
Analyzing Open Buckets: a Beginner’s Journey Through Misplaced Secrets by Michal Kamensky

BSides TLV · 2022 · 18:19 · 160 views · Published 2022-07

Speaker: Michal Kamensky
Category: Technical
Difficulty: Intro
Style: Talk
About this talk
A junior security analyst walks through their early experiences discovering and analyzing exposed cloud storage buckets, sharing case studies of real-world misconfigurations that exposed sensitive source code, credentials, and customer data. The talk emphasizes the importance of research methodology, creative thinking in attribution, and company culture that empowers junior staff to investigate beyond initial assumptions.
Transcript [en]

Okay, hi everyone. So I'm going to talk today about open buckets. If you don't know what it is yet, it's fine, I didn't know either. So who am I? My name is Michal Kamensky. I'm a computer science student at the Technion, and I'm working in a student position in cyber intelligence, as a cyber intelligence analyst. So I would like to start this presentation the same way I started my job interview for the role: I don't know anything. I don't want to mislead anyone; I want to walk you through my journey. So when I say anything, I really mean anything. When I started with Linux I tried to type in my password and couldn't figure out why, when I typed it in, nothing would show up on the screen. It took me quite a while to figure out that's just the way it works in Linux.

So my purpose here today is to walk you through my journey, and I will do that by walking you through some case studies from my work that will be more technical. And well, that's it, let's begin. So what's a bucket? A bucket is a database that is stored in the cloud, and the problem is many companies just misconfigure their buckets and leave them completely open, for anyone to access them with just a web browser. So that's what a bucket looks like in the browser: just a list of files. This is a picture I took from an article I found on Google, and you can see the credit right below the picture. And companies, many companies, I was surprised to find out, just leave a lot of sensitive information, a lot of customer information, their employees' information, just open for anybody.

So the first case study I want to talk about is this airline. They left their bucket open on the web, and what did we find in there? There were many, many terabytes of files. For example, there was source code with passwords and keys, and I don't know a lot, but I don't think that you're supposed to put your password inside your code. Here's a screenshot; of course I redacted the parts that shouldn't be public, that they did leave public: their AWS keys, their passwords, API keys, just everything. There was airplane navigation and landing source code, including equations for calculating landings of airplanes, that had write permissions; just anyone could go and change the source code for the landing of an airplane. There were security procedures from various airports around the world, and there was an alert system to send urgent messages and alerts to pilots while they're flying, and many more.

Okay, so there is all this source code, there are APK files, there are Java files. I've been told to find passwords and keys; I don't know how to do that. I've been told to look for secrets; I thought, like, the main stuff that should be kept secret. Then I realized it was a professional term that meant passwords and keys. After I realized that, I knew better how to Google. When I knew the terminology, I could know what I should look for and what I should learn. So I found this open source tool. There are many open source tools for analyzing information, for finding anything you want to do; you barely need to write anything new yourself in this world of tools. So I used this open source tool called APKLeaks, and it just reverses the code of the APK files and finds passwords and keys automatically. For example, Amazon keys all start with AKIA, and then that's one way you can find the keys in the data, and it just prints out everything you need to find.

So this was a bucket that was kind of different from other buckets that I was working on before. It just made me realize how bad the situation is with leaving just any information open. Why would anyone leave that open? And there are so many other buckets just like that open out there; you just can't get all of them. You don't necessarily need some brand new zero-day to attack or to find sensitive information; you can, just by misconfiguration of buckets or other systems, get a lot of information. And I'm no expert, but I think that's something that could get abused by terrorists, and it's good that it got closed.

So the thing I like most about my job is the attribution: it's to find who the owner of the bucket is. It feels like a puzzle, something you need to figure out. You need to search for it, you need to think creatively. So it can be difficult, but it's the most interesting part. Sometimes it's really obvious; for example, if it just says BSides TLV in the bucket name, you can assume with a certain certainty that it belongs to BSides. Okay, but it's not always that simple.

So I want to talk about a case study that involved a bucket full of student records: student names, their ID numbers, and their grades in various courses. So the bucket name included the word Israel, all the newest files in the bucket were from the same academic institution in Israel, and it was live; there were still new files uploaded every day, and all of them were from this same academic institution in Israel. So it seems pretty obvious, right? It probably belongs to this academic institution. But not so fast. While I was just sampling some files to see what's in there, I encountered an invoice. It was an invoice from a company A to a company B. Both of them were from a foreign country; none of them related in any way to Israel, none of them related to this academic institution. It was weird, like, why would it be in the bucket? So I sent this invoice to my team leaders. They told me, "It's the bucket of this academic institution, you need to go over it quickly and we will send it for remediation so it will get closed as soon as possible." But I sent it to them and I was like, wait a second, how do you know it belongs to this academic institution? Why don't you think it might be something else? For example, I found this invoice; why would it be there? But again, I'm a newbie, I don't know anything, who am I to challenge them? Am I just being stubborn? They have a lot of experience; if they're saying no, whatever, leave it, should I just leave it, or should I keep going and investigating it? So I said okay, they know better, but my brain is still itchy, so just for myself I will go over it, I will understand why they believe it belongs to this academic institution, I will just ease my mind.

So I started going over the files. There are millions of files; you can't go over all of them even if you wanted to, and of course I didn't want to do that, that's not ethical. So what can I do? I looked at the files; I tried to see if there was something that stood out. First of all, I looked at the dates. I saw that all the old ones belonged to academic institutions from a foreign country and all the new ones belonged to this academic institution here in Israel, and I managed to find the exact date when the switch happened. Second, I kept looking for things that would stand out. I don't want to just go over millions of student records; it's not interesting. I want to find some proof of who this bucket belongs to. I don't want to report to some random academic institution about this open bucket if it's not their bucket. So I noticed that the invoice that I found had a slightly different name scheme than all the other files. They all were just random strings, but there was something different about the name scheme. So I looked at other files that had the same name scheme, and most of them were just a bunch of stock photos; it didn't help me much. But then some of them were screenshots, some documents of a company that was verifying student records. So I Googled this company and I found two websites. The first one was a global website; it was of this foreign country, that this company verifies student records in this country. And the second one had a .co.il ending, and this website was verifying customer records for this academic institution in Israel.

So I was just telling you the road that finally worked, but it wasn't that easy; it took a lot of trial and error. So I just found myself at 3 a.m. in the morning screaming at my computer, but I was really proud of myself that I found something that much more experienced people, my team leaders, didn't find. I wasn't proud of myself because of the technical steps; none of them were more than basic. I was proud of myself that I wasn't scared to research on my own, that I didn't just say they probably know better, I should just listen to them and leave this alone. And of course I didn't have anything to be scared of; they were happy I did that, they were proud of me, and that's something I think is very important for a company that employs juniors: to have this kind of atmosphere.

Okay, a few other things that I found really cool at my job during these few months I'm working there: a lot of the boring stuff can be automated. The research most of the time can't be, or at least not in a really simple way, but other stuff can be. I got really excited about regular expressions. They were mind-blowing, first in a bad way because they were a little annoying, but when I got the hang of it, it was really cool that you can, with just a few rules, get exactly the data you want, exactly what you're looking for. Other cool stuff I found is that without any tools, anything special, just by using source code, you can find open buckets on websites. You can see in the network tab in the dev tools what sources they are calling to retrieve images; you can use that to see where they are calling them from, and sometimes those buckets are open. Also, most companies are not very creative with the names of their buckets; most of the time it's just the company name, production, or prod, and if you find one there are probably other ones. No one misconfigures just this one bucket by mistake; if you know how to configure it, you do it. So if you find prod, you probably will find non-prod and stuff like that.

So I started there; I didn't know how to type a password into the Linux terminal, and after two months I got to where I am right now, to these case studies. They were just two months after I started my job. I want to conclude, first, with my experience that you can learn a lot when you're just a beginner. Everything is new to you, everything is interesting, you can just learn really fast. Also, the company culture is really important, to make the juniors feel that they can contribute, that they will be heard, that they can speak their mind and that they won't be dismissed. Also, it's important to make friends that are at the same stage as you are, or that maybe were at the same stage that you are just a year or two ago, to not take this journey alone. And there are no shortcuts; just learn on your own and keep trying. And about the technical stuff, the main thing I learned: there is all this cool stuff, all these vulnerabilities, zero-days, but at the end the main vulnerabilities are just stuff that gets misconfigured, and you can find a lot of sensitive data this way. And that's it. So I want to thank BSides. I wasn't planning on talking here; actually my friends pressured me to talk here, but I'm glad I did, and somehow I got accepted. And I want to thank my team for being supportive, and I want to thank you for being such a great audience.
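The talk describes two pieces of the same workflow: a tool (APKLeaks) that pulls passwords and keys out of decompiled APK code, with AWS access key IDs recognisable by their AKIA prefix, and regular expressions that "with a few rules" extract exactly the data you want. The following is an added example, not the speaker's code and not APKLeaks; it is the kind of small secret scanner a defender runs over their own source or a strings dump before it ever reaches a bucket, reporting each hit with its location and a redacted value so the report itself does not re-expose the secret. The AKIA-plus-16-characters shape of an AWS access key ID is the documented format; every other pattern, file name and sample string here is an assumption constructed for the example.

```python
import re
from dataclasses import dataclass

# Secret patterns. The AWS access key ID shape (AKIA + 16 upper-case
# alphanumerics) is documented; the remaining patterns are deliberately
# loose, constructed for this example, and need tuning per code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,3}['\"]?([A-Za-z0-9/+=]{40})"),
    "hardcoded_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
    "generic_api_key": re.compile(
        r"(?i)\bapi[_-]?key\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    line: int
    redacted: str


def redact(secret: str) -> str:
    """Keep prefix and suffix for triage (e.g. the AKIA prefix) but never the full value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over every line; one Finding per match, value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, path, lineno, redact(match.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> decompiled/source text, sorted for stable reports."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return sorted(out, key=lambda f: (f.path, f.line, f.kind))


# Constructed sample: what a strings/decompilation dump of a hypothetical
# app might contain. All values are made up for this example.
CONSTRUCTED_STRINGS = {
    "com/example/flight/Config.java": (
        "public class Config {\n"
        '    static final String REGION = "eu-west-1";\n'
        '    static final String AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001";\n'
        '    static final String AWS_SECRET_ACCESS_KEY = "EXAMPLEsecret0123456789abcdefghijklmnopq";\n'
        "}\n"
    ),
    "com/example/flight/Db.java": (
        'String url = "jdbc:postgresql://db.internal/ops";\n'
        'String password = "hunter2hunter2";\n'
        'Log.d("boot", "AKIA prefix check skipped");\n'  # prose mention, not a key
    ),
    "com/example/flight/Weather.java": (
        'String apiKey = "abcdef0123456789ABCDEF";\n'
    ),
}


def report(files: dict[str, str]) -> str:
    """Human-readable triage report; redacted values only."""
    lines = [f"{f.path}:{f.line}  {f.kind:<22} {f.redacted}" for f in scan_files(files)]
    return "\n".join(lines) if lines else "no secrets found"


if __name__ == "__main__":
    print(report(CONSTRUCTED_STRINGS))
```

The `\b` on both sides of the AKIA pattern matters: a 21-character run of upper-case text does not match, and the word "AKIA" inside a log message does not either, which keeps the noise down when the same rules are run across millions of files. Redaction is a design choice for the report, not the scan: the person fixing the leak needs the file and line, not a second copy of the key.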