
Organic, freerange credentials harvested from your browser

BSides Tallinn · 52:44 · 120 views · Published 2025-10
Category: Technical
Team: Red
About this talk
When I ask an audience about 2FA phishing or stealers ... the silence is deafening. With the exception of the dude from the back row: "Stealers can't get your passwords from Chrome since ca. August 2024, go home, stunthacker". Well, "I've seen things you people wouldn't believe" - not C-beams glittering in the dark near the Tannhäuser Gate, but trying to guess organisations' password policy from leaks / stealer logs. Much fun, not time to die, though. So, let's run a 2FA phishing campaign live against Estonian TARA auth (with scoring) and see what we can grep from some recent freely shared stealer log drop (as of April 2025: 3000 logs from a BreachForums rando = 183 WordPress admin cookies).
Transcript [en]

Behind curtain number one, soon there's going to be a lovely speech about when 1 + 1 equals 11. That sounds like me doing math. The hidden math of application vulnerabilities. That's going to be on the other side. Who wants to cross over? You can do it at your own leisure. But here we're about to witness the man who was selling speed before I sold speed, who discovered Estonia. And we still owe the guy money. So please give it up. On the topic of organic free-range credentials freshly harvested from your browser. I mean, I told you I love fintech. You guys do stuff which I was told was illegal, but apparently it depends on where you work.

And I would like to welcome on stage Mr. Petra Mar


So, hello. Oh, it's very strange to hear only noise and not myself. So I do hope that you are actually hearing me well. Oh, cool. So I'll take these off. Anyway, today's topic actually came to me when I was preparing for a WordPress meetup and I decided I need to tell them how their sites can be taken over by bad guys, and I needed to have some demonstrations, because people usually do not believe without seeing things demonstrated to them. So I started to look around how to get the credentials which I'm seeing are shared on the internet, and

that's the beginning of today's story. My own background, I think most of that can be summarized as "been there, done that", and I'm not going to pause on that anymore. Look or think about a typical scenario of an incident: something got compromised. The question is, how did they get in? Well, most of the cases when you are looking are going to start from initial access brokers. So basically they bought or got some credentials from somewhere. A cool solution is using stealer logs, which I'm going to talk more about in a moment, and there is also phishing,

there is also MFA phishing, or phishing cookies. So I'm going to talk today about both of these things, and I'm trying to stitch in also some live demos with the things, so keeping fingers crossed that it will actually work. I did spend the past hour rerunning demos and it seems it worked. But before we get to actually trying out phishing MFA and dealing with actual people's stolen passwords, a quick flashback to a past year's BSides when I was talking about staying legal in the land of dual-use tools, which I'm going to use today, and I

wrote that actually you need to have intent to do something illegal, somebody needs to find you, you need to have a victim and so on. And technically the things I'm doing today, if used incorrectly, would go under Estonian Penal Code § 216¹, preparation of computer crime, by doing something yourself or enabling a third party to commit the crime using the things I've been demonstrating. So, long story short, I have no intent to commit crime. I do hope that the result won't be that after this presentation it turns out I have enabled you to prepare to commit crimes. So stay safe and don't try these things at home.

That's why I did. So, stealer logs. How did I first meet a case of a stealer log? It was what I call the security salesman case. It happened a couple of years ago, and one morning there was in the security mailbox an email which starts like the usual, "I hope this email finds you well", which probably it didn't after we had read the text. It turns out that this person had purchased one of our company's passwords or accounts from the dark web, and he was willing to show us where he got that if we were willing to listen to his sales pitch for

his white hat dark web monitoring service. So we thought that okay, that's a fair deal, and what we saw was that we learned later that there had been a password stealer called the Russian password stealer, and something like two years before the actual call or email from the salesman there had been an infection of somebody's computer. Interestingly, just now, two years from that time, there was a single login to this account. They just didn't do much. They logged in, looked like "okay, login works", and went away. And then 10 days later there was the next login.

And then soon after that was the email from the white hat guy. Interestingly, it was very professional, so he didn't do too much snooping around, because that way we could probably be more interested in suing him than cooperating. I've also found the same thing with, so to say, bug bounty hunters who are contacting you to tell that there is something in your systems. I found that they very nicely just touch the minimal amount to prove that there is the vulnerability and don't go around. Very cool. Anyway, it turns out that how he found the credential: he was scouring probably

the Russian market selling the ... or some similar site, where you can search by company name, you can search by industry, by country, by turnover, I think, and things like that. He found, he purchased, I think, such a simple password set nobody has considered especially valuable, going for, I don't know, 10 bucks, and that's how he got it. So basically an investment of 10 bucks is, I think, a very good advertising spend. Not that I'm promoting that approach, but still. So that was the first thing which got me thinking that okay,

I need to talk more about these things and see myself how it works, because yeah, everybody has hopefully heard about stealers, but how it works. Another thing I've been looking at and seeing going around, I think the last one was like 16 billion lines of emails and passwords, is what's called ULP, URL, login and password collections. And how did that thing come into my life? In January this year, a hosting service provider noticed a surge of login attempts to old accounts from suspicious IPs which were outside of their usual client segment. And it

also did match a similar pattern they had seen about a year before that actually did result in compromising one of the clients and an actual notable data leak. So when I heard about that I was like, I think I have seen something manifesting about that earlier, and the thing which by January we knew had a name: it was Silver Bullet text, the Telegram complex collection. Silver Bullet text is one of the channels, but there was a bunch of others, like Cloud Satanic, Cloud the Alien and others, where I think the same list was repurposed or slightly modified, with 234 million lines of these ULPs.

So, the places where they are offered. It's nice to see that they are all offering some snippets, and for $1,000 you can get lifetime access to their nice data sets. So, really cool. How are these actually used? This is actually another Telegram channel. Some guys are running their own DDoS service, and I was peeking around Telegram and I happened to be incidentally on this channel when somebody started sharing sets of control panel logins with passwords and usernames. I hope I have sanitized everything here. So

the reaction of the DDoS guys was basically illustrated by this animated image. So like, oh my god. The next thing was that they actually logged into some of these and found out that, oh, this one has like, I don't know, one terabyte of traffic completely unused. Can you imagine, all of these have unused traffic? We can set up our DDoSing tools on these servers and make fun. So I understood that I had seen that actually in December, and I understood that next time I see something like that I need to contact at least in Estonia all possibly affected similar people,

because here are whatever hostings, but I know exactly the same kind of attacks reached Estonia a bit later with admin panel login, or like self-service login. So the question is again, how the heck did they get these lines? There is the old story about all of these leaked passwords and emails, but these won't actually have URLs of the hosting panel login. And these panels were also so diverse that probably also the idea of using whatever password spraying attacks against existing accounts won't work there either. So what it was most probably

was the massive amount of things that they had gotten from browser password managers, or perhaps from the desktop, because people tend to keep their passwords.txt files there. When I was talking about that in some more private setting, people said, "no no no, but you know from the summer of 2024 Chrome is much more secure, so there can't be any more of these things, these are all old data, and we are now safe, we can now again use Chrome password managers and things". Well, this is actually, I think the time when Chrome became secure was probably somewhere like here, and what we

are seeing is that one of the stealers, Lumma, got a real boost after that. So basically the question was that Chrome came out with better security for your passwords and cookies, and how long did it take? So this is actually Lumma Stealer's post on xss.is, a, let's say, hacking forum, cyber criminal forum, however you call it. And it was in the middle of September last year, and they said that things have changed and we are working. This is, I would say, very professional reporting: we have had an

incident. Chrome has improved their security. So, okay, this is what we are going to do, five points, and so on. And I especially like that they are actually real business people. "So, while we are looking for a solution, we believe that the only right decision is to suspend sales." Real things we are not often seeing from big companies doing the same thing. Did CrowdStrike stop their sales? Not sure. Anyway, so that was the 12th, the 17th. Okay, they already have an update on the cookie encryption bypass for the new Chrome updates. So yeah, five days later,

the situation is now normal. Everything has been restored and we are also releasing a bunch of new features. On the 19th, two days later, more. So one week from the original thing that "okay, we need to stop sales". And by that time they had a new method that did not require admin rights and/or restart, which yeah, simplifies the whole process. And from then on we probably come to the place where Lumma Stealer took off and got to be one of the preferred stealers by people dealing with stealing things. Aha. Then there is more; again, this is already this April, but

the updates are going on. Oh, what then happened on, I think, May 21st: it happened that Lumma Stealer's infrastructure was taken down, domains seized, Europol had a press release, "so we have disrupted this bad operation", and the guys were back in a couple of days. See you soon. This is from SpyCloud. SpyCloud is a company who is active on the ... side; the previous graph was also from SpyCloud. What they are doing is they are monitoring all of the leaks. They do have pretty nice insight. I'm not supposed to

know how they get these stealer logs. So apparently they are monitoring all the time what kinds of stealer versions are active. So this is now interesting. So you might think that this was the day of the takedown, but no, there was some other hiccup on the systems. I haven't found out why it was down. Maybe, I don't know, some public holiday in Russia or whatever. No, it should be a bit before. Anyway, so this is the effect of actually taking down 2,500 domains. And it's back, and it did go down for summer. I think it's probably up now again.

Unfortunately, I didn't see a more recent graph. I've seen also a more exact graph which again basically had this one or two days where Lumma went down and up again. So these things are working. So the next thing I started asking myself is, okay, I know these Lumma guys are doing these things, and how easy would it be for me, presuming I would have criminal intent, to get myself some stealer logs? So where would I start? Well, usually the cool places to do things. Okay, please don't go to these places. They might turn up badly on your CVs, because the fun

thing about criminal forums is that the guys there occasionally get into fights with each other and leak databases and things. So I think this is from BreachForums version three, or two, and the previous version was leaked with much drama, including all of the database of users, their IP addresses and so on. So please be careful when visiting these things, or better, don't. And I actually went there because, as I said, I was preparing for a WordPress meetup talk in Finland. So I wanted

to show them the price of an admin account. So in bulk it's 50 cents, and if you're buying WordPress admins it's $2 per piece. So if anybody has their own website, that's the price of that. I think the most offending thing about this, I don't have the slide in this deck, is that actually a Joomla admin costs like three times more. I have no actual understanding why Joomla is so much more expensive, but perhaps it is a rare kind of beast, or maybe the logic is that Joomla is not used so much anymore. So the site still running old Joomla must have an old,

long history, meaning that it has SEO value or something like that. So there's probably a reason I haven't understood why. Anyway, when you are looking at these posts, forums are also suggesting where else to look, and from these places I actually found a Telegram channel, which I have masked the name of, because otherwise you would go there and probably cause overload to Telegram servers with that. Anyway, they are daily throwing out something like two to 5,000 lines of stealer logs. It is a free offering. So I

think it's notably low quality, but for a purely research project I think it was worth looking at. So how much data is there? Well, I think it was like 1.1 terabytes when I calculated the size of all of this channel; the logs had been available for one and a half years back, when they started the channel. So at some point I just decided one day, which was the 18th of any month, and I downloaded the samples from the 18th for all of the months from May 2024 to the last one I got now, a couple of days ago,

that was the September one. Typically one day's logs, rather compressed, is 2 something gigabytes. So that's how the size comes. When you are looking at how the stealer logs look internally, there are files like "all passwords", but it is also divided by things that have been stolen, like Chrome: there is the default profile. It is a question why somebody has had 15 profiles on the system. I haven't found good reasoning. Maybe it's a shared computer. Maybe something in a school or something like that. Who knows? Anyway, when you're going deeper, you're

going to find, for example, here's the full Telegram data, which I think can be used to get access to your Telegram channel. There's OpenVPN, I think ProtonVPN, other VPNs. This one was some Brazilian network operator's VPN which was in this file. And this is just manually assembled from different sources to show the variety of things. SSH access; unfortunately, all of the IPs were from the 192.168 range, so some internal hosts, and so on. Wallets, crypto wallets, cookies, credit cards and all other things which turn out on

this. And with cookies, the first thing I actually started counting and looking at was the amount of WordPress admin cookies, and okay, we can start getting the sessions ourselves. But I have currently my test set, which is these 17 days, in total 50 something thousand different logs. So I did what everybody does: I started vibe coding, asked Claude 4 Sonnet to write me something that takes this sample data and writes the parser and then sends everything to Elastic. So what I got: 53,000 files, 30 GB raw and 91 GB

uncompressed. I actually had thought that the text decompression rate would be, I was expecting to get, let's say, eight times, but the uncompressed size is only three times the compressed. So anyway, thinking about that, I could manage also parsing all of these 1.1 terabytes into my nice small Elastic. And now let's see if we can find the Elastic also. So

first thing I started. Aha, oh sorry, I need to put some better timing, from May 1st 2024 to now.

It's running on a very small NUC, my home lab kind of computer. So it takes a bit of time, but it will soon calculate and show that, interestingly, these logs have almost nobody from Russia, and I do have logs from countries where rich people live, where a lot of people live, and probably also where a lot of people live. Again, speaking about the browsers, it seems that despite Chrome having been updated, it's very popular, and when we are looking at the versions, so I think we are with Chrome

currently at, what version is it, 140, so we can basically see that yes, recent Chrome versions are completely present. So these stealers do work very nicely with recent browsers. So if you next time need to debate with your colleagues about whether using Chrome's password manager is safe, I know there have been very lengthy discussions about this, well, show these slides and tell them that maybe they need to rethink their attitude. I'm not going to go too deep beside the statistics into the logs because of potential PII and so on. But I'll show you a

couple of searches which I started doing when I got the idea of what's going on there. So, the first one, let's enable for a moment the view of ... oh, I need to also see that we are looking at passwords, and okay, let's try doing it like that. So this is now what has been stolen from some Estonian users. Fortunately, there is not much, but you are going to immediately see that the kind of accounts are mostly related to gaming, and this is also what we have seen in my professional life: when we are looking at cases

when somebody's account has been compromised, or somebody's account has been used to compromise a system, when it turns out it has been in stealer logs, we are always going to find from the same computer's stolen credentials also things like Roblox. I think Roblox is basically the malware delivery system. Prove otherwise, but that's what we are seeing from logs. Also other gaming platforms, and in the Estonian case the next common thing to see is things like aa, or I'm not sure if I'm finding it also here; in some earlier case I was also seeing a particular name of an

Estonian, ah, Habs musical, so somebody is going to that school, and so on. So that's how these things happen. Often parents have their working credentials on their home computers. Kids are using these at the same time. So the most dangerous thing in your life is your kids. How can you protect against that? I think the easiest thing is to, not exactly to not have kids, but perhaps have a separate account on your computer. So it usually does help. So I see I'm

soon running out of time. So I'm not going to do more demos, but if anybody during the Q&A wants to ask me to look up some data, or during coffee breaks during the day, feel free. We can see if your conceptions about what kind of passwords there are are true. But cPanel, WordPress admins, these Cisco AnyConnect web-based clientless VPN logins, which have something like plus C something something plus, all of these are present. You search for VPN, you get VPN. It works very nicely. And for the phishing case, this is actually a real phishing

site which is .com, so it's probably pretending to be some Kasa company. So, getting in, getting your monies. So this is actually classical phishing, but my interest was to see how well I can actually use against these things man-in-the-middle phishing, like with something called Evilginx, which I know is pretty well respected by red teams, and also perhaps blue teams, because there was a discussion about the effectiveness of training. Evilginx 2 plays very nicely with GoPhish, where you can send out your play phishing campaigns. I'm not sure

that it's actually a thing you need to do, because, like somebody from an Estonian company told me yesterday, if all of these play phishings worked, it would have already eliminated the problem of phishing. But people still are going there. But anyway, it's usable. So I decided to try this out in a way that, so what could be a cool target, and I found that the Estonian public and government SSO service TARA has a very nice demo environment, which is for demonstration and testing purposes. So what I'm doing

here, I'm doing exactly what this environment is meant for. I'm doing demonstrations and testing. So it ought to be completely legal for that. Let's see. I do have here an actual Evilginx instance. So I can run it and it should be up. So now this is the official site. Let's see if it works. Yeah. So I do have here also now the hacked version. So what it's doing is man-in-the-middle. So my server at hack.de, which is running behind Cloudflare like everything, somewhere in DigitalOcean, is sending the request to the official

site, doing some small replaces with parameters like domain names and host names and so on, and serving it here. So what I can do now is, I have been blocked. Any idea why I might have been blocked? There is a lot of information about how to protect against all of these evil phishing tools, and there's apparently something called a JA3 hash, which takes different parameters from the TLS session handshake and calculates a number, comes to this set of parameters, and actually the hash from that. So, like with all of the demos, it's kind

of problematic. It doesn't work so well. So why don't we change our TLS fingerprint? There could be different solutions. I just pick the easiest one. I'm running mitmproxy on my system. So I tell here to enable proxy. Sorry, proxy enabled. Sorry, demo stress. I need, oops, I need to get back in and let's see what happens. To be sure it works I'm using a new incognito window and going back, and let's see if it works. Yeah, it works very nicely. I'm on the test instance. So with the test instance, the cool thing is that I can use also the

test Smart-ID. I don't need to use my own. It takes like, I don't know, four or five seconds while it simulates that somebody is entering their code, and voilà, I have logged in. What I see now from that side, I do see that the data has been captured by the MITM phishing. So I can see what kind of sessions we have here. Seems I have been preparing well. So I think we need to have sessions; the latest one is number six, which has credentials. It has also very nicely my set of cookies. So if I go back to the

official site, I'm not logged in. And I just add the cookies. And let's see. It redirects me nicely into the actual login page. So it turns out that it works very well. So for me now the next question is, let's see, can we actually see, does it work on the public side? I'm not going to go through, because that could be problematic if I log in. But yeah, we are here. Now, I'm probably going to, when I refresh the page, and also actually during the past page the page was a bit broken, because I was coming from a DigitalOcean IP and people have

added also protections, rate limiting requests coming from certain hosting providers known to have a lot of bad traffic. So let me see what happens if I, I do hope I have prepared well and I'm not losing the connection. Cool. I'm sorry. Mullvad, connect. Oh, okay. Sorry. This time I managed to completely screw up at that point. But technically adding just one more layer, going through proxies and so on, gets past these protections. Why I am showing these things is that this is most probably, and again monitoring their

discussions and what they are discussing, the features that they're discussing on Telegram channels and elsewhere, they are discussing exactly these kinds of things. So if there is somebody from the other side trying to approach your system and phish you, then be absolutely sure they are going through the same process. Huh, this one didn't work. What might have been the thing they have been using to protect these things? Okay, let's try this thing. Let's take another thing from the toolbox and go on. So probably getting through most of your protections, by people who are well motivated, given that you are an

interesting target, will probably be more a question of minutes, not days and hours. So the moment you are getting people interested in you, active enough to have hands on keyboard, then it will be on your side also going deeper and learning more, and probably also hanging out with the bad guys in Telegram channels. I suggest doing that also in a not so public way and learning their tricks of the trade. Now, yeah, we should have gotten through also with that, but we didn't

currently, as I showed you, there were a couple of protections to get through. So I also did another side of self phishing. So I actually set up an nginx server which logged everything, including headers, to see what is actually visible on the side of the attacked site. And I found that, it turns out, these tools, especially as they are also meant for red teaming and legitimate use, do have some kind of Easter eggs. So it turns out that I'm actually manifesting that I'm running Evilginx on this particular site. So going

that far as to actually block me by one JA3 hash might be having a filter that could be designed better. Of course, another thing which in this case is always said to me is that maybe somebody is monitoring the logs and using this thing to detect more of the JA3 hashes possible. Anyway, I have shown too much of my logs or too much of my infrastructure. I'm seeing the next thing; again here I'm seeing the site which is being phished, and so on.

One of the interesting things I'm always looking at is favicons, because some people forget to have favicons, like me in this case. So browsers do ask for them, and I'm having also their error where it's coming from. And another cool thing, because as I said, the bad guys tend to be behind Cloudflare. You might be behind Cloudflare as well. So how do you detect that there are two Cloudflares and somebody is possibly trying to use man-in-the-middle? It's possible to

see again from the Cloudflare headers that there are loops, too. So anyway, when you are doing your play phishing, or when you are doing your protection side, do check all of the information coming out of your systems to see what can be used by defenders to build smart defenses, because the trick about this presentation is that I did the first version of demonstrating the problems with TARA one and a half years ago. I think it was in May 2024 at the RIA cyber meetup. So everybody related was there, and it seems that it has not gained too much

interest to have the whole plug. But now is the time for questions. Did you develop any questions during looking at that? The question of actually for me searching in the logs I think we can leave for later, but anything else, is there any interest?
>> Oh, here we go, there's a question right over there.
>> Oh, there is.
>> There's one there, and
>> Yeah, thanks for the cool presentation. First thing, I think we understood that: don't use Chrome password manager.
>> Yes sir. Exactly.
>> Second thing is, what's the status of other browser engines? Is it a Chromium-only one, which
>> I think in this particular set I

did not see fire for maybe I see maybe I saw we can look at the statistics also later. Exactly. But uh Chrome and H were kind of like the two ones which were kind of like on the pie chart the largest one. Opera was definitely also there. Uh other chromium based things like Brave. Brave is very secure. No, not in this sense. It still can kind of like leak your password. So yeah, but yeah. And al I think there was somebody >> there's one there and and then there we go. Yeah. >> Uh thank you for the presentation. Really good one. Uh you said um Groom's uh password manager is uh compromised was compromised pretty much uh

>> immediately. >> Immediately. Yeah. What about uh any third party uh password manager plugins? >> Uh I think I haven't seen uh things related to things like uh uh one password or last bus uh there. So the these I've been looking because uh uh you might have seen somewhere uh glimpse that I'm using one password myself. So, so uh I haven't seen these because uh and and I think the main thing which uh again people are asking that okay why are these password managers different the browser ones and the question is that browser is made in a way to make storing these passwords very easy and kind of like using these passwords very easy so they are not locking when I

would kind of like like want to log into something using my one password I would need to unlock because it kind of like uh very easily locks and it's also very easy to unlock on Mac with a kind of like finger sensor and things. So I think it pushes you to be uh more stringent on your uh security kind of like environment it if the things automatically locking kind of like it's it's difficult to steal if they always open then kind of like the stealing is uh very easy. So yeah, I I haven't I think in some stealing kits I have seen references to uh possibly keep but it was more like kind of like stealing the keep as file

and uh and uh and then kind of like thinking what to do about it later probably brute forcing and and kind of like that's that's it. So yeah but okay I think there was >> right here. >> Yeah, thanks Peter Peter. Actually my the previous attendant stole my question so I have to pose another one. Okay. >> Uh the question uh is that you you uncovered the chromium what about uh what about this other myth that Linux and Mac OS is more secure. What what is your comment on that? uh uh from the side of uh attacks uh there are Mac related steelers also but kind of like uh their amount and kind of like it's kind of like uh when uh with

Windows steelers there is a new story when uh kind of like massive operation gets taken down. So with a Mac there is a story like oh there is now one stealer for us also. So yeah we are also cool guys now. So it it is uh like that but uh uh kind of like follow up to that is that uh social engineering uh still works even if you and especially if you're thinking you are on very secure platform. So uh what I'm seeing what was happening actually back then when the chrome updated the security was that uh uh guys started doing something which was called fake capture. So fake capture is basically they're telling that uh

this is new type of capture you need to copy this paste and copy this text and paste it into your windows kind of like uh search bar and kind of like run it which basically was download something uh blah blah blah and uh so it anyway works and and kind of like if and and again I think when you are kind of like getting people to kind of like run these things they will be also very happily clicking all of the yes buttons of do you want to run it as an admin and uh and so on. So that was also with the uh Luma there was a the first version needed a admin to run. So they needed to

have kind of like encapsulation of basically kind of like social engineering to make you believe that you need to run this as admin and so they could then kind of like uh steal these things. So so they are kind of like uh yeah they are doing everything. And uh who else is kind of like trying to get you to run code? uh LLM I found recently one just kind of like out of this topic but very important for all of the cool kids doing the wipe coding uh these uh uh code AI and whatever uh cursor AI they kind of like start to kind of like run commands in the middle and I found that uh yes

I've said that the end file with all of credentials is kind of like uh off limits for them they can't access that so what they are doing well they are kind of like doing asking me to run command like catn and kind of like okay I checked you have credentials it wasn't that bug it must have been something else so kind of like similar way we are going to kind of like triggered into these fake captures and also kind of like uh running prompts we didn't want so no >> any I'm amazed because I also have an LLM but it's not the one you were talking about and I'm not a cool kid. So, uh, any any

more questions? This is getting fantastic. I now discovered that I basically since I use both Chrome manage Thank you so much. Now, I'm going to go and throw my phone away. >> Uh, yeah, >> there is one question. Yeah. >> Yeah. The question is about the evil jinx like how well does it work with like Google login, octa login and stuff like that these days? >> Uh, I think kind of like very well. Uh there are kind of like there is a ton of things called fish netlets. Uh and I think uh last year when we were dealing with one Estonian guy who was helping bad guys do their fishing. Uh the 0365 was kind of like the go-to thing to do.

But there are also for uh Google. I'm pretty sure there is also for Octa. there are fishets for all kinds of uh crypto exchanges and kind of like uh these things. So what what what's going on is again the same thing as I showed this couple of steps with HDA and TA. So they find the problem they fire up or something like that. They see what might be the possibility that uh their fishet is not working. They are tuning. They adding maybe some JavaScript. they are kind of like making some custom things to mask the identity of things. So I was doing with a plain vanilla kind of like out of the boxings to show that even

that works in several cases. So but but these things are protected better but uh there's a way to break everything. So like uh I do not worry that criminals are not able to crime kind of like uh they will find a way >> as a that's a motivational sentence if I ever heard one. Don't worry we're going to find a way to do crime. >> It's it's it's my job security. >> No, I know. Absolutely. No, I mean it would be as cool as a t-shirt like we sell speed and find a way to do crime. Um, >> yeah, >> I can say it now because my mom's retired, but whatever. Three, two, one. Well, if there are no

more questions at this moment, you can later approach Peter. He is going to tell you all about doing crime. Uh, but for now, thank you very much. [Applause]