
Freaky Leaks from a Chic Geek

BSides London · 2017 · 29:25 · 2.1K views · Published 2017-06
Category: Technical
Style: Talk
About this talk
Kubecka examines widespread data leaks across corporate infrastructure, government systems, and critical services, demonstrating real-world examples from banks, power plants, and diplomatic networks. She explores the underground economy for stolen data, the challenges of responsible disclosure across jurisdictions and NDAs, and practical strategies for discovering and reporting vulnerabilities without formal bug-bounty programs. Using OWASP guidance and passive reconnaissance, she argues that proactive security posture and effective threat-intelligence sharing are essential to prevent mass exploitation and infrastructure failures.
Original YouTube description
Subtitle: I should buy a boat. Leakware, leaked databases and leaky applications: leaks are all around us and here to stay, it seems. Almost every day there is a new story about a data breach, from the comical to the scary. Worse, a new exploited vulnerability leaking or locking data. Many protocols are in widespread use; if they are vulnerable and can share data or information inadvertently, larger numbers of systems, businesses, infrastructure and people are at risk. When a risk is identified, how can threat intelligence be shared in the land of NDAs, different laws, jurisdictions and regulations? What is good intel or sharable information, and to whom? If your organisation's security posture is reactive, not proactive, chances are easy-to-pwn systems can be exposed without visibility. Avoid making it easy to perform mass exploitation. Utilizing the new OWASP Top Ten 2017 and the information gathering checklist, you'll learn how to discover leaky and vulnerable assets, websites and protocols. The presentation uses sanitized real-life data; all information was gathered passively. Examples are an unnamed big bank, major IT vendors, a multimedia platform, a power plant and other fun... for attackers. A brief update on the leak underground economy and how valuable data can be: how much is that leaky data worth? The good, bad and ugly of sharing. Protection strategies, sharing options and takeaways to justify testing time, budget and sharing options.
Transcript [en]

So good morning everybody, thank you for coming, I really, really appreciate it. I'm going to take you through a little journey of a few things, and why it's important to care about sharing in a very good manner, and also why I find it very troublesome that a lot of vendors, or even countries, don't have the capability to share in an adequate manner about actual threats that occur in the world. So I don't like to describe myself with a lot of Sears, but I do enjoy the digital rockstar lifestyle of getting a tan from fluorescent lighting, and that's my background.

So when we originally thought about this whole idea of connectivity, it sounded great. Many times when we connect things it's functionality over security. We've got to get things done. Business people: hey, guess what, we need this product out, we need to have people connect to it, it's a database, that's fine. Unfortunately things have changed over the years, and I do like to stress that the internet was never designed for business. Never. Its original intention had nothing to do with business. So now that we're in this world where we are very much interconnected, we are faced with the challenge that, since the internet was not meant for business, many of the protocols are not meant to be secure, so they leak. Applications leak. There are challenges if you're a developer and you've got a project manager who doesn't understand the value of putting forward a budget and time for you to actually test at a basic level; it doesn't get tested. My husband is actually a developer, a .NET developer, and that's one of his challenges wherever he has worked. He does, being married to me, want to do things about securing his code, but when it comes down to time and budget he's pushed back, and it's a very common thing. And the thing is that a lot of these things leak, and we know that they leak, and there's always going to be a vulnerability in things, but how do you bring it up properly, and how do you share the information?

Now, when I started 39999 years ago, that's all I'm saying, the threat landscape was very, very different. I remember some of the first viruses, where one, we had a marching band going across the screen; we had another one that was nice enough to try to patch your system. Those were more helpful things. Unfortunately nowadays the threat landscape has completely changed. It's gone from something where there were a lot of technologists and curiosity to something where the entire landscape is now very much monetized. In addition to that, obviously at the top of the list, when we're dealing with things like foreign governments and nation states, I'm sure you are all aware of the Shadow Brokers and the recent leaks involving them. We have various governments that can sit on zero-day vulnerabilities, and that actually makes me feel very uncomfortable, because you never know who the next person will be in power who has access to those vulnerabilities, and Tiny Hands kind of scares me. So we've got some interesting challenges, right? Luckily they don't know very much about cyber warfare or they'd actually be a challenge. But you also have to think about competition. I used to be the security expert for Lloyds Banking Group here in London, and at the time it was quite funny that one of their competitors would forget to change the IP address when they tried to launch a DoS attack against their infrastructure, and it happened on a weekly basis. Yeah. But obviously a lot of people are scared of these people, you know, the creepy hackers, the glasses-wearing people, for very good reason. We're very curious, and I'm very curious, and unfortunately our curiosity can sometimes cause harm, but at the same time our curiosity can expose us to information that maybe we shouldn't have or that was not intended. So here comes the challenge of trying to share that information appropriately if you happen to find information like that.

So if we take a look at any sort of information, intelligence if you want to call it that word, that you would have to share: you find an issue with a vendor, you find an issue with a protocol, you find an issue with a government website. How you share, and what type of information you would need to share, this becomes challenging, because if you're not an intel expert and you're just a security researcher who loves to make and break things, this is a completely different world of how you have to report information. At the same time, if you want to report this type of information to, say, a national-level CERT, not that the UK has one anymore, but I deal a lot with the Dutch CERT, and they don't actually have a proper reporting structure of what is required, unlike US-CERT, where they actually have a format because it's been well established. So you're kind of left floundering as to what exactly they would need if you're not familiar with this type of stuff. Now there are other ways to share that I actually prefer if you're not familiar with dealing with law enforcement or CERTs, or you don't want to get tied up with that. Now here in Europe you happen to have what I would say is the best CERT I've ever run into in Europe, and that is the Luxembourg CERT. It is the Luxembourgish CERT, security with a smile, that's what the CIRCL part means. They actually set up this thing called the Malware Information Sharing Platform, where you do not have to be a CERT to be a junior member. They have a virtual machine, and what it contains is the newest and greatest TLP:WHITE hashes of malware that is coming from all of the CERTs, both public and private, who happen to be members, and that's very, very helpful for a smaller organization that doesn't have an Aramco budget. And you can also submit as a private party to this. I find it quite helpful. Obviously, post things: you can share some information up with VirusTotal, for example, if you happen to find some dodginess and you know it's quite dodgy, and you can go ahead and upload or send a URL link or something for them to go ahead and scan. But there are methods outside of getting involved with law enforcement or national-level CERTs where you can actually try to share some of this information in an adequate manner, and there are even other parts, like Stack Exchange, and then there's another sharing platform, 4D 5A, off of Slack, that also contains some of this information.

So we've got a lot of challenges. That's not a really good picture; that's a poor cat, I wouldn't want to be that cat. So you've got all these challenges, right? Number one, I would say ego is a big one. If you are trying to report something to a vendor, many times they don't really want to know that their baby is ugly. I ran into this situation last Tuesday when I did a presentation at a bank, and I showed them, you'll actually see on the slides, that they had been compromised, and their security person was like, oh, all right, well, nice to meet you, I've got another meeting. So there's some challenges, because he didn't want to know that his baby was ugly. Vendors sometimes don't have a good mechanism to report, or sometimes you might face getting sued, like an AT&T issue over in the United States; they're more litigious than they are in Europe. You might have some sort of liability issues, or you might not want to be that poor security researcher here in the UK, whose name I will not mention, that helped with the WannaCry issue, and all of the British media went into his private business and he had to move. Does anybody want that situation? Because I don't. I can't afford to move; I live in Amsterdam, it's too expensive. And this is one of my favorites: too much stuff to report. I have so much stuff, and there is just not enough time in the day to actually report all of these issues, so it can be very overwhelming. And I definitely do not report to certain governments now that I know they can stockpile legally, because I feel very uncomfortable with that. So there are a lot of challenges.

So moving forward to today. I love OWASP; OWASP is a great organization, and this year they went ahead and updated the OWASP Top 10 for 2017 with some new additions. In A4 they merged a category; A7 is a very general one of they didn't put enough attack protection up; and, welcome to Web 2.0, it's all controlled by APIs, and very frequently APIs are not secured very well, which can lead to all sorts of naughtiness. So let's take a look at it. This is just the very first part of the OWASP Top 10, and for the information gathering portion, and I consider this very much, most of it is very passive. These are things that many security researchers or curious people end up finding anyway. They're not directly attacking a machine, but they're finding information in different ways that, say, the web developer or company didn't intend. So the reason why A1, injection, is still high: obviously I changed this, because this was actually from a bank, and this was their URL, that's been sanitized, and we still have a lot of problems, and for here that's an account number. That's a problem. Right now, when I discuss it with this particular bank, although they're in the Netherlands, and it's a requirement in the Netherlands, if you are a company of a certain size, that you have to have a responsible disclosure program, it's a law, they actually don't have a secure, adequate one, because it's also the law in the Netherlands that in order to report a vulnerability it has to be in a secure manner or you could be liable. So I have to be able to email them or send information in a secure manner, and they don't actually have one; they just have plaintext email. So it was only because I was in the bank doing a presentation that I could show them this; that was the only method.

So A2, pretty groovy. This is also from part of the bank: things like expired certificates from 11 years 3 months ago, and VeriSign True Test, it's a little blurry for obvious reasons. They were using a test certificate that was only meant for tests; that showed on the certificate, right? Again I had great difficulty trying to tell them this, because I'm also a customer of this bank, so I brought that up too. That was a problem. But these things are still out there, and how do you communicate it effectively? I'm not going to go to the police and tell them that, I mean, it's not appropriate, and unfortunately the UK doesn't have a CERT, but it's also not a thing that you would give to, say, a CERT, because it doesn't really involve them. So you're really depending on, say, the bank in this case to step up, and it's a big problem. So I just changed around what the actual search parameters are, but I did this last week just to try to show a graphic, and these are just very general expired SSL searches, whether it's on web or it's on mail services or whatever, just very widespread, and it's immediately showing almost 4 million out there. So it isn't a unique problem, but when I said that sometimes there's too much to report, I can't report all that, that's craziness, that's just absolute craziness. So there's a lot of issues that we still have.

A3, I like this one. I have not been able to contact this organization either; they told me to fill out a help desk ticket, and I'm not a customer, so I don't know how I'm going to fill out a support ticket for them. But they are running a stored cross-site scripting in the comments going to Russia. That's a Windows XP key, boot.ini, all the way down, and the attacker actually hardcoded the username in, so you know exactly who it is. Isn't that nice? It also ties to a Yandex email account, but again I haven't been able to contact them, so I've been trying Twitter. That's really depressing, by the way. So there's a lot of problems.

A4, this one also discovered last week. I will tell you that the company rhymes with Misco. This is one of two, and I have not been able to adequately contact them; they only have a cleartext method, and this is not included on their paid bug bounty program, it's outside, so I literally have no way to securely contact them, except if I try to get them to follow me on Twitter. That's really depressing, it's just so depressing. This is a very common one, and I like to point this one out because this is post-breach, and one of the top ways that I find leaky things is by misconfiguration. Here we have the Democratic National Party, right, here's a VPN, right? I actually tried contacting them too; they don't have a responsible disclosure... fax, yeah, I'm going to have to fax them. Because it's really depressing. This is one of the worst ones that I found two weeks ago. This is a European police officer that works for a European international agency that allows me to screenshot their desktop, and here's an active police investigation, a cash investigation for bribery. On this other side, you can't see it, it's actually the police officer's schedule. I tried to contact that country's CERT, but I actually got no response, even though it's a European CERT, because I thought it was pretty important. I blurred out the pictures, obviously, but to be able to tag into an active police officer's computer, see their schedule, and see an active investigation with an undercover officer... unfortunately, like I said, I've gotten no response from that CERT.

Trump Towers, because I can't just show the Democratic National Party without going on the other side, right? So they got fined because they were running some weak stuff in the United States, in the state of New York, last year, for 50 grand. So I was giving a pentest course and it was late at night, and I had a friend from Eastern Europe tell me about the debate before the presidential election, something about a 400 lb hacker. I thought at first he was calling me a 400 lb hacker; I was like, dude, I'm not that fat, I mean seriously, I'm a bit chunky, but I'm not 400 lb. So he then explained, and I go, give me a few minutes, and within four minutes I found that, and then I double-checked that I can still connect, the day before yesterday. I use FileZilla 0.9.39 beta in my pentest course, installed on a Windows XP on the back end, because you can actually tell that from it. There are other services behind it, and it connects directly to their POS system. I tried to contact them also by Twitter; I didn't get a response, I didn't know a way to contact them. So anyway, there's a lot of issues. I mean, here is an organization, between them, the DNC, especially Trump Towers, they should have the money to be able to have this kind of stuff. They should have some sort of responsible disclosure. I can't go to the Canadian police for this; what is the Canadian CERT going to do? It's a private business. So I'm left to, hey, you know, you've got a problem: your customers who pay a lot of money for those hotel rooms, or people who have actually bought condos in this thing, and the payment system is exposed using a very weak, old, old exploitable FTP version. Twitter doesn't work in telling people most of the time.

And because we're in Web 2.0, this is an unprotected API. You can crawl up and down the users; I can see rewards, goals for this particular membership. It's a very, very large, what was it, multimedia platform with membership videos and all sorts of things. This is just crawling using the next user in the API. It seems that also somebody has already been taking advantage of it, and inside the data machine they're selling cheats and wees. Again I've been trying to contact this company; I'm not filling out a help desk ticket, that's crazy. So there are some issues out there, and we still have the same issues, which is kind of depressing. Also it keeps us employed, so you've got to look at it from both sides of the coin. But there's got to be a way that we can more effectively say, hey, you know, company X, bank X, whatever X, you have a problem, here's the information, and it shouldn't be in a super formalized manner, and not in a way that exposes a security researcher or private individual to media or any other type of public view, as sometimes we don't want to be in the public view.

So unfortunately, this is now the leak economy. Who has Bitcoins? Anyone? Bitcoins, yeah, you're buying the drinks tonight. So leaks are now a big business, and there are also now two sides of the coin. You've got security vendors who charge a lot of money for all sorts of indications of compromise, intelligence, things like lists of phishing sites or compromised sites or whatever, so the leakers and the criminals are feeding the vendor economy as well. So it's going back and forth; it's a very interesting dynamic. I would say it's the modern form of big data, I hate that word, gossip at a very large scale, and it's very difficult to try to stay ahead because there's a lot of things connected, a lot of people connected, a lot of different systems, a lot of complexity, and a lot of variables. It's a lot; it's even a mouthful for me to say.

So this is a bank, of course I sanitized it. Mail server, XtremeRAT, port 80, and the clients log in over 443. And again I had great difficulty; they still haven't taken it down, by the way. I'm a customer of that bank; it kind of pisses me off. But anyway, this is a European power station. I did contact this CERT and I was not able to get a response. It's running Modbus, that is an ICS protocol; that's ABB, the vendor attached to it, with the exact version and when it was last updated for the firmware, and that is XtremeRAT. So we have some issues if people can find this type of stuff so easily but yet cannot communicate effectively with, say, in this case, the power station or the CERT that should be notifying them, and it's very unfortunate. So we're going to continue to have leaks.

And then we have this problem that we're running into: if somebody's able to get information about your system or you, we have a lot more, I would say, extortion or porn-related malware, where you have instances where if it sees that you're going to a particular porn site, it's got a list, it then tries to embarrass you, right? So then you end up paying a small fee, and this is a problem, because for sanctioned countries like North Korea this is one of their modus operandi, so they can make quick money, and data is valuable. So I did some recent stuff, and this is all from the last two weeks, just to show you: you now have ransomware software as a service. It's pretty groovy, I like that, and there's another one called Satan which is getting really big. So if you don't know how to do it, you just sign up with them, they take their cut, they run most of it. It's fantastic, right? Then of course there are vendors who, once they find this information, can sell you at a very high rate this extra dark web intelligence information, right? Because everything's in the dark web; it makes it sound sexy. There's the exploitation market, the zero-day market. This particular bank I'm working with, they didn't pay the ransom, so we call this proof of data, to taunt them until they go ahead and pay the 10070, with the transaction fee, in coin, for a Middle Eastern bank. There are all sorts of ways to launder your money, which is great, or if you have a problem with that, as soon as you get it in hard cash, hey, I like London, I'm not saying anything, but there are a lot of empty houses owned by Russians, okay?

So I do want to say, because I want to leave some time for questions, lots of questions, there is hope. There are ways if you can't get your information to the appropriate parties. You're here at a fantastic conference. Last evening, attempting to put things in the bags while drinking beer, because, you know, it goes hand in hand, I met a lady who happens to work for a particular bank where I found that it looks like a criminal entity had set up people inside that bank to set up accounts, which isn't that unusual anymore. So because I met her, I was able to actually send her the information this morning. So that's very helpful, and most of the time when I find this type of information I have to leverage my network of people I've met at security conferences to actually get it remediated. So it's very important: we are not attendees, we are participants, and at these particular types of conferences, like BSides, talk to people, because you never know, and that's one of the best ways to share information. Obviously, test. There are free tools, there are tons of free tools. If you want to see if somebody has left up documents by mistake, where a developer left up some test web pages, there's Google; there's this great thing called the Google Hacking Database, where it just gives you the strings to put into Google, and you can find your stuff with site= or site: myorganization.com or .co.uk. So it's a very easy way, very basic. OWASP ZAP has fantastic testing capabilities for testing any sort of web page; if it runs a web page, it can be compromised like a web page, it can be tested like a web page, whether it's an embedded device or not, it's running the same type of technology. And, you know, telnet will also show you the banners. But there are ways.

Now one of the reasons why we need to try our best to share good information: I was reminded because Shamoon 2 is an ongoing attack, and has been since late last year, where it's just a slightly different type of dynamic. When Shamoon 1 occurred, unfortunately there wasn't a very good, I would say adequate, IT security infrastructure at Aramco, and unfortunately when they got hit there were other collateral damages. So after this photograph was taken, because they couldn't get the trucks to load, it was on the automatic loading system, but it was attached to the IT and payment systems, these were shut down. So that's 13 days; how much petrol do you have, right? Unfortunately Qatar got hit at the time, and now, as of yesterday morning, it's become quite public: Saudi Aramco did not collaborate very much with them because of what was going on with the Arab Spring and Al Jazeera at the time and so forth. Fortunately now Qatar has been kicked out of the cool Sunni kids club, from the GCC, as of yesterday. But these types of things can have very, very bad effects when a major organization gets compromised and they can't produce what they're supposed to produce; then it can have a knock-on effect that is completely undesirable. In the case of Shamoon 1, it actually threatened the world's oil supply, to raise up a barrel of oil to $400 to $450 a barrel if they were unable to keep their production up, because they have such a large market share, right? But if you take a good example of that power plant, I think all of us like electricity, because I need to plug in my laptop and then hack all the things, right? And water is tightly associated with that and so forth. We all like the modern world, and we need to have a way to effectively communicate this information to the organizations that are being affected. Until then we're going to have to leverage this wonderful BSides network.

And I did the, he wasn't the original one but he retweeted it, I like Josh, so I like to bring up an idea of bad sharing, kind of like bad touching. This was off The Register, about the possibility of the laws changing here in the UK, obviously because there have been some idiots doing awful things, that they want to be able to surveil and see those idiots, right? They want to see what they're planning, they want to see those communications. But on the other side, what happens if it gets too much? And now a friend clarified that this would only affect UK residents or UK citizens, so for a person like me who's not from the UK, suddenly some four-letter agency wouldn't demand my laptop, but it's still a very scary thought that people are discussing this type of information, because we're all directly affected. I think most of us have probably found, one way or another, some sort of software vulnerability, whether intentional or unintentional, right? Now in the UK you happen to have this group, the Open Rights Group, that deals with privacy. Now they don't usually take things like the EFF does, where you find a big security vulnerability, but they might be changing, who knows. In the Netherlands we do have an organization like the EFF, and it's called Bits of Freedom, so if you happen to be in the Benelux region you can contact them if you're afraid to contact, say, a vendor or a CERT or law enforcement directly, and they will try to anonymize your information. And I do not agree with governments hoarding vulnerabilities, and then they get used on a big scale, because that makes me feel very uncomfortable, because other people who are not so honest can use those same vulnerabilities to exploit. Again, you never know who will be in power next.

So we know that there's a problem. We know that we all have a boat; it's going to leak. We're not going to reinvent the internet tomorrow, so we're going to have to find ways to deal with it, to talk. And sharing doesn't mean, oh, and these are the internal IP addresses that got popped; you can sanitize your conversations, you can sanitize your communications, but still discuss and inform about the threats. There are possibilities and there are ways, but I do stress: leverage your existing network and the network that you're going to extend today. So by the way, that's a real cat; I didn't know, who knew, it's a real cat who enjoys swimming and wears a swimsuit. But we know that things are leaky, but we're going to have to get used to it, right? We're going to have to deal with it, and we're going to have to find ways to ensure at least our information isn't as leaky. You know, I'm a little biased, so ask. So I did leave time for questions, so that concludes. So if there are any questions, which I love to answer, please start, and thank you very much.

[Applause]
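The unprotected API the speaker describes, where you can "crawl up and down the users" by asking for the next id, is the broken object-level authorization case that the 2017 Top 10 files under A4. As an added example, not code from the talk or from any of the organizations it mentions, the block below builds a tiny in-memory version of that API with a handler that checks nothing beyond the id, the attacker's crawl over consecutive ids, the hardened handler that ties each record to the session that owns it (and answers 404 rather than 403 for foreign ids, so the response does not confirm which ids exist), and a small log check that flags a client walking a run of consecutive member ids. The member records, session tokens, handler names and access-log lines are all constructed for illustration.

```python
"""Added example (not from the talk): sequential-id enumeration on an
unprotected API, the hardened handler, and a log check that spots the crawl.

Everything here is constructed for illustration: member records, session
tokens, handler names and log lines are invented and stand in for whatever
the real platform exposed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    user_id: int
    email: str
    rewards_points: int


# Constructed sample data standing in for a membership platform's user table.
MEMBERS = {
    1001: Member(1001, "alice@example.test", 120),
    1002: Member(1002, "bob@example.test", 75),
    1003: Member(1003, "carol@example.test", 900),
}

# Constructed sessions: bearer token -> the user id it was issued to.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def unprotected_get_member(_token, user_id):
    """Vulnerable handler: looks the record up by id and returns it to anyone.
    The token is accepted but never checked against the record requested."""
    member = MEMBERS.get(user_id)
    return (200, member) if member else (404, None)


def protected_get_member(token, user_id):
    """Hardened handler: object-level authorization. The record is returned
    only when the session's subject owns it. Foreign ids get 404, not 403, so
    the response does not reveal which ids exist."""
    subject = SESSIONS.get(token)
    if subject is None:
        return 401, None
    if subject != user_id:
        return 404, None
    member = MEMBERS.get(user_id)
    return (200, member) if member else (404, None)


def crawl(handler, token, start, stop):
    """What the attacker does: step through consecutive ids with one valid
    session and keep every record the handler hands back."""
    leaked = []
    for uid in range(start, stop + 1):
        status, member = handler(token, uid)
        if status == 200:
            leaked.append(member)
    return leaked


def flag_enumeration(log_lines, window=3):
    """Detection side: from constructed access-log lines of the form
    '<client> GET /api/members/<id> <status>', report clients that requested
    at least `window` consecutive member ids. Returns {client: [ids...]}."""
    seen = defaultdict(set)
    for line in log_lines:
        client, _method, path, _status = line.split()
        if path.startswith("/api/members/"):
            seen[client].add(int(path.rsplit("/", 1)[1]))
    flagged = {}
    for client, ids in seen.items():
        run, best = [], []
        for uid in sorted(ids):
            run = run + [uid] if run and uid == run[-1] + 1 else [uid]
            best = run if len(run) > len(best) else best
        if len(best) >= window:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    # Bob, holding only his own token, reads every member via the weak handler...
    print(crawl(unprotected_get_member, "tok-bob", 1000, 1005))
    # ...and only himself via the hardened one.
    print(crawl(protected_get_member, "tok-bob", 1000, 1005))
    sample_log = [  # constructed access-log lines
        "203.0.113.9 GET /api/members/1001 200",
        "203.0.113.9 GET /api/members/1002 200",
        "203.0.113.9 GET /api/members/1003 200",
        "198.51.100.4 GET /api/members/1002 200",
    ]
    print(flag_enumeration(sample_log))
```

The authorization check belongs in the handler for every object-returning route, not in a front-end that simply hides links; the crawl above never touches the UI. Opaque, non-sequential identifiers make the walk harder but do not replace the ownership check, and the log heuristic is deliberately simple: a real deployment would key on an authenticated subject rather than a source address and tune the window to the API's normal traffic.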