IRC, and we were exchanging views and materials.

You too. I think it's much easier now and you really have to want to start with security. You have to read the trusted third party, interesting articles appear, the Internet is full of tutorials of all kinds. So now it's much easier and anyone can do it at any time. You just have to want to get a hold of it. I will say it a bit provocatively: if you have to ask a question about what to do to take care of security, then do something else. It's about wanting and knowing how to do it. You need to know how to look for information, find solutions, solve problems on your own. Of course, if you have a

problem and you come to someone from the industry, they will probably tell you. I think everyone here is nodding their heads. If you agree to them, they will help you. Because people in this industry are quite friendly. But start on your own. You have to start on your own, you have to start looking. Marc is also friendly sometimes. For some. Really, try it yourself. Just like the classic said: if you want to do something cool in your life, just start doing it. There are a million of tutorials, a million of pages, you can start from writing in Google how to start in security and it works. Google will show you some cool proposals step by

step. It's a bit off, but the most important thing is wanting. Because the fact that you don't have knowledge, experience, you don't know today if it will be malware, web, OSINT or anything else, it doesn't matter at all. The most important thing is whether you will be able to devote yourself to it to 150% or whether you will have an excuse every day that "today is a party, tomorrow I will go to the cinema and say something about it". And this is something that I think is nice to characterize people whom we try to accept for ourselves, for work. People who want to learn, who have open minds And they don't know if they will

drift in the other direction or in the other topic in half a year. But they want to be with themselves and you can see it. And this is a key to the character of a person who will be great in security. You can also go to the security department, you know, go to the corporation. And in every other industry, really. Yes, of course. But I'm talking about what is close to us. Question? No, no, I'm not answering. No, no, no, I'm not answering. I don't agree with this question, because I've already answered it. And there's no point in wasting time on searching for information on your own. It's much better to sign up for a

course, even if it's on a private university, and let yourself be taught. That's the first thing. And the second thing is to find a mentor. Okay, so... And that's what this topic is about. Sure. You can always find the course on your own. Sure. Let's put a dot here, as a short summary for people watching the stream. In short, it is not worth wasting time on what is already discovered and it is better to learn it from a book or a course, because why would you want to open the door? And if you want to speed it up even more, find a mentor, that is, a person who will take care of you and show you where to go. Here is the question.

Let's listen. To the right... It's a bit sad to be the left Adam. I'm tolerant. Adam, the right one is on my right. Sure. Thanks. Your presentation will be about the "Squirrel"... and I hope that one day I will be able to publish it. A question for the people on the stream. We will repeat that the question was whether Adam's presentation will appear on the Internet after some time. I would like to add a

little bit of a kick to the abyss when it comes to starting. Today, young people lack the element of madness and rebellion. Our friends, not us, had a way of writing the most fun on the website of a bad word or picture. So I will ask: where are those hackers? And why there are no defaces anymore? There are defaces all the time. Why are there no defaces like they used to be? It's hard to say. Maybe people have matured a little bit. They went to work. And there are no such conditions anymore. We were raised in Irkutsk, it was a novelty for us, we tried everything. Now there is no such thing. In those beautiful

times, it was easier to add a word to a code than to add a piece of code that Monero would dig. Or some other hashcoins, litecoins, slucoins, beercoins, any coins that generate real income. The answer is that the economy has changed a bit and the culture. A little bit, but such things are still happening. Maybe someone knows the situation on Confidence with Bob Budownicz? Oh, indeed. You know it. If someone doesn't know it, I've just made an attack on the Confidence website and on my blog there is a whole write-up, how it was and the context of why I presented with Bob Budownicz's helmet. So I invite everyone. OK. And here's a question, maybe for Mac: "What is the most interesting and

most difficult exploitation during the pentest?" I've never done a pentest. During the CTF. CTF, the most difficult exploitation, damn, I don't remember. I think it was some browser on a very strange operating system, QNX, I guess? Something like that. QNX, right? I think so. Are there any questions from the audience? Here is a question. The question is: when did you start having different passwords for different services and how old were you? Why did you assume that we started? Why? Someone will get the data anyway. I can say from my perspective that it has probably changed over the last ten years. It's hard to say that it was just one moment. Consciousness is growing. When you

are in the industry and you deal with security and you read about incidents, you are getting more and more scared, it is getting harder for you to sleep. because you worry about all the data that needs to be secured. And over time you realize what is more important for you, what is less important. And it's probably hard to tell everyone that it was there, how it was so many years ago. Probably to this day, some password in some service that I set up 20 years ago will be, and I will tell you later what it is, and it is very simple. Because I used it 20 years ago and I don't even know to this day that I don't remember this from the service where it is, it

comes with time. You do a risk analysis and learn all this. But I don't know, do you have a moment to say that wow, now you saw that they hacked Facebook, Google or RSA, then suddenly you say to yourself: "Oh, I'll start changing the password from now on"? I don't think so. At least that's how I feel. Yes, of course. The question is when we started using the password managers, which one is the password manager and why is it a .txt file, which is an encrypted GPG and you always have to decode it, then you have to copy it and why is it all so complicated that you can't use it. Okay, is there anything else in security that surprises you? I mean,

you read the news and think about me. Blockchain. Blockchain. Blockchain. Dark blockchain in the cloud. Machine learning and AI. I'm always surprised by the creativity of criminals. I've been observing them for so many years and every time a new attack appears, I say: "I would never have thought of that." And they came up with it. It's probably a matter of motivation. I would rather not to tell. I have this problem that for 16 years reading about technical errors we have seen a lot. With Mateusz we saw a lot on pen tests. Reading we saw a lot and it's getting harder and harder to surprise us. There are some little things happening, but these are some mutations of what has

already been. And in fact, this is a problem when you sit in the industry for 20 years, that it is a little more commonplace. Of course, we can take off our hats and say: "Wow, someone did an amazing job!" Because they came up with a way to bypass seven safety mechanisms and connect them to one big error that leads to something. But it's definitely a bit more difficult for us. and say: "Wow, this is something amazing, this technique of avoiding security is so great". What do young people think? I am always surprised how much the marketing department can do good research, publishing nonsense and blog posts that have no truth. I am not surprised in general,

judging by the statements, when something new, very technical appears, and it is completely different from what we have seen so far, then I am sure that it will surprise me. But what surprises me even more is when I see the programming that has been created, let's say, in the last five years, and there are bugs that are 30 years old, almost like Zipperdown, for example. Okay, a question for Adam Prawej. Did you visit... Just a second, because this question cannot wait any longer. Did you visit Thomas in prison? Unfortunately, during the arrest, when the charges have not yet been filed, there are no visits. However, I was sitting in the room where the arrest took

place, so I was next to him, I saw him, he has very nice dresses. Are these original dresses or provided by our beautiful country? They were probably private, although they did not look original. What surprises me is that I have a bit like Borys, that I rarely see something that makes my heart beat faster, but this year at least Meltdown and Spectre were... something that made me print out the manuals and sewed them up for a few days and analyzed them. So I still get something like that. And the question again from the category "old but bright" Do you remember your first identified error or exploit? I've never found anything. I don't remember. Old old man. Sorry, I don't remember. It

was so long ago that we have a problem with it. It was so long ago that it started to mix. And it's not the first time that you remember him, at least I think so. At least if it's not about me. Or you don't want to. It can happen that the brain doesn't remember it. I don't remember it either. It was something funny from today's perspective. And back then it was the best thing in the world. Four nights spent on research. and it's an incredible satisfaction. Today, from the perspective of the audience, it's something different. Therefore, the attitude towards what happened 12 years ago is probably pointless. There is a question for the colleagues from Allegro about the

Christmas ad. About what? Exploits? Really? No sense. The question is here. The question is: how do you assess the reality of the Bloomberg revelation? I mean, I don't know anything about it and it's hard to say anything decisive, but if someone writes about something and there is no evidence for it, apart from anonymous statements of 17 sources, I wouldn't write. Especially since those journalists wrote about various nonsense before, such as the pipeline in Turkey was blown up by a camera, and these cameras were mounted just after the pipeline was blown up. So Bloomberg has no good history here. The likelihood that such implants exist is. The documentation stolen by Snowden shows that the Americans did such things, so it should be

considered that the Russians, the Chinese and everyone else do it. It's possible that someone found something, didn't understand something and then made a fake article. So these things exist and it's hard to hide. But probably this article was a mix of facts, assumptions and completely fictional stories. I agree with what Adam said. I agree with what Adam said. You all agree. I agree with what Borys said. It's hard, you're not sitting here. Louder, louder. Okay, a friend showed proof that it's not true for everyone because he doesn't do it. So he actually broke your argument. I think that if we can add, we have to expect everything today. Everything is possible. When we have a billion dollar budget, then... Okay, so have fun for a while

in Marketing Ghosts and come up with the worst I will show you the name for the worst mistake. There was a mistake, and I will find it here. Before you find it, I can... because there is a company that is engaged in informing them that you have a mistake, they will come up with a website, a name, they will record music, a video. You can, you can. I assume that you will show yourself on the letter A, right? Yes, but... But it is already come up, but I think it would win. That's what I think in this competition. I will move the viewer here for a moment. Well, if someone... If someone remembers Heartbleed, then some joker on the

Internet changed the logo and made a real mistake, which was called Analbleed. And this is the logo. Very nice, by the way. The mistake was in the Open Lightspeed server, something like that. And it was probably... Some use after free, something like that. Probably. Yes. OK, let's hide it. Questions from the audience.

I used to forget to add some letters in the code when I was doing a pseudo-pentest in a certain institution and I turned off firewalls in the whole network because they were falling. Oops. Tomato. You broke it. You gave a nice example, for example brute-forcing. I understand that from my experience, brute-forcing an account in the whole organization, for example, to AD, where there are 400 accounts. You go out for dinner, you start Metasploit, there is a fire, madness, and suddenly there is a phone. Why did it stop working in the middle of the company? My colleagues told me from competition that they do such things. I understand that it was also the case with you.

We would never allow such a situation in our lives. We accept almost every package that goes to the Internet or to the client's network. There is a stamp, there must be an analysis, and what will happen if ... This is a question that is answered in the backstage, not to everyone. There are cases, as you say, different, sometimes smaller, sometimes larger. This is a risk of penetration tests. This is what you always communicate to the client, that everything can happen. And because of that, I haven't finished yet. And because of that, it may happen that for example 300 accounts will be blocked or some department will react in a very extreme way to some phishing campaign, for example, and miracles may happen. It may also happen that during the

physical entry, during such security tests, you may get in the teeth. And these are the procedures that are in place, right? The question about legal problems, that someone reacted too quickly and started a legal machine. Sometimes such a situation can happen, I say that it can happen, that someone could have it. where sometimes it's too fast for it to work and then you have to undo it and that's why in the test process at the beginning communication channels are very important, setting the range, what is possible, what is not possible, etc. - Tell me how many days you spent in prison. Because the police came and you said: "I do pen tests here". - But in days or months? How will you simplify it?

In the months. In Mendejsa. It's interesting how many of you had... You're not young, but how many of you had cases... I don't think anyone ever had any, no one ever had any sentence in their life. No one ever... Although you're getting red, terribly red. It's warm. No one of us had such adventures. I once had such a situation when I was called to witness. At 6 am, the gentlemen came and searched the whole apartment. Someone said that he could write on the keyboard with 10 fingers and he didn't have to look at the keyboard. Therefore, there is a high probability that I don't know, I sold them on Allegro. But those were prehistoric times. Yes,

those were dinosaurs. They came on horses, right? Yes, yes. Pretorian. Do you want to add something? Which question? The first one is about OpenTest? I can only say that it's worth having limits for sending SMS notifications sometimes. Or setting appropriate parameters. Sorry. If you do a pen test and you know that there is a call center on the other side or a customer service office that receives messages or emails, it is also worth, if it is not such a red teaming that the company knows nothing, to tell the company again: "Listen, let your party know that suddenly during the day you will get 200,000 strange emails with curses, because they may be very surprised." It is definitely worth taking care of

it. And you had premium SMS? Or normal ones? Only 10,000 came out and everyone was surprised because you had to pay more than 10,000. Adam, do you want to add something? Have you ever been hacked? Or your website, mail, anything? If so, how long have you been doing this? I will admit that I used to write a pretty cool CMS portal, I did it without any books and self-study. At that time I did not yet know what SQL injection was. I remember that after many months of work and collecting materials on CMS someone dropped the database, unfortunately I had no backups, so the whole portal went, so to speak... And your career as a programmer ended. And then I started to deal with security. I

can admit that it was a million years ago. Does anyone else want to admit? This will not be my story, but I heard that a friend from twenty-some years ago had a trojan called NetBus. And Prosiak. And he found a computer of a man who attacked him on the Internet and logged in to this NetBus, because there was such an exploit for NetBus that you could enter without a password. And he saw that the other one was hacking another computer at the same time and it turned out that the other one was clicking on "open CD" and the person who was looking at it opened the CD and it turned out

that when he was analyzing the Netbus he installed it at home and they both hacked each other so that they could open the CD together and communicate by force. I didn't like that at all. I have an account on Yahoo, so you know. Questions? There is a question. The question is from the category: "Is cyberwar and cyberarmy science fiction or reality?" Adam. There is a book called "Cleave the Table, the Cuckoo's Nest" or something like that. This is a description of how the administrator of the university network in the United States in 1987 or 1988 noticed strange connections to his modems and was very involved and began to be interested in it. He looked at what was going on there and saw

that some people from Russia were connecting through these modems, through German servers, they entered his university and from this university they connect with the servers of the American army and download documentation of the armed systems from there. It was 1987. Just imagine what has happened since then. It is happening on a huge scale, for huge money, in Poland not so much. It depends on how we look at it, because when they join our systems, we can say that we are taking part in cyber wars. I wouldn't call it a war, it's just a regular spy operation, nothing different from carrying out documents that have been going on for hundreds of years.

Do you want to say something? It sounds good, so we can say cyberwar. Spam Nation. Blackout. It's a story about what would happen if hackers attacked power plants in Europe. It's interesting because most of these things can happen. I didn't mean to be so drastic, so as not to scare you. It happens. It doesn't happen in the sense that they haven't completely shut down Europe yet, but in the sense of taking over critical infrastructure, it is happening. I think Blackout is a nice story. It's really great, going back to the cyberwar, to realize what it looks like; there is "Countdown to Zero Day" by Kim Zetter, talking about what Stuxnet looked like, what the preparation for it looked like, then the analysis, and the whole environment of what was happening in the power plant. From the popular science ones, my friends have already said: Spam Nation, Brian Krebs, a fantastic story of spammers and stores. Imagine that all the advertisements you got that you can buy cheap Viagra, they really sold Viagra. It's not that they wanted to take credit card data from you, but there were really pharmacies that really sent it. It was not original, but it was exactly sildenafil and it worked exactly as it should, so you had so many chances to buy and you didn't use them. The prices were good. Fantastic story of two groups that stood behind it and competed with each other. And Kim Zetter's "Countdown to Zero Day" as a book about Stuxnet. Anyone who is not even an IT person can read it and understand it. The story is fascinating. And what I said about Cliff Stoll, "The Hedgehog's Nest" or something like that. As Borys said, Blackout is a great book, I recommend it. And when it comes to literature, I recommend watching the whole archive of films from DEFCON. There are really some extra things. As for case studies, I recommend the presentation of Retrieving in Poland. I had to. I had to. I'm sorry. As far as Poncki's books are concerned, all of Mitnick's books read like an adventure. Zalewski's books are not as pleasant to read as Mitnick's, that's my personal opinion. They are sometimes a bit more technical, and in the question they were not very technical, but they also open the eyes of course. Zalewski, Mitnick; Mitnick my mother can read and she will like it.

Ok, a question from the top of my head. I was supposed to have a presentation about quantum cryptography. Do you think we need quantum cryptography or is the problem of security usually somewhere else? And if so, where is the problem usually, from your practice? There are definitely places that need modern solutions, but most places need very basic solutions. It's like you're announcing a bug bounty while your web application hasn't had any code yet or you haven't done any pentest. You have to do it one by one. There is certainly a moment at the stage of maturity of an organization or service where quantum cryptography is considered, because we have an opponent who has probably already developed the current cryptography, but it is somewhere very far and on the list of goals of 10 organizations around the world. So before we get excited about super advanced problems such as blockchains and quanta, it is better to deal with those that have not been solved for 30 years, such as SQL injection. Or passwords. And phishing. And spam. I don't have anything to add, because as you said, for over 20 years we've been trying to solve problems that we don't solve on purpose. We have passwords and we thought, "Okay, let's make password managers." Wow. And it's a revolution and it completely changed the perception, because one per mille of users in the world knows what a password manager is and half of them can... So, updates and 2FA solve 99% of user problems? Yes, but I would like to go back and develop a bit. Now I noticed a tendency that buzzwords are used to address trivial problems, and blockchain is a buzzword. There will be more and more of it. We, as security people, cannot listen to it. If someone knows how to mute blockchain on LinkedIn, I will ask for help, because I can't do it.

Maybe there is a place for a plug. Imagine that I have an average company, a food company. Does my company need juice? Through SOC? Not necessarily orange juice? I remember years ago, in a grocery store, my friend was working and he had a payment card terminal. He came to me and said: "I got a form, I have to fill it out and they ask me about PCI DSS. I have to do penetration tests and what do I have to write there?" It's a bit of a twist, but you have to remember that security is for business and unfortunately these security solutions must always be adapted to what you have in your company, what you can afford, and you must be careful not to lead to the situation that you spend billions on security and at this point your business stops working because users will have four tokens, six firewalls and they will have to blink their eyes in a certain way to be able to access CRM applications. It's like my post office. I'm standing at the window and the lady says: "Oh, it logged me out because it's such a short time and I have to re-log." It logs out after 3-4 minutes. The queue is long and it's super safe at this point because it wasn't clicked for a few minutes and therefore the system is super safe, but its activity is very poor. Remember that security is always a bit on the side; even though we are in security and we would like it to be the most important thing in the world, it is not like that at all. And does every company need juice, especially a small grocery store? I would say not necessarily. There is a universal answer to most security issues and it sounds like "it depends". If the grocery store were huge and had critical infrastructure in the context of the new law, it would be clear that it should have a SOC. There is no SOC anymore, but there are some other names, because SOC is too small. Fusion Center. The question is about juice. We have a trade ban on Sundays, and that is why the first autonomous grocery store was created in Poland. We are implementing newer and newer technologies for grocery stores, and this also opens some attack vectors. If we could do something with a QR code, there is a risk of attack, but we also have to think about the effects of using it and how many people will want to attack us. And as Borys said, it all depends. We have to do some things. A friend has a question here.

Oh, listen. It's thick. It's thick. I saw this news, I saw that people said that this proof has a lot of mistakes. The question is whether the Riemann hypothesis has implications for... I have no idea, because I don't remember what the Riemann hypothesis was. I remember that it is a very difficult problem and very unsolvable. At least for now. And whether it was a legitimate proof, I don't know, I haven't looked at it any more. But thanks for the information, I have to see.

The question is controversial. Do you think that introducing... Is it a good idea or a bad idea to punish for making mistakes in programming? Maybe not punish, but there has to be some form of responsibility for something like that. I don't know, in software houses or in the companies that create software for a living, it's more or less like that. On the other hand, solving problems is not entirely in our interest, because if we solve everything, we won't have any work. Isn't it a bit like it would kill open source? Because everyone would be afraid that there is a bug in the patch and someone will drag them to responsibility. I'm a bit afraid of such a solution. I've seen so many things in security that it would be hard to define that such a class of errors in security is actually a mistake on our part. What if someone came up with a combination of two trivial things and made a security error out of it? Would we be able to define in a legal formula where the security error begins and ends? It would be very difficult, I think. The idea is interesting, but very difficult to implement. And usually it ends with a case in court and a discussion. So you would like to penalize people who do not check the inputs, right? And now the question is how much do they make it work? Listen, we're going to very dangerous areas. We can go down low. Are they whitelisting or blacklisting? Are they doing it only on the API side? Or on the web application side? Or on the third-party services side? This is how open source works in most cases. I would reverse it a bit. Yes, that's how it is with most licenses. When you look at a license, for example... You haven't been reading flyers for a long time. To abstract from open source, which is a broader topic, I would like to reverse it a bit. Let's assume that there is a company that has a software house that does programming for it. And here the law orders reporting and there are penalties for not reporting incidents related to software, holes, etc. This pressure has been transferred to companies that use this software to manage it, and these have mechanisms, civil-law agreements, etc. for their developers. Here, agreements between entities should also have penalties or an SLA for fixing various penalties. I will give you examples from my life. We do penetration tests, usually web applications. After the penetration test, we report the errors, the client fixes them. We check if he fixed them correctly. There are sometimes several companies on the way. There is a client who bought software from a software house. He would like the software house to fix it. The report contains 80 errors, 20 of which are critical errors. He wants to fix them quickly. But the software house says: "Wait, wait, do we have a contract that says we fix these errors?" And the problem begins, because they say: "Okay, we don't have it, or we do, and now who will pay for it? The client has to pay for it, so it's time for programmers to fix these errors." From my perspective, I would say that the pentester should fix all the errors. The software house will say: "We will only fix critical errors." The client will say: "So basically fix the critical and medium errors, but we will not pay for the low ones." And it turns out that there are a lot of dependencies that make difficult what seems to be the most trivial thing in the world. What is fixing mistakes? Sometimes a client can come back to us after 8 months for a web application; he fixed mistakes because there were many complicated process situations along the way, and sometimes these are really critical mistakes. Only because it was very difficult to deal with this company process-wise, formally and legally. That's why such things should be required. If there is a problem with the software house, then the test is a smaller problem. But if someone gets into trouble with the company because of the application, it causes a lot of damage. I have no legal argument to demand from the company that they got into trouble with. In a Polish court it will not work. Wojtek, do you want to add something? Yes, generally speaking, when it comes to software houses, the SSDLC is already being implemented, i.e. the Secure Software Development Lifecycle. Generally, security in software houses should also be about quality. It should work a little free-market, on the other hand. And so that we, as the orderer, or the companies that order, force it on their software houses to implement the SSDLC, so that programmers don't even have time to take care of security, because it's not taken into the whole development cycle, and only then, when such a bug comes and they find out about it, they are not even able to manage their time, because they have other priorities now. So it seems to me that here, we as consumers of such software should put pressure, so that we are aware and force it in such software houses. I think we can slowly come to the end. There are two more questions.

How do you think about the question: "Is the general awareness of the community of animals or animals..." Will the level of awareness in society... Will it definitely increase? Wait, for those who are watching us online, I repeat, the question is: Will the level of awareness of security in society increase or decrease? I wanted to say that. The level of security will definitely increase, in that a part of our lives will grow, because more and more money will go into it. It is becoming more and more popular. But will there be a rise in security? Probably not. That security will grow is an interesting statement. What will security be? By definition: security by feeling, or technical security, or by the user's awareness. I think that in the last 20 years this awareness is growing. It's a question of whether you agree with me that it's getting harder and harder to exploit various aspects because more and more layers are coming in that are fighting attacks. Users don't force it, of course. That's why it's growing, but there's also a number of attacks, there's also a number of devices that we connect to the network more and more, that we have IoT, that we have a lot of different technological solutions, which are more and more. That's why it's very fluid. SCADA is a bad example now, because SCADA was very popular as a source of target research. There were a lot of mistakes, they were very simple. They went very far from that point. In 2015 or 2013 it started. It's almost over now, I've heard from people who deal with this issue, and it's much better now. They've come to their senses and fixed their problems, because the problem is very critical. And the power plants are starting to have problems. Wojtek wanted to add something, Adam? We'll send you the microphone later. We also have to see how these companies have changed over the years. Let's say that once such a model company looked like you had a VPN. Everything was in the internal network. Generally, all communication, such as some Jabber, etc. was all inside and did not work. Now we have much more of these attack vectors. We have, for example, Slack, which is exposed outside. There is GitHub. So we have some weird indicators to check how efficient the code is, how it is optimized. It all happens in the cloud. And this is the buzzword we were talking about earlier. Unfortunately, it also starts to exhaust us from the other side. We have SQL injection, which we have already talked about a few times. But if we switch to NoSQL, it turns out that there is also NoSQL injection in NoSQL, although it seems that it has been so many years since the discovery of SQL, but suddenly NoSQL appears. This is what I said, what surprises me, that in these new technologies (NoSQL is not a new technology, but let's say that more and more people are starting to get into it and its popularization has increased) we have old bugs that are coming back now. I know that this is surprising because it is very interesting. As for IT, I think it will be on an even level. We have more attack surface and we adapt to it. I would like to ask what? The attack surface. Thank you. We adapt to it, we come up with some security mechanisms, but it is still increasing, so it is a bit of a Sisyphean work. As for the awareness of users, I observe that those users read about attacks, they know that something is flying around, but I think they are more likely to approach it like: "Well, it happened to my neighbor, but it will certainly not happen to me, so I don't have to take care of it. For example, there are guys in this bank who take care of my safety," and that's true, but on the other hand, people don't think that they also have to take care of their phones, the apps they install, etc. It's constant, it's a drama all the time. Adam Prawy. Hello, I'm Adam Prawy. Gandalf was gray, I'm Adam Prawy. The awareness of the security of users will be fading very quickly, because they are not interested at all. The user is not interested in whether the device is safe or not. The user does not know that he is using a safe device. The user buys an Android and hopes that everything will be fine, or is not interested in it at all because the phone is used for calling and not for wondering if it is safe. The user buys an iPhone not because the iPhone is safe but because it looks nice and looks good next to coffee at Starbucks. But it will be safe by accident, because it will be safer than the Android that the other one chose. But he didn't control the security. Users ignore security, we do it. And our task is to ensure their safety, regardless of whether they want it or not, whether they know about it or not. And this is the most difficult. How to protect a user who doesn't want it and doesn't know about it? And this is a huge challenge, and the user's awareness will never increase. Because the user is not interested at all. This is our life, and they couldn't care less. They don't even want to know if they are safe. They want to be safe only when it turns out that they are not safe, that something happened to them. It is only then that they are interested. And until it happens, they couldn't care less. And this is completely understandable. This is not their life problem at all. It is our problem.

On the one hand I agree, on the other hand I disagree, but a little bit. I thought about ransomware. I think that ransomware has raised the awareness of the average citizen that something can happen, that something can be lost. Of course, he is not necessarily taught to make backup copies, but something has changed, I think, in his consciousness, because it touched him a little more. And here, even going out on the street and asking people, or throwing a hat in any direction, you will find someone who will say: "I heard that someone had their data encrypted". And of course the question is: How much will it make people click less? This is the problem. We should think about raising awareness so that attacks are less effective. How much will the results of awareness limit it? I think that... I just said that... We will become aware that it exists without any security problem, but nothing will change.

Just a moment, a break. A question: do we still have time and strength? Because I think that... 19 minutes, okay. Do you have a moment? Can you do it? One more moment. You will move away for a moment. There was a question, right? There was a comment or a question whether the information and its speed today do not make us unable to secure everything, so we have to accept the fact that part of... That part of it looks like it does and we should focus on what is critical. But it's been like that for a long time. It's risk analysis. We just take some things for granted because they cost too much or they don't concern us. And we deal with what really hurts us, what causes a real loss. Usually money, that's what it's all about.

Okay, here's an interesting question from the Internet. Borys, why do you use the old Nokia? Is it a hipster element or security? Because I can. Because you can? Yes, because I've been using the old Nokia for 9 years. Sorry, I have an SMS. And you don't feel bad about 2G? I called today for a presentation and it's connected to what Imak said when you asked the question. I just use it, I call from the phone and SMS. It's so convenient for me, I don't change, I don't want to be online all the time, to sit in a tram and read a trusted third party. That's why I have an old, stationary phone. But of course, as a technical person, I have a risk analysis in my head and I am aware that, as Mateusz said, my Nokia has, as Pącki says, so many lines of code with various errors that to be able to attack it is certainly not very expensive. I am aware that, as Mateusz said, this Nokia only operates on 2G, so it is 100 times easier to listen to it than an Android with Signal, and with this awareness, this knowledge, I use this phone. If I want to talk to this Adam and call this one, then I think about what I say using the old phone. You use the code book. "Today it's a carrot, it annoys me so much." Exactly. Does XPAC scare you in the ATM? The answer is no, because it's the bank's money. I think that's enough. Here's another question.

Sometimes such campaigns happen. Now is the month of cybersecurity. Probably half of you don't know about it. You knew about it? Yes, just about it. Sometimes it happens on a small scale, because somewhere NASK fights and organizes something. There was a moment, I remember, when Adam... I remember it well. I think Niebezpiecznik, Zaufana Trzecia Strona and Sekurak together appeared on the poster of the Polish Post Office. Really? Something like that happened? I have to find this poster. And these posters were all over Poland. Today, the Polish Post Office is returning. Many times it is not a crypto advertisement. And it's still happening, but it's very difficult. It's an interesting question whether someone in government would ever come to a point where they would say: "OK, let's make a TV campaign on a large scale and pay for it". Some time ago banks started making YouTube videos that said that we can be robbed. So there is already a step in this direction and it's happening. My company is also doing such things. But when it comes to campaigns on YouTube, everyone thinks they are cool, funny, but it doesn't change anything. People who watch YouTube receive the money, and Helena from the accounting department clicks the invoice anyway. That's a big problem. This is what Adam was talking about. I totally agree with this approach. The end user shouldn't even think about safety. He should have it in his package. And I think that's our... Of course, of course. Not exactly. We also care about our own physical safety. You don't have an open house all the time, you just lock it with the key when you go out. It's not like I can be a cow and act like an idiot everywhere. I also think about what I do, so we also think about what we do on the Internet. It's also a zone of people. In Canada they don't lock their houses and they live somehow. So, in Norway or in Holland. Because there are law enforcement elements there that eliminate criminals. And I think that for several decades we have been trying to raise the level of security and we are not doing it well. There are still attacks, leaks and thefts. It means that we are doing something wrong and we should change it somehow. Should we impose it by law to make it safe now? Should we punish for someone's mistakes? Or maybe it's better to chase criminals? Yes, the rod has come in, so it will be safe now. We are definitely doing something wrong or at least insufficiently. Yes, but it's punishable by penalty.

One more question. Regarding security, does anyone who doesn't work in a bank and uses a computer every day know what's in the authorization SMS? Apart from the code that confirms the operation? The amount? Anything else? The account number sometimes, at least part of it. Exactly. The last four digits of the account, the amount, etc. It's different, but this information is quite complex. And imagine that these people don't read these SMS and confirm these operations. They have infected computers, and the money is running away from them. So it would be enough to read a little more. To them or to banks? To them. It's already like that, when they authorize, it's already different. It's different, but the transaction is actually signed, so the user signs it. The bank doesn't know if it's the user or not. From today, from midnight, if you send a transfer, the name and the address must match the account number.

The question is: is there any question you dreamed of but didn't get asked? Something like... I don't know... I have one. Anything. I have one, but I know the answer, so it's a bit pointless. Who will ask the question? I don't know, pick a random person. Maybe you. I had a question in my head: what is LIM? Maybe someone knows that. What is the abbreviation for "lim"? Which one is behind the corner, on the other side of the street? Lot and Marriott. It's "Brawa" I think. "Brawa" or "Siedział stolikowo". The homework will be to figure out why this question and the others are somewhere in the back, because there was a second answer. "Brawa". Wow! It's hard to comment on it. Even Borys didn't know. I can't repeat it. Answer in the backstage. Do you have any more questions? In the back of the room. You have to speak louder. I think we'll pick this part of the question.

The first part of the question is: what to do when you become a victim of cyber-theft of your identity. There is an article on the website about a man in whose name a store was founded. The man had nothing to do with the store. The store was called imyśniklectronics.pl. The man realised that someone had registered, under his data, a fake store that did not deliver goods. A typical example of identity theft, and a rare, model one. This man was not very well-informed, so he decided to intervene. He first reported it to the police station or the city council. Nothing happened. He reported it to the prosecutor's office. Nothing happened. Then he reported it to CERT Polska. Apparently, he was not able to fully explain what the problem was and no specific actions were taken. Then he reported it to the chief police officer's office, the Department for Fighting Cybercrime. He was ignored. Then he reported it to TVN24 and TVP.INFO and unfortunately they didn't take care of it. Then he reported it to Google Safe Browsing, which didn't block this website. Then he reported it to nazwa.pl, which said that it would do nothing without the prosecutor's order. Then he wrote a complaint to the Ministry of Justice, the Ministry of Internal Affairs and the Ministry of Administration and nothing happened. Then after a month he wrote to me, I wrote an article about this, and within a few hours the representatives of all these mentioned institutions called me and asked: "Well Adam, why didn't you say anything? We would have done something." And two days later...

Adam, Adam said that it would be faster and cheaper to steal someone else's identity and change their name. It would be more effective than trying to get something back. Or continue the business. In general, a very good plan. Any other questions?

- Okay, so let's speculate if artificial intelligence will kill us or not. - I think so, but not as a real artificial intelligence, but what we now consider artificial intelligence, or the whole ML and all the companies that do machine learning, and it will definitely kill us, because something will finally go wrong. - Okay. - And besides, he usually doesn't know what he's talking about.

Any other questions? Speaking of artificial intelligence, there are companies that claim that malware with artificial intelligence is right behind the threshold. They have a very broad threshold. It already is, but no one has found it. It's already there, but no one has found it because it's too developed to track its tracks. That's the status. But there are also companies that say that their artificial intelligence detection systems are so effective that they detect malware with artificial intelligence. Maybe we should just put the intelligent part of the question in the answer box. That would be the easiest way. Just the question: is there anyone from Siri? I would like to add that the current role of the system is to protect the users of the mobile phone that have been installed, and to attack the security.

I think we are going too far. I will say something else. Recently Amazon, this week, turned off its artificial intelligence in HR processes because it rejected women. It discriminated. I saw a nice meme with the caption "statistics", then someone adds a frame and signs it "machine learning", and then "AI". It's a long way to go. If we speculate like this, isn't it a bit like we'll meet in a year and the problems will be the same? Where are we going? What will change in the next year? That's why we will meet here next year. We will talk about it all the time. We have work, so... OK, sure. In the last year, the topic of the system was the same. Every month, the system will do something, and the system will do nothing. The board of directors will do their job. So, what will happen?

The question is whether the person who fought to turn this shop off could not simply swear at the owner of the shop in the name of the shop and turn it off. No, because the domain was registered to someone completely different, and nazwa.pl apparently sent someone a question whether it was his shop and he replied that everything was OK and that was enough. So the only thing he could check was that he wrote to the bank and found out that there was no account in this bank where the criminals had it. But for a month funds were flowing into this account.

One more question for Borys. I knew it, I knew it from his face. How is it called in Poland? Pomidor. The last question from the audience. That was the last question. Wait, wait, let's try. Oh my God. This is a very good last question. If they have an artificial intelligence... Wait, wait, wait. The question is: Will the chip-in-the-skin help us in the context of 2FA? Will it increase the security or not? It will certainly increase the security of this factor, it will be harder to lose it. But on the other hand, did Touch ID affect security? If someone wanted to, I would break your hand and sign with your skin chip. It is interesting that in some countries, when you have Touch ID, law enforcement can legally... On the other hand, the news is that in the US, police have banned looking at the iPhone X, so as not to lock the phone with a wrong login. But they can't force you to put your finger on your face, but they can put your phone to your face to unlock it. Ok, that makes sense. A pro tip here is to close your eyes, because I remind you that Face ID doesn't work when your eyes are closed. So if someone pulled out our phone during a nap and wanted to unlock it, it wouldn't work. And how do you stick on fake eyes? Like Jack Sparrow. I would try. I think we should finish, because the organizers are already getting angry. Thank you very much everyone for participating in the panel.
