
Good afternoon, everyone. Thank you for attending this event. A few words at the very beginning. First of all, a short story about BSides and why we decided to organize it in our country. BSides is an event that took place in 2009 in a rented house somewhere near Las Vegas, for people who were rejected and could not participate in Black Hat because there were too many applications. In fact they had the opportunity to say something valuable in front of their audience, of course. Because of purely time limitations they could not participate in the more prestigious and more well-known conference, so a group of them organized the event "BSides". Since then, this event has been organized in 50 countries. What is happening at the moment in Bulgaria is event number 650 and God knows what, because in Munich, by the way, the same event is currently being held in parallel. There are such events in Tirana, for example, in Pristina, in Cairo, which will be held in our region by the end of the year. There will be such events in Istanbul and in some other destinations close to us.

As Minister Bozhanov said, the goal is not to create a security community, because in our country most of the other branches, like developers, QA and so on, have their own community. When it comes to cybersecurity, however, things are not quite like that. First, we are very small. Second, we are not talking to each other. This makes us, with the other organizers, whose names you can see on the board, for which we are very grateful, because they did it voluntarily, not commercially, without any consent from them, help create this community, because we think that from now on this will be extremely important for the country. We have to start improving the situation from somewhere, whatever it is at the moment. It is not as bad, not as dark as some people think it might be, but at the same time we will not hide that there is room for improvement, and there is a lot of it. For this reason, I invite some young people to the stage, who will present something extremely important regarding what Minister Bozhanov said about responsible disclosure, exactly how the virus is supplemented with hundreds of thousands of users in Bulgaria and what has happened since then. I give the floor for the first lecture to Miglen and his partners. Hello and welcome.
Hello and welcome. It is a great honor for me to start with my topic, which is extremely close to my heart, and I am very glad that the Minister has also mentioned some words about it. It is called Responsible Vulnerability Disclosure. Perhaps most of you who work or are involved in the cyber security sector in any form have a clear idea of what this means. Many of you may not know anything about this, so let me introduce myself first. My name is Miglen Evlogiev, I am in charge of cyber security, as far as I remember. I am the director of InfoSec at Payhawk, you have probably heard of it. I am an advocate of the ideology that hacking is not a crime, something like ethical hacking. And of course I am engaged, or at least I try to engage, with cyber security in the public sector. I founded a foundation, it is called the Bulgarian Cybersecurity Foundation, and its ideal goal, in addition to prevention, is exactly the establishment of responsible disclosure and the identification and disclosure of such vulnerabilities in the public and private sector in a responsible way.

Now, what I want to tell you today: first I will start with a little terminology, to make sure that we are all on the same page and have the same understanding of the terms we use. I want to present you a draft standard for developing such programs for responsible disclosure of vulnerabilities. I would like to give recommendations, since I had the opportunity to implement similar programs in the last years, coordinating both sides, that is, I myself detecting vulnerabilities and I coordinating vulnerabilities in the companies I have worked in. And of course some good examples from the world, from the GDI Foundation, what we are trying to do here, and an online learning platform, shkolo.bg, who are pioneers in this without even realizing it. Finally, we will finish with Mr. Vladimir Dimitrov from the Cybercrime Department in GDBOP, who will tell us a little more about how this would help society to be a little healthier.

I promised you a little terminology. What is a vulnerability? The simplest way to say it is a weakness in an information system which could be exploited by certain actions, some code execution, with some consequences, or which brings something that is an unexpected result from the use of this system. It could be a web application that shows sensitive data or gives us access to an administrative panel, or something like that. What exactly does responsible disclosure of vulnerabilities mean? Responsible disclosure of vulnerabilities is, simply put, when someone encounters a vulnerability of this type, whether purely opportunistically, i.e. we have seen a website, without looking for it we find access to an admin panel or something similar, and we contact the owner of the website completely responsibly, sharing how we discovered it and how it could be fixed. Of course, there is also non-opportunistic discovery of such things. That is when someone deliberately seeks a vulnerability, and of course this can be done in an unpleasant way, when the vulnerability is exploited. And that is exactly my goal, exactly my goal is to avoid this. When we as a company, institution, university, etc. decide to have such a program, we tell the ethical community, the ethical hackers: "Okay, you can hack us, no problem. Please keep to this policy. Don't just give us your address, don't just throw down the website. If you find something, please don't leak it. Tell us and we will be happy to accept it and to thank you, whatever the form is." Of course, it can be financial or not. And that is exactly the next topic. The topic is bug bounty.
At the moment it is quite an interesting topic. There are different ways in which bug bounty is implemented. Bug bounty is the easiest way to get a financial reward. A bug bounty program can be implemented through a company, for example HackerOne or Bugcrowd, which assesses whether what is reported is of good quality and whether it really deserves a financial reward. And the company, whether it is a company or an institution, does not assess it itself and is not in full control, because it can happen that something that is valid is covered up, saying "we know about it, no problem, we will not pay anything for it." There is of course a low-cost way to implement such a program, where we implement it ourselves. And this is exactly where the security.txt standard comes in, which I will tell you about.

In the plan, you have already drawn the conclusions why this thing makes sense, not only in the public sector but also in the private sector. If you have or work in a company, why does it make sense for you as a business, or as citizens, why does it make sense for us? The most important thing is to prevent incidents like the NAP leak and other similar incidents. If there is a healthy enough ethical hacker community that discovers and identifies, and of course there is a legal framework, that is, when we identify something we do not break any law, we do not get to know Mr. Dimitrov, we inform them responsibly and everyone wins, because the data, the personal profiles, the finances and other information are not compromised. The other reason to implement such a program in our company is that we receive structured reports. For example, if we are a company or in the public sector and we run a pen test campaign, the pen test has the property of being limited by two factors: time and budget. Let's say it can be a week, two, three months, depending on how much we can afford. A public responsible disclosure program of this type allows us to be open to the world and say, "OK, hack us, and if you find something useful we will pay for it." This is good. And so we could attract people who have a little more free time and more interest, who try to penetrate and discover vulnerabilities in our business logic, in the components of our system and our applications, which would have a greater return on investment than a one-week, two-week, three-week pen test. Eventually, right? It is not always guaranteed.

It also gives us a secure channel for communication with potential ethical hackers. We could tell them how to contact us in a safe way, because it is possible for our site to be compromised and someone to compromise the communication channels, so that when someone wants to tell us that we have been compromised by someone else, the first one, who is not well-intentioned, can block it. It also helps us answer repetitive questions, for example whether we have a vulnerability in the configuration of certain components. We could explain this in the vulnerability disclosure policy. And of course we can say what is OK and what is not OK for the environment.

The other benefit for us as a society, especially if this is done in the public sector, is that it helps us build a healthier society. First, healthier in terms of preventing events like the NAP leak and others, and it also helps us give a good example to the young people who come to the cybersecurity sector, which I think is positive for everyone. It prevents full information disclosures, leaks that are left in the public space, maybe forever, where our personal, sensitive information is left forever in the public space and everyone can look for it, which is quite unpleasant. And of course it reduces the work of the cybercrime departments. They could focus on the truly serious and significant things in cybercrime, rather than dealing with vulnerabilities which could be very easy to prevent, because when there is a healthy community that searches, finds, reports, structures and helps, there will be fewer problems. They won't disappear, but there will be much fewer.

Usually a vulnerability has a certain life. It starts with the creation of the project, whether it is a website, an app, it doesn't matter. And at some point a vulnerability appears. All projects have vulnerabilities; some are discovered, others are discovered but not reported, the so-called zero days, and the third are still unknown.
Cybercriminals usually have a great incentive, and not only them, there are cyber companies that have a great incentive to discover such vulnerabilities and to use them for long-term purposes. For example, if they discover a component or software that is used internationally, there are many such examples in the recent past, they could exploit it for months or years. With a good community that helps identify such things, we could save ourselves from such unpleasant situations. The other reason is that there are so-called "markets" for vulnerabilities. I guess most of you are familiar with the podcast Darknet Diaries, episode 98, which talks about such vulnerability brokers. If someone finds a vulnerability in a component or service that is used by a lot of people, he can earn a million dollars for this thing, to be used for unpleasant purposes, in most cases for cybercrime, or for the manipulation of the masses, or for cyberterrorism, which we would be happy to prevent as much as possible. For this reason, if a similar type of program existed for public software, for software code, in public institutions, especially in Bulgaria, because I am sure there is a lot of potential here, we could save ourselves a lot of problems for the future.

And now, how do we implement this on our websites and so on? There is a draft proposal for a standard, structured to explain to the public, to the community, how exactly we expect these reports to be submitted responsibly, that is, security.txt. First of all, a text file is put in the well-known directory or the root directory of our app. We could also place it in public or private repositories, inside the builds of our app, to incorporate it. That is not defined by the standard, but it is a good practice, because someone can decompile your app, discover it and say, "Hey, I found an API key here, now I will remind you that this is not OK." But, simply put, in the root directory of our website we tell how to get in touch with us, we share what kind of secure channels, that is, by email or another way, we provide a public key that potential ethical hackers could use to encrypt the information to us, so that it does not happen that someone on the way changes it, blocks it, or prevents us from getting the corresponding report. Of course we can state some policies. We don't have good specialists? Here we have the hiring page. These are the people who have discovered vulnerabilities in our portal, whether we have paid them some bounty or not. And of course the place where we keep the policy itself, where we describe with this document what is OK and what is not OK to do. I personally recommend that the place where the public key is stored be a third party, for example Keybase or some other place, because if your website is compromised and you have put security.txt and the gpg file in it, it is easiest for someone to replace the key, and from there on you can't decrypt the report and you can't understand what they are trying to tell you.

And some good practices on how to implement such programs, because I had the pleasure of doing a lot of long-term work with such programs. As I said before, structured reports; you can provide communication channels; you can use Keybase, I personally like Keybase because it is a bit separate, it is not on your site, not in your application. You can also provide other channels; usually email is provided as well. You can answer questions. It happens very often to get opportunistic reports. For example, someone simply scans thousands of websites for missing
SPF records and so on, and says that the configuration of your application is suboptimal and expects some bounty for this. If there are reasons why this configuration is like that, we could say in this policy: "These are the reasons, please don't send us reports about this. If you want to participate in this program, here are the things we would like to hear about. If not, be well." Of course, it is very important in the policy itself to state exactly this list of exclusions. The most important thing is that there is no volumetric denial of service, because this is not exactly a vulnerability. I mean, you can follow the good practices for high availability, scalability and so on, but in the end this is a cyber attack one way or another, especially depending on how it is implemented. Also, suboptimal implementation of some configuration components, best-practice reports: is this really a vulnerability, or did you just not put in a certain header or something that is up to date? Self-XSS, DOM-based XSS, injection of certain headers. Of course, there are situations where some of these things could be combined with other things and lead to a real vulnerability, but in most cases it rarely happens. Enumeration of information that is already public. For example, we often get enumeration of the usernames we have in our company. Yes, but everyone can go to LinkedIn, type in the company and see all the employees in it. Is this really a data disclosure or not? You can determine what is and what is not. Of course, when you create such a program, you determine the rules. Whether it is fair or not, you judge, which is not always healthy for the people who report these things. Therefore, if your company is large and has a large public activity, it is appropriate to use a third-party broker like HackerOne, who are real mediators, to say: "Yes, you said that this is not disclosure, but it is actually disclosure, because there is other sensitive information that should not be public." One of the best examples of such policies is the BBC's. I highly recommend it. If you have the time and desire, search for "BBC Security Disclosure Policy". It describes absolutely everything very well. I like to use them as an example of best practice.

So, the GDI Foundation. This was something that got me into this topic. I mean, I knew about this topic long before I knew what it meant, but when I heard this specific episode of "I am C8" with Victor Gevers, I had the chance to have a conversation with him. He told me what they do in the Netherlands and I told myself it would be great for us to have something similar in Bulgaria. How can this happen, if not from one individual person? And we decided to create a non-profit that deals with this. I strongly recommend you listen to this episode. It tells how millions of vulnerabilities have been discovered in the public sector over the last 5-6 years, in companies, in businesses, with different criticality, from super critical to high criticality, and saved a lot of money and problems for society and companies, a lot of time and a lot of people. And so the idea for a foundation was born, which deals exactly with this in Bulgaria. It is called the Bulgarian Cybersecurity Foundation, and fortunately, I talked to the Minister, and fortunately they are also developing the so-called program for responsible disclosure of vulnerabilities. And we decided to partner with the Bulgarian Cybersecurity Incident Center. I hope that this will soon become a fact, part of the legal framework, a policy that protects the ethical people who want to expose a vulnerability, in such a way that it is clear what is a crime and what is responsible disclosure of a vulnerability, so that all sides are protected from potential problems.

And now I want to introduce... I think more than 20 of you have heard about Shkolo. It is a training platform. They started with an online diary, then they developed a lot, with online lessons and other interesting things. They, without realizing it, are one of the pioneers of similar policies in Bulgaria. 3-4-5 years ago they published an article titled "How to hack shkolo.bg". Why? Because they saw in Google that many of the students who use their platform had searched for exactly this, because they didn't want their parents to see their grades. Normal development of things. And they published such an article. I would like to invite... It is very interesting because first we will invite, on one side, the executive director of Shkolo, Lyubo, and on the other side an ethical hacker, a teenager, who discovered a vulnerability after he was inspired by that question. And they made a kind of public program for the discovery of vulnerabilities. Please welcome Lyubo and Stoyan on the stage. Hello! Hello!
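The security.txt layout the talk describes above (a file in the well-known location with a secure contact channel, an encryption key hosted on a third party such as Keybase, a policy, acknowledgments and a hiring page), as an added example that is not from the talk or from any project it names: a small Python builder and validator using the field names of the published specification, RFC 9116. All hosts, addresses and dates below are constructed placeholders.

```python
"""Build and validate a security.txt file (RFC 9116) carrying the fields the
talk lists.  Added example, not code from the talk or from any project it
names; every URL, address and date below is a constructed placeholder."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import urlparse

# RFC 9116: Contact and Expires are mandatory, the rest are optional.
REQUIRED = {"Contact", "Expires"}
OPTIONAL = {"Encryption", "Acknowledgments", "Policy", "Hiring",
            "Preferred-Languages", "Canonical"}

# Constructed sample; the file would be served at /.well-known/security.txt
SAMPLE = """\
# Responsible disclosure policy for example.bg (constructed sample)
Contact: mailto:security@example.bg
Contact: https://example.bg/security/report
Expires: {expires}
# Key kept on a third party, as the talk recommends, not on the site itself
Encryption: https://keybase.io/example_security/pgp_keys.asc
Acknowledgments: https://example.bg/security/hall-of-fame
Policy: https://example.bg/security/policy
Hiring: https://example.bg/careers
Preferred-Languages: bg, en
Canonical: https://example.bg/.well-known/security.txt
"""


def render(expires: datetime) -> str:
    """Fill in the Expires timestamp (RFC 3339, UTC) and return the file text."""
    return SAMPLE.format(expires=expires.strftime("%Y-%m-%dT%H:%M:%SZ"))


def parse(text: str) -> Dict[str, List[str]]:
    """Collect field values in order, ignoring comments and blank lines."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"not a field line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate(text: str, site_host: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    fields = parse(text)
    problems: List[str] = []
    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field {name}")
    for name in sorted(set(fields) - REQUIRED - OPTIONAL):
        problems.append(f"unknown field {name}")
    # Every contact must be a URI; mailto:, tel: and https: are the usual ones.
    for contact in fields.get("Contact", []):
        if urlparse(contact).scheme not in {"mailto", "tel", "https"}:
            problems.append(f"Contact must be a mailto:/tel:/https: URI, got {contact!r}")
    # Expires: exactly one RFC 3339 timestamp, in the future, and not more
    # than a year away (the RFC advises against longer validity).
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear once")
    for value in expires:
        try:
            ts = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not RFC 3339: {value!r}")
            continue
        if ts <= now:
            problems.append("security.txt has expired")
        elif ts - now > timedelta(days=365):
            problems.append("Expires is more than a year away")
    # Web links must be https; the key should live off-site, as the talk advises,
    # so that a compromise of the site cannot silently swap it.
    for name in ("Encryption", "Acknowledgments", "Policy", "Hiring", "Canonical"):
        for url in fields.get(name, []):
            parts = urlparse(url)
            if parts.scheme != "https":
                problems.append(f"{name} must be an https URL, got {url!r}")
            if name == "Encryption" and parts.hostname == site_host:
                problems.append("Encryption key is hosted on the site itself")
    return problems
```

Run validate() against the text fetched from a site's /.well-known/security.txt to spot an expired file or a key served from the site itself before relying on it.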
Echo, echo, can you hear me? No? Can you hear me? Ah, OK. Hello everyone, I am Lyubo, as you have heard, from the Shkolo team. I will say just a few words about what happened during these years. When we started in 2016, we had three main pillars that were very important for us and still are. The first was the user interface, because there are diametrically opposite user groups, from users of 13 to users of 65, who have very different user habits. The second very important pillar for us was performance, because it is very important for the system to work fast; if it doesn't work fast there are problems and the user is not happy. And the third very important one was information security, because we work with a very large amount of data and we understand that this is trust, trust that the schools have given us. In reality, because we are talking about information security, many people do not imagine what this is, whether you eat it or drink it. Think about information security like health. It is something super important, but usually people take some measure for it when there is a problem. They are reactive and take the measures afterwards. We are from the small group of people who take the measures proactively, and therefore every year we pass penetration tests by external companies, and separately we have internal written processes on how this should happen. But as Miglen said, there are many students who have enthusiasm, time, desire and motivation to constantly go somewhere and try to do something. And we realized that these people really want to help. I mean, some of them. They just want to help; we just need to leave the environment and the opportunity for them to help. They are really helping the business when they say responsibly: "Hey, there is a problem here, fix it, so that it doesn't become a bigger problem." And that's why we wrote this blog post in 2018-19, that whatever problem is found, we are in contact. Of course, we didn't formulate it that well and structure it as we should have, but in reality we support and admire all kinds of help, because this is our mission, and with everyone who is ready to help us in one way or another we are in contact, to talk to him. Of course, over the years there have been cases where there is no problem but they report it as a problem, which is a little time-consuming, but that's how the world works. Now Stoyan can explain exactly what happened.

What exactly happened? Do you hear me? So, I am Stoyan Kolev, from Burgas, from the Professional High School of Computer Programming and Innovation. And the vulnerability that was found was an IDOR, or Insecure Direct Object Reference. The issue was: I went to generate a report for the grades, and there was information in the report. For example,
where you live, what your EGN is, what languages you speak. I think there was a phone number, but I'm not sure. So, personal information. And how I did it, if I can disclose exactly how. Well, in the POST request, in order to generate the corresponding report, there was a visible parameter, so to speak, which was some ID, and I just decided to change it. It said only "ID", not exactly "student ID" or something like that. And I decided to change it. Accordingly, a report for a student different from me was generated. And so I tried a few times to confirm it for myself, and I realized I was receiving information that was not mine. I recorded a video, a PoC of the vulnerability, and I made a report, I collected the relevant words and so on. I sent it to Shkolo, to one of the team leads. After months or something like that I got an answer that they would deal with the fix in the near future. After some time I got an answer that it was fixed. They wanted to talk to me, and I got a reward. So, how did I motivate myself? I just woke up one morning, I think it was around 11, and I sat at the laptop and decided to just check... to poke around in Shkolo. It's not something special, because I was too shy and... yeah, I was a little bit more mature, and that was it. Also... Um...

Thank you very much, Stoyan. He is only 17 years old and he came here today from Burgas to tell us his story. He is now a classmate. The idea was to show you an interesting example of exactly this type of responsible vulnerability disclosure, and as you can see there is a huge potential, not only in the people who are here and are engaged in cyber security, but also young people are interested in this. I strongly believe, even I am a little bit... As Svetlin Nakov wants to turn Bulgaria into the Silicon Valley of Europe, my personal goal is to turn Bulgaria into a mature Europe in terms of cyber strength, that is, the leading force. I hope it will happen, and I strongly hope that this conference is the beginning of this. I am glad to see you here. Many years ago, when I was Stoyan's age, I was also involved in the field of intelligence. I also told some of them, others I didn't. And the next guest, I had the honor to meet him, to be awakened literally and figuratively, not more than a kilometer from here, and my idea was to tell him about a similar type of situation. First of all, this is my personal goal: young people like Stoyan not to be confused by Mr. Dimitrov and his colleagues, but to be able to responsibly provide such vulnerabilities to society and the companies, and so to have a healthy society. This is my personal goal. Thanks to Mr. Dimitrov for being here. I will be happy if he can tell us: have you encountered such incidents? What do you think about the case with Stoyan? How will this help the public sector? Do we have a microphone? Yes, please.

Hello, can you hear me? Yes. Vladimir Dimitrov, I have been a policeman for about 20 years. For the last 13-14 years I have been investigating cybercrime. For about a year and a half I have been the head of the cybercrime department in GDBOP. GDBOP is
the General Directorate for Combating Organized Crime and is the specialized unit in the Ministry of Internal Affairs for the fight against organized crime. You know, ordinary criminals, one or two thieves, people who sell drugs, this is the problem of the police. But when there is a long-term conspiracy to commit a specific crime, or several people have a specific goal, this already presupposes the need for more serious resources. That is why last year the General Directorate for Combating Organized Crime was created, which has more serious human, financial and material resources to investigate such organized crime groups. Some years ago someone decided that the Bulgarian National Office for the fight against cybercrime should be in GDBOP, in view of the international contacts we make every day. The Bulgarian National Office for Cybercrime consists of about 40 police officers and officers from the Ministry of Interior, who investigate over 15 different cyber and cyber-related crimes. Now, Miglen says that we met; I don't remember this. Naturally, if he digs into his documents, he will find out what we have seen, when and how, but I don't remember, because if one started remembering all the cases, he would probably develop some mental deviations. For me they are just work cases, and we often meet all kinds of cyber and cyber-related crimes.

For example, I don't know if you know, but one of the biggest problems when it comes to cybercrime in Bulgaria, Europe and the world is something we call "changed IBAN". The English term is Business Email Compromise. B.E.C. was invented as a term about 15-17 years ago by the Federal Bureau of Investigation and, generally speaking, it is a question of North African organized crime groups who with phishing emails get into the email of a Bulgarian company. The Bulgarian company has correspondence with their agent from China, which is closely monitored. The Bulgarian company is being delivered some pipes for some ventilation equipment. One time it is a company that delivers ventilation pipes, another time it is a company that delivers drones. Every 10 days we have a company that has suffered from BEC. The North African organized crime groups carefully follow the correspondence. If it is a matter of over 15-20 thousand euros, they start working on this case. Sometimes they register typosquatting domains, so that they can redirect the correspondence between this Bulgarian company and their contractor. And at a specific moment they just send an email, or when they see that the Chinese company has sent an email to the Bulgarian company asking them to pay an old invoice. Because when two international companies trade, a few years ago there was a margin of about half a million euros; now it is a smaller margin. In other words, you take the stock and pay for it in three months. When the Chinese company sends an email, they attach a PDF and say "pay this pro forma invoice for the stock you received before," and the hackers who follow this correspondence just send out a new email or make a special filter so that it is not received at all. And in the new email they say, because of corona, or because the bank can't receive payments, please send the next 70 thousand euros not to the account you have been paying us into for 10 years at China Construction Bank in China, but to our subsidiary in Hong Kong. Most likely some of you lost me, but this is something that every 10 days a Bulgarian company suffers from. B.E.C., changed IBAN. The sums are from 50-70 thousand euros upwards. These organized criminal groups that change IBANs don't care about the money; they use the services of other organized crime groups that steal the money. But I assume we don't have much time; I could talk to you about similar cybercrimes for days. The IBAN change, BEC, is the biggest problem when it comes to cyber-related crimes in Bulgaria.

Romance scams are another huge problem we are facing. On Facebook, a young Bulgarian gets in touch with an American general who was based in Afghanistan before and is now in Syria. They fall in love, virtually, he promises to come to Bulgaria, and in this way, when the Bulgarian sells three apartments and land by the sea, she sends him 300,000 euros in 17 different tranches, once by bank transfer to Turkish bank accounts, then to an account in Portugal. We had a lady who was standing all day at the ATM at Interpred to deposit money, because they gave her a QR code by email. She went to the ATM, scanned the QR code and deposited money. The problem was that she could only deposit 1,500 leva per transaction, and she was standing there all day. Investment frauds. This is another huge problem we are facing. A Bulgarian businessman invests several hundred thousand euros in a platform where he will trade with something, whether it is crypto or SpaceX shares. In the end, this businessman is left without
several hundred thousand euros. We also have a very serious problem with child pornography. While we are talking, there are about 300 IP addresses in Bulgaria, Bulgarian IP addresses, which download similar materials. This happens through specific software, in specific We won't tell you what the groups are now, they are peer-to-peer networks, but there are about 300 bulgarian IP addresses that are dealing with child pornography. On Friday night there are about 500. 20% of these IP addresses are VPNs of several international companies that have IP ranges in Bulgaria. Intellectual property, torrent trackers, this is also a very serious problem because the copyrights and the rights of foreign companies are being violated and they are losing millions of dollars as a result of the fact that North Macedonia, Bulgaria,
Turkey, Moldova and part of Ukraine are losing their illegal content from Zamunda and similar torrent trackers. Let's not say that many Young people are losing their games or software, which is affecting their computers. And here we come to another huge problem, which in my opinion is the most serious cyber weapon - the botnet networks. About 15 years ago I heard this word for the first time - botnet. And in practice I didn't know what it was. But botnets are like cars in practice. A group of hackers infects computers and finds a way to infect computers and he makes his own botnet network. The smaller version of botnet networks is the ratting. The term is ratting. Some young man drops a rat, this is a hacker tool, through which
you make a computer virus, you send it by email to someone and you rat it, infect the computer. Botnet networks are a little bigger, on a larger scale, ratting. As far as we know, there are about 10, 20, 15 on the global scene of large botnet networks operating. And I repeat, we see together with our partners from the Federal Bureau for Research in the USA, from Europol and Interpol, that the botnet networks are used exclusively by these cyber criminals to extract information from them. I have in mind that while we are talking to you, there are tens of thousands of infected computers in Bulgaria, which are part of one or another botnet network. In an investigation we
conducted two years ago, we got to an IP address from which something bad happened. Once in Eberra they tell us an IP address, the next time we are warned by the Dutch cyber police, which is one of the most active on the European scene when it comes to cybercrime investigations. And we see that this IP address is connected with several different investigations in Australia, in the Netherlands, in the USA. We go and find the IP address, it is some kind of a rubber band in Lulin. I told the man that I have a computer, we barely found it, it was with a dust bag. This computer, my friend, delivered me an internet cable, but I
use it only because we have a camera in front of the camera to shoot in real time. This computer was a Windows XP, antivirus-free, which sits there for the workers in this camera: one opens the ABB post, the other watches porn, the third pulls some torrents, and there were thousands of computer viruses in this computer. But the good thing was that the RAM and the processor were good, nothing was hidden under some office. The internet was fast, and that's why this computer worked for hours and the hackers used it as a staging server. In other words, they don't hack from it, they just jump to another server to do something wrong. I repeat, we are talking about a different part in the US and Australia,
but I repeat, the botnet networks are a huge problem that we are seeing and a big part of our work is aimed at prevention. In other words, our partners most often with the Federal Bureau for Investigation of the United States, which is a world leader in the fight against cybercrime, to ask us to do something, for example, to take out a server from Bulgaria, which is used by a hacker group, or to interrogate a Bulgarian who has helped or participated in a criminal scheme. When we talk about, to go back to the topic of sharing of the information that is established, what Stoyan showed a while ago. I just want to remind you that we
have to be careful, because our law is quite strict, as it is a matter of unregulated access. The Criminal Code describes computer crimes. There are changes in the Criminal Code, I'm not sure if they will happen, the National Assembly will decide whether to adopt new laws, where the punishment for hacking, generally speaking, changes. At the moment, a huge part of cybercrimes, such as unregulated access, data collection, the destruction of computer information, the destruction of information in a foreign information system, are so-called "light" crimes. In other words, under 5 years of imprisonment is provided for in our Penal Code, but for a large part of these cyber-related crimes the expected punishment is to become up to 6 years,
which will make them serious crimes and, accordingly, there will be an opportunity, generally speaking, to untie our hands, to use special means of investigation and to use other legal methods to investigate cyber criminals. Everyone will agree with me that, no wonder, some of the companies you work in or represent have been a target of hacker attacks. Everyone will agree with me that this is an extremely unpleasant incident, which can in practice destroy the activity of the entire company. But on the other hand, well-intentioned young people like Stoyan, who spoke a little while ago, also have an extremely important role, because what they find and provide to the company, of course, the company will take measures on, will close a specific hole or will change something
in the site, in some information system, and this will be our work afterwards. We are not saying that the whole society will be useful, because personal data will not be distributed to others, because Stoyan has found that almost everyone who has registered at school can go to practice, if he shares time and desire. But when it comes to well-intentioned hacking, so to speak, we must be very careful, because we have had cases in which a company that has suffered comes to us and says that a certain person is connected to us via ProtonMail and he sends us a picture of the name of our database. He hasn't taken out the database, but only the name of the database is a categorical indicator that he has successfully
regulated access. A very important moment in which we need to stop. As Stoyan said a little while ago: I saw, tried something and I stop. A very important moment is also what the whole hacker has to do. Whether, as Stoyan tried to start, saw that there was a problem, immediately stopped and made a video and provided it to them and left their contacts in consequence of further interaction with the company. Or, as this unknown person with ProtonMail has numbered the database, for a while, most likely, he has extracted part of the database and under the anonymity of ProtonMail. Thank you very much.
If I can use the examples that Mr. Dimitrov mentioned about business, about botnet networks, if we have a health community that helps us in the discovery of new diseases, we could save many similar problems, incidents and attacks on the public sector. They will have less work to do, and will deal with all the criminals who host certain videos. We can really focus and save money for the business and the public sector. And the other thing about the legal framework, I hope it will change soon, and I hope that this will become a fact, so that the boundaries can be clear, what does responsible disclosure mean, where is the boundary, where exactly can we test something and where we can't. So we
have to get acquainted with his department. Thank you very much for coming today and for your time. Thank you, Mr. Dimitrov, Yes, of course, I want to thank everyone. And now, if you have any questions. If there are any questions. Yes, especially to Mr. Dimitrov. Yes. So the question is whether this framework is being created for voluntary sharing of information from ethical hackers. As far as I know, there is no legal framework at the moment. I'm not sure if something is being done. At the moment, there is a partnership between the State Agency for Electronic Management and the GovCert. So I hope it will be a reality soon. Yes. So the question from the gentleman there is how
effective are the punishments for cybercrime up to five years, right? Is there anyone who is convicted? There is, for example, I will tell the hacker from Plovdiv. Instakill, which included a contract. We arrested him for having implemented unregulated access to a company's computer information system. We won't say which one. Are there enough orders that are proposed in the law? In my opinion, they should be slightly higher. This is planned in the next changes in the Penal Code. On the other hand, we have a part of the society that says: "Well, this will be done by the police state, because you see, the police do whatever they want and will take data for my IP address and will monitor me, what I do." But this
is not so far away, because everyone says, for example, Vladimir Dimitrov from the Department of Cybercrime said they arrest me. There is no such thing. When we do something, when we go to arrest a hacker, this is also agreed with the Prosecutor's Office; 50 colleagues know there who work there, the leadership of the Head of the Department of Crime Management, the leadership of the Ministry of Internal Affairs. Everyone says the police arrest me, the police... They told me: "There is no such thing. Everything is extremely legally regulated. We work on so many internal acts in the Ministry of Internal Affairs, the Penal Code, the Penal Procedural Code, which describe how evidence is collected." So most likely due to misinformation, the unknown part of society thinks
that a similar suspension of the crime will break the hands of the police to work against the society in general. Other questions? So the lady there is asking where is the border between cybercrime and misinformation and the ignorance of the society, of the victims. Yes, but I can't say that word in front of you, that's why I say misinformation and ignorance. They said, I didn't say it myself, but we often meet with such things. Yes, we are very stressed, for example, a business man came to us and said: "I met a woman on Tinder, she is from South Korea, then we chatted on WhatsApp and she told me to register on a website, I registered there, but the first payment was one million dollars. I said to myself
that I don't have one million dollars, I have 400 thousand dollars. She said: "I will give the other 600 thousand and she saved me one million." And it is clear that she made a website and she can make 1 million, 3 million in it. But this person says: "She sends me a picture of how she does it in good health." But I say: "At least write your name on a sheet to be written and filmed." No. Yes, the ignorance and misinformation, I will not say this word, the other one, is a big problem for us, but despite this they are victims of cybercrime. This lady who sold her property and sent it to a fraudster
who is on Facebook with some names, she is a victim. So we are legally liable, this is a computer fraud, in section 212A of the Penal Code, which someone to cheat, to mislead, to enter or change computer data, of course, the Facebook profile, he is punished with a certain amount, of course, and as if he did harm to the victim. So it is incriminating, it is a crime, the computer cheating, the fact that the victim is uninformed is another problem. That is exactly why it is necessary to... This is part of cybersecurity, because cybersecurity is an extremely common concept, and very often when I talk to people, they mix cyber security with cyber crime. And cyber crime is a very small part
of cyber security. I will use this opportunity to remind you all that when we talk about the general concept of cyber security, we are talking about three things: MIS - network information security, counter-action of cyber crime and cyber defense. These are the three main components. We have briefly turned it over to the lecture, but other questions?
They are two cases, actually, or under the case. One is when the administrator didn't take measures, because he's lazy, or the other is when his boss didn't give him money to fix things. After that, there's a case, the company loses money, loses their image, and so on, and sometimes they try to tell the business owner to have a regression towards the administrator. In a sense. Well, this administrator must be judged on a partial basis, who is probably no longer part of this company, to prove in part what are the harmful things
that have happened as a result of the immorality of this administrator and, accordingly, to... Do you have such cases? Rarely, yes. We are more concerned with the criminal part, when there is a crime. And crime is already something else. I am trying to understand if this is a crime. At some point, you know that there is something there. No, the indecency is not a problem. It is not indecency, they know that there is something there that needs to be done. Just to clarify a little bit, by definition this would go more towards insider threat, because the person, due to non-engagement, indecency, laziness or something else, or a human error is allowed, an incident occurs.
63% of the vector is an insider. Unfortunately, this does not always break the legal framework. Not only in Bulgaria, but also abroad. I have worked on international incidents in the US. Sometimes they just break the internal rules of the company and the only way for this dispute to be resolved is through a private court. Simply because there is no unregulated access. Access is regulated. This person is a servant of this company. This is a huge risk for most companies, with certainty. It is simply not a crime under criminal law, but a crime of indecency, or so-called insider threat. It is difficult to find an administrator criminally responsible, because he works for the company. He can even mine cryptocurrency. This is a violation of the internal company rules.
It happens often. I know. That's why I said it. So it is difficult. I know there are still questions. I will be here for another 20-30 minutes. But we don't have time. We move on to the next presentation. Thank you very much.